Applying for fiscal hosting

Started by a1ex, September 16, 2020, 09:19:57 PM

a1ex

Topic split from https://www.magiclantern.fm/forum/index.php?topic=24548.0

Quote from: nikfreak on September 03, 2020, 11:33:59 PM
Please just sign up for a patreon page to pay the bills. Then let's grab you at least a 5mkiv or whatever your heart wishes to do the magic work. Community will support it.

Well, given the recent evolution of the project (in particular, recent contributions), opening an individual Patreon page doesn't make sense to me. If we do some kind of fundraising, it has to be for the entire team of developers and contributors, not just for one individual developer. And I think I've found a much better tool for this purpose.

I'm looking at Open Collective. They offer something similar to a non-profit organization, but without the requirement to incorporate one - they call it a "virtual non-profit". It's fully transparent (everybody can see how we spend the money), they do all the paperwork for us (for a fee), and it's open to all contributors, not just to one particular person, or to a closed group of core developers. Anyone can submit invoices to be reimbursed for project-related expenses, but the core team has to approve them. It even allows paying contributors for their time, as long as they can submit an invoice as a freelancer (but - depending on their country - they may need to register a local business or a sole proprietorship).

In other words, with Open Collective, even if I won't be available for some months (hopefully not years), the project will be able to continue without my direct involvement - as the money from the supporters won't be in my pockets, but available to the entire team of developers/contributors (whoever will still be active in the community). That would be pretty difficult to achieve with Patreon.

Open Collective already offers fiscal hosting for several open source projects - both US-based (Open Source Collective) and EU-based (Open Collective Europe ASBL). Some projects hosted there:

- Qubes OS (US host)
- Mastodon (US host)
- Vue JS (US host)
- Rada.re (US host)
- Tor (US host)
- Manjaro (EU host)
- many others

Here's our page on Open Collective - but it's not functional yet (you can't donate yet).

Also worth reading:
- What is Open Collective & how it works?
- Open Collective is a New, Transparent Way to Fund Open Source Projects
- Open Collective Docs - all of them :)
- The Value of Fiscal Sponsorship in FLOSS Communities (also covered on LWN)

I got in touch with Open Collective in spring 2019, but had to abandon the idea for a while (having several unfinished projects in the pipeline, then pandemic etc). Back then, they were very friendly and open towards our project, so... earlier this week I decided to resume the application process. They even offered to help with legal advice - will keep you posted once I have more details.

We still need to choose between the EU-based host (my personal preference), or the US-based one (which is specifically tailored to open source projects, and - according to OC admins - much better prepared for hosting our project). Last year I would have strongly leaned towards the EU-based host, primarily because of DMCA, but this is no longer a critical issue (in my opinion for now, to be confirmed).

Assuming this will work out, i.e. if the level of support allows me to return to the project without risking my ability to pay the bills, I'll do just that - my job still allows some degree of flexibility. Otherwise, if the donations are not enough to partially cover my costs of living, but they exceed the hosting costs, I might be able to reimburse contributors for their project-related expenses (such as high-speed cards, or nonfree documentation, or equipment needed for reverse engineering, maybe a camera or two... depending on the budget).

Of course, in the past, there were voices completely against money (very understandable), so if there are any concerns with my proposal, I won't move forward unless consensus is reached. I haven't sorted out the details yet - last year I got the green light from Trammell and g3gg0, which is why they are listed on our Collective page linked earlier.

nikfreak

Finally! Glad you decided to collect some money.

Edit: Didn't know OpenCollective but being fully transparent really suits you as a person and the ML project. Chapeau!
70D.112 & 100D.101

domasa

Idea: Future builds could be available for donors only. It would motivate more to donate :)

First ML build was also for additional fee (if I remember correctly).

Walter Schulz

Consensus requires discussion. Or at least an opinion/statement. Don't see much progress here. Status?

garry23

I went to the open collective page, but it's not clear if we are 'active' yet.

I'm ready to support  :)

Cheers

Garry

nikfreak

70D.112 & 100D.101

a1ex

Indeed, this takes time. However, the latest update from Open Collective left me without many hopes - apparently they are not very comfortable with the legal gray areas. They might have a long answer in 3 weeks or so; until then, I can only speculate.

Their initial reaction was very good though - apparently they already knew about our project before initiating the discussion. Maybe there's still some tiny hope.

Still looking into alternatives.

a1ex

Status update: as you might have expected, Open Source Collective (US-based) has to be very careful not to put themselves at risk by accepting us, so they had to review our reverse engineering activities. Unfortunately the response wasn't positive.

After a virtual meeting with their lawyer, together with g3gg0 and coutts, where we tried to explain what we do and what the points we are careful about are, things progressed a little. Earlier this week, I received a small positive sign that there might be a way forward - still waiting for the details.

In any case, one of the biggest roadblocks is the FIR encryption, which might be problematic under DMCA - although we don't distribute any Canon code in our downloads, and we don't publish any encryption tools either. On recent models - since DIGIC 8 - Canon Basic is likely helpful from the DMCA point of view, as there's no encryption to be bypassed. On old models, UART - which we figured out in 2018 - might also be useful, as there's no encryption to be bypassed there, but one would have to attach wires to the camera.

So, there are some alternatives to FIR encryption - but we didn't know about them before ~ 2018. Now, the question is whether our previous approach of creating fake firmware updates (ML-SETUP.FIR, ROM dumpers) is going to haunt us, and for how long.

Anyway - the lawyer who advised Open Collective told us that one of the preferred ways to make our project acceptable for fiscal hosting would have been to apply for a DMCA exemption for allowing software modifications to digital cameras - unfortunately, the application deadline had passed some months ago...

However, I've recently found out about an initiative from EFF, where they ask for an exemption to allow repairing *and* modifying any software-enabled device:
https://twitter.com/EFF/status/1331657954412544002
https://www.eff.org/deeplinks/2020/11/lets-stand-home-hacking-and-repair

Quote
If you have a story about how:

- someone in the United States;
- attempted or planned to modify, repair, or diagnose a product with a software component; and
- encountered a technological protection measure (including DRM or digital rights management—any form of software security measure that restricts access to the underlying software code, such as encryption, password protection, or authentication requirements) that prevented completing the modification, repair, or diagnosis (or had to be circumvented to do so)
—we want to hear from you! Please email us at [email protected] with the information listed below, and we'll curate the stories we receive so we can present the most relevant ones alongside our arguments to the Copyright Office. The comments we submit to the Copyright Office will become a matter of public record, but we will not include your name if you do not wish to be identified by us.

I'm tempted to ask EFF whether they would be interested in our story. Though, I have several reasons to believe our approach regarding fake FIR files, without publishing the encryption tools, is actually safe from the DMCA - but this part is still being reviewed by Open Collective at the time of writing.

If we decide to contact EFF, they would have to submit our story to the Copyright Office no later than December 14: https://www.copyright.gov/1201/2021/. Further details available on Discord - e.g. if you'd like to help me review the draft e-mail for EFF.

BTW, normally our software is free, but today is Black Friday - you can get it for a reduced price :)

Danne


a1ex

Shortly after me going into full Donald Trump mode on Twitter, something magic happened.

We have received a reply from Software Freedom Conservancy - another US-based fiscal sponsoring organization to which we applied back in 2013. They are also on good terms with Open Collective. Some relevant projects already hosted on Conservancy: OpenWRT (joined September 2020), Wine, Samba, Git, Mercurial, Homebrew, QEMU.

Their reaction was totally unexpected to me - in particular, this paragraph sounds very promising:

Quote
We turn projects away these days, but only if they aren't a good fit for our mission, but that's not a case for you all — in fact, Magic Lantern is the kind of project we're really interested in seeing apply!

Background: we submitted an application letter in January 2013, but we didn't receive a reply back then. We didn't follow up, because shortly afterwards, we talked to SFLC - which, at that time, I thought was a related organization, but it wasn't the case - who advised us sharply against taking donations. Their advice wasn't really in disagreement with the advice from EFF, as they also said that making money out of our software could increase our legal risk - but SFLC was a lot more conservative, possibly because of the 1DX/1DC rumour, which appeared shortly after we spoke to EFF. That's when we stopped accepting monetary donations, from what I remember. Eventually we calmed down to some extent and started accepting BTC as a workaround.

So, the idea of fiscal hosting is not new for us, but - back in 2013 - we gave up after receiving the not-so-favorable advice from SFLC. OK, Conservancy said they weren't prepared to accept us in 2013 either - but the lack of reply was actually an honest mistake from both sides (bad timing + not following up).

Of course, this does not mean Conservancy accepted us, or that they are going to accept us, but they seem to have a genuine interest in figuring out a way forward. We'd still have to go through the same steps as with Open Collective, as they need to know what we are doing, to make sure our reverse engineering activities are not risky for them.

TLDR: now we've got two potential fiscal hosts to work with :)

If you are wondering: "Conservancy does encourage projects to apply to multiple non-profit homes to find the best fit." Therefore, it is my understanding that discussing our application with both Open Source Collective and Conservancy in parallel shouldn't be an issue.

Kharak

Awesome, really hope it comes through!

And thanks for sharing.
once you go raw you never go back

a1ex

The story for EFF is coming together, thanks to everybody who reviewed it on the Discord channel!

As it will appear in a public mailing list and will end up as a public comment, I've shared a link there, if anyone else would like to take a peek or suggest further edits. I'll submit it once it settles, likely tomorrow or the day after. The timing is short, as EFF would have to review it, to get in touch with us for additional info, and to turn it into a pertinent comment for the Copyright Office, all before December 14.

Please note this was written as a response to EFF's request for a story about how DMCA interferes with legitimate tinkering with the software-enabled device you have bought (in our case, the DSLR camera). It's not a request for EFF to help us, so it should probably be kept as readable as possible, for anyone outside our project - that is, it shouldn't get too technical.

https://www.eff.org/deeplinks/2020/11/lets-stand-home-hacking-and-repair

The story for EFF can be considered an extended version of the series of tweets shared earlier. Actually, the tweets were copied and/or adapted from an earlier draft.

a1ex

Update: I submitted the story to EFF earlier this week, right before the website went offline; you may read it here (or the shorter version on Twitter, if you prefer). They got back to me, and we expect to have a virtual meeting with them this Tuesday - together with Trammell and g3gg0.

Both Open Collective and Conservancy reacted positively to our attempt to contact EFF - hopefully something good will come out of this :)

Will keep you posted.

Edit: here's the outcome of our EFF letter :)

https://www.youtube.com/watch?v=QCJkZlZQoUQ

https://www.ifixit.com/News/47696/were-hosting-a-press-call-to-discuss-how-copyright-law-hinders-repair

a1ex

Update: just received an e-mail from Open Collective, titled: "We can host Magic Lantern!"

Santa arrived early? :)

Next steps: will find out after a virtual meeting with them.

flostro

Cool! So what does that mean exactly?
Funding? Full Time Magic Lantern Developers?

a1ex

Hopefully yes - though, part time would be a much more likely scenario. Some details a few posts earlier. The cool part is - with Open Collective at least - that the funds will be available to anyone in the community who makes significant contributions - not just to me or to a restricted set of core developers. And, of course, anyone will be able to see where the money goes :)

Highly recommended reading: https://docs.opencollective.com/help

Or watch this video - from one of the Open Collective founders:

https://www.youtube.com/watch?v=lyOmToAyvjk

We aren't able to accept money yet; still need to discuss with them and find out the details. But it's a clear step in this direction.

theBilalFakhouri


nikfreak

70D.112 & 100D.101

Kharak

Congrats guys! You earned it a thousand times over!
once you go raw you never go back

wib

EOS 5D3 123 crop_rec_4k_mlv_snd_isogain_1x3_presets_2020Dec11.5D3123

MichaelVito


c_joerg

Quote from: a1ex on December 15, 2020, 11:23:39 AM
Update: just received an e-mail from Open Collective, titled: "We can host Magic Lantern!"

In the CHDK forum I once heard the statement that as soon as CHDK became more commercial, Canon could protect its cameras better for debugging. Is that to be expected here too?
EOS R

Walter Schulz

No link given and therefore unable to check source.

Q: "Commercial" as in
- Becoming a legal entity (company)?
- Charging people for software and services?

ML project team's step looking for a covering host has nothing to do with that!
And why should Canon wait for any kind of action by ML and/or CHDK to tighten cam software security? They can do it any time and don't have to ask anyone for permission.

DeafEyeJedi

5D3.113 | 5D3.123 | EOSM.203 | 7D.203 | 70D.112 | 100D.101 | EOSM2.* | 50D.109

a1ex

Quote from: c_joerg on December 18, 2020, 08:05:06 AM
In the CHDK forum I once heard the statement that as soon as CHDK became more commercial, Canon could protect its cameras better for debugging. Is that to be expected here too?

They could have done so back in 2012, when we were accepting donations, or in 2013, when we got a massive popularity spike after announcing raw video (see e.g. Petapixel, EOSHD and several others). To date, Canon have not removed the ability to run AUTOEXEC.BIN from the card (feature present in all EOS models from DIGIC 2 to DIGIC X), they have not removed the massive amount of debug messages we are relying on, they have not locked down the UART interface and so on.

What they did: they removed the ability to downgrade from certain firmware versions, but this seems to be in response to vulnerabilities recently identified by Check Point Research. In other words, they do react quickly if anything bothers them.

They have also changed the encryption in EOS R/RP and newer models, but we didn't even have to figure it out. That's because, at the same time, they also enabled Canon Basic on those models - the scripting engine documented by CHDK some 10 years ago - making it even easier to execute code on these cameras, without even having to worry about DMCA. This scripting engine is likely present on all DIGIC 8 and X models, already confirmed on R/RP, R5/R6, M50, 250D and others.

On top of that, on DIGIC 7/8/X, you can temporarily patch pretty much anything in Canon firmware, by remapping parts of the ROM into RAM. This was possible to a very limited extent on DIGIC 2..5 ("cache hacks"), and there is no known possibility to patch ROM contents on DIGIC 6. Longer version here.

In other words, recent models are likely a lot more hackable than previous ones. The main reason why there is no ML on these models yet, is lack of developer time. Proof of concept was already done back in 2018 - all those "Hello World" screenshots actually demonstrate running custom code alongside Canon's own firmware. Though, the initial plan was to delegate the porting efforts for new models entirely to the community... hence all of that work on emulator and development documentation.

Yes, there are some technical difficulties, as the hardware changed significantly (so porting is no longer "just" a matter of tweaking the existing code), and the instruction set also changed to Thumb (so, many of our low-level tricks will no longer work out of the box), but all of these can be solved given sufficient development time.

BTW, operating under Open Collective's umbrella is somewhat like a nonprofit - Open Collective themselves call it a "virtual nonprofit". Does this count as "commercial" or otherwise a threat for Canon? I don't know, and I hope they don't see it that way. One of the biggest advantages of this approach is - if you ask me - that two fiscal hosting organizations with no previous connections to our project (Open Collective and Conservancy) have reviewed our reverse engineering activities and - after multiple rounds of legal advice - they have (finally) found our project acceptable. I hope this is going to give some peace of mind to everyone involved in the project - at least compared to the previous state, where quite a few ex-contributors asked me to remove their e-mail / username / etc from this website because of the legal uncertainty.

We are not the only ones doing this - there are also other "alternative firmware" projects moving in the same direction, for example, OpenWrt joined Software Freedom Conservancy a few months ago, and Rockbox considered joining as well.

And it wasn't a rushed decision either. I started to consider Open Collective at the beginning of 2019, but fiscal hosting isn't a recent idea - back in 2013 we tried to apply to Software Freedom Conservancy. As it didn't work out, back in 2014 I started to work with Apertus, hoping to "subsidize" ML development that way. That didn't work either. Earlier this year I tried my luck with freelancing (again, didn't work out), and also started some side projects that don't rely on reverse engineering, but none of them had the potential to cover any costs of living within the next few years without *massive* time involvement from my side. So, the only sensible choice was to... change my mind towards fundraising for ML development.

I've submitted the application to Open Collective a long time after crossing a critical point of no longer being able to dedicate long hours to hobby projects (ML in particular). The alternative - for me - would have been to watch from the sidelines - as I did since mid-2019 - at least for the next few years, and hope for the best. Yes, the project can definitely progress without my involvement - Danne and others already proved this - so I can also step back if there are serious concerns about Canon getting upset by this change. As I said before, things will only move in this direction as long as there will be consensus.

This video - very similar to the previous one - explains the situation very well. It's from one of the founders of Open Collective - meeting with them scheduled for Tuesday :)

https://www.youtube.com/watch?v=szE_00HC5h4