Tom Marble's Blog

Check out:

See also all posts and comments


Is SFLC Shooting Open Source in the Foot?

The academic article by SFLC about ZFS is troubling and may unintentionally shoot free software licensing in the foot.

When I was at Sun (as part of the team that released the Java Programming Language by starting the OpenJDK project) I often heard community concerns about the CDDL license. At the time the big complaint was about the "Choice of Venue" clause.

I got involved because Sun had developed many essential Java libraries and distributed them under CDDL. The community requested a more permissive license and I was able to convince internal project leaders (and Sun's lawyers) to make a licensing change for a handful of these projects. And there was much rejoicing.

Based on my experience in helping Java to become open source I came to appreciate the legal hacks on copyright which make open source possible. It's the free software license which uses copyright to enable sharing (vs. the default of disabling sharing).

Open Source Licenses

And so I have appreciated many of the writings and speeches from SFLC on the mechanisms of software freedom. I was particularly moved by the talks about the "Freedom Box" concept.

That's why this SFLC post on ZFS sounds so off key: if open source works because of free software licenses it seems weird to weaken that foundation by prioritizing the "equity" (or intended spirit) of the license.

Allow me to mention that as I do most of my computing these days on GNU/Linux I miss the super cool features of ZFS from Solaris. I did try an early version of btrfs and was quite disappointed (but that's another story).

In this happy case the source code for ZFS is available, but what about the future, when we aren't so lucky and someone asserts in court that the "you know, the software license was really about the spirit of sharing and that means we are allowed to use it -- and not be held to the pesky details as written in the license".

A lawyer I respect called this out: "Equity" has no place in US law. The point is that for lawyers software licenses work because they have clear, written rules to guarantee the spirit is upheld; but spirit doesn't work in front of a judge -- clear rules do.

Free and open source software has made so much progress in all facets of life why on earth would we second guess the licensing tools that made it possible? And why would SFLC try to shift the spotlight (and in this case the legal burden) to "a good-faith belief that the conduct falls within the equity of the license". Especially given the earlier comment which clearly states "[the combination] is inconsistent with the literal meaning of GPLv2 section 2(b)."


The entire raison d'être for open source software licenses was so that developers (and users) would have clarity and wouldn't have to ask permission to use the software!!!

As stated elsewhere (and like I did with those Java libraries) the easy solution is to have the ZFS copyright holder (now Oracle) reclicense (or dual license) the code under a compatible license (permissive or copyleft). If OpenSolaris was still a thing I might understand some hesitancy, but why not liberate ZFS now?

So we have to wonder what could possibly be motivating this odd "spirit of the license" position on the part of SFLC? Fortunately charities that enjoy non-profit status are required to make public filings of their income in something called a "Form 990". The latest SFLC 990 I could find shows SFLC getting 78% (or just over $5 million) from "non public support" (see page 14).

A number with "two commas" would even be interesting to for-profit companies. Just whom is making these "donations" and what exactly do they get in return? Apparently I'm not the only one wondering about this question.

On one hand it's important to know if SFLC as a non-profit is, indeed, acting in the public interest (as the IRS requires). Yet the even bigger issue here is would "asking for a consensus about the spirit" trump the written copyright license and set a scary precedent for open source software in general?

Testing 1 2 3

Testing 1 2 3

Does anyone use RSS anymore?

This is just a test post to make sure all the machinery is still working!


M41LZ in Tails

Here is the background on my workshop presentation M41LZ in Tails: securing e-mail at Code Freeze 2015. Currently the slides are under heavy development -- stay tuned as they are updated in anticipation of v1.0.0 on January 14, 2015. Of course the slides alone don't provided the extra commentary and personal experiences -- you'll have to come to Code Freeze for that!

Code Freeze 2015


Tom Marble is best known for being the first "OpenJDK Ambassador" on the Sun Microsystems core team that open sourced the Java programming language. Tom has a Masters degree in Electrical Engineering from the University of Minnesota where he worked under Otto H. Schmitt. He has combined his EE and community experiences in open source hardware projects such as USB TRNG and his software and intellectual property experiences by organizing a legal and policy issues track at Europe's largest open source conference, FOSDEM. Tom's passion for Free Software is demonstrated by frequent speaking at conferences such as O'Reilly's Open Source Convention, JavaOne, the Debian conference, Software Passion (Sweden), Fórum Internacional do Software Livre (Brazil) and Linux Conf Australia.

Mr. Marble is committed to increasing diversity in technology (especially in open source) by volunteering as an organizer for ClojureBridge Minneapolis -- a weekend workshop for women to learn the Clojure programming language -- as well as the GNOME Outreach Program for Women on behalf of the Debian project.

Tom is the founder of Informatique, Inc.: a consultancy which leverages his hardware, software and legal engineering background for client projects as diverse as telematics for electric vehicles, probabilistic model checking, autonomous cyber defense, and multiplayer online gaming.


We are stuck between knowing that our Internet communications are vulnerable and using overly complex crypto tools. This workshop will explain, step by step, how to use open source encryption available in a live USB drive based system to secure e-mail. Along the way you will learn about threats to anonymity on the web and how to harness the Web of Trust. We'll then explore the next steps to making secure e-mail more practical for everyday use.


The presentation can be viewed live at

The source for the presentation is at


Please let me know how I can improve this presentation!



Today I've made some modest changes to my CV, LinkedIn and various online profiles. The theme has been "less is more" and I want to highlight my interest consulting in Clojure, security and embedded hardware.

Why corp-to-corp consulting? I regularly get asked this question by companies that want to fill permanent, full-time positions. Having worked for big companies, small companies and even having founded a Silicon Valley startup from Minnesota (just think of the miles!) I've come to realize that consulting is a great fit for me. I can carefully chose clients projects that have really interesting problems and at the same time invest continually in personal development (e.g. conference organizing, working to increase the participation of women in open source software). One of the nice fringe benefits for clients is I can share best practices that I've learned in my travels with each engagement.

Let me know if your project could use some extra hands!



Yesterday I had a blast presenting my talk Security not by chance: the AltusMetrum hardware true random number generator at DebConf14.

DebConf 14

USB TRNG is a collaborative effort with AltusMetrum to create a completely open hardware and Free software true random number generator.

In my talk I mention the rationale for gathering more entropy: The Linux urandom boot-time entropy hole as described in the paper Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices.

I also mention some of the difficulty in assessing RNG quality for security applications as highlighted by Matthew Green in his blog post How do you know if an RNG is working?.

I've been lucky to work on this design with Bdale Garbee and Keith Packard.

If you'd like to learn more you can...

  • Download the presentation (see below)
  • Check out the web page for USB TRNG
  • Join us on IRC OFTC #altusmetrum
  • Join the trng mailing list

Let me know if you'd like to get involved!


10000 Processes in Om

10,000 Processes in Om

I have just published om-processes which is a port of David Nolen's 10,000 Processes in Clojurescript to Om.

Clojurescript is a port of Clojure to JavaScript which is especially well suited for running in a browser. Just as Clojure offers a pleasant LISP on the JVM Clojurescript offers (nearly the same) LISP in the browser. The performance of Clojurescript is outstanding due to the massive optimizations available from the Google Closure compiler.

JavaScript, however, has some fundamental flaws... Top among these are it is single threaded which leads to an asynchronous callback style of "event programming". Clojure's core.async offers a solution in the form of CSP style programming. Using core.async one can think about coding in a more intuitive way.

In 10,000 Processes Nolen demonstrates using core.async to simulate independent "threads" despite the fact that the underlying platform has no native support for threads.

In Om Nolen leverages Facebook's React to create a high performance, immutable model for client programming.

The technical study om-processes is simply the fusion of all these ideas into one demonstration. Who knew web development could be so much fun!

Is this thing still on

Is this thing still on?

This is just a test of posting to my blog.. it's been too long...

And, since I upgraded my VPS I realize the dates/ordering of posts was lost :(

I'll try to remedy this!

Legal Issues at FOSDEM 2014

Legal Issues at FOSDEM 2014

I'm very pleased to announce the Call For Participation for the FOSDEM 2014 Legal Issues DevRoom.

This is the third year that I've been lucky enough to collaborate with some leading practitioners of Free Software and Open Source licensing and community leadership to organize this intense event on the topic of what makes FLOSS possible and what are the key issues facing FLOSS today. I'm joined by my friends Karen Sandler, Bradley Kuhn, and Richard Fontana.

I have been fascinated by the intersection of law and technology because it is the clever use of copyright that makes Free, Libre and Open Source Software possible. We hope to stimulate discussion on topics such as:

  • Copyleft vs. permissive licensing: What is a policy case for copyleft? If so what form should it take?
  • How is software freedom important in ensuring privacy and security?
  • What defines a Free Software and/or Open Source project?
  • Do traditional Free Software values face some level of cooption from for-profit corporate interest? If so, how?
  • Copyleft licensing models and how they relate to business models. Are there some business models that are license-permissible but bad for community building? On the other side, does your license choice limit or expand your community?
  • Eroding software freedom in the proliferation of closed computing devices such as mobile phones and tablets
  • Copyleft enforcement and compliance planning from a developer perspective. What is the future of GPL enforcement? Is it working?
  • What is its impact on adoption of copyleft?
  • How does the 'so-called' software patent war impact Free Software and Open Source?
  • Copyleft license compatibility. What are the challenges of code base merges when various licenses are in use? How does a compatibility analysis between licenses work?

Please submit your talk idea before December 1st and plan to join us in Brussels on February 1st and 2nd!


ClojureBridge Minnesota

ClojureBridge Minnesota

Of course the weather being what it is -- winter came in with a bang -- our turnout last night at was light....


But we had a small, enthusiastic group that discussed the recent Clojure Conj by editorializing the fine blog bost by Logan Linn.

We also introduced the ClojureBridge effort to the group and everyone sees nice synergy between this and our recent success in November with "beginner's night" (which we plan to repeat every other meeting).

As a software development consultant I often co-work at CoCoMSP -- a melting pot of entrepreneurial energy. I have introduced the idea of hosting ClojureBridge at CoCoMSP with the founders and they are considering it (fingers crossed)!

Now we need to recruit more volunteers to help organize our local ClojureBridge Minnesota workshop next spring!

Ask me how you can help!


2011 and not J1

Calendar.getInstance().get(Calendar.YEAR) == 2011 && ! J1

Here we are in the middle of yet another J1 and, alas, I won't be joining folks in the City of Oracle World. Of course I'm skeptical of the "new" hotel based format (from last year)... But the reason I would want to go is, of course, the "hallway track": to see friends and colleagues like: @robilad, @alexismp, @mreinhold, @fabianenardon, @virtualsteve, @delabassee, @brjavaman, @karianna, @romainguy, @headius, @AzulSystemsPM, @jddarcy, @jfarcand, @tom_enebo, @asz and @terrencebarr.

I'm not even sure of Oracle is aware of the hallway track?

The big news recently for FLOSS enthusiasts was the sunsetting of the DLJ. When we released a redistributable version of Java under the DLJ in 2006 we heard a lot of criticism about this new, less restrictive license. The Free Java world saw it as simply "not enough". As it turns out on the same day Rich Green promised the open sourcing of Java and with this news the roar of applause was amazing. However it would take a full year before the complete publication of OpenJDK source code. And, even then, the community was frustrated by the lack of support for the Java plugin.

During this intitial period we heard from people such as the Brazilian's at FISL that the Java plugin -- now well integrated with GNU/Linux under the DLJ -- made it possible to do banking and file tax returns on their favorite platform. Meanwhile an open source plugin effort was underway. Largely through the efforts of RedHat OpenJDK gained a truly open source implementation of the plugin. However due to the lack of a public spec (and source code) it continues to be very difficult to get the exact same Java plugin behavior with the IcedTea plugin.

Before the acquisition of Sun many of us had hoped that the code for the new Java plugin would be contributed to OpenJDK. Even though Larry has a beard he clearly doesn't drink the open source Kool-Aid and thus Oracle has decided to continue the closed plugin status. Since UI developers gave up on applets long ago maybe this is just an annoyance... At the very least its a shame that we now have a completely fractured Java plugin landscape and GNU/Linux users that need applets will have to struggle (as in the bad old days) to configure their browsers correctly.

Despite this setback it does seem that Java technology is enjoying a renaissance in the form of dynamic languages built on top of the JVM. I'm hoping to help with the modularization of OpenJDK and encourage community based performance analysis tools that extend the platform.

Send me a tweet and let me know how the hallway track is going!


This blog is powered by ikiwiki