
Comment Re:I'm sympathetic (Score 1) 435

I bet if you serve static html pages and only allow http access from the net that box in the closet will never get hacked.

The box may never get hacked (emphasis on may), but that doesn't do much to stop MITM attacks. Which is where https comes in.

(I realize that isn't the point you were addressing, and your comment was perfectly correct. I'm just bringing this back around to the original topic.)

Comment Re:Not a risk? (Score 1) 435

Yes, the Chinese Government always has access to any servers hosted on American soil. And vice versa. No reason either country (or any others) would ever have to use MITM attacks. Oh no, of course not. All the countries in the world are happy to work together at all times. :rolleyes:

Comment Re:You Must Register (Score 1) 435

The problem with that theory is that HTTPS Everywhere is run by the EFF and Tor, not Google!

Let's Encrypt is the joint project which Google is involved with. But again, the EFF is also a major backer of the project. And frankly? The EFF has a much better record of supporting my privacy and freedom than Anonymous Coward. Forgive me if I continue to find them more reliable and trustworthy than some random Internet guy.

Comment Re:Misguided Like A Japanese Rocket Launch (Score 1) 435

It will certainly help Google sell certificates ...

How will it do that when the Internet Security Research Group (which is backed by the EFF among others--including, yes, Google) is giving them away for free?

The problem here is the assumption (which Winer got from God-only-knows where) that Google is the one behind the drive to use https, when, in fact, the EFF and Tor are major backers of the push. And, while I don't trust Google as far as I could throw them, I trust the EFF and Tor a lot more than I trust this Winer guy.

Comment Winer vs. the EFF (Score 1) 435

Dave Winer seems to think this is a Google thing. In point of fact, HTTPS Everywhere is sponsored by the EFF and Tor. And Let's Encrypt is run by an umbrella organization whose members include the EFF and Mozilla as well as Google, Cisco, and Akamai.

I don't have much trust for Google, but I do have a lot more trust for the EFF than I do for some random software developer. Even if he's old. I'm sure Winer is well-intentioned (given his history), but he doesn't seem to have done his research very well, in this case.

The EFF's reasons for supporting https are a lot stronger than Winer seems to realize. Google's reasons, I can't address, since I'm not familiar with them, but the EFF's arguments are pretty strong. MITM attacks at the government actor level are not just hypothetical.

From the EFF's page:

Content injection is when someone adds data or code to your communications with an HTTP web page. For example, it's how GCHQ and NSA took over a Belgian ISP's computers. Content injection is also how China took down GitHub with a massive DDoS attack, dubbed "The Great Cannon". Content injection is also becoming popular with ISPs. Verizon injected tracking headers into every request made by their customers. And Comcast injects pop-ups into sites where they don't belong. All of these attacks can be stopped by HTTPS, provided it is implemented and made default on enough sites.

Now, I admit there are still some questions which aren't as frequently discussed as they should be, such as private LANs where https isn't an option. (I have http services running on such a LAN myself.) But that can be dealt with. For IP4, it's fairly easy--whitelist private ranges. For IP6, you'd have to have a way of designating your trusted network. But it can be dealt with. And the public Internet should be encrypted. Anyone who argues otherwise is simply clueless. (Or culpable.)

Comment Re: GR Security now judged illegal? (Score 1) 141

No one in this thread (neither me nor anyone else) has claimed that "the GPL is copyright"--your reasoning here is pure strawman--but that doesn't change the fact that all possible violations of the GPL are also copyright violations. In the eyes of the law, this is purely a coincidence (even though the GPL was carefully written to ensure that this would be the case). Thus, the violation of copyright and the breach of contract are separate matters to be judged separately.

The GPL explicitly allows anything copyright allows. Thus, all violations of the GPL are violations of copyright law. Not because the law says so, but because it's logically impossible for it to be otherwise.

But because they're separate issues in the eyes of the law, you can still be guilty of both. The contract issue isn't going to be dismissed just because it happens to involve copyright violation. Even though all possible contract violations happen to be copyright violations, the law is still going to judge on a case-by-case basis, since the GPL is a contract/license, not a law.

So, the bottom line is that the OP's claim ("violating the GPL is violating the law") is true, not because the GPL is part of copyright law (your bizarre strawman theory), but because only actions which would otherwise violate copyright law are capable of violating the GPL. There doesn't have to be an explicit legal link if one set of actions is a strict subset of the other. Which it is.

Comment Re: GR Security now judged illegal? (Score 1) 141

A single action can be the subject of multiple charges. In this case, Artifex decided to sue for both copyright infringement and breach of contract for the same action--distributing a derived version of their software. Why? 1. It's considered good practice to throw all the charges you can in court, in case some of them don't stick. 2. It can result in a bigger judgment/more money to win on multiple charges.

And no, the courts wouldn't have dismissed the claim just because it was also a copyright violation. That's not how things work. If you steal from your employer, they're likely to charge you with both theft (or embezzlement) and breach of your employment contract. The fact that your behavior was against the law doesn't change the fact that it also violated your contract, and certainly doesn't render it irrelevant. Why would it? Why on earth would those charges be dismissed? The things you people come up with. Sheesh!

Bottom line, the GPL only covers the distribution of software, and thus, it is impossible to violate the GPL without distributing the software, and distributing without the permission granted by the GPL is a copyright violation, so any violation of the GPL is, inherently, a copyright violation.

Comment Re: GR Security now judged illegal? (Score 1) 141

It doesn't matter that it's a contract. You still can't violate the GPL without violating copyright, because you can't agree to the GPL except by engaging in behavior (distribution) which would be a copyright violation if not for the GPL. If you haven't distributed the code, you're not bound by the contract. If you have, and you violate the GPL, then you've also violated copyright, because you distributed the code without a valid contract/license. There are no other possibilities with the GPL (even if there certainly are with contracts in general).

Not all automobiles are trucks, but all automobiles which are trucks are trucks, and all violations of the GPL are copyright infringements, because the GPL doesn't apply to any not-potentially-infringing activities.

And I'm not sure what you think Artifex proves, since Artifex sued for copyright violation as well as contract violation. Which is sensible, because it's impossible to violate the GPL without violating copyright law.

Comment Re: GR Security now judged illegal? (Score 1) 141

No, if you violate the GPL, you violate the GPL. You do not necessarily violate copyright.

The GPL says that you do not have to accept its terms, and can simply abide by normal copyright rules instead. So, unless you're doing something that would otherwise violate copyright, it doesn't even apply. And you can't violate the GPL when it doesn't even apply!

So that only leaves cases where 1. you're violating what copyright law would allow, but following the GPL (which is fine) or 2. violating what copyright law would allow and violating the GPL. Thus, if you're violating the GPL, you're violating copyright law.

It's really that simple.

Specifically, you may modify the source code but you must publish your modifications if you re-distribute.

That's not a restriction. Copyright law doesn't allow you to redistribute in the first place, so that's merely a limited grant of permission. You can redistribute (which copyright law doesn't allow) if and only if you do X. That doesn't make X a restriction. It makes X a contingent condition on the permission you wouldn't otherwise have. The sum total is still more permissions than you would have had otherwise. Even if you don't like the specific conditions.

After all, if you don't like the GPL's conditions, you can ignore them and follow copyright law instead. So how can that possibly be a restriction of any sort? The only immutable restrictions are those which are not allowed by copyright law or by the GPL. And the only reason you have to obey those restrictions is because they're part of copyright law. The GPL doesn't restrict you at all. Copyright law does all the restricting. The GPL simply outlines the very specific terms under which you can ignore the normal restrictions of copyright law.

Comment Re:GR Security now judged illegal? (Score 3, Informative) 141

If the patches are not in compliance with the GPL, then they're being distributed in violation of copyright law. Which is illegal, last I checked.

The GPL doesn't have to be "codified into law", because nothing else gives you permission to distribute the code in question. The only purpose of the GPL, really, is to provide people with a defense against infringement charges by the copyright holders. And technically, it contains no restrictions at all--it simply has limits on the otherwise-illegal things it allows you to do. Anything copyright law allows, the GPL allows. So the only way to "violate the GPL" is to do something against the law.

That said, we still have no idea whether GR Security is violating the GPL (and thus copyright law). All we really know is that Bruce is entitled to his opinion.

Comment Re: Why blame Amtrak? (Score 1) 240

A "privately operated company" that only still exists because of decades of government support.

They're "privately operat[ing]" on government handouts. So, yeah, seems pretty reasonable to me that the government gets a say in how they operate. You might question whether they should be operating at all, but that's a separate question.

Comment Start prepping for a possible move, but not commit (Score 2) 241

Basically, I consider this development worrisome, but not frightening. There are a number of possibilities for how things could go. Therefore, my current plans are:

1. Make sure I have accounts with some of the competing services, so I can move if necessary.
2. Familiarize myself with the competing services, so I won't be caught flat-footed if I have to move.
3. Keep a sharp eye on any further developments on the Github side, so I can (hopefully) see when it's time to move.

Yes, I could have just voted "Continue to use Github", but that seemed like a...partial truth, so I picked "Other" instead.
