Slashdot Mirror

← Back to Stories (view on slashdot.org)

Abusing the GPL?

Posted by Cliff on from the manipulations-and-loopholes dept.

Anonymous with good reason, a reader would like to bring this important question to your collective attention: "Our (technically savvy) lawyer has advised my company that 'incidental resources' do not a work derive. For example: If I have a student's version of a development environment whose license does not allow me to distribute code compiled with it for commercial use, I am legally allowed to use the environment to create my ANSI C++ code, which, when I compile it with GCC, I am free to use to whatever commercial end I like. This seems fairly intuitive. (After all, you could have written the same thing in a text editor, and the debugging, etc, that you need the IDE for doesn't actually 'show up' in the final code). Here's the kicker: My company wants to translate this to an abuse of the GPL and has been advised 'full speed ahead!'"

"How, you may ask?

Integrate the highly useful GPL code we're eyeing into our only slightly more complex (but much more lucrative) project, thereby saving us at least 30% of the coding involved. The company then go all the way to production with it, but instead of finally compiling the actual project for distribution, they instead compile a bunch of incomprehensible gobbledygook that just happens to compile to the same bytecode. You know the game: globally replace every function name, variable name, and so on from our code with nonsensical names (or random characters), remove all of the comments, and any other form of obfuscation they can introduce. They will then GPL the obfuscated gobbledygook, which isn't much more useful to anyone than reverse-engineered bytecode would be (it is a complex project). 'Voila!' All the benefits of a huge GPL project and countless thousands of volunteer hours and unreadable, incomprehensible source tree.

For the record: I do not think this is right yet, I have not been able to find any precedent for why the GPL should protect against this kind of abuse.

I'm not trying to snitch on my company -- or lose my job, which is why I am posting anonymously -- but hopefully some lawyers out there could point out some iron-clad legal reason preventing this sort of thing. I've read the GPL through at least a dozen times since yesterday, and so far it looks like our lawyer is right. I have not found any relevant linkage either, as I have mentioned. Links to extended legal analyses of the GPL from a technical standpoint (if any exist) would be the most helpful. All help is appreciated."

9 of 661 comments (clear)

  1. Source code = preferred form for modification by phr2 · · Score: 5, Informative
    The GPL explicitly defines source code as the preferred form of a program for modifying it.

    To find out whether the gobbletygook you distribute is source code or not is simple: if you normally add features to the program by editing the gobbletygook, it's source. If you instead edit the stuff that you compiled to gobbletygook and then recompile it, then the stuff you distributed isn't source and it's a clear-cut GPL violation.

  2. Why did it take so many posts? by fizbin · · Score: 5, Informative

    Why did it take so many posts for someone to point this out? Do people not read the GPL?



    What a day to be without moderator points...



    For those too lazy to read the whole thing, read section three, point #3 very carefully. Just because something compiles does NOT mean that it is source according to the GPL. That you would not do development on the obfuscated gobbledegook clearly shows that the obfuscated version is NOT the preferred form for modification. I would be highly suspicious that your lawyer is insufficiently anal when reading contracts if they missed this.



    As for precedent, can anyone find a discussion of GPL'ed yacc/bison grammars? This would fit exactly the case above - the original source that must be distributed is the .y file, not the result of compiling the .y to a .c file. Unfortunately, I don't think that anyone has ever been tempted to rip off a GPL'ed grammar.

    1. Re:Why did it take so many posts? by Sir+Robin · · Score: 5, Informative

      Section 3 also mentions: The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. [Emphasis mine.]

      So, not only do that have to release the unobfuscated code, but they have to release the scripts that obfuscated it. What fun! :)

      --
      My /. ID is only 5,210 away from Bruce Perens's.
  3. You company does not have permission by Jamie+Lokier · · Score: 4, Informative

    (BTW, I am not a legal advisor. This is my understanding of the GPL).

    If you are including other people's GPL'd source code in a program which you distribute, then you must abide by the terms of that license. Section 3 of the GPL is precise enough to disallow scrambling the source code:

    1. You must provide the source code of the whole GPL program to your customers, as defined in clauses 3a, 3b and 3c.
    2. The provided source must correspond exactly with the binary that you give your customers. So it must include your modifications, for exactly that version.
    3. The provided source must be in the "preferred form of the work for making modifications to it". That means the source code must be what you actually load into your editor to develop the software. In other words, you must distribute the useful source code.

    There is nothing to stop you changing all the variable names, or the style of someone else's code. However, if you distribute a GPL'd binary then the source you distribute with it must be the source that you prefer to use for modifying the program yourself. You may be called upon to prove this in a dispute.

    For reference, section 3:

    3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

  4. It's a GPL violation, and more by Bruce+Perens · · Score: 5, Informative
    Obligatory disclaimer: This is not legal advice, get another lawyer than the one you've already heard from to give you that.

    The GPL states:

    The source code of a work means the preferred form of the work for making modifications to it.
    That term was written to prevent exactly the sort of obfuscation the attorney is proposing. Obfuscated code is demonstrably not the preferred version for creating modifications. So, what is being proposed is a GPL violation, and your company's attorney missed that part of the license. The talk about incidental resources isn't germane, it actually seems to be intended to confuse, because what is being proposed clearly is a derivative work, and the company attorney is acknowledging that when he suggests that the obfuscated code be GPL-ed.

    But there are simpler remedies than legal ones. If the free software developer community hears about a product using obfuscated code to circumvent the GPL, they will retaliate by creating a non-obfuscated version and using it to compete with your company's product. They are experienced at reverse-engineering, they have excellent tools for code reformatting and analysis, and there are a many programmers who will be angry enough to work on this.

    If your employer wants to unashamedly take advantage, they are simply buying a lawsuit. The free software community does have the resources to bring one - it would probably be brought by law professor Eben Moglen of Columbia University. He wants more legal tests of the GPL, and would love to make an example of your employer. Don't go there.

    Bruce

    --
    Bruce Perens.
  5. A two part problem by Christian+Hicks · · Score: 5, Informative
    This sort of issue breaks down into two sub-problems:

    1. Is it in violation of the GPL? This question is not a simple one, but such actions may very well be violation of the GPL. If this matter reached court, the question would center on whether the process applied to the GPL'd code constituted part of the process to create the derivative work, as derivitive work is defined in the GPL. For example, an expert might argue that code obfuscation can be part of the compilation process. It is oversimplified to say that laws are reinterpreted on the fly to capture the intent of the law. What is true is that these sorts of questions - for example, what constitutes compilation - are likely to be viewed in a manner which assists the obvious intent of the applicable contract/law.

    2. If it is a violation, can it be proved? Probably. Our company works for lawyers on code plagiarism cases all the time. There are many algorithms you can apply to show statistically significant relationships between a body of code and its obfuscated counterpart. The same should be possible with bytecode. Once a reasonable basis for suspicion is established, plaintiffs could get discovery of the company's code repositories and depose employees under oath.

    Christian Hicks
    Elysium Digital, L.L.C.
    http://www.elys.com

  6. Re:Cut and dried Copyright violation by renehollan · · Score: 4, Informative
    if you (re)distribute changes, you must at least distribute those changes as source code.

    The GPL does address the issue of what constitutes "source code" at some length. From section 3:

    The source code for a work means the preferred form of the work for making modifications to it.

    I'd hardly think that obfuscated source would qualify as "the preferred form of the work for making modifications to it."

    --
    You could've hired me.
  7. Re:Sounds wrong to me by TheCarp · · Score: 5, Informative
    Because the GPL says you have to redistribute the source, modified or original, as source. You can do it as binary too, but you have to distribute the source to any person that you distribute a binary to that wants it. This obfustcated text is NOT source code... it is a preprocessed intermediate bytecode.

    Now, the fact that this intermediate bytecode is legal C or whatever other language the original was written in doesn't make it source. It just means that that is the internal syntax of this intermediate stage. This is because the defining characteristic of source code is that it is human readable. It is what the developer wrote and would use to modify it himself. WHen you preprocess this in such a way that it is no longer suitable for human reading and maintaining, it ceases to be source...and ceases to meet the GPL source requirement.

    I highly recomend that anyone who is going to talk about this actually READ the GPL

    From the GPL:

    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.


    -Steve
    --
    "I opened my eyes, and everything went dark again"
  8. Your clarifying language... by SPYvSPY · · Score: 4, Informative

    Yes, that would be one test for "preferred form", but there are others and the other side of any dispute will present them. The point is that the standard that you propose does not necessarily follow from the language of the GPL. In other words, your standard is more suitable than the GPL language. Of course, at trial, the credibility of your engineers and/or anyone testifying about their procedures will be at issue.