Linksys Still In Violation of the GPL?

A reader writes:"From a recent post to LKML: "...Clearly, the kernel source that Linksys provided cannot be used to recreate the kernel that they are shipping with their product. Therefore, they have been, and still remain in violation of the GPL." Several heavy hitters have signed this one, including Jeremy Allison and Alan Cox." There's also commentary from David Turner and Bradley Kuhn of the FSF.

Re:Why should they?

[BorgDrone]

If you use GPL, you are supposed to reveal ALL the code you have even if it parts of it was designed completely independently?

You have to release all sourcecode that is part of a derived work of the GPL software.

Since a modified kernel is a derived work of the original GPL-ed kernel they have to release the source to their modified kernel.

Re:Do you really want them to stop?

[aonaran]

...or, more likely, now that they are a Cisco subsidiary, IOS.

"Linksco"?

[Lodragandraoidh]

The merging of Linksys and Cisco was seen by some to be a good thing.

However it appears that culture of 'security through obscurity', as seen in Cisco router firmware apps has found its way into the Linksys product line, to the detriment of the GPL contract.

What Cisco is doing is wrong - plain and simple. If Cisco chooses to use copyrighted material under the GPL, they need to live up to their responsibilities under that license. I urge Cisco/Linksys to fix the problem before things get out of hand. You can't participate in the free/opensource software community half way.

Re:oops.

Linksys is distributing the software in binary form, and thus is under the same obligations as any other distributor.

Re:Something I've always wondered

[Yartrebo]

Well, the GPL does say the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

If a compiler isn't available to the recipient, than it isn't machine readable, and should be a GPL violation.

Re:Explanation

I'm assuming this isn't a troll.

However, the code base that was released is the COMPLETE GPL code base that we modified for use in the product.

The point here is that Linksys (you?) needs
to release all of the code that was linked
into the kernel, whether the code is GPL
or not. This is a "feature" of the GPL.

If you had used kernel modules all around, you'd
be on better ground. But as it is, you're shipping the binary of a customized kernel that can't be reproduced from the sources that have been released; and that's bad.

Re:oops.

[Jonah+Hex]

I believe your thinking of this Slashback story with a response from the Linksys PR rep.

Calm down that jerking knee, then apply ice. In response a post which raised the question of whether Linksys was in violation of the GPL by not distributing, nor offering links to, the source code for the software controlling their 802.11g base stations. A representative from Linksys-PR sent in this note about the "missing" source code:

Linksys is a strong proponent of both Linux and the Open Source movement. The code within our routers is using User Space code without linking dynamically or statically to any GPL (GNU GENERAL PUBLIC LICENSE) code. Any code which does not have a static or dynamic link to anything covered by the General Public License is not GPL'ed, and can be considered closed source.

We regret it took some time to respond to this posting. To assure timely responses to inquiries like this in the future, please use the following procedure which complies with the requirements of the General Public License:

1. Please put your request in writing or in an email addressed to info@Linksys.com
2. You have to request the code for the specific modules you want. It is not valid to issue a request for any "code you may be using."
3. Technically, you are also supposed to provide us with a self-addressed stamped envelope, along with funds to cover the cost of providing the code to you. But Linksys will handle requests on a case-by-case basis. Thank you."

However there's been a couple of additional stories since then about new Linksys GPL releases.

Linksys Releases GPLed Code for WRT54G They released their code mods on their website.
Linksys and the GPL, Again Missing code mods from the Linksys webpage.

Obviously this is something that's going to take awhile to work out, not only with Linksys but other companies that are enjoying the riches of open source code.

Jonah Hex

Re:Something I've always wondered

No, they use the "attempt to compile it and referrences to files not provided appear" argument. If you port to INTERCAL++ and ALL the files are provided then you have provided the full source. But if in the process of porting you add five new files to the derived work and only provide two of the five in source then you have failed to provide the full source.

Regardless of how you want to twist their argument, Linksys is not providing the full source code.

Tough.

[squarooticus]

The terms of the GPL are that, upon distribution of a binary constructed partially from GPL'ed code, you need to offer the source code of everything that links with GPL'ed code. If you can't do that and simultaneously satisfy your other contracts/commitments, then you can't release the product. Period.

The only two resolutions as far as I can tell that will be acceptable to the kernel development team are to release the missing code and violate your contract with the third-party, or to remove the product from the market.

TROLLING

[110010001000]

Everyone:

My above post was an intentional troll. It is to prove a few points about the ridiculous nature of the moderation system on slashdot.

1) If you post quickly, you will have a chance to be read and moderated. This system rewards those who post without spending time to think about or read the article(s) involved. I think at least an hour should pass before any posts are made public, and those posts should be posted in random order. The main problem is that the posts at the "top" get modded, while the others get ignored.

2) The most ridiculous assertions (our proprietary code is not licensed under the GPL and is therefore not released) is modded up a 4-INFORMATIVE??? already?

3) You cannot trust anything that is said on an anonymous forum such as this. Don't take it so seriously.

Thank You,
Bill Gates

Re:Kernel modules need not be GPL'd

[_Upsilon_]

That's exactly the issue. The have modules, but for their modules to work they added to the core kernel. The pieces that have been added to the kernel need to be GPL'd.

Not designed by Linksys

[Tiersten]

The actual hardware and core software wasn't designed by Linksys. Linksys however make the web frontend and do make some changes to the core platform.

I've got a Buffalo access point and it's got nearly identical firmware and hardware. Even the firmware file format is the same. The only differences are that the front end was written by Melco (parent company of Buffalo) and the Linksys one was by Linksys.

Featurewise it's roughly similar as well. I'd guess that most of these "cheap" all-in-one Broadcom & Linux based access points were pretty much the same.

I wouldn't solely point the finger at Linksys, other people have the same GPLed code in their products as well.

Re:Sick of this type of thing

[Jameth]

I commonly note this kind of attitude these days. Is there any need to be so harsh? Certainly, if they are non-compliant, a solid stand should be taken. However, it appears at the moment that this can be resolved without the court system being involved.

Of course, if they drag their feet again, that's another matter. As someone pointed out on the list, this was likely outsourced, and this may have been an honest mistake.

Be nice, give them a week. Rushing to court and suing people left and right is what makes the legal system so bad and the lawyers so rich. Lawsuits should be a last resort. However, when they are needed, they should be of sufficient force to kill a small Godzilla.

As an example, take SCO. People asked them to show the code. People asked them to shut up. People asked them again. Now, RedHat, IBM, and plenty of others are bringing charges against them for violating the GPL, and a whole lot of other shit. In a year, SCO will not only not exist, they will exist as an inverted entity, so broke that they are beyond being broke.

Re:Kernel modules need not be GPL'd

[MWelchUK]

However the article states that they believe that Linksys have removed code that they have _statically_ linked to the kernel. If they were modules they would be _dynamically_ linked.

They have modified the kernel to allow it to work with there closed drivers but not provided the changes to the kernel. They do not need to provide code for the module/userspace code, they _do_ need to provide the changes to the kernel.

Re:Something I've always wondered

[michael_cain]

I know of no way other than being able to compile and run the resulting binary to verify that the source code provided is indeed the correct, working source code. Your point about the custom compiler may be valid -- that is, I'll give you my source code changes, but they are specific to a particular compiler you do not have. Given full source code, you can presumably port it to whatever compiler you do have. However, there would certainly be lines across which said custom compiler could not step (IMO) and have the whole thing remain GPL-compliant.

For example, one of the Bell Labs' UNIX gods (I forget which) demonstrated how a C compiler could (a) insert backdoor binary code into applications it was compiling and (b) recognize when it was compiling itself and insert the backdoor-inserting code. Thus none of the source files, for either the compiler or the application, showed that there was a backdoor. They were making the point that the system is not secure if you're initially dependent on some chunk of binary code (or at least you have to analyze that binary, which is much more difficult).

In this GPL example, if the custom compiler inserted binary code needed to build a working program, and no other compiler working strictly from the source could produce a working program, there's pretty clearly a violation.

Re:GPL scares me.

[Fnkmaster]

If you are writing software for a closed source product, you shouldn't incorporate any GPLed source code into your product, period. Pretty much any other Open Source license usually has some mechanism to make it permissible to use with a closed source product. Even the LGPL generally lets you use it (by building the LGPLed code into dynamically linked libraries, and calling them from your closed source binary code using a well-defined interface).

Then again, if you are just building websites or business software for internal use only, using GPLed software may not be an issue. With internal only software, it's never distributed outside your organization, so there's no concern about who requests copies of the source code, and it probably would be useless to people outside anyway. And for web software, you are generally only installing the software itself on a web server, not distributing it to anybody else. So it doesn't particularly matter if you're calling GPLed modules from your code, because you are never intending to distribute your code to anybody else.

Of course, if you were intending on using GPLed or any Open Source code in a commercial project, it should go through at least a modest vetting by a lawyer in advance if there are any doubts or lack of clarity about licenses, conflict between licenses and so forth. Don't forget that a big part of being a software developer in this day and age IS being an intellectual property vendor, and you NEED to be responsible for learning about and understanding how the law and licensing contracts affect your tools in trade. If you choose to be ignorant, don't be surprised when the market passes you by.

Re:GPL maybe too rough?

[arkanes]

There's a GPL variant called the LGPL exactly for people who feel this way. If you feel the GPL is too harsh, then don't use it - find an LGPL, or BSD, or whatever licensed project to build off of instead. Or build it from scratch. This ain't a hard concept, and I wonder why people get so worked up about it.

Re:Kernel modules need not be GPL'd

[ls+-lR]

Did you even read the article? Their whole point of all that discussion about the symbol tables and their offsets in memory (etc.) was making the case that it WASN'T a module, and rather that it was statically linked into the core kernel, and hence must be GPL'ed.

In other words: yes, no shit, binary kernel modules are fine. That's not what this is.

Re:oops.

[ninewands]

As Linksys PR said:

Linksys is a strong proponent of both Linux and the Open Source movement. The code within our routers is using User Space code without linking dynamically or statically to any GPL (GNU GENERAL PUBLIC LICENSE) code. Any code which does not have a static or dynamic link to anything covered by the General Public License is not GPL'ed, and can be considered closed source.

I beg to differ with their position wrt the correctness of their analysis on how to go about withholding some of their code as 'closed source.'

As an example of the RIGHT way to do this (whether you agree with the politics of it or not), I would submit that Nvidia withholds the source to their binary-only video drivers, but makes the glue code that adapts it to a specific kernel freely available. In addition, NOT having the source to the Nvidia drivers in no way impedes my ability to compile a kernel.

The fact that it is not possible to configure, much less compile, the kernel tree available from Linksys's GPL software page indicates that they have withheld code which SHOULD be released under the GPL because of how tightly it is interwoven into the kernel code.

Just my US$0.02

Re:Something I've always wondered

[Dammital]

... one of the Bell Labs' UNIX gods (I forget which) demonstrated how a C compiler could (a) insert backdoor binary code into applications it was compiling and (b) recognize when it was compiling itself and insert the backdoor-inserting code

You are referring to Ken Thompson's Turing Award Lecture.

Re:Something I've always wondered

[rmohr02]

Quoth the GPL:

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

So if they kept the compiler in the device, they are required to release the source to it.

Re:Are we sure Linksys is in violation?

[Edward+Faulkner]

If Linksys refused to release the source to some custom modules, that would not be a violation. But that's not the case here.

They modified the kernel proper, as demonstrated in the letter.

Re:Move to BSD

Don't forget Vinum for another significant peice of work.

Or that often companies pay FreeBSD developers for work and let them just put the work directly into the tree. (the new 5.x threads code and GEOM framework spring to mind.)

Re:Something I've always wondered

[Novus]

However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If it's a custom compiler, it can't be normally distributed with the operating system on which the executable runs, so they have to provide it according to the above part of the GPL.

Anything short of GPL compliance is infringement.

[jbn-o]

I'd be much happier if companies were forced to release good, unhindered specs/APIs... I don't care if you didn't give out your specific implementation, fine... whatever... but give me the means to create my own implementation that can function the same as theirs. Is that soo much to ask?

This work is being distributed under the GNU General Public License so anything short of that (such as distributing specifications) it is not sufficient. Also, the GNU GPL covers patented implementations, making it possible for you to reimplement their APIs without infringing a licensor's patents. So your request is actually too little to ask here.

If Linksys did not want to comply with the GNU GPL, they should have chosen a work under a different license to distribute and modify. They are being granted a valuable work under a liberal license; they did not have the right to infringe the copyrights of the kernel contributors and there is no moral justification for doing so. But, given the high moderation on the parent comment, I'm guessing that many /. readers want to grant corporate copyright infringers anything they say they need to make money.

Mod parent -1: Clueless.

The GPL does not allow statically linking non-GPL code into a GPL binary, eg the linux kernel.

People have even debated whether dynamically linking non-GPL binary kernel modules is truely permissible under the GPL, but statically linking is definitely a no-no.

This is one of the big reasons why the Lesser Gnu Public License is often used for libraries.

Re:Kernel modules need not be GPL'd

[sudog]

You're not reading the article. There are static modifications to the Linux kernel that aren't being released. It's not a question of "if modules" or "then they're ok". It's clear in the linked article! Sheesh!

Cripes, people. RTFA!

FSF Response: Cool Down

[Royster]

Found on the LKML list.

Subject: Linksys/Cisco GPL Violations
From: David Turner (novalis@fsf.org)
Date: Mon Sep 29 2003 - 10:22:47 AKDT

To Linux Developers Concerned about the Linksys/Cisco GPL Violations:

We are in ongoing negotiating with Linksys/Cisco about this issue. Information from Andrew Miklas and others has been very helpful to us in our negotiations, and we encourage others to share with us any technical information about this or any other GPL violation.

This isn't the first GPL violation we have dealt with; we've been actively enforcing the GPL for over ten years. Our usual practice is not to publicly announce details of ongoing violation negotiations, because we find that private negotiation yields quicker and better cooperation. By building a relationship with violators where we are helping them to come into compliance, we avoid having to fight in court, and are able to spend less resources per violation. Our number one goal in any GPL violation case is to get proper and full compliance with the license; everything
else is secondary.

GPL violations sometimes take time to resolve. We wish that we could force resolution quicker, but we haven't found a way to do that. We have, however, discovered a variant of Brooks's Law: adding more lawyers to a GPL violation usually makes it take longer. Lawyers are reluctant to admit to mistakes, because they fear it could be used against them. Engineers and product managers are typically interested in fixing mistakes, so we try our best to work with them first before escalating to legal teams on both sides. Such escalation has happened on this violation, so it will take additional time to resolve the matter.

In addition, we are leading a coalition of many copyright holders in the WRT54G, as Linux is only one part of a large body of GPL'ed software in the product. We formed this coalition because, having done enforcement cases for a product with a broad range of copyright holders before, we have found that separate enforcement actions and/or law suits from individual copyright holders make attainment of compliance more difficult.

We will continue to do everything necessary to obtain full compliance on this and any other products where violations can be confirmed. On this particular violation, we will keep the community informed when issues come up that impact the rights of everyone whose work is being distributed by Cisco or any of its subsidiaries.

If you are a copyright holder on software in the WRT54G, or any other Cisco product, you are welcome join this coalition. Please email for details.

Sincerely,

David Turner, GPL Compliance Engineer, FSF
Bradley M. Kuhn, Executive Director, FSF

Correct.

[mindstrm]

There is no requirement that you are able to compile it... but only with relation to the tools involved. For instance, if it was ported to their custom compiler which used dirctives that ours don't support, that's our problem, not theirs.

If, however, it doesn't compile because they neglected to include the full source code, that's another matter.

These guys didn't just say they can't compile it, they analyzed WHY it wouldn't compile; modules are looking for symbols that do not exist in the kernel.....that means code is taken out.

In your intercal++ example, it would not violate teh GPL in any way.

Re:GPL be damned!

GPL doesn't "twist copyright inside out". There's no sense of "using copyright against itself". The GPL is simply a fairly straightforward list of some conditions under which you are licensed to use some copyrighted code -- most importantly that you make the source available.

That's no more "twisted" than, say, requiring people to pay you $699 as a condition for using the copyrighted source.

The GPL doesn't undo copyright. It requires copyright enforcement even to exist. Let's not get carried away with rhetoric*.

*On Slashdot? I must be new here.

Linksys Could Learn Something From Actiontec

[Damin]

Several weeks ago, I submitted an article to my Local LUG on the Actiontec Dual PC modem and the fact that it ran uClinux. It worked it's way up the chain until it got Slashdotted. Since that time, Actiontec has embraced the community and opted to take part in the process. They are not only releasing all source code, but the tool chain, recovery utilities and daughterboards to allow additional development on their platform. They have also hired a consultant to help ensure the Open Source community gets solid documentation and has someone to represent them that understands our needs. The Actionhack mailing list archives can be viewed here. What they will be releasing can be viewed here. Linksys could do well to realize that their actions are pointing the way for other more nimble competition to take advantage of their ill advised behavior.