All posts by Daniel Stenberg

Development

strcasecmp in Turkish

A friendly user submitted the (lib)curl bug report #2154627 which identified a problem with our URL parser. It doesn’t treat “file://” as a known protocol if the locale in use is Turkish.

This was the beginning of a minor world-moving revelation for me. Of course this is already known to mankind and I’m just behind, but really: lots of my fellow hacker friends had no idea either.

So “file” and “FILE” are not the same word case insensitively in Turkish because ‘i’ is not the lowercase version of ‘I’.

Back to strcasecmp: POSIX pretty much makes the function useless by saying that “The results are unspecified in other locales [than POSIX]”.

I’m a bit annoyed by this fact, as now I have to introduce my own function (which thus cannot use tolower() or toupper() since they also are affected by the locale) and use since the strings in our code is clearly used for “English” strings so file and FILE truly are the same string when compared case insensitively…

Licensing, Open Source

Copyleft and closed dual license ethics

3 Comments

There are a bunch of companies out there today that offer their products in a dual-license style, where you can download and use the GPL licensed version or buy the proprietary licensed version (often together with some kind of service deal) that you then can use without the “burden” of a GPL agreement. Popular known brands doing this include Trolltech/Qt (now Nokia), MySQL (now Sun), OO.o (Sun), Sleepycat (now Oracle) (Berkely DB is not strictly GPL but still copyleft) and VirtualBox (now Sun) etc.

It’s perfectly legal for them to do this, as the company is the copyright holder of all the files, they can just easily re-release everything under whatever license they want at their own discretion. The condition is of course that they are in fact copyright holders of everything, that the parts they don’t have copyright for are either licensed under an enough liberal license or that they can buy a similar relicense from third party lib authors.

It kills contributions from non-employees since doing a large chunk of code for these guys means that you would hand over copyright to a company whose entire business idea is to convert that to a proprietary license and make money from it. In a way you cannot do yourself since they can turn the GPL code into proprietary goods and you cannot. This may be a clue to why MySQL has less community contributors. The forced assigning of copyright over to a company could very well also be a contributing factor to OO.o’s problems to attract developers.

Companies “hide” the truth about this and try talking customers into the proprietary license. I’ve worked a bit with Qt and the wording they have used have often given companies the impression that they have to pay for the proprietary licensed version to be allowed to use the product in a commercial product. I’ve had to explain to several customers that as long as they just adhere to GPL they can use the free version just fine without paying anything. Trolltech also has this dubious condition tied to their commercial license: “The Commercial license does not allow the incorporation of code developed with the Open Source Edition of Qt into a commercial product.“[*] Needless to say, this will prevent companies from trying the open source licensed route first. I’m curious if they even have the legal right to make that claim.

This puts competitors at an arm’s distance of course since no other companies can take the code and conduct business the same way. Of course this is part of the reason why they gladly adapt GPL for this. Lots of actions by these companies make me feel that they aren’t real and true open source believers, but that they use this label a lot for marketing and for making sure competitors can’t do the same as they do.

The GPL version is without support for customers in another push to drive them to pay for the proprietary license instead of the GPL one. Of course, it being open source lets companies going the GPL route to fix their own problems since they have the source and all, but the push towards the proprietary license also narrows how many customers that will actively contribute anything back since there’s little chance they will do anything in a project with a proprietary license. I honestly can’t see many other possible legitimate reasons why companies wouldn’t do support for the GPL licensed versions.

I’ve not personally worked in any of these projects under such proprietary licenses, but I would love to hear experiences from people that have!

Obviously all this are not problems large enough to concern users. Quite possibly so because these companies do a good enough job and keep the GPL versioned versions of their software at a sufficiently good quality so that there just don’t appear any forked projects that take the GPL version and run with it in a different direction. Another explanation could be that there are good enough alternative projects to go with if you’re not happy with one of these dual-licensed ones.

A little related anecdote told to me by an MySQL employee (who’s name shall remain untold). He described how they still haven’t implemented a feature in MySQL that many people have requested, since they according to him don’t want to cram in more stuff in the existing branch but instead are releasing it in the next major release (due to release in 4-6 months or similar). In the next sentence he explained how they already have it implemented in the closed version for at least one paying customer… Any (other) true open source project would’ve made that change available as a patch/branch in the GPL version for the public.

I’m pretty sure I personally would release my patches as open source only if I would change any code for any of these products. But yeah, that would mean that they would never get incorporated into their “real” products…

Open Source

Nordic Free Software Award Nominee 2008

It seems I’m again (as I was last year) nominated for the Nordic Free Software Award.

They list thirteen nominees, of which there are four organizations/companies. I’m proud to be mentioned in such a swell company.

Unfortunately I cannot be present at the FSCONS itself this year (where the award is being handed over), so all the partying and celebrating the award winner will have to be done without me! 🙂

cURL and libcurl

Another curl scan shows work to do

The nice guys on Coverity did a new scan on curl (the 7.19.0 source code) and they dug a bunch of new flaws. The previous version they checked was 7.16.1, release some 20 months before. The new changes are not only because of how the code has changed in the mean time, but it seems their scanner have improved a bit since the last time as well!

Here’s a sample view of how libcurl might dereference a NULL pointer with a step-by-step explanation on what conditions that lead to the flaw:

They identify 22 flaws and I found it interesting to compare the top list of bad functions as reported by Coverity with the complexity list I showed the other day. First we need to ignore the 9 flaws Coverity found in the ‘curl’ tool code (i.e not within the library). Then the 10 remaining functions with flaws marked by Coverity are:

  • Curl_getinfo (4 flaws, all the other ones have one each)
  • Curl_cookie_add (present in the complexity top-10 table)
  • FormAdd (present in the complexity top-10 table)
  • parsedate
  • ftp_parse_url_path
  • tftp_do
  • resolve_server
  • curl_easy_pause
  • add_closure
  • Curl_connect

See? Only two of them were present in that list. The Coverity tool does in fact also count the complexity for each function, and while it doesn’t match the values pmccabe shows exactly, they seem to agree in general about what functions that are the most complex ones.

Ok, now let’s go work on fixing all these problems…

Rockbox

Meizu M3 displays Rockbox

Just days after the nice Sansa v2 LCD screenshots, the guys on the Meizu front brought this picture (photo taken by Frank Gevaerts).

It does show a working LCD driver although of course the colours are all messed up due to some glitch still remaining in there…

It’s somewhat confusing with another model called M3, as Rockbox already runs on the iAudio M3 since March 2008. I think we need to refer to the Meizu M3 as MM3 or perhaps always with Meizu prepended or similar to differentiate between them properly.

Nice job!

cURL and libcurl, Security

Curl Cyclomatic Complexity

I was at the OWASP Sweden meeting last night and spoke about Open source and security. One of the other speakers present was Simon Josefsson who in his talk showed a nice table listing functions in his project sorted by “complexity“. Functions above a certain score are then considered “high risk” as they are hard to read and follow and thus may be subject to security problems.

The kind man he is, Simon already shows a page with a Curl Cyclomatic Complexity Report nicely identifying a bunch of functions we should really consider poking at to decrease complexity of. The top-10 “bad” functions are:

Function Score Statements Lines Code
ssh_statemach_act 254 880 1582 lib/ssh.c
Curl_http 204 395 886 lib/http.c
readwrite_headers 129 269 709 lib/transfer.c
Curl_cookie_add 118 247 502 lib/cookie.c
FormAdd 105 210 421 lib/formdata.c
dprintf_formatf 92 233 395 lib/mprintf.c
multi_runsingle 94 251 606 lib/multi.c
Curl_proxyCONNECT 74 212 443 lib/http.c
readwrite_data 73 127 319 lib/transfer.c
ftp_state_use_port 60 195 387 lib/ftp.c

I intend to use this as an indication on what functions within libcurl to work on. My plan is to primarily break down each of these functions to smaller ones to make them easier to read and follow. It would be cool to get every single function below 50. But I’m not sure that’s feasible or even really a good idea.

Rockbox

Rockbox displays stuff on Sansa v2

3 Comments

The small team of Rockbox hackers working on the Sandisk Sansa v2 architecture have been doing some great progress recently and I think it’s fair to say that we all enjoy Rafaël Carré’s photo on the left here (showing a Sansa Clip) that shows the state of where things are right now.

There is code running. There’s a start on a LCD driver and there’s a working concept to put our own bootloader code onto the device that can load and start rockbox in a future.

Nice work on this guys!

Rockbox

Rockbox on FLOSS Weekly #43

Randal Schwartz and Leo Laporte interviewed our own Paul “Llorean” Louden about the Rockbox project on FLOSS Weekly and we were a bunch of Rockboxers hanging out on the IRC channel #rockbox while it was streamed live. This will be in the FLOSS Weekly episode #43 that’s supposedly going to become available on friday the 3rd of October.

I think Paul did a great job explaining a lot of things, big and small, around the project and how it works and runs.

Rockbox

Not Based on Linux

Linux Action ShowOk so the guys on the Linux Action Show podcast don’t really get a lot of bonus points from me lately. The episode after they had their “we need to sell proprietary software” outburst, they slammed the Rockbox 3.0 release (roughly 23:40 into the episode for you who want to fast-forward to it).

They started off the news about Rockbox 3.0 claiming it is based on Linux (which it isn’t and never was), only to mention that they failed to install on their ipod 3rd gen at their first attempt (but succeeded at a second attempt), whined somewhat on the installer and then again complained about the inability to install themes even though this is 3.0 yada yada yada.

All in all, pretty much a complete non-understanding for the hard work and endless time that hundreds of people have put into Rockbox. Nothing particular to hear or care about, just a bit annoying.