Slashdot Mirror
Linksys and the GPL, Again
Rob Flickenger writes "While poking around on the Linksys WRT54G (one of the new Linux 2.4.5 based APs) at a SeattleWireless Hack Night session, we noticed a number of binaries in their firmware (including Zebra, PPP 2.4.1, and iptables to name three) that are released under the GPL, some of which are obviously modified. The question is, where is the source code to Linksys' modifications? Their "GPL Code Center" has the packages, but they are the pristine distributions, without any changes whatsoever. I've asked Linksys for clarification, but given Linksys' customer service reputation, I highly encourage other interested parties to ask them as well. More details are up on my weblog on oreillynet.com."
They just bought linksys, right? So wouldn't this take an increasingly interesting turn if it's Cisco violating the GPL instead of "just" Linksys. heh, go after the deep pockets :-)
Is this going to chase away companies adopting Linux for use with their products?
Are you sure you're not infringing your countries' laws by fiddling around with the internals of the router
Or is that still legal?
--
This sig is inoffensive.
I would really like to see some "Open source lawyers" ... or the lawyer version of open source software developers. People who go after random problems like this in their spare time. It would make the world a better place. Imagine GOOD lawyers, not bad ones - working for free for the betterment of society.
If there were people like that around, I would like to see them follow up this case, and those like it.
In the absence of open lawyers, I think a lot of GPL and licensing issues will not be followed up. Without someone to pursue a law or contract, it doesn't really do much.
We've been lucky until now because all the people using GPL software have the open source spirit. But the more open source gets into a market driven economy, the more we will see this type of thing.
Bring on the Open Lawyers!
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
we noticed a number of binaries in their firmware (including Zebra, PPP 2.4.1, and iptables to name three) that are released under the GPL, some of which are obviously modified
What he means by obviously modified? The file size is different? Maybe they just compiled it with different parameters!
Absolutly not, but you do have to make it available upon request.
Finkployd
To date, many people have asked, no one has recieved.
It looks like Linksys wants to use superior GPL code, but doesn't want to play by the rules and let competitors in on the action. If they were going to act this way, than they should have stuck to proprietary works.
Did anyone formally read the linked weblog that forms the basis of this article? It just might contain the answer. Imagine that.
Cheers,
Ian
we noticed that the zebra running on the WRT54G doesn't use the standard configuration file locations. This means that it must certainly be a modified binary.
This may just be stuff sent to the configure script, using the vanilla sources.
binaries are compiled with a modified GCC (with a signature string of "GCC: (GNU) 3.0 20010422 (prerelease) with bcm4710a0 modifications"). That bcm4710 refers to the Broadcom chipset that this AP is actually made from.
Did they release the modified GCC? Somehow I doubt they put gcc on the access point. Since they did not release the binary, they don't need to release the source.
The GPL clearly states that the modified source code must be avaiable on-line? Or the modified code may be only avaiable off-line?
------I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.------
Who is this "we" of which you speak? GNU/Linux users are not violating anyone's copyright. The GPL, the license does not encourage or facilitate copyright violation...
What are you talking about?
With no real threat of serious (ie costly) legal action for violating the GPL, what's to stop this happening again and again? How many other companies have stolen GPL code and are distributing it without our knowing about it?
Then again, if someone did sue for copyright infringement, what kind of damages could you claim?
The article also states that LinkSys is using a modified GCC. So what? They aren't distributing a modified GCC, so they are not bound to distribute sources.
I can't say that I don't give a fuck. I've just run out of fuck to give.
For those who have not read the linked weblog entry, here are the reasons he believes it to be a GPL violation:
1) "One perfect example of this is Zebra, the advanced dynamic routing software package. By opening the firmware file directly, as well as by making queries through the makeshift ping interface mentioned earlier, we noticed that the zebra running on the WRT54G doesn't use the standard configuration file locations. This means that it must certainly be a modified binary." He also mentions that Linksys seems to have used a modified GCC to compile their software, "with a signature string of "GCC: (GNU) 3.0 20010422 (prerelease) with bcm4710a0 modifications"). That bcm4710 refers to the Broadcom chipset that this AP is actually made from."
2) Yes, the author DID email Linksys asking for the source code. You can read that message here. According to the update at the bottom of the weblog entry, he got a response shortly before midnight on 29 July, but it just said that the issue was being directed to second level support.
Unless they provided you with a license to run the compiler which they have, they aren't required to furnish source code.
If they were provided with a modified version of GCC, they themselves do have a right to the modified source. The GPL provides you with the freedom to make and distribute modifications to a program which is licensed to you.
However, it doesn't say that you have to provide the program itself to anyone.
I use GPM for mouse handling. The software was made available by the author(s). I can make modifications to it all I want, but unless I provide someone else with a binary based upon my modified source, I don't have to provide source code to anything.
Know your rights well. Know where they stop even better -- you don't want to come off as a maniac claiming rights to that which isn't yours, but be sure that you know what rights are provided to you.
I'd like to know RMS' take on GPL'd apps being distributed as part of an "embedded" device. Google, here I come...
Somebody get that guy an ambulance!
1. Maybe someone could tell SCO that the Access Point uses unauthorized derivatives of SYS V unix containing hundreds of thousands of lines of code.
2. Then SCO could sue Linksys to release their code so they could see if it contains their "IP". Then the Slashdotters could see the code.
3. PROFIT!!!
Take this sig and shove it.
while you're at it, imagine whirled peas
From the article
"I believe the GPL is an important document that is intended to prevent exactly this sort of theft of code. Any company that incorporates GPL software into a commercial product and attempts to skirt the licensing terms is nothing short of a thief, building on the stolen effort of countless contributors. "
Let me make sure that I have this right - it is not OK to "steal" copyrighted software that is "freely" distributed, but it is OK to "steal" other copyrighted materials (mp3s) that were never "freely" distributed?
"Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
I just presume that, given the audience that visits Slashdot, people will at least be smart enough to realise that they're now on the other side of the fence. Sure, maybe SCO are wrong. But maybe, just maybe, they believe they're in exactly this same position.
In both cases, I say, prove it. Prove that Linksys didn't build the source using their compiler (which they haven't given you a binary to, and so don't owe you source) and the original source code which the author of the article admitted was available for download, using configure flags to specify an alternate configuration file location.
Guess what? It's totally possible that Linksys is in full compliance with the GPL. This guy didn't bother to make sure that the code was in violation before crying foul and putting up a "Linksys sucks -- email them and ask for the modified source!" page.
I took two minutes to "apt-get source zebra", and look at this:There's nothing to see here, folks. There's no story here, because just like with the SCO stories, there is absolutely no substantiated evidence.
Congratulations, Michael. You have been trolled. Maybe if you'd read the article before posting it to the front page you'd have spared Linksys some bad publicity.
Somebody get that guy an ambulance!
You are mistaken about this.
You can charge what you will for verbatim (un-modified) copies of the source. but if you sell someone the binary, the source must either accompany the binary, or be offered "for a charge no more than your cost of physically performing source distribution".
What this means is that if I haven't purchased the binary (inside the router) I can't demand they give me the source. I have to negotiate for it; they can demand any price they want. But once I've bought the router, I can demand the source for the binaries. This effectively limits the amount they can charge for the source to the amount they can charge for the binary.
See Section 3 of the GPL (http://www.gnu.org/licenses/gpl.txt) Version 2, June 1991:
The thing about things we don't know is we often don't know we don't know them.
Their modified GCC is not 'normally distributed with the major components of the operating system'. So according to this clause it needs to be distributed (in source or binary form). But, since GCC is under the GPL the source of the modified GCC must be released.
QED.
Wait, wait. If I claim rights that I don't have, won't that make it easier for me to get a job with the RIAA?
-------------------------
As easy as herding cats!
OK, so Linksys used a modified gcc to compile some of the GPL'd software on their AP. As noted, unless they put the modified gcc binaries on their AP as well, they don't have to distribute the source. But this raises an interesting point.
Say I create a modified compiler that recognizes some piece of code, or tag and replaces it with an "improved" piece of code. For example, it recognizes the code for a particular driver, like the tg3 driver in the Linux kernel, for one example, and inserts optimized compiled code in place of the actual code in the output binary, where this optimized code is actually a completely new driver, derived from the original GPL driver.
Now technically, I haven't broken the GPL if I distribute the output binary in a product but don't distribute the source for the optimized driver. The optimizations are present in gcc, not the source code, and I'm not distributing gcc. The changes in the output binary are just the way that the compiler I used "interprets" the code that was compiled. It does, of course, break the spirit of the GPL. Is there a way to address this, or is it a giant glaring loophole in the GNU Public License?
-Todd
"The details of my life are quite inconsequential..."
If anybody bothered to RTFA...
He's basically making 2 claims.
1. Zebra uses non-standard file locations, so it must be modified.
2. GCC used to compile the system has been modified (binary signature is different).
However, I'm currious to what extent of moving files constitutes being "modified". Are these changes that can be made with "./config --target-dir=/someplace/else"? If so, then the claim is baseless because no modification of the source was necessary.
As for GCC, we can see that it was modified because the binary signature is different. Does this constitute a GPL violation? Possibly, I'm unclear what the intent of the GPL is in a situation like this. Basically, GCC was modified and used internally by LinkSys. If I modify GCC and don't distribute it to anyone other than me, do I have to put the changes out on a website (or anywhere)? No. Is it different for a corporate entity?
If binaries compiled with an undistributed modified GCC are distributed, does that then require the disclosure of the modifications to GCC? I think that the spirit of the GPL would have to say yes, but since IANAL, they may be perfectly within the law to keep it. It's exclusion may be just an oversight.
The last time a LinkSys issue came up, we discovered that it was just a matter of someone jumping the gun too quickly. I think that LinkSys is a smart company, and I think they respect the Linux community. I don't think they would shoot themselves in the foot with licencing issues. Let's all have a little patience and give them the benifit of the doubt until there are more facts than speculations, shall we?
What if you modify GCC for use with a particular project (based on GPL program Foo) in the following way:
When your new GCC reads in the code for Foo, it compiles it incorrectly so that it convenently produces a program with your desired changes. This could be done by constructing a lookup table with original Foo code lines corresponding to modified code lines.
The result: from the original GPL Foo source, you have your own custom binary. Upon distribution of this binary, you are bound by the GPL to give access to the source, i.e. the original GPL Foo source. Since you're not distributing your custom GCC binary, you don't need to give access to its source either.
I'm sorry if I just broke Linux. Tell me if I'm wrong!
Bitchslapped. Neat.
As I've been stating and the other replier also stated zebra uses a configure script. --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] allows them to modify file locations, yet not modify the source. This means that the gpled source is all that needs to be downloaded, which is provided on that site.
Umm no...
/.ers have, I think you've missed the point completely on that issue. You may not have noticed, but most people here don't believe in violating the copyrights of musicians by illigally downloading MP3's. What we have a problem with however, is the RIAA's attempts to destroy legit P2P services that can be used to share legal MP3's (among other things). Also, the fact that they're attempting to take the law into their own hands (such as that attempt to being able to crack people's boxes if they suspected them of copying illegal music without a judge to intervene) seems to most to be a violation of our rights. The fact that the RIAA is sueing individuals also means that little guys that could actually be sharing only legal music could get caught up in the struggle and not be able to pay to get out of it through a lawsuit, and are forced to settle. We disagree with how the RIAA is acting, but most would just urge artists to use a different avenue instead of the RIAA rather than break the law.
Several things wrong with your argument. First off, as we've all heard, copyright violation is not stealing, it's copyright violation. What Linksys is being accused of is not following the licensing agreement set forth in the GPL, thereby ignoring the individual developer's copyrights that they have on those GPL'ed works.
Now as for your comment on MP3's and the negative view towards the RIAA that most
The GPL was meant to allow the original authors some sort of payment without the use of actual money (eg, code that anyone else modified and released to the public). It's also meant to make it easier for people to see what's going on inside of these things and be able to make needed changes to suit the users need, and that right is protected by the copyright holder through his use of the GPL. How you can assume that it's the same as illegal filesharing, I have no idea.
The GPL has no effect if you do not distribute the software. The GPL does not cover the output of the program. Therefore a modified but undistributed GCC does not require them to give you the source.
The source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
The only way I could see that falling under the GPL is if their source is essentially useless because only their unreleased compiler can compile it, to the extent that you couldn't change the code to work with an available compiler. Sounds pretty weak to me.
You wouldn't have been a defendant anyway. Your company would have been. If I were your boss, I'd probably be displeased to find that one of my people added an additional operating system to our support load without prior authorization as well. If you were trying to sway him, you might have considered going to him before you went off on your own and did something that you obviously knew he wouldn't appreciate.
You may realize this, but I'll cover it before someone gets confused - the source does not have to be made available to "anybody who asks." It must be made available to those who receive a binary distribution of the software. Quite a bit of difference there.
It appears that the posters assumed violation of the GPL was because the router used files from non-standard locations. Further, it appears that said file locations can be specified in a 'conf' file. Finally, it appears as a result of this that the claim of GPL violation by Linksys is in error.
Also, the claim that Broadcom may need to release their source also seems to be in error due to the fact that their modified GCC has not been publicly released, and the only one that can claim the right to examine said source code of the GCC modifications is Linksys.
RTFA-and the comments that follow...
the --sysconfdir=X string ends up in one of the .h files (config.h?) and it propagates thru in your binaries.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
No thanks, the GPL is hard enough to sell as it is. Remember that fracas about using GPL'd Java packages? Holy shit! People were claiming that since technically the GPL'd Java code was linked at *runtime* that maybe the entire project would have to be GPL'd. Wow.
Give me a BSD or Apache license any day... licenses should not, in my opinion, have an almost religious ideology behind them.
You also said: By using a tool not generally available to build the source, the distributor has made it difficult for end users to enhance the software.
GPLers throw around that phrase a lot, "end users". The assumption is that an end user even knows what a compiler is. Most of them do not. For a true end user the GPL doesn't do or mean shit. I mean, come on, they have the "right" to modify their software... and most of them don't even know what a commandline is. That's very useful.
To the *developer*, the GPL is potentially another story. It's great to have access to code, to make changes, etc. But, let's keep that straight... the GPL is for the developer crowd and not the end user. It is not liberating the end user from anything at all.
Here is a copy of their license from one of the source files:
Then, I respectfully stand corrected.
I've heard many people say this, and it always throws me. The GPL is not law; I don't understand how it would need to be "tested in court". As I understood it, the GPL is a private agreement which all parties agree to for mutual benefit. If a court were to find it unenforcable, it would not mean that (in this example) LinkSys would be free to use the code without distributing the source, but rather that LinkSys would no longer have a license to use the code. Short of finding copyright law itself (which HAS been tested in court) unenforcable, I can't imagine how court could find the GPL eggregious enough to warrant an illegal infringment of anyone's inalienable rights.
The thing about things we don't know is we often don't know we don't know them.
My interpretation is that if you routinely need to change pieces of GCC to change your code, then the GCC source *is* your source and the GPL requires you to release it.
They only have to release the source code if they are distributing the software. In this case, it is embedded in a product (firmware). I don't know how the GPL would be interpretted in this case (are they distibuting this software).
I would say that in this case a company should not have to release their source. I think it is quite petty to be making this into a big deal. They've adopted linux in their firmware. It's been modified to work with their hardware, so how are these modifications going to be useful to people who haven't bought their router?
I do agree that in most that when you distribute modified GPL software you should release the source, but in this case the software is hidden inside a product. The only thing obvious to the user is the FUNCTION of the firmware, not the architecture of the firmware. So are they really distributing GPL'd software? Not in the traditional way.