[personal profile] mjg59
Update: A Canonical employee responded here, but doesn't appear to actually contradict anything I say below.

I wrote about Canonical's Ubuntu IP policy here, but primarily in terms of its broader impact, but I mentioned a few specific cases. People seem to have picked up on the case of container images (especially Docker ones), so here's an unambiguous statement:

If you generate a container image that is not a 100% unmodified version of Ubuntu (ie, you have not removed or added anything), Canonical insist that you must ask them for permission to distribute it. The only alternative is to rebuild every binary package you wish to ship[1], removing all trademarks in the process. As I mentioned in my original post, the IP policy does not merely require you to remove trademarks that would cause infringement, it requires you to remove all trademarks - a strict reading would require you to remove every instance of the word "ubuntu" from the packages.

If you want to contact Canonical to request permission, you can do so here. Or you could just derive from Debian instead.

[1] Other than ones whose license explicitly grants permission to redistribute binaries and which do not permit any additional restrictions to be imposed upon the license grants - so any GPLed material is fine

Deriving from Debian

Date: 2015-07-21 11:34 am (UTC)
From: (Anonymous)
"Or you could just derive from Debian instead."

Are you sure this is sufficient to stay clear of legal trouble? You also say that "[...] a strict reading would require you to remove every instance of the word "ubuntu" from the packages". There are plenty of packages in the Debian archive that contain the string "ubuntu" in changelogs (version strings in particular, but also maintainer e-mail addresses), documentation, and elsewhere. Many of these packages are required to run even a fairly minimal Debian system. Heck, even the linux package changelog has "ubuntu" all over it in Jessie.

Am I missing something or, by that "strict reading" is Debian also in violation of Ubuntu's (Canonical's) policies here?

Re: Deriving from Debian

Date: 2015-07-22 10:54 am (UTC)
From: (Anonymous)
As I understand it Debian haven't obtained those packages from Ubuntu, though, and so aren't subject to Ubuntu's conditions. The packages have been uploaded by the original copyright authors (that is, the packagers) and so the terms of use in Debian are whatever they've put in debian/copyright.

Re: Deriving from Debian

Date: 2015-07-22 09:32 pm (UTC)
From: (Anonymous)
First, let's be clear that Debian obviously doesn't distribute binaries built by Ubuntu. At least I would hope they don't. There are, however, tons of source packages in Debian that contain package changelog entries copied verbatimly from the corresponding Ubuntu source packages. Some of them even include Ubuntu release code names rather than the Debian ones. One would need to compare diffs of the package versions in question to be sure but I would think it's reasonable to assume that not only the changelog entries have been copied from Ubuntu but the source changes as well. It doesn't matter much who did the copying. How can you be sure that they had the right to upload to Debian under a different license? Were they even aware of the implications of Ubuntu's copyright policy? Often the Ubuntu uploader wasn't the same person as the Debian uploader. Also, Canonical employees don't own the copyright to their changes. Community packagers working on both Ubuntu and Debian packages simultaneously? Perhaps. But even if they do, will they indemnify you if Canonical thinks otherwise? At the end of the day, if you don't want to lull yourself in a false sense of security, you must assume that code has moved from Ubuntu into Debian and that this happened under Canonical's terms.

The open question is whether Canonical has a case for going after Debian or (and this seems more likely to me) someone basing their stuff on Debian. You can take your pick between copyright or trademark law. To get you into trouble under copyright law I guess it's sufficient if there's any code under a license that's liberal enough to allow Canonical to add the extra restrictions Matthew blogged about on top of it. If changes under that combined license have been imported from Ubuntu into Debian one could argue that Canonical has a case. Irrespective of the copyright policy, under a strict reading of trademark law it may be sufficient for anything in Debian to contain the string "*buntu". Whether either case stands any chance in court is not clear at all, though, but that's the point: There's a non-zero chance of success for Canonical. Thus, unless you have a large legal department and a budget to match, it's now just no longer a sane business decision to have this doubt looming over your product. You'll want to stay clear of this risk.

I believe Debian should take action. Whether that be seeking proper legal counsel as to whether or not Debian users may be affected by this (I'd sure like to be proven wrong!) and if so under what conditions and to what extent. Or whether it be removing code with problematic license status and any Ubuntu trademarks from the Debian archive just to be sure.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags