Slashdot Mirror


GPL Violation, Microtest's DiskZerver

Early this week, brtb submitted an eye-opening write-up which may end up as the classic example of a large-scale GPL violation. Microtest's DiskZerver, a NAS device designed to handle CDs, would seem to be a sharp product, except it's based on software licenced under the GPL and potentially other free-software licenses as well. Of course, you would never know this, because Microtest never mentioned it; however, that didn't stop Microtest from manufacturing and then marketing the device before it sold it off to another company. DiskZerver's new company, xStore, which was unaware of the licensing issues, was notified about them and about this impending article. They have yet to comment. In situations like this, what should a company do to bring such a glaring GPL violation back into compliance?

Slashdot reader brtb reports:

About a year ago my employer, a local high school, purchased a couple MicroTest "DiskZervers," network-attached-storage boxes designed to cache CD images for LAN usage. We were mainly Netware-and-Win95 at that time, and the Zervers performed flawlessly in that configuration. But problems began when the district IT department made the decision to switch us over to an NT-domain setup. The Zervers, even with their advertised "Domain Integration" support, didn't seem to like this too well, so I dug a little deeper... imagine my surprise when I found out the boxes are actually embedded 486's with Linux and a whole slew of other GPL'ed software, mentioned nowhere in the manuals or on the accompanying software CD.

Apparently, Microtest (NAS division since sold to XStore) put together a mess of GPL software - a modified Linux kernel 2.0.27, Samba 1.9.x-ALPHA (!!!), the MARS_NWE NetWare emulator, and GNU C libraries (libc5), among others, stuffed them on a flash chip in a drive-bay-size embedded 486-based computer, and sold it as their "DiscZerver" product line. They also used some non-GPL packages, including Apache and Netatalk (Macintosh server). Nothing wrong with their methods, but there's plenty wrong in their implementation.

The web interface and proprietary Windows front-end, the only given methods of configuring the device, refer to the various services generically, like "Web server," "SMB server," "NCP server," etc. - there's no mention anywhere, even in the manual, of the actual programs being used. Of course along with this is no accompanying source code or even the offer to provide any, as the GPL requires.

I can't even get any useful tech support from this company, much less someone to ask about getting the source code for the software and whatever modifications they made, which includes a flash file-system driver ("yaffs" - I think MicroTest wrote it, as I can't find any info on it) for the kernel. I did manage to hack out the hidden-from-customers root password; with that I found a shell prompt (Stand-alone Shell v1.0 - GPL? dunno) which only increased my determination as I could see exactly what programs they managed to steal, strip out identifying info, and use without credit.

I did contact the FSF with the limited information I had before I got shell access, and they did confirm the existence of a GPL violation, but were unable to do anything specific as they do not hold copyright on any of the programs I knew of at the time (and actually suggested I post to Slashdot to get some answers). xStore itself has not returned my emails or phone call. I have another e-mail in to the FSF, now that I know the machine includes glibc1.

So, right now I have a nice little piece of hardware, some mis-compiled (I think) software, and no idea what to do next. At the very least, I learned that my usual policy of disassembling and analyzing any new hardware we get is the right one; of course that doesn't help all the LAN users that need access to these CDs. I'd be happy if I could just get the code so I can fix SMBd/NMBd to work properly. I've thought about trying to make my own really-small distro to load on, but it's not really worth my time - I could just load the cached CD images (thankfully just standard .ISO's) off the Zerver's CD-storage hard drive into my other Linux server, compile and install Samba correctly (works great if you do it right), and get on with life... but I really shouldn't have to do either. Any ideas?

7 of 393 comments

  1. you may have broken the license agreement.... by jeffy124 · Score: 5, Insightful

    How did you figure out that the product was full of GPL code and such? From the looks of things, it appears you had to reverse engineer binary code and hack out a root passwd. IANAL, but chances are good xStore put in the license agreement that you weren't allowed to do those two things. You may run into trouble with that should everything turn out legit. Yes, they may have breached the GPL, but their agreement probably restricted you from those activities.

    Basically, it's an issue of risk. If it turns out that they have no GPL violations, then you could get nailed for breaking the license they provided. On the other hand, you could show that they broke the GPL prior to specifying the license terms you use the product with, either voiding their license or something of that nature.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  2. Did they modify/redistribute, or just distribute? by Sabalon · Score: 3, Insightful

    From reading the snippet here, it sounds like they put a whole bunch of pieces together into a box, and shipped it, after adding on a new admin tool.

    Since (I'm guessing) the admin tool probably just modifies the config files, I fail to see how that could possibly be a GPL violation.

    There is mention of a modified kernel, but without further info, I will take that to mean almost anything from radically modified code to a loadable module, which could be on both spectrums - details? Without, it is just the normal /. hearsay.

    So, they slapped together a box and shipped it out without mentioning Linux or GNU. Does the GPL say anything about this? If they have not made any mods are they still required by the GPL to have the same offer?

    What if they had embedded a minimal Linux setup in an EPROM? Seems it'll be a pain to use Linux in an embedded device if you have to keep providing source media even if you didn't change any GPL'ed code and just added your own programs.

  3. Re:FSF & Copyright by kabir · Score: 3, Insightful
    It isn't about control: it's about protection.


    I think that should read "It isn't only about control: it's also about protection". As most anyone who's dealt with RMS will assure you, it's most definitely also about control on some level.
    --
    Behold the Power of Cheese!
  4. This is an embedded system by imp · Score: 4, Insightful

    People have been saying for years that embedded systems need not fear from open source zealots. Since the software wasn't distributed separate from the hardware, it is hard to know if this fits the definition of a distribution within its meaning in the GPL.

    This is the reason that our systems are based on FreeBSD. We have a niche market (high precision timing systems) where we still have a lot of proprietary IP. FreeBSD lets us deploy that without fear of GPL forcing issues.

    And before anybody says anything, the company has paid me for many hours of FreeBSD bug fixes over the years and contributes back to FreeBSD all that we can because we know that it is in our best financial interest. FreeBSD isn't our competitive advantage, our ability to do high precision timing systems is.

  5. Re:Put up and FTP site by spudnic · Score: 4, Insightful

    I really doubt that they would lose any customers.

    Any potential customer who, as you said, "had oogles of free time -and- the requisite skills" probably wouldn't even look at a product like this in the first place. They would already know what could be accomplished with a stock Linux install. These are the guys (like most of us) who would read the advertisement for the product and say, "Gee, I can do all that with Linux for free."

    Now on the other hand, if their time were valuable, they might look at this product a little differently. Sure it could be done in house, and we could develop or modify some control software to make it easy to administer for non-tech, but why? In this case, I'm paying for the work they did in setting this up as a package, not for the underlying GPLed code.

    Things are very different in the business world than when you are in college or just starting out. My company would gladly pay an extra few hundred bucks or so for a turnkey solution rather than to pay my salary for a couple of days for me to get all this set up by myself.

    --
    load "linux",8,1
  6. This is Who goes after them... by Anonymous Coward · Score: 1, Insightful

    Xstore paid for the IP assets of that Microtest. They paid for, among other things, custom software, from that DiskZerver, which turned out to be stolen GPL ware.

    That is fraud. Very simple. Very defined under the law. Very easy to determine who to sue, and the outcome is very likely a judgement against Microtest, possible criminal charges as well. Not for using GPL ware, but for selling that which you do not own.

    All without DMCA or any other new BS laws being necessary.

  7. Re:Did they modify/redistribute, or just distribut by ryants · Score: 3, Insightful
    Because it showed that "provided" and "if" mean the same thing

    Sure... but they carry different connotations.

    It also showed that "you may do X provided you do Y" does not imply "you may not do X if you do not do Y".

    Huh? It certainly does imply that. "may" implies permission: the condition for that permission is that you do Y. If you do not do Y, then you do not have permission to do X. Said another way, in order to obtain permission to do X, you must fulfill the conditions spelled out in Y. If you do not fulfill those conditions, you don't have permission. I fail to see why this is so difficult for you to understand.

    Can you provide any backup to that assertion?

    See above.

    --

    Ryan T. Sammartino
    "Ancora imparo"