Your Ubuntu-based container image is probably a copyright violation

[mjg59]

Update: A Canonical employee responded here, but doesn't appear to actually contradict anything I say below.

I wrote about Canonical's Ubuntu IP policy here, but primarily in terms of its broader impact, but I mentioned a few specific cases. People seem to have picked up on the case of container images (especially Docker ones), so here's an unambiguous statement:

If you generate a container image that is not a 100% unmodified version of Ubuntu (ie, you have not removed or added anything), Canonical insist that you must ask them for permission to distribute it. The only alternative is to rebuild every binary package you wish to ship[1], removing all trademarks in the process. As I mentioned in my original post, the IP policy does not merely require you to remove trademarks that would cause infringement, it requires you to remove all trademarks - a strict reading would require you to remove every instance of the word "ubuntu" from the packages.

If you want to contact Canonical to request permission, you can do so here. Or you could just derive from Debian instead.

[1] Other than ones whose license explicitly grants permission to redistribute binaries and which do not permit any additional restrictions to be imposed upon the license grants - so any GPLed material is fine

Comments

Ubuntu and copyright violations for containers ...

[flosslinuxblog.blogspot.co.uk]

I recently went on a formal AWS course. Advised to use Amazon's own Linux for machines, I pointed out that I would use Debian for preference because of licence and patent concerns and because I'd know what was in them and was told "Why on earth would anyone use Debian?" [The rest of my colleagues in the room collapsed in laughter at this point, since they know me].

Presumably Fedora containers would also be licensing and copyright appropriate: I'm not sure, given Red Hat policies on licensing and derivatives now whether I'd want to base containers on CentOS

Re: Ubuntu and copyright violations for containers ...

[(Anonymous)]

We concluded on Twitter that a Fedora-based container with modifications or additional bits is a bit of a grey area if it contains any Fedora branding; it's fine from a copyright point of view, but we haven't really considered the Fedora trademark policy for that case so far as anyone who was discussing it knew. At worst, though, you'd be fine building a container using the generic-release and generic-logos packages instead of fedora-release and fedora-logos (though the idea is actually that you use generic-foo as templates and build your own packages with whatever branding you like) - you don't have to rebuild anything else.

Re: Ubuntu and copyright violations for containers ...

[quaid.id.fedoraproject.org]

As said above, for Fedora and CentOS, it's pretty straightforward and unambiguous. Copyright is only involved in giving rights under license, the question here is one of trademark. If there is any apparent gray area, it would be good to go with a report to one of the appropriate email addresses -- legal@lists.fedoraproject.org or centos-tm@centos.org. There is an explicit goal in both projects to be as reusable as possible.

In both distros, there are two packages that need to be changed - *-release and *-logos. That is, fedora-release and fedora-logos, or centos-release and centos-logos. This is a very long established practice with a history of public support from Red Hat's legal team that you can do-what-you-like as long as you change those two packages and have a different name for your release.

In fact, the Fedora Project has the 'Fedora Remix' logo process that allows you to do what you like with the code, and you have the option of calling it a 'Fedora Remix' - https://fedoraproject.org/wiki/Remix (https://fedoraproject.org/wiki/Remix)

You do not need to rebuild the rest of the distro. You just need to replace the logos in the above two packages, rebuild them, and you are good to go. In fact, as mentioned above, Fedora has a generic-logos package -- you don't have to bother with artwork (as long as you don't mind dancing hot dogs of unknown meat-like origin https://bugzilla.redhat.com/show_bug.cgi?id=495561 (https://bugzilla.redhat.com/show_bug.cgi?id=495561) .)

It is true that both projects ask that you do not call your release 'Fedora' or 'CentOS' if you change any packages, and the reasoning is pretty clear -- when you rebuild, you could introduce changes (including malicious code on purpose or by accident), and both communities have enormous reputations to protect. What they release is built, tested, and signed on a protected build system. That's part of what the brand (trademark) promise provides.

[(Anonymous)]

Question: If I would redistribute this artcle and modify a few sentenses in there. Would it be ok to do that in your name, or would you prefer I'd ask you for permission before doing so?

Now, if I'd just copy it into my local archive, would you still care about me modifying it?

[mjg59]

That would be a great analogy if anybody were saying they should be allowed to distribute modified Ubuntu while calling it unmodified Ubuntu, but since nobody is saying that it kind of falls down.

[(Anonymous)]

Fart fart fart

only binaries?

[(Anonymous)]

Does this only apply to binaries, i.e. images, or also to Dockerfiles themselves?

I sincerely hope that it at least only cover the former... The latter could then also be expanded to blog posts explaining how to install software ;-)

[(Anonymous)]

Wouldn’t that be a trademark violation rather than a copyright violation? You still can distribute the same software, in terms of functionality, but you can no call it “Ubuntu”.

[grok-mctanys.livejournal.com]

No, it can still be a copyright violation.

Remember, by default everything is copyrighted to its respective author. As a recipient, you only have fair use rights to make and/or distribute copies. The only reason you can make as many copies as you want of Ubuntu (or GPLd works, or works under other Free licenses) is that they come with a copyright license which allows you to make copies - provided you adhere to the other conditions in the license.

As per the GPL: "However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so."

So, if the copyright license says "you can only make copies if a) they are *identical* to the original, or b) if you remove *all* references to Ubuntu and recompile everything from sources yourself" and you fail to honour that, then you're in breach of copyright.

[(Anonymous)]

You're almost correct, but entirely wrong.

There's a lot of irrelevant ifs in here. Canonical does not have a license that states anything like this. They do however own the 'Ubuntu' trademark. This is entirely a trademark violation, copyright has nothing to do with it.

[mjg59]

They require you to remove trademarks even for non-infringing uses. They require that you rebuild software that doesn't embody the trademarks. This is not limited to trademark law.

does not apply to real life

[(Anonymous)]

but seriously, who is using ubuntu, debian or even fedora for containers? Yes, there are many pre-fabricated containers on the docker hub, done by amateurs that have no clue about real world computing, but everybody can post there and docker does not do any checks on the material posted there, as a result the docker hub is a worse place than wordpress plugins, it is 90% crap and has no relevance to real work. Nobody in a real work scenario with some minimal skills and security requirements will use a container made by some random guy found on a public hub, and certainly you will not build your ultra-slim microservice infrastructure with some bloat-distro like ubuntu oder redhat. OTOH for private usage this is no problem either, so this is a non-issue.

Re: does not apply to real life

[(Anonymous)]

+1

Deriving from Debian

[(Anonymous)]

"Or you could just derive from Debian instead."

Are you sure this is sufficient to stay clear of legal trouble? You also say that "[...] a strict reading would require you to remove every instance of the word "ubuntu" from the packages". There are plenty of packages in the Debian archive that contain the string "ubuntu" in changelogs (version strings in particular, but also maintainer e-mail addresses), documentation, and elsewhere. Many of these packages are required to run even a fairly minimal Debian system. Heck, even the linux package changelog has "ubuntu" all over it in Jessie.

Am I missing something or, by that "strict reading" is Debian also in violation of Ubuntu's (Canonical's) policies here?

Re: Deriving from Debian

[(Anonymous)]

As I understand it Debian haven't obtained those packages from Ubuntu, though, and so aren't subject to Ubuntu's conditions. The packages have been uploaded by the original copyright authors (that is, the packagers) and so the terms of use in Debian are whatever they've put in debian/copyright.

Re: Deriving from Debian

[(Anonymous)]

First, let's be clear that Debian obviously doesn't distribute binaries built by Ubuntu. At least I would hope they don't. There are, however, tons of source packages in Debian that contain package changelog entries copied verbatimly from the corresponding Ubuntu source packages. Some of them even include Ubuntu release code names rather than the Debian ones. One would need to compare diffs of the package versions in question to be sure but I would think it's reasonable to assume that not only the changelog entries have been copied from Ubuntu but the source changes as well. It doesn't matter much who did the copying. How can you be sure that they had the right to upload to Debian under a different license? Were they even aware of the implications of Ubuntu's copyright policy? Often the Ubuntu uploader wasn't the same person as the Debian uploader. Also, Canonical employees don't own the copyright to their changes. Community packagers working on both Ubuntu and Debian packages simultaneously? Perhaps. But even if they do, will they indemnify you if Canonical thinks otherwise? At the end of the day, if you don't want to lull yourself in a false sense of security, you must assume that code has moved from Ubuntu into Debian and that this happened under Canonical's terms.

The open question is whether Canonical has a case for going after Debian or (and this seems more likely to me) someone basing their stuff on Debian. You can take your pick between copyright or trademark law. To get you into trouble under copyright law I guess it's sufficient if there's any code under a license that's liberal enough to allow Canonical to add the extra restrictions Matthew blogged about on top of it. If changes under that combined license have been imported from Ubuntu into Debian one could argue that Canonical has a case. Irrespective of the copyright policy, under a strict reading of trademark law it may be sufficient for anything in Debian to contain the string "*buntu". Whether either case stands any chance in court is not clear at all, though, but that's the point: There's a non-zero chance of success for Canonical. Thus, unless you have a large legal department and a budget to match, it's now just no longer a sane business decision to have this doubt looming over your product. You'll want to stay clear of this risk.

I believe Debian should take action. Whether that be seeking proper legal counsel as to whether or not Debian users may be affected by this (I'd sure like to be proven wrong!) and if so under what conditions and to what extent. Or whether it be removing code with problematic license status and any Ubuntu trademarks from the Debian archive just to be sure.

Is that so ?

[(Anonymous)]

"Any redistribution of modified versions of Ubuntu must be approved, certified or provided by Canonical if you are going to associate it with the Trademarks."

"If you are producing software for use with or on Ubuntu you may reference Ubuntu, but must avoid: (i) any implication of endorsement, or (ii) any attempt to unfairly or confusingly capitalise on the goodwill of Canonical or Ubuntu."

So let me summarize.
- GPL is out of scope
- Personal Use or internal organisational use is out of scope
- Redistribution is out of scope, provided you don't want to associate your altered package with Ubuntu trademarks, which does not mean you can't refer to Ubuntu

[(Anonymous)]

So distribute the original instead and run a script on the user's system removing all unnecessary files ...

[(Anonymous)]

It is not that easy. With docker you distribute an image with an installed ubuntu + some packages and maybe some self compiled stuff. This image is no official distribution image of canonical, so you are not allowed to use their trademarks. That's why it's a problem with docker.
Your approach is to use an official base image (is there one?) from canonical and a Dockerfile.

totally likely to happen

[tigrmesh]

I can see this happening.

You have an idea, and it's a one-off/prototype, and you just want to see if it works, and you're excited, so you use a container that will be quick to set up, and then it does work, and you show it off … and you just violated copyright.

It's very easy to get swept up in the excitement of open source without really thinking about what that means. Almost everyone I know is a) quite young, b) new to open source, c) new to linux, or d) all three. Many of them don't think about copyright or licensing. And many don't realize all the ways that those apply.

So where I live, it's "totally likely to happen".

Thanks for being clear.

Vagrant?

[(Anonymous)]

Presumably this same policy also applies to non-container images like for Vagrant?

Is that so ?

[(Anonymous)]

First, this violation only implies certain distribution of images, what you fail to mention completely. "Canonical insist that you must ask them for permission to distribute it" is a false statement. Personal and internal use is excluded completely and are always permitted.

Second, you state "The only alternative is to rebuild every binary package you wish to ship[1], removing all trademarks in the process." Again a false statement. Canonical has made it crystal clear that a solution using overlayfs on top of the official ubuntu image is 100% legit and as such always permitted.

Yet your title reads "Your Ubuntu-based container image is probably a copyright violation", which is simply untrue, a big generalization, and FUD. IMHO your personal quest damages the FOSS world more than the things you are writing about.

Re: Is that so ?

[mjg59]

Personal and internal use is excluded completely and are always permitted.

I mean yeah but that doesn't sound like any of the interesting cases.

Canonical has made it crystal clear that a solution using overlayfs on top of the official ubuntu image is 100% legit and as such always permitted.

No, certain Canonical employees have said that Docker images that inherit from the official Ubuntu image are fine. They haven't pointed to anything in the policy that permits this, they haven't said that this is true of the general case, and they haven't made it clear that this is an official position. There's probably still enough to claim estoppal in the Docker case, but outside that I think you're on your own.

Sure! I dislike Ubuntu IP as well.

[(Anonymous)]

While I use ubuntu derivatives on my computers, their IP and somesuch is a crap. So when it comes to making embedded designs, I'm really much better using Debian. There are far more picky about IP things and do not expose any weird/non-reasonable requirements eiter.

So if Canonical wants to hurt their systems adoption: okay, I think they acieved it. So at least some part of Internet Of Things going to be Debian based instead. Whatever, Ubuntu is just too risky/troublesome to use it in any commercial application. And it is their IP policy to blame.

[(Anonymous)]

So for this reasons almost all official docker images built against Debian not Ubuntu

Ilyas Bakirov