GPL Violation, Microtest's DiskZerver

Early this week, brtb submitted an eye-opening write up which may end up as the classic example of a large-scale GPL violation. Microtest's DiskZerver, a NAS device designed to handle CDs, would seem to be a sharp product, except it's based on software licenced under the GPL and potentially other free-software licenses as well. Of course, you would never know this, because Microtest never mentioned it, however that didn't stop Microtest from manufacturing and then marketing the device before it sold it off to another company. DiskZerver's new company xStore, which was unaware of the licensing issues, was notified about them, and this impending article. They have yet to comment. In situations like this, what should a company do to bring such a glaring GPL violation back into compliance?

Slashdot reader brtb reports:

About a year ago my employer, a local high school, purchased a couple MicroTest "DiskZervers," network-attached-storage boxes designed to cache CD images for LAN usage. We were mainly Netware-and-Win95 at that time, and the Zervers performed flawlessly in that configuration. But problems began when the district IT department made the decision to switch us over to an NT-domain setup. The Zervers, even with their advertised "Domain Integration" support, didn't seem to like this too well, so I dug a little deeper... imagine my surprise when I found out the boxes are actually embedded 486's with Linux and a whole slew of other GPL'ed software, mentioned nowhere in the manuals or on the accompanying software CD.

Apparently, Microtest (NAS division since sold to XStore) put together a mess of GPL software - a modified Linux kernel 2.0.27, Samba 1.9.x-ALPHA (!!!), the MARS_NWE netware emulator, and GNU C libraries (libc5), among others, stuffed them on a flash chip in a drive-bay-size embedded 486-based computer, and sold it as their "DiscZerver" product line. They also used some non-GPL packages, including Apache and Netatalk (macintosh server). Nothing wrong with their methods, but there's plenty wrong in their implementation.

The web interface and proprietary Windows front-end, the only given methods of configuring the device, refer to the various services generically, like "Web server," "SMB server," "NCP server," etc. - there's no mention anywhere, even in the manual, of the actual programs being used. Of course along with this is no accompanying source code or even the offer to provide any, as the GPL requires.

I can't even get any useful tech support from this company, much less someone to ask about getting the source code for the software and whatever modifications they made, which includes a flash file-system driver ("yaffs" - I think MicroTest wrote it, as I can't find any info on it) for the kernel. I did manage to hack out the hidden-from-customers root password; with that I found a shell prompt (Stand-alone Shell v1.0 - GPL? dunno) which only increased my determination as I could see exactly what programs they managed to steal, strip out identifying info, and use without credit.

I did contact the FSF with the limited information I had before I got shell access, and they did confirm the existence of a GPL violation, but were unable to do anything specific as they do not hold copyright on any of the programs I knew of at the time (and actually suggested I post to Slashdot to get some answers). xStore itself has not returned my emails or phone call. I have another e-mail in to the FSF, now that I know the machine includes glibc1.

So, right now I have a nice little piece of hardware, some mis-compiled (I think) software, and no idea what to do next. At the very least, I learned that my usual policy of disassembling and analyzing any new hardware we get is the right one; of course that doesn't help all the LAN users that need access to these CDs. I'd be happy if I could just get the code so I can fix SMBd/NMBd to work properly. I've thought about trying to make my own really-small distro to load on, but it's not really worth my time - I could just load the cached CD images (thankfully just standard .ISO's) off the Zerver's CD-storage hard drive into my other Linux server, compile and install Samba correctly (works great if you do it right) , and get on with life... but I really shouldn't have to do either. Any ideas?

Put up and FTP site

[evenprime]

If they put up an FTP site that includes a) all the original source code used for the product, and b) all the modifications, there should not be a problem. The GPL allows the sale of products based on GPL'd code, but you have to give your changes back to your customers. They probably only have to give the source code and their changes to customers, though, and not to the general public.

Re:Put up and FTP site

[spudnic]

I really doubt that they would lose any customers.

Any potential customer who, as you said, "had oogles of free time -and- the requisite skills" probably wouldn't even look at a product like this in the first place. They would already know what could be accomplished with a stock Linux install. These are the guys (like most of us) who would read the advertisement for the product and say, "Gee, I can do all that with Linux for free."

Now on the other hand, if their time where valuable, they might look at this product a little differently. Sure it could be done in house, and we could develop or modify some control software to make it easy to administer for non-tech, but why? In this case, I'm paying for the work they did in setting this up as a package, not for the underlying GPLed code.

Things are very different in the business world than when you are in college or just starting out. My company would gladly pay an extra few hundred bucks or so for a turnkey solution rather than to pay my salary for a couple of days for me to get all this set up by myself.

FSF & Copyright

[ryants]

but were unable to do anything specific as they do not hold copyright on any of the programs I knew of at the time (and actually suggested I post to Slashdot to get some answers).

And now some of you who say the FSF (and by extension, RMS) are "control freaks" since they ask that the copyright of GNU stuff be assigned to them see the reason why.

It isn't about control: it's about protection.

you may have broken the license agreement....

[jeffy124]

How did you figure out that the product was full of GPL code and such? From the looks of things, it appears you had to reverse engineer binary code and hack out a root passwd. IANAL, but chances are good xStore put in the license agreement that you werent allowed to do those two things. You may run into trouble with that should everything turn out legit. Yes, they may have breached the GPL, but their agreement probably restricted you from those activities.

Basically, it's an issue of risk. If it turns out that they have no GPL violations, then you could get nailed for breaking the license they provided. On the other hand, you could show that they broke the GPL prior to specifying the license terms you use the product with, either voiding their license or something of that nature.

Re:you may have broken the license agreement....

[BRTB]

Now I've been known to be wrong, but here's the way I see it: I knew it was based on GPL software just from looking at the syslogs in the interface - the boot sequence from Linux kernel and various lines from "smbd", "nmbd" and "nwserv" were pretty hard to miss. As far as I can see, the software they wrote themselves was the Web interface itself, a filesystem driver and some CD-image-management programs; the only "reverse-engineering" I had to do was to the GPLed software itself.

BTW, just so nobody goes off on a security tangent about a hidden root password, I tested the one I found on the second Zerver and it doesn't work, so apparently they made it different for each machine (GOOD IDEA).

Re:Did they modify/redistribute, or just distribut

[ryants]

So, they slapped together a box and shipped it out without mentioning Linux or GNU. Does the GPL say anything about this?

Yes. Section 1 of the GPL applies here.

If they have not made any mods are they still required by the GPL to have the same offer?

Yes. Again, section 1.

What if they had embedded a minimal Linux setup in an EPROM? Seems it'll be a pain to use Linux in an embedded device if you have to keep provided source media even if you didn't change any GPL'ed code and just added your own programs

I don't see what the pain is in putting the GPL in your manual along with a written offer to provide source (see section 3 b) of the GPL).

This is an embedded system

[imp]

People have been saying for years that embedded systems need not fear from open source zealots.
since the software wasn't distributed separate from the hardware, it is hard to know if this fits
the definition of a distribution within its meaning in the GPL.

This is the reason that our systems are based on FreeBSD. We have a niche market (high precision timing systems) where we still have a lot of proprietary IP. FreeBSD lets us deploy that
without fear of GPL forcing issues.

And before anybody says anything, the company has
paid me for many hours of FreeBSD bug fixes over the years and contributes back to FreeBSD all that
we can because we know that it is in our best financial interst. FreeBSD isn't our compeditive
advantage, our ability to do high precision timing
systems is.