Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sun Finds & Exploits Hole in the GPL *Update*

Posted by ryuzaki0 on from the not-playing-fair dept.

chrisd writes "Sun is shipping binaries (no source code for you!) of some of Donald Beckers work, saying in their defense that "It says that anyone using its kit is responsible for ensuring that how it's used doesn't violate licenses, and that's not Sun's problem."" Update: 09/15 11:30 PM by CT :The article is somewhat confusing here: this is essentially a cross compiler, and Sun isn't distributing anything in violation of the GPL, and if they used their compiler to distribute binary drivers, that wouldn't violate the GPL either, assuming that they distributed the original driver source code as well.

12 of 334 comments (clear)

  1. You know... by Millennium · · Score: 5

    It would have been really helpful if the poster of this article had actually said what piece of software Sun was distributing. For those who haven't read the article, it seems to be a pieve of software that converts Linux driver binaries to Solaris/x86 ones (note that this only seems to work for drivers). The software itself is, I believe, proprietary (but does not use any GPL'd code itself).

    This isn't a GPL breach, in letter or in spirit. The author of the article is correct: it is the responsibility of driver porters to ensure that their drivers don't violate licenses, not Sun's. In the case of GPL'd drivers, they do this by providing the sources, which they must do for the Linux drivers. Since the Sun toolkit seems to be little more than a recompiler (less than that, actually; more like a relinker) it hasn't actually modified the source any more than a compiler does.

    Maybe I'm wrong about the software's nature; I'd appreciate corrections if that is the case. But it looks like a lot of people are blowing this out of proportion. Sun is not violating the GPL. It has created software which could, theoretically, be used as an aid in GPL violation, but isn't intended for that purpose (rather like Napster and DeCSS can be used in violating more restrictive, and some might say unethical, licenses but are not intended for that purpose).

    I'll admit, this looks a bit fishy. But I support Napster and DeCSS; because of that I can't cry out against this driver converter without being a hypocrite.
    ----------

  2. Both Perens and Becker are wrong by John+Goerzen · · Score: 4
    From the description of the kit, it sounds like Sun is merely providing something that could be considered to be roughly analogous to a compiler. The referenced article does not establish whether this "compiler" is GPL'd, nor whether it uses GPL'd code. Even if it is not, it would still be perfectly acceptable to use it to convert GPL source to object code, and Sun is right -- the people that distribute that object code are the ones that have to obey the GPL. In short, Becker can't really object to that.

    Now, if Sun itself is distributing object code derived from GPL software, they have an obligation to follow the GPL with regard to distributing source. It is also unclear whether or not they are doing this. If they are not, then they are in clear violation of the GPL, and I don't see where Bruce sees the gray area. (And, FWIW, they should have asked RMS about this, not Bruce.)

    So, in essence, from what we know: 1) the idea of compiling source intended for Linux into a Solaris object code is not objectionable nor a violation of the GPL even if the compiler is not GPL'd; and 2) if Sun uses GPL'd code in their compiler, they must include the source. So on #1, Becker is wrong, and on #2, Perens is wrong. If Sun indeed is using GPL'd code and not including source, then they need to be taken to task. Otherwise, they are not doing anything to violate the GPL.

    1. Re:Both Perens and Becker are wrong by Bruce+Perens · · Score: 5
      Well, the reporter didn't write down everything I said. Sun must indeed ship source for the drivers. The point is that they may use GPL drivers on Solaris without distributing Solaris source. They can integrate the entire Linux TCP/IP stack if they want, which might be interesting in the case of IPV6. Stallman said he'd fix this in GPL version 3.

      Thanks

      Bruce

      --
      Bruce Perens.
  3. What the GPL says in this case by Bruce+Perens · · Score: 4
    The GPL makes an exception in the case of components that are normaly distributed with the OS and compiler, as long as the GPL component is not distributed with them. The exception was intended to allow people to run Emacs on the Sun, long ago before there was a Free OS. It (in my opinion, and I'm not an attorney) unfortunately does not distinguish between executables and drivers sufficiently to disallow it from being applied to drivers. That means that you can use GPL drivers with any OS as long as you follow the GPL requriements and distribute the source code for the driver, and you don't distribute the driver with the OS (thus the run-time loading). Sorry, but that's the case as far as I can tell. I don't have to like it, but we in the free software community should honor agreements as they are written, not as they were intended but we didn't fully write down our intent. I wrote RMS about this problem and he said he'd fix it in GPL 3.

    Thanks

    Bruce

    --
    Bruce Perens.
  4. I'm not sure I get it... by Old+Man+Kensey · · Score: 4
    What seems to have people up in arms is that Sun has (essentially) written a cross-compiler that takes Linux/Intel source and produces output for Solaris/Sparc.

    What's the problem here?

    Is it that the binary might or might not have new code in it introduced by the compiler? If that's the case, the same could be said if, say, Metrowerks distributed the source for these drivers with its compiler. Essentially the GPL under this interpretation forbids shipping binaries of GPL'ed code compiled with a non-GPL compiler. Also, it would mean that any code compiled with a GPL'ed compiler would become GPL'ed if the compiler introduced any foreign code (I don't know if gcc does or not).

    I don't think this is a huge concern anyway. The compiler can't pull but so many "dirty tricks" simply because it can't know what the code is supposed to ultimately do. And compilers work at such a low level that the question of what is or isn't "foreign" code with respect to a given set of source is non-trivial, especially with an optimizing compiler.

    Is the concern over the fact that Sun isn't shipping the driver source with the driver binaries? Assuming that this is the only concern, does anyone really care? Unless they've changed the source, does it matter to me whether I get the source for tulip.o from Sun or from Donald Becker? More specifically, if I put tulip.o binaries on my FTP site as a convenience for my user-group, am I obligated to distribute tulip.c myself? Is it not enough to say "get the source from the author?" Under a particularly strict reading of the GPL, it would be unacceptable to have tulip.c and tulip.o in the same directory as separate files -- they would have to be zipped together so as to be sure that Section 3 of the GPL could not be breached inadvertently.

    Or is Becker just throwing a tantrum because he doesn't like seeing his work used for something outside the scope of his intent (to write a Linux driver)? This is, I hope, a remote possibility, because in itself that attitude defeats the whole point of the GPL, but one that occurs to me to toss out.

    --
    -- Old Man Kensey
  5. Bad journalism by Mike+Schiraldi · · Score: 5

    Sun is ... saying "It says that anyone using its kit is responsible for ensuring that how it's used doesn't violate licenses, and that's not Sun's problem."

    When i first read that, i didn't realize that the quote was from the author of the article -- i was shocked, thinking a Sun spokesperson said that.

    CmdrTaco: You really should have edited that submission to make it more clear.
    --

    --

    --
    Mod up a post Rob doesn't like and you'll never mod again

  6. The problem is GPL vs LGPL by AJWM · · Score: 4

    Now, it's been a long time since I had to build drivers into a Sun operating system (so long that it was probably SunOS rather than Solaris), but AFAIK it does not support dynamic loading of driver modules the way Linux does. (And even if it does, that could be argued as irrelevant -- it's a matter of dynamic vs static linking.)

    Now, if Becker's drivers were released under the LGPL, which explicitly allows linking with proprietary code, this would be a non-issue. However, the general intent of the GPL is to not allow such linking, static or dynamic -- although the latter has been argued as insufficiently made clear in the GPL. And there's the problem.

    If the drivers are statically linked into a Solaris kernel, then that's pretty clearly a GPL violation. If dynamically loaded, then it may be as Bruce Perens states, violating the spirit of the GPL (vs LGPL). Whether it also violates the letter of the GPL may end up being up to a judge to decide.

    No, no, no. It ain't ME babe,
    It ain't ME you're looking for.

    --
    -- Alastair
  7. The GPL should be able to handle this... by prizog · · Score: 5

    From the article: "Sun's controversial little kit takes open source Linux drivers and converts them into Solaris binaries. "

    OK, here's the deal: The kit itself is just a piece of software - it no more "encourages" licens violations than GCC does. But any product of the kit was originally made from some code. Chances are, that code was under copyright and license. So, distributing the modified binary is distributing a derivative work - this is only allowed under the terms of the license the original code was under (in this case, the GPL). So, Sun must distribute the source to Becker's drivers if it distributes binaries of them (for any system).


    -Dave Turner.

    --
    Become a FSF associate member before the low #s are used
  8. Analogy Error by _Sprocket_ · · Score: 5
    This is the napster to kernel drivers, the Xerox machine to books. Remember, it's not Napster's problem that users violate copyright with the service. Nor is it Xerox's probolem that people photocopy copyrighted works on machines.
    Napster doesn't come packages with a Metallica MP3 file to demonstrate how to distribute MP3s. Xerox machines don't include a photocopied Webster's dictionary so the purchaser can see how to duplicate a book.

    Sure, if SUN was just providing the (what appears to be) compiler then there would be no issue. If they included the source code to the GPL code they ship as example binaries, there would be no issue. In that case it would be simular to Napster distrubuting an MP3 with permission of the artist or Xerox buying dictionaries to include with their photocopier.

  9. It's a (cross) compiler! by EyesOfNostradamus · · Score: 5
    > Sun's controversial little kit takes open source Linux drivers and converts them into Solaris binaries.

    To me this sounds like the definition of a compiler. Ok, so maybe it does a bunch of additional magic to convert the API's, but nothing to get our panties in a knot over.

    Sure, an unscrupulous party could use this to "compile" an open source Linux driver into a Solaris binary, and "forget" to ship the source with it, but the same is true for any compiler. So what's the problem with this? If we attack Sun for this, we should also surrender to the MPAA, because admittedly DeCSS could be used for infringment.

    > To his surprise, the kit used the Linux eepro100 and Tulip network drivers as examples. Becker wrote those drivers. Sun never asked his permission to convert them to Solaris binaries.

    Again, what's the problem? That's just as if an application developer complainted that sb compiled his app for an Alpha, whereas he had developped it on an Intel. Nobody does the GPL say (or intend) that applications should only be run on the platform that they were developped for. If that was the case, we would be hypocrites for denying the MPAA the right to restrict their movies to the Windows platform (or to a given regions).

    > Now Perens has ruled, or should one say opined, that Sun is perfectly within its legal rights -

    ... and I'd say, they're within their moral rights too.

  10. The legality of limiting linking by JSBiff · · Score: 4
    I would like to start out with, IANAL!

    Second, I would like to say I love the GPL and do not want to see it legally weakened. That is, in fact, the reason I have thought about this. Because if the GPL makes (what a court deems to be) over-broad claims, that would definitely weaken the GPL. So don't flame me ;-)

    But, I have been thinking for a long time that the GPL's claim to limit who can and can't link to GPL'd code might be tenuous. It is very easy, when I can point to a program and say "that program's source code contains my source code" to say that that code should therefore be GPL'ed. I can argue though, that a program that links to your library doesn't somehow become one program, it merely uses your code, and remains a separate entity that can be distributed under seperate copyrights. I think that one might find that a court might entertain the idea that linking code doesn't make it a derivative program.

    To illustrate, let me argue it this way. Copyright, If I understand it correctly, allows you to specify terms upon which people can obtain a copy of your work, and make copies/derivatives; however, once someone _has_ a copy, I think, you can't really specify how they can use it(there are some exceptions, e.g. public performances, etc; and of course companies try to limit people's usage all the time, so I could be wrong here). So, if I have legally obtained a copy of your source-code, and this source-code is in the form of a library (or module in this case, which is similar), I might (I don't know, IANAL, and as far as I know no court has ever ruled on this) be able to make the case that "my" code (in this case sun's solaris x86 kernel; in the previous sentence, and for a bit following, when I say "my" I am speaking from the hypothetical standpoint of a defendant making a case in a GPL lawsuit) was distributed legally, and that the user got the GPL'ed code legally (assuming the module's/library's source code is included), and that the GPL cannot limit the user from using the two together.

    Let's look at this another way: if a commercial software company said that their library X couldn't be linked against program Y, even though I paid for library X and got it legally, and paid for program Y and got it legally, because company Y hadn't paid a fee to the maker of library X, then we on slashdot would all be crying that this library distributor was making a draconian claim to rights that they didn't have: namely the claim that they could control how I used their software after I had gotten it legally. Why do we apply a double-standard to free-software?

  11. Wake up people by ibpooks · · Score: 4

    C'mon! Wake up!

    This is the napster to kernel drivers, the Xerox machine to books. Remember, it's not Napster's problem that users violate copyright with the service. Nor is it Xerox's probolem that people photocopy copyrighted works on machines. We can have it one way or the other. If it's not Napster's fault, and if it's not Xerox's fault. Then Sun cannot possibly be held accountable for what people do with their software.

    Remember, it is the responisibility of the user to ensure that no copyrighted source code is converted to binary drivers.