Slashdot Mirror
GPL Violation, Microtest's DiskZerver
Slashdot reader brtb reports:
About a year ago my employer, a local high school, purchased a couple MicroTest "DiskZervers," network-attached-storage boxes designed to cache CD images for LAN usage. We were mainly Netware-and-Win95 at that time, and the Zervers performed flawlessly in that configuration. But problems began when the district IT department made the decision to switch us over to an NT-domain setup. The Zervers, even with their advertised "Domain Integration" support, didn't seem to like this too well, so I dug a little deeper... imagine my surprise when I found out the boxes are actually embedded 486's with Linux and a whole slew of other GPL'ed software, mentioned nowhere in the manuals or on the accompanying software CD.
Apparently, Microtest (NAS division since sold to XStore) put together a mess of GPL software - a modified Linux kernel 2.0.27, Samba 1.9.x-ALPHA (!!!), the MARS_NWE netware emulator, and GNU C libraries (libc5), among others, stuffed them on a flash chip in a drive-bay-size embedded 486-based computer, and sold it as their "DiscZerver" product line. They also used some non-GPL packages, including Apache and Netatalk (macintosh server). Nothing wrong with their methods, but there's plenty wrong in their implementation.
The web interface and proprietary Windows front-end, the only given methods of configuring the device, refer to the various services generically, like "Web server," "SMB server," "NCP server," etc. - there's no mention anywhere, even in the manual, of the actual programs being used. Of course along with this is no accompanying source code or even the offer to provide any, as the GPL requires.
I can't even get any useful tech support from this company, much less someone to ask about getting the source code for the software and whatever modifications they made, which includes a flash file-system driver ("yaffs" - I think MicroTest wrote it, as I can't find any info on it) for the kernel. I did manage to hack out the hidden-from-customers root password; with that I found a shell prompt (Stand-alone Shell v1.0 - GPL? dunno) which only increased my determination as I could see exactly what programs they managed to steal, strip out identifying info, and use without credit.
I did contact the FSF with the limited information I had before I got shell access, and they did confirm the existence of a GPL violation, but were unable to do anything specific as they do not hold copyright on any of the programs I knew of at the time (and actually suggested I post to Slashdot to get some answers). xStore itself has not returned my emails or phone call. I have another e-mail in to the FSF, now that I know the machine includes glibc1.
So, right now I have a nice little piece of hardware, some mis-compiled (I think) software, and no idea what to do next. At the very least, I learned that my usual policy of disassembling and analyzing any new hardware we get is the right one; of course that doesn't help all the LAN users that need access to these CDs. I'd be happy if I could just get the code so I can fix SMBd/NMBd to work properly. I've thought about trying to make my own really-small distro to load on, but it's not really worth my time - I could just load the cached CD images (thankfully just standard .ISO's) off the Zerver's CD-storage hard drive into my other Linux server, compile and install Samba correctly (works great if you do it right) , and get on with life... but I really shouldn't have to do either. Any ideas?
If they put up an FTP site that includes a) all the original source code used for the product, and b) all the modifications, there should not be a problem. The GPL allows the sale of products based on GPL'd code, but you have to give your changes back to your customers. They probably only have to give the source code and their changes to customers, though, and not to the general public.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
And now some of you who say the FSF (and by extension, RMS) are "control freaks" since they ask that the copyright of GNU stuff be assigned to them see the reason why.
It isn't about control: it's about protection.
Ryan T. Sammartino
"Ancora imparo"
My first guess is that XStore didn't do enough due diligence, or if they did, then they ignored what they found out. Even if they did some, it may well be that Microtest is liable - what's scary will be how _much_ they're liable for. This may well turn into a very interesting test case - will XStore have to publish all the code they've changed? Will they have to pay damages? Possibly most worrying for a commercial software company (which they seem to be) is that if they've done their own development (or paid for development in the sense that they bought the product), then the Intellectual Property that they thought they owned may end up having to be made available to everyone. It'll be a very interesting case if someone decides to prosecute.
Yes. Section 1 of the GPL applies here.
If they have not made any mods are they still required by the GPL to have the same offer?
Yes. Again, section 1.
What if they had embedded a minimal Linux setup in an EPROM? Seems it'll be a pain to use Linux in an embedded device if you have to keep provided source media even if you didn't change any GPL'ed code and just added your own programs
I don't see what the pain is in putting the GPL in your manual along with a written offer to provide source (see section 3 b) of the GPL).
Ryan T. Sammartino
"Ancora imparo"
How did you figure out that the product was full of GPL code and such? From the looks of things, it appears you had to reverse engineer binary code and hack out a root passwd. IANAL, but chances are good xStore put in the license agreement that you werent allowed to do those two things. You may run into trouble with that should everything turn out legit. Yes, they may have breached the GPL, but their agreement probably restricted you from those activities.
But it's a different sort of liability.. Lets assume for a moment that both parties violated their respective licenses. Violating the DiskZerver license restricts your ability to use their software. Violating the GPL restricts DiskZerver's ability to distribute the software. There are no penalties for *using* software you purchased after violating the license agreement (except possibly in UCITA states) -- you just lose "perks" like support or something equally inane. On the other hand, there a *significant* penalties for distributing software that you no longer have the license to. As a matter of fact, thanks to lobying there are not only penalties, it's also a felony.
They may charge you with DMCA violations if the root password was encrypted, though.
Too true. Infact this vigilantism is prime material to drive away any sort of commercial acceptance of linux. It's clear that any *appearance* of impropriety is enough for people to start calling for DDos attacks around here. If it were my descision, I'd go with BSD or some other embedded OS. (Yes I know you still need to give credit, though at least I can link to a distributed library without giving out my source) The constant minefield of GPL/LGPL and fanatics that follow are too much to put up with. Makes MS licensing schemes for their embedded OS seem like kindergarden math. Even if I had to pay $10 per device, at least I wouldn't have to put up with this...
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
BTW, just so nobody goes off on a security tangent about a hidden root password, I tested the one I found on the second Zerver and it doesn't work, so apparently they made it different for each machine (GOOD IDEA).
Do nothing! Personally, I can't wait to see the parasitic GPL go to court and lose. If you write a book on fishing, and after reading it I invent a new maneuver that allows the catching of a larger type of bass, I shouldn't be forced to tell you how I did it. That isn't freedom, it's not even communism, it's just tyranny with a pretty face.
For what it's worth, if you don't want the hassle of going to court and being the martyr that pays through the nose to defeat this nonsense, just use BSD. Besides being more stable and closer to true unix, BSD licenses basically let you do whatever you like. This is why BSD has been a mainstay of appliances for years (and will remain so); that's what runs on this Snap! fileserver I've been playing with all day.
Hey freaks: now you're ju
You know what? I just changed my mind. I just looked at the license page in the manual. Not only do they not give any credit (which could perhaps be an oversight) they explicitly claim EVERYTHING. Here it is:
License and Warranty Provisions
This manual and the product described in it have been protected internationally by
copyright and other applicable laws with all rights reserved. You may not remove or
conceal any trademark, patent or copyright notice appearing on the product or this
manual. Microtest remains the sole owner of the software programs that are part of this
product. Microtest grants you a nonexclusive license to use these software programs.
This license is for a single fileserver only. You may not make any copies of the software
other than as a backup copy for your own use. You may not sell, rent, lease, lend,
distribute or otherwise transfer copies of the software or this manual to others, except
that you may permanently transfer all copies of the software in your possession
(including any backups) and all related materials as a set to another person who
accepts the terms of this license agreement. You may not modify, transcribe, translate,
decompile, reverse engineer or reverse assemble the software, or create any derivative
works from it. Microtest may terminate this license at any time without notice if you
breach any of these terms. If any provision of this license is held to be unenforceable or
contrary to any applicable law, the validity of the remaining provisions shall not be
affected.
Here's the particlar part of that turns me:
Microtest remains the sole owner of the software programs that are part of this
product.
This sucks, and that is just plain stupid. I figure that a standard boilerplate license got slapped on it, and there may be some miscommunication/disconnection between the developers and the legal department. (Who knows, maybe thats why they discontinued and sold the entire division?)
Throw the book at 'em.
Close-
DiskZerver is the product. You don't sue products.
MicroTest claimed to have originated the DiskZerver product, and sold it to Xstore.
Xstore now can sue MicroTest for selling what they didn't own.