Linksys and the GPL, Again

Rob Flickenger writes "While poking around on the Linksys WRT54G (one of the new Linux 2.4.5 based APs) at a SeattleWireless Hack Night session, we noticed a number of binaries in their firmware (including Zebra, PPP 2.4.1, and iptables to name three) that are released under the GPL, some of which are obviously modified. The question is, where is the source code to Linksys' modifications? Their "GPL Code Center" has the packages, but they are the pristine distributions, without any changes whatsoever. I've asked Linksys for clarification, but given Linksys' customer service reputation, I highly encourage other interested parties to ask them as well. More details are up on my weblog on oreillynet.com."

How does Cisco relate to this

[neye_eve]

They just bought linksys, right? So wouldn't this take an increasingly interesting turn if it's Cisco violating the GPL instead of "just" Linksys. heh, go after the deep pockets :-)

Re:How does Cisco relate to this

[TedCheshireAcad]

Havent thought about this before, but if the Linksys router uses Linux 2.4.x, and Cisco owns Linksys, then Cisco can join the fight against SCO. If SCO is claiming that kernel 2.4.x infringes on its IP, then Linksys/Cisco should be fighting not to pay ~$700 per router they've sold.

Troubling.

[Meat+Blaster]

I'm concerned about the recent increase in GPL stories lately where companies that are embracing Linux are being carefully scrutinized. Maybe it's counterproductive to constantly play the hardline approach when Linux is finally starting to get decent drivers... I know part of the reason I switched to Linux in the first place was because I didn't like some of the tactics commercial software vendors were using.

Is this going to chase away companies adopting Linux for use with their products?

Re:Troubling.

[pork_spies]

Look, I write kernel code. not much, but a little. My contact with the users of my code is that if they make something better with my code then they can let me use it too. It's not "going for" anybody to ask that they honour the deal the I (and every other kernel hacker) have struck with them.

Re:Troubling.

[aborchers]

Is this going to chase away companies adopting Linux for use with their products?

Companies that don't play by the rules shouldn't be using Linux, even if it costs us good driver support, etc. One of the benefits of using the GPL is that it provides a self-protection mechanism to ensure that Linux is not closed off and fragmented into opaque binary distros. If such fragmentation were allowed, you will see exactly the problems you had previously with commercial vendors appearing in Linux products, only multiplied.

Re:Troubling.

[keester]

I'm concerned about the recent increase in GPL stories lately where companies that are embracing Linux are being carefully scrutinized.
This is FUD. Companies don't support linux because they want to be community friendly. They do it because there is a demand and they want to make money. If they are going to profit from GPL code, then they should follow the terms of the license agreement. It really is that simple.

Re:Troubling.

[pavon]

Yeah, but we really ought to approach this with more grace than the "guilty till proven" innocent stance that slashdoter's seem to seeth with. I mean this guy doesn't have any concrete evidence that the GPL has been violated, didn't give Linksys time to respond to his claims, but instead just posted slander about them on a large news source. Yeah, thats the way to get people to embrace the GPL.

This should be the appropriate line of behavior when you notice a potential GPL violation.

1) Contact the author of the software in question.

They are the ones that have the right to persue a copyright violation, and thus should be the ones to deal with the potential violators, not an angry vigilante. Furthermore, there may be other circumstances which you are not aware of, like if the author is distributing the code in question under a second license. For all you know that "obviously modifed" version was writen by the author himself, so make some money on the side.

2) The author should politely contact the suspect explaining that there is some concern that they might be using his software against the terms of the licence (GPL), and request more information about the situation.

3) The author should check with the good guys at the FSF to make sure he understands all the nuances of the GPL in this situation.

4) If the suspect is not cooperative, the author should then send a more stongly worded letter, stating that the company is in violation of the law. It would be very preferable to hire a laywer to help draft this letter and take a second look at the situation at this point.

5) If the company is still not cooperative, then and only then the author should publicise the violation to the community in the hope that public backlash will cause the company reverse their opinion.

6) As a last resort legal actions should be taken, if money can be had for the trial.

Yes, Linksys has a history of things like this but that does not justify these knee-jerk reactions.

Re:Troubling.

[Jim+Hall]

Under GPL, you basically have your hands tied. You can't legally modify and use the code withouth submitting them back, and you can't really submit back the changes because they are usually hacks to get it to work how you want (not "improvements" on the code).

That's incorrect. The GNU GPL does not require you to submit anything back to the project you modified. However, the source code is under the GNU GPL, and the GNU GPL does require you to make that source code available if you redistribute the program. Check section 3.

If you make changes (even a hack to get something to work right on your hardware, or even to correct someone's spelling mistake in an error message), those changes are also under the GNU GPL, and you are similarly required to make that source code available if you redistribute the program.

I work on several open source / free software projects, including the FreeDOS Project. I've dealt with companies who use and redistribute FreeDOS and forget to provide the source code. Usually, all it takes is a friendly note: "hey, you forgot to make the source code available ... see section 3 of the GNU GPL ... here are some ways to do that." If the email is not harrassing ("show me the source or I'll sue your pants off") or intimidating ("you are so lame, why didn't you include the source?") the company will correct it and make the source code available as soon as possible.

The key thing to remember here is not to be an asshole to Linksys/Cisco. If they didn't provide the source code, just remind them what to do, and they'll fix it. If we act like assholes, what kind of message does that send to Linksys/Cisco?

(I'm not suggesting the original poster is an asshole - he's not. But we should be sure to keep our attitudes in check when dealing with Linksys/Cisco.)

-jh

Who takes the reigns?

[Doesn't_Comment_Code]

I would really like to see some "Open source lawyers" ... or the lawyer version of open source software developers. People who go after random problems like this in their spare time. It would make the world a better place. Imagine GOOD lawyers, not bad ones - working for free for the betterment of society.

If there were people like that around, I would like to see them follow up this case, and those like it.

In the absence of open lawyers, I think a lot of GPL and licensing issues will not be followed up. Without someone to pursue a law or contract, it doesn't really do much.

We've been lucky until now because all the people using GPL software have the open source spirit. But the more open source gets into a market driven economy, the more we will see this type of thing.

Bring on the Open Lawyers!

obviously ?

[javatips]

we noticed a number of binaries in their firmware (including Zebra, PPP 2.4.1, and iptables to name three) that are released under the GPL, some of which are obviously modified

What he means by obviously modified? The file size is different? Maybe they just compiled it with different parameters!

Re:obviously ?

[sfire]

Please understand that zebra uses autoconf, the released source has a configure script which allows --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc]. This does not change the source.

Re:obviously ?

[Dogun]

Download the firmware updated, dd the right section, mount it cramfs.
Look at the busybox binary.
run strings on it.
There is at least 1 error message that isn't in standard busybox. That is a surefire sign that they made a modification to it.

As for zebra, I heavily suspect it's the same deal.

Reasons why this might not be true

[sfire]

we noticed that the zebra running on the WRT54G doesn't use the standard configuration file locations. This means that it must certainly be a modified binary.

This may just be stuff sent to the configure script, using the vanilla sources.

binaries are compiled with a modified GCC (with a signature string of "GCC: (GNU) 3.0 20010422 (prerelease) with bcm4710a0 modifications"). That bcm4710 refers to the Broadcom chipset that this AP is actually made from.

Did they release the modified GCC? Somehow I doubt they put gcc on the access point. Since they did not release the binary, they don't need to release the source.

Why is it "obvious"?

[aridhol]

The "obvious" change is that the configuration files are in a different-than-standard location for Zebra. However, there are two problems with this:

• Zebra has a commercial port by the primary developers, which may be modified by license
• ./configure --prefix=whatever --sysconfdir=xxx allows you to change file locations before compiling, without changing the source.

The article also states that LinkSys is using a modified GCC. So what? They aren't distributing a modified GCC, so they are not bound to distribute sources.

Re:DMCA...

[keester]

Ouch! What a shock this would be:

SlashDork: You're violating the GPL.

Linksys: So, slap me on the wrist. BTW you're going to jail for violating the DMCA.

like with SCO -- prove it

[hankaholic]

It's cool to bash Linksys because some idiot with posting rights to O'Reillynet.com doesn't know enough to download the source code and check out the configure options, but SCO makes accusations and everybody flips out.

In both cases, I say, prove it. Prove that Linksys didn't build the source using their compiler (which they haven't given you a binary to, and so don't owe you source) and the original source code which the author of the article admitted was available for download, using configure flags to specify an alternate configuration file location.

Guess what? It's totally possible that Linksys is in full compliance with the GPL. This guy didn't bother to make sure that the code was in violation before crying foul and putting up a "Linksys sucks -- email them and ask for the modified source!" page.

I took two minutes to "apt-get source zebra", and look at this:

chet@bunny:~/tmp/zebra-0.93b$ ./configure --help | grep dir
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--datadir=DIR read-only architecture-independent data [PREFIX/share]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--infodir=DIR info documentation [PREFIX/info]
--mandir=DIR man documentation [PREFIX/man]
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
headers in a nonstandard directory <include dir>
chet@bunny:~/tmp/zebra-0.93b$

There's nothing to see here, folks. There's no story here, because just like with the SCO stories, there is absolutely no substantiated evidence.

Congratulations, Michael. You have been trolled. Maybe if you'd read the article before posting it to the front page you'd have spared Linksys some bad publicity.

Re:request?

[bahamat]

If anybody bothered to RTFA...

He's basically making 2 claims.
1. Zebra uses non-standard file locations, so it must be modified.
2. GCC used to compile the system has been modified (binary signature is different).

However, I'm currious to what extent of moving files constitutes being "modified". Are these changes that can be made with "./config --target-dir=/someplace/else"? If so, then the claim is baseless because no modification of the source was necessary.

As for GCC, we can see that it was modified because the binary signature is different. Does this constitute a GPL violation? Possibly, I'm unclear what the intent of the GPL is in a situation like this. Basically, GCC was modified and used internally by LinkSys. If I modify GCC and don't distribute it to anyone other than me, do I have to put the changes out on a website (or anywhere)? No. Is it different for a corporate entity?

If binaries compiled with an undistributed modified GCC are distributed, does that then require the disclosure of the modifications to GCC? I think that the spirit of the GPL would have to say yes, but since IANAL, they may be perfectly within the law to keep it. It's exclusion may be just an oversight.

The last time a LinkSys issue came up, we discovered that it was just a matter of someone jumping the gun too quickly. I think that LinkSys is a smart company, and I think they respect the Linux community. I don't think they would shoot themselves in the foot with licencing issues. Let's all have a little patience and give them the benifit of the doubt until there are more facts than speculations, shall we?

Not GPL Violation-RTFC

[dnoyeb]

It appears that the posters assumed violation of the GPL was because the router used files from non-standard locations. Further, it appears that said file locations can be specified in a 'conf' file. Finally, it appears as a result of this that the claim of GPL violation by Linksys is in error.

Also, the claim that Broadcom may need to release their source also seems to be in error due to the fact that their modified GCC has not been publicly released, and the only one that can claim the right to examine said source code of the GCC modifications is Linksys.

RTFA-and the comments that follow...