Linksys and the GPL, Again

Rob Flickenger writes "While poking around on the Linksys WRT54G (one of the new Linux 2.4.5 based APs) at a SeattleWireless Hack Night session, we noticed a number of binaries in their firmware (including Zebra, PPP 2.4.1, and iptables to name three) that are released under the GPL, some of which are obviously modified. The question is, where is the source code to Linksys' modifications? Their "GPL Code Center" has the packages, but they are the pristine distributions, without any changes whatsoever. I've asked Linksys for clarification, but given Linksys' customer service reputation, I highly encourage other interested parties to ask them as well. More details are up on my weblog on oreillynet.com."

request?

[npietraniec]

Did anyone formally request the source? The just might give it up. Imagine that. Why is this getting so much press?

Re:request?

[jonfromspace]

Isn't the point that you have to distribute the source WITH the product? (Or at least offer it)

Re:request?

[mccalli]

Did anyone formally request the source? The[y] just might give it up. Imagine that.

Did anyone formally read the linked weblog that forms the basis of this article? It just might contain the answer. Imagine that.

Cheers,
Ian

Re:request?

[bahamat]

If anybody bothered to RTFA...

He's basically making 2 claims.
1. Zebra uses non-standard file locations, so it must be modified.
2. GCC used to compile the system has been modified (binary signature is different).

However, I'm currious to what extent of moving files constitutes being "modified". Are these changes that can be made with "./config --target-dir=/someplace/else"? If so, then the claim is baseless because no modification of the source was necessary.

As for GCC, we can see that it was modified because the binary signature is different. Does this constitute a GPL violation? Possibly, I'm unclear what the intent of the GPL is in a situation like this. Basically, GCC was modified and used internally by LinkSys. If I modify GCC and don't distribute it to anyone other than me, do I have to put the changes out on a website (or anywhere)? No. Is it different for a corporate entity?

If binaries compiled with an undistributed modified GCC are distributed, does that then require the disclosure of the modifications to GCC? I think that the spirit of the GPL would have to say yes, but since IANAL, they may be perfectly within the law to keep it. It's exclusion may be just an oversight.

The last time a LinkSys issue came up, we discovered that it was just a matter of someone jumping the gun too quickly. I think that LinkSys is a smart company, and I think they respect the Linux community. I don't think they would shoot themselves in the foot with licencing issues. Let's all have a little patience and give them the benifit of the doubt until there are more facts than speculations, shall we?

Re:request?

[sfire]

As I've been stating and the other replier also stated zebra uses a configure script. --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] allows them to modify file locations, yet not modify the source. This means that the gpled source is all that needs to be downloaded, which is provided on that site.

Troubling.

[Meat+Blaster]

I'm concerned about the recent increase in GPL stories lately where companies that are embracing Linux are being carefully scrutinized. Maybe it's counterproductive to constantly play the hardline approach when Linux is finally starting to get decent drivers... I know part of the reason I switched to Linux in the first place was because I didn't like some of the tactics commercial software vendors were using.

Is this going to chase away companies adopting Linux for use with their products?

Re:Troubling.

[pork_spies]

Look, I write kernel code. not much, but a little. My contact with the users of my code is that if they make something better with my code then they can let me use it too. It's not "going for" anybody to ask that they honour the deal the I (and every other kernel hacker) have struck with them.

Re:Troubling.

dont like it? use BSD.

Re:Troubling.

[aborchers]

Is this going to chase away companies adopting Linux for use with their products?

Companies that don't play by the rules shouldn't be using Linux, even if it costs us good driver support, etc. One of the benefits of using the GPL is that it provides a self-protection mechanism to ensure that Linux is not closed off and fragmented into opaque binary distros. If such fragmentation were allowed, you will see exactly the problems you had previously with commercial vendors appearing in Linux products, only multiplied.

Re:Troubling.

[keester]

I'm concerned about the recent increase in GPL stories lately where companies that are embracing Linux are being carefully scrutinized.
This is FUD. Companies don't support linux because they want to be community friendly. They do it because there is a demand and they want to make money. If they are going to profit from GPL code, then they should follow the terms of the license agreement. It really is that simple.

Re:Troubling.

[femto]

No, it's only going to chase away dishonest companies, which the community doesn't need anyway.

If a company doesn't like the GPL, what's wrong with approaching the authors and saying 'Look, we can't live with this, can we negotiate some other license?'. Instead dishonest companies break the law, and violate the authors' copyright. If someone did it to them, they would be using words like 'theft' and 'pirate'. It's not playing hardball, it's called common courtesy.

Re:Troubling.

[John+Hasler]

> I'm concerned about the recent increase in GPL
> stories lately where companies that are embracing
> Linux are being carefully scrutinized. Maybe it's
> counterproductive to constantly play the hardline

If these companies were using VXWorks or Windows CE you can be damn sure that they would be required to comply with every detail of the much more complex licenses. Why should they not be required to comply with the GPL? It's not like it's difficult or expensive.

> Is this going to chase away companies adopting
> Linux for use with their products?

Only the ones who think that "Free software" == "public domain".

Re:Troubling.

[JanneM]

Because the stuff they want to use is available under GPL, but not BSD?

Re:Troubling.

[Matt+Ownby]

However, in this case Linksys may just be careless, sloppy or ignorant of its obligations. I think it would be a mistake to assume that they are blatantly defying the GPL. I agree that Linksys ought to be reminded of its GPL obligations, but I think it is imperative that this reminder be courteous and polite. Even if Linksys recognizes that they are in the wrong, they won't be eager to continue linux support if everytime they release an update, they receive angry responses.

Re:Troubling.

[pavon]

Yeah, but we really ought to approach this with more grace than the "guilty till proven" innocent stance that slashdoter's seem to seeth with. I mean this guy doesn't have any concrete evidence that the GPL has been violated, didn't give Linksys time to respond to his claims, but instead just posted slander about them on a large news source. Yeah, thats the way to get people to embrace the GPL.

This should be the appropriate line of behavior when you notice a potential GPL violation.

1) Contact the author of the software in question.

They are the ones that have the right to persue a copyright violation, and thus should be the ones to deal with the potential violators, not an angry vigilante. Furthermore, there may be other circumstances which you are not aware of, like if the author is distributing the code in question under a second license. For all you know that "obviously modifed" version was writen by the author himself, so make some money on the side.

2) The author should politely contact the suspect explaining that there is some concern that they might be using his software against the terms of the licence (GPL), and request more information about the situation.

3) The author should check with the good guys at the FSF to make sure he understands all the nuances of the GPL in this situation.

4) If the suspect is not cooperative, the author should then send a more stongly worded letter, stating that the company is in violation of the law. It would be very preferable to hire a laywer to help draft this letter and take a second look at the situation at this point.

5) If the company is still not cooperative, then and only then the author should publicise the violation to the community in the hope that public backlash will cause the company reverse their opinion.

6) As a last resort legal actions should be taken, if money can be had for the trial.

Yes, Linksys has a history of things like this but that does not justify these knee-jerk reactions.

Re:Troubling.

[Jim+Hall]

Under GPL, you basically have your hands tied. You can't legally modify and use the code withouth submitting them back, and you can't really submit back the changes because they are usually hacks to get it to work how you want (not "improvements" on the code).

That's incorrect. The GNU GPL does not require you to submit anything back to the project you modified. However, the source code is under the GNU GPL, and the GNU GPL does require you to make that source code available if you redistribute the program. Check section 3.

If you make changes (even a hack to get something to work right on your hardware, or even to correct someone's spelling mistake in an error message), those changes are also under the GNU GPL, and you are similarly required to make that source code available if you redistribute the program.

I work on several open source / free software projects, including the FreeDOS Project. I've dealt with companies who use and redistribute FreeDOS and forget to provide the source code. Usually, all it takes is a friendly note: "hey, you forgot to make the source code available ... see section 3 of the GNU GPL ... here are some ways to do that." If the email is not harrassing ("show me the source or I'll sue your pants off") or intimidating ("you are so lame, why didn't you include the source?") the company will correct it and make the source code available as soon as possible.

The key thing to remember here is not to be an asshole to Linksys/Cisco. If they didn't provide the source code, just remind them what to do, and they'll fix it. If we act like assholes, what kind of message does that send to Linksys/Cisco?

(I'm not suggesting the original poster is an asshole - he's not. But we should be sure to keep our attitudes in check when dealing with Linksys/Cisco.)

-jh

Re:Troubling.

[Otter]

Absolutely, companies have to play by the rules. At the same time, there is probably a better way of enforcing the rules than the usual mechanism of "somebody thinks there might be a GPL violation and immediately sends the Slashdot mob after them".

In this case, the only evidence AFAICT that the Linksys binaries are based on modified code is that files are installed in non-standard locations, which hardly requires source modification. And, as usual, the complainant hasn't bothered to wait for a response from the company in question. (Atypically, he at least asked.) It's far from clear that we need to go to DefCon 3 over this.

Re:Troubling.

[dominator]

There is a better way. I'm in the process of filing suit against a repeat GPL violator. The guys at the FSF are *extremely* happy and willing to help you through this. They're willing to provide legal assistance and even represent you throughout the process. Their goal is to free software, and to protect the rights of the free software that's out there.

If you have a problem, send Bradley Kuhn a quick email. He'll probably get back to you within a day or two. If things look naughty, you'll probably have a phone or in person conversation with him and/or Eben Moglen. I have.

Slashdot should be a last resort for these sorts of things. Mass hysteria and flamage is bad. The press is a powerful weapon that you should use - but only when it's the right time for it. Only use this if your other doors have been shut. Treat it like a doomsday device.

If you haven't contacted the FSF or the program/library's author about this, posting this to Slashdot is downright irresponsible and even reprehensible.

Dom

Who takes the reigns?

[Doesn't_Comment_Code]

I would really like to see some "Open source lawyers" ... or the lawyer version of open source software developers. People who go after random problems like this in their spare time. It would make the world a better place. Imagine GOOD lawyers, not bad ones - working for free for the betterment of society.

If there were people like that around, I would like to see them follow up this case, and those like it.

In the absence of open lawyers, I think a lot of GPL and licensing issues will not be followed up. Without someone to pursue a law or contract, it doesn't really do much.

We've been lucky until now because all the people using GPL software have the open source spirit. But the more open source gets into a market driven economy, the more we will see this type of thing.

Bring on the Open Lawyers!

Re:Who takes the reigns?

[bn557]

I've met a few, although they usually go by public defenders. They start out 'for the good of society' but after defending the 7th 14 year old who shot his mama cuz she wouldn't buy him some new pumas, they quickly turn to alcohol and depression.

Pat

Re:Who takes the reigns?

You mean like the EFF and the ACLU?

obviously ?

[javatips]

we noticed a number of binaries in their firmware (including Zebra, PPP 2.4.1, and iptables to name three) that are released under the GPL, some of which are obviously modified

What he means by obviously modified? The file size is different? Maybe they just compiled it with different parameters!

Re:obviously ?

[blane.bramble]

Considering some of the files for zebra can be reconfigured when running configure, and others can be specified on the command line, this implies nothing of the sort without any specific examples.

Reasons why this might not be true

[sfire]

we noticed that the zebra running on the WRT54G doesn't use the standard configuration file locations. This means that it must certainly be a modified binary.

This may just be stuff sent to the configure script, using the vanilla sources.

binaries are compiled with a modified GCC (with a signature string of "GCC: (GNU) 3.0 20010422 (prerelease) with bcm4710a0 modifications"). That bcm4710 refers to the Broadcom chipset that this AP is actually made from.

Did they release the modified GCC? Somehow I doubt they put gcc on the access point. Since they did not release the binary, they don't need to release the source.

Re:Reasons why this might not be true

[perly-king-69]

binaries are compiled with a modified GCC

Could this, plus params sent to ./configure cause the obvious changes?>

Re:Reasons why this might not be true

[aridhol]

then Broadcom would have to release their changes.

Yes, Broadcom would have to release their changes. But not to the general public. The source only has to be released to the same organizations to whom the binaries were released - in this case, Linksys. If Broadcom gave you a copy of their modified GCC, they'd also have to give you a copy of their source.

Re:Reasons why this might not be true

[JimDabell]

If Broadcom was distributing the modified compiler as part of an SDK to third-party developers using the chip, then Broadcom would have to release their changes.

Yes, but only to the third party developers, they have no obligation to release the source to the world. Ask one of those third party developers to get you a copy.

Re:Reasons why this might not be true

[Jah-Wren+Ryel]

You are confusing installation and configuration on the user's system with installation and configuration done at the factory.

The GPL refers to the tools used to install the software on the user's system by the user's own hand. The software in question here is embedded, that means all the software was installed at the factory and thus any tools used to install that software are not covered by the GPL.

Re:More and more...

[SubtleNuance]

Who is this "we" of which you speak? GNU/Linux users are not violating anyone's copyright. The GPL, the license does not encourage or facilitate copyright violation...

What are you talking about?

Why is it "obvious"?

[aridhol]

The "obvious" change is that the configuration files are in a different-than-standard location for Zebra. However, there are two problems with this:

• Zebra has a commercial port by the primary developers, which may be modified by license
• ./configure --prefix=whatever --sysconfdir=xxx allows you to change file locations before compiling, without changing the source.

The article also states that LinkSys is using a modified GCC. So what? They aren't distributing a modified GCC, so they are not bound to distribute sources.

Re:A new bad guy?

[JZ_Tonka]

"It looks like Linksys wants to use superior GPL code, but doesn't want to play by the rules and let competitors in on the action. If they were going to act this way, than they should have stuck to proprietary works."

Hence the reason why corporate industries shy away from the GPL and developing OSS in general. Giving competitors their superior code means they lose their competetive edge, and consequently costs them money.

Re:A new bad guy?

I know for a fact that a few other companies are using Linux in their network devices (ie, VPN gateways, routers, etc.) that are not even mentioning they are using Linux and calling it their own proprietary OS. This was from a conversation I had with one of the company's product managers. I bet many other network device manufactures out there are using modified Linux and other GPL'ed code in their products and not revealing that they are.

Duplicity

[WindowsTroll]

From the article

"I believe the GPL is an important document that is intended to prevent exactly this sort of theft of code. Any company that incorporates GPL software into a commercial product and attempts to skirt the licensing terms is nothing short of a thief, building on the stolen effort of countless contributors. "

Let me make sure that I have this right - it is not OK to "steal" copyrighted software that is "freely" distributed, but it is OK to "steal" other copyrighted materials (mp3s) that were never "freely" distributed?

When on the opposite side of the fence....

[Sean80]

Uh oh, here I go. I honestly don't understand how the claims in this post are any different from those claimed by SCO.

I just presume that, given the audience that visits Slashdot, people will at least be smart enough to realise that they're now on the other side of the fence. Sure, maybe SCO are wrong. But maybe, just maybe, they believe they're in exactly this same position.

Re:And the RIAA says...

Fair enough. If someone trading RIAA copyrighted music gets busted, they live with the consequences.

The objection to the RIAA and friends is not that they are enforcing their copyright, but that they are using a dragnet approach. A lot of people who do not trade restrictively licensed material are caught up by virtue of the DMCA. Those who want to write their own DVD player, those who want to remove anti-compeitive measures in DVDs (region coding), those who want to run Linux on games consoles, those who want to build a jukebox with their own music, and so on...

like with SCO -- prove it

[hankaholic]

It's cool to bash Linksys because some idiot with posting rights to O'Reillynet.com doesn't know enough to download the source code and check out the configure options, but SCO makes accusations and everybody flips out.

In both cases, I say, prove it. Prove that Linksys didn't build the source using their compiler (which they haven't given you a binary to, and so don't owe you source) and the original source code which the author of the article admitted was available for download, using configure flags to specify an alternate configuration file location.

Guess what? It's totally possible that Linksys is in full compliance with the GPL. This guy didn't bother to make sure that the code was in violation before crying foul and putting up a "Linksys sucks -- email them and ask for the modified source!" page.

I took two minutes to "apt-get source zebra", and look at this:

chet@bunny:~/tmp/zebra-0.93b$ ./configure --help | grep dir
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--datadir=DIR read-only architecture-independent data [PREFIX/share]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--infodir=DIR info documentation [PREFIX/info]
--mandir=DIR man documentation [PREFIX/man]
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
headers in a nonstandard directory <include dir>
chet@bunny:~/tmp/zebra-0.93b$

There's nothing to see here, folks. There's no story here, because just like with the SCO stories, there is absolutely no substantiated evidence.

Congratulations, Michael. You have been trolled. Maybe if you'd read the article before posting it to the front page you'd have spared Linksys some bad publicity.

Re:A new bad guy?

[DavidTC]

Their superior code? If it's their superior code, they why don't they release it under whatever license they want?

Meanwhile, back to the LinkSys discussion, which is about LinkSys using someone elses's superior code. (And, BTW, is a bunch of crap, the article poster has no evidence that the binaries are modified.)

Re:A new bad guy?

[sfire]

And as I've been stating, I think Linksys is uses unmodified source code. Zebra uses the configure script to decide where files get stored. So all that is needed is --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] to place the files elsewhere, while not modifying the sourcecode.

Weak point of the GPL

[RevMike]

This is a perfect example of one of the weaknesses of the GPL.

The GPL requires that anyone who publishes or distributes a GPL binary also make available (in a machine readable format normally used to exchange source code files) the source.

The intent is that the receiver of the GPL binary should be able to regenerate it from source, modify it, and generate enhanced versions.

By using a tool not generally available to build the source, the distributor has made it difficult for end users to enhance the software.

Hopefully the FSF will modify future versions of the GPL to require the following:

• The source code be supplied with clear documentation detailing the tools and their versions used to execute the build.
• Any "in-house" proprietary tools and proprietary patches of tools that materially affect the ability of others to replicate the build process must also be disclosed under a free and open license.
• If commercial proprietary software is used as a tool in said build, the distributor must not enter into any sort of contract, agreement, or other understanding with the tool vendor that prevents the user from acquiring those tools and using them to enhance the software.

I think this will generally cover the bases. Linux can be compiled with a proprietary compiler - usually one supplied for use with a specific chip set - but the distributor must enable their customers to replicate the builds.

Re:Weak point of the GPL

[glenstar]

Holy crap! If those modifications made it into the GPL I don't think any software company would even consider using it. Think about it... not only would they have to release their code (IP), but create detailed documents about build environments, in-house tools, etc, etc... Why not just close up shop? You would be giving your competitors a detailed blueprint for creating a product from which your company is trying to make a profit.

No thanks, the GPL is hard enough to sell as it is. Remember that fracas about using GPL'd Java packages? Holy shit! People were claiming that since technically the GPL'd Java code was linked at *runtime* that maybe the entire project would have to be GPL'd. Wow.

Give me a BSD or Apache license any day... licenses should not, in my opinion, have an almost religious ideology behind them.

You also said: By using a tool not generally available to build the source, the distributor has made it difficult for end users to enhance the software.

GPLers throw around that phrase a lot, "end users". The assumption is that an end user even knows what a compiler is. Most of them do not. For a true end user the GPL doesn't do or mean shit. I mean, come on, they have the "right" to modify their software... and most of them don't even know what a commandline is. That's very useful.

To the *developer*, the GPL is potentially another story. It's great to have access to code, to make changes, etc. But, let's keep that straight... the GPL is for the developer crowd and not the end user. It is not liberating the end user from anything at all.

Re:BSD

[mrscott]

You wouldn't have been a defendant anyway. Your company would have been. If I were your boss, I'd probably be displeased to find that one of my people added an additional operating system to our support load without prior authorization as well. If you were trying to sway him, you might have considered going to him before you went off on your own and did something that you obviously knew he wouldn't appreciate.

Re:GPL loophole?

[crosbie]

Yeah, if it doesn't already, the GPL needs to specify that the binary (or a 100% functional binary compatible equivalent) must be derivable from the source code in combination with a compiler/toolset (for which source code must be available, and this source code must produce the compiler/toolset (or functional equivalent) when used in conjunction with a standard compiler).

Tricky.

Keep bashing them

They'll eventually grow sane and switch to BSD.

Not a GPL loophole.

[ChrisDolan]

From the GPL:

"The source code for a work means the preferred form of the work for making modifications to it"

My interpretation is that if you routinely need to change pieces of GCC to change your code, then the GCC source *is* your source and the GPL requires you to release it.

I don't know....

[Eminor]

They only have to release the source code if they are distributing the software. In this case, it is embedded in a product (firmware). I don't know how the GPL would be interpretted in this case (are they distibuting this software).

I would say that in this case a company should not have to release their source. I think it is quite petty to be making this into a big deal. They've adopted linux in their firmware. It's been modified to work with their hardware, so how are these modifications going to be useful to people who haven't bought their router?

I do agree that in most that when you distribute modified GPL software you should release the source, but in this case the software is hidden inside a product. The only thing obvious to the user is the FUNCTION of the firmware, not the architecture of the firmware. So are they really distributing GPL'd software? Not in the traditional way.