Kernel Modules that Lie About Their Licenses
jon787 writes "An email to LKML about Linuxant's HSF Modem drivers lying to the kernel about their license has prompted some interesting replies. Lots of talk about how to effectively blacklist these kinds of things; a patch is here. One of the more interesting is this one. Linus as always has his $0.02."
I'd have said so... but I'm sure they'd come up with a typo argument, or something similar.
Interesting story, considering the gray area many consider binary modules to be. Linus has said that he considers binary modules to not be far enough removed from GPL code and thus infringing, but since binary modules have been around since very early on in the kernel's development history without any enforcement of the GPL with regards to them, wouldn't that potentially count against the GPL applying to binary modules if someone did decide to take action? Doesn't the whole idea of kernel license strings interfere with this view as well? If modules are infringing if they aren't GPL, then why would they need to tell the kernel that they aren't under the GPL? Also, where in the Kernel license does it require you to be truthful to the kernel about your module's license? Nowhere, because it can't. The GPL will not allow you to put that limitation on use of the kernel. Again, it comes back to wondering about the legality of binary modules.
Personally, I don't use linux and as such, this doesn't directly affect me. But still, it raises interesting questions about how far removed code has to be to be able to be licensed differently. The kernel module API is a publicly available API, and Linus does not consider this to be far enough removed. So what is? Does the kernel have to adhere to the CPU's or motherboard's firmware license, because it's using a publicly available API just like kernel modules are?
Interesting. Very interesting!
The issue is how the kernel treats binary only modules. If it loads one of these drivers, believing it to be GPL, and your system gets b0rked, then I'll bet you'll be the first running screaming, with all the people with RedHat maintenance contracts closely behind...
I don't believe that. Companies that make hardware shouldn't be so dogged about protecting their software. I buy a router/etc for the hardware, not for the company's excellent firmware. I don't see why companies should protect their firmware at all, if it's open source, more people will buy their hardware.
Excuse my ignorance, but why are they doing this?
/. ?
/.ing is over so I can RTFA and get some facts!
I assume it's to allow them to access some 'GPL only' functionality.
This reminds me of the court case where a console game maker was allowed by the court to insert some copyrighted text because it was the only way to make a game that would work.
Is there any similarity, lawyers of
Now I'm waiting until the
Could someone explain to me why this is an issue? The web page where you download the drivers reads:
Most files in this package are released under terms described in the LICENSE file. Some distinct components, located in the modules/GPL directory however are covered by the GNU General Public License. See the files LICENSE and modules/GPL/COPYING for details.
It doesn't sound like they're trying to hide anything ("LICENSE" above is linked to their license) yet everyone is running around claiming evil intent. What would they gain by this ruse, if it was intentional? Has anyone contacted the company directly to get their take on it?
Bringing in the lawyers is the only way to stop GPL violators.
It's true when it comes to closed products (like DVD players). But not when it comes to drivers that the kernel can actively choose to load or reject.
All it takes is a community-moderated database of drivers and their GPL-conformancy status. A non-conformant driver would be rejected by the kernel. Its authors would have to release the source code and have this vetted.
Something like the GPL equivalent of trusted computing.
This is not a signature
In a similar case, the maker of a game console had copy protection code which had to be invoked before a game played. Someone who wrote a game, but didn't want to pay licensing fees, invoked the same code because it was the only way to get their game to run. They were sued under the Lanham Act. The plaintiffs claimed that their display of their trademark could make someone think that the console manufacturer was the source of the game causing consumer confusion.
The court rightly ruled that the console designer caused the code to display the trademark and that they were responsible for any confusion that resulted.
Putting MODULE_LICENSE("GPL\0... in their code could be viewed by the courts as using a method of operation to accomplish a module load. It is very unlikely that they would view it as a grant of a GP License to someone who received the code.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Anyone who's heard of buffer overflows knows you should NEVER trust the string you're working with, and always check its size. Why on earth is the code written such that a \0 will break it?
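An added illustration of the question above (not part of the thread, and not kernel source): a simplified strcmp()-based license check sees only the bytes before the first \0, while a check that knows the stored size can tell an honest string from a padded one. The function names and the text after \0 are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a C-string license comparison (assumption, not
 * the kernel's code): everything after the first NUL is invisible. */
static int naive_is_gpl(const char *license)
{
    return strcmp(license, "GPL") == 0;
}

/* Size-aware variant: `size` is the full size of the stored object,
 * including the terminating NUL. The first NUL must be the last byte;
 * an earlier NUL means text is hidden from C string functions, and no
 * NUL at all means the buffer is unterminated. Both are rejected. */
static int strict_is_gpl(const char *buf, size_t size)
{
    const char *nul = memchr(buf, '\0', size);

    if (nul == NULL || nul != buf + size - 1)
        return 0;
    return strcmp(buf, "GPL") == 0;
}

/* Constructed samples; the tail after \0 is a placeholder. */
static const char honest[] = "GPL";
static const char padded[] = "GPL\0placeholder text string functions never see";
static const char unterminated[3] = { 'G', 'P', 'L' };

int main(void)
{
    printf("naive : honest=%d padded=%d\n",
           naive_is_gpl(honest), naive_is_gpl(padded));
    printf("strict: honest=%d padded=%d unterminated=%d\n",
           strict_is_gpl(honest, sizeof honest),
           strict_is_gpl(padded, sizeof padded),
           strict_is_gpl(unterminated, sizeof unterminated));
    return 0;
}
```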
> For wireless cards, the FCC effectively prohibits it.
To be clear, this is just as much a choice of the manufacturer who decides to put sufficient amount of the driver into software such that the device has to be certified as a "hardware and software" combination, not just "hardware" itself.
I have participated in ETSI conformance testing: when you test the product against a known hardware and software combination, you are _held_ to that known hardware and software combination. If you alter the software (e.g. a new build), you need to recertify.
This is entirely fair IMHO, otherwise a dodgy bug in the new version of the software causes RF splatter and destroys the spectrum.
The issue here for the open source community is to either (a) convince the manufacturers to put it all into hardware/firmware so that software is not part of the certification, or (b) separately certify the linux driver with the hardware.
If Office 2003 started asking the Win32 API - areYouReallyMicrosoftWindows(). Then MS Windows would return true...
What would Wine get to return?
I'm not convinced...
Wine could reply false, and if $MS_PRODUCT failed to work for that reason then there would be some nice material for anti-trust litigation.
You could argue that the failure to work could be more subtle, like performing some operations more slowly, but as we have the ability to change the value returned to areYouReallyMicrosoftWindows(), we could figure out if it was affecting the program's operation.
Just because you can't, doesn't mean you shouldn't.
It's a moot point; a proprietary module that uses GPL symbols is an unauthorized derivative.
But how can some symbols be GPL and some not, considering that, as it stands, the entirety of the core kernel code is licensed under the GPL, and the GPL does not allow exceptions to that licensing? I'm not trying to flame, it's just not that clear to me! :)
Yeah, it's a bit hypocritical. On the upside, however, it's still GPL'd so you can change the DRM to your heart's content or remove it altogether. Try that with the DRM coming out of the recording industry.
So the driver is closed and proprietary, as long as it works with my kernel why should I care. ( all religious OSS arguments aside.. I'm taking for a *real* reason )
:)
You know why windows 98 was buggy as hell? Crappy proprietary drivers. NVidia's drivers always crash with a kernel panic on my machine, so I can't use any advanced capabilities of the card under Linux.
Let's face it, proprietary drivers are crap. Companies are lazy and don't care if their code is buggy as long as it works for 80% of the people. That's why Microsoft now wants to sign drivers.
But all this is somewhat off topic
Seriously, why do I care about this at all?
The alternative seems to be no driver, and the kernel becomes a useless lump of code. We can't demand that companies that produce hardware support anything they don't want to, be happy they at least give us closed drivers... 5 years ago they didn't even do that, unless it was for a Microsoft kernel.
Some of us would rather support open drivers than closed drivers. When I buy hardware, I try to buy hardware with open drivers. Why? Because it directly affects me.
Case in point: Let's say I buy a Promise SX4000 RAID5 card. It has "linux drivers". However, by linux drivers, it means that it has precompiled drivers that only work for certain kernels. Congratulations, my upgrade path is restricted.
Now let's say I buy a RAID5 card with open drivers. My upgrade path is no longer restricted.
It's unlawful to make a Free driver for some devices. For instance, v.92 modulation used in POTS modems is covered by patents whose holders are not willing to license their implementation in free software. Not all modems store their firmware in a flash chip on the device itself, instead relying on the driver to upload firmware after every cold boot. A Free driver distributed in developed countries would have to restrict itself to 20-year-old modulations, none of which are sufficient to connect to any popular dial-up Internet service provider.
Linuxant has added a note about this issue to their site, with a link to their response on the Linux kernel mailing list.
The answer is obvious, make a GPL wrapper driver that does nothing but accesses the data structures and communicates via an interface to the closed driver. Playing stupid politics with system info is just a retarded dead end. The info is made available to some classes of drivers because it is useful, in reality it is useful to any driver that can benefit from the info, open or not. So withholding the data from closed drivers is just lessening the experience/reliability/etc of people who use Linux but who aren't Open Source zealots. That's the aim of the driver interface but it's a stupid one, and as I pointed out it's easy enough to circumvent.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Frankly, I still don't see why they should have bothered. Anyone who's gotten over the bar enough to know how to load and use their drivers should have read in their documentation that the many repetitive warnings were benign. They say:
Who are these "average persons" they talk about here I wonder, who have the know-how to manually load binary kernel modules and at the same time do so without reading the instructions that came along with it carefully? A newbie would be intimidated by the whole process and try to read the docs as carefully as possible before trying it, so it can't be them... They should have written a FAQ and clean documentation about this issue, instead of lying to Linus and his merry band of kernel hackers.
Give me six lines written by the hand of the most honest man, and I will find in them something to hang him.
(Hm, I smell a troll...but I'll bite.)
In regards to being a hypocrite; changing the ID of a browser to IE and surfing the web does not make one a hypocrite in this case. However, someone who complained to a humble Web Admin about a bug/feature while their browser ID was set to something other than the original ID is a hypocrite.
"When I am king, you will be first against the wall..."
If all we're talking about is API calls, what makes some API calls okay, while others are "derivative works?" If any API call can be considered a derivative work, then couldn't you say that all API calls could be considered "derivative works?"
This signature has Super Cow Powers
The issue is this: they want access to GPL data structures. If they claim to be not GPL, they don't get it. If they copy it into their own code, they become a derivative work of Linux and are forced to become GPL. If they try to access the data structures in some round-about way, they're still linking, and so are forced to become GPL.
Since they're accessing "GPL data structures" solely for the purpose of interoperability between their driver and the kernel, wouldn't that be allowed under the DMCA interoperability clause, and thus, by Congressional intent, not be a violation of copyright (as Congress presumably by including the interoperability clause in the DMCA assumed it and intended it, either not to contravene or to override, any other statute, e.g., Title 17)?
If the driver isn't violating the linux kernel copyright, then no license is required, and so no strictures of that license, e.g. release of code under the GPL, are in force.
But IANAL, so if I'm missing something, enlighten me.
Opinions on the Twiddler2 hand-held keyboard?
A lot of the posters here seem to think the GPL-only module string and the "Tainted" message were created to make it harder to allow binary-only or non-GPL drivers.
In fact, the reverse is true. Many device vendors were hesitant to release drivers for Linux because of the binary linkage created when the driver gets loaded. Under a strict interpretation of the GPL, that would constitute enough of a linkage to make the drivers a derivative work.
Some vendors did not want their drivers to automatically fall under the GPL just because of dynamic loading.
The GPL flag was created to let non-GPL drivers clearly indicate that they were not derivatives and would not be GPL-licensed.
This is an example of a vendor that wants to eat its cake and have it too.
"Genius may have its limitations, but stupidity is not thus handicapped." --Elbert Hubbard (1856-1915)
> So withholding the data from closed drivers is just lessening the experience/reliability/etc of people who use Linux but who aren't Open Source zealots. That's the aim of the driver interface but it's a stupid one, and as I pointed out it's easy enough to circumvent.
If a kernel oops or panic occurs in a driver, it's important for the kernel developers to quickly know if it's a GPL driver (or a 3rd party binary only driver that they shouldn't even waste their time looking at). Too much noise is generated on LKML for broken binary drivers that just can't be fixed or troubleshooted.
Zealotry has its hand in that Open Source people really only want to fix Open Source drivers.
Your clever circumvention idea is well known, it will not save you in getting kernel developer support, however.
No.
I've been using a few different versions of this driver for awhile, and I have to say I disapprove of this because it circumvents a process that was put in to avoid a wild goose chase (not worrying about a kernel problem when a binary driver has been loaded.)
You see, these drivers are almost worthless. They make the kernel unstable when loaded. They create an OOM error with pci hotplugging. I've had to reboot 5+ times in one day.
The only way I was able to track it to the drivers was by blacklisting the mods with hotplug and reading log messages.
Now, they may or may not crash on all systems, but I personally was close to filing bug reports complete with dumps. If it's true that this change doesn't show up in the dumps, the kernel developers would be busy tracking down bugs that weren't a result of their code.
How much time do you think would have been wasted on these reports (assuming that I am not alone in having kernel panics from these drivers?)
As for the whole "the tainted messages were confusing the customer" schtick: There are about 6 different modules that get loaded, so there would be 6 different tainted messages (which can be spooky...) but I can't even remember the last time I saw a "tainted kernel" message. Nowadays, most modules are being loaded in the background with any messages going to a log somewhere on the system. Besides, a one line explanation would be enough to not bother the user ("It's for kernel developers. You don't need to worry about it." or "It's to help people fix your computer if something goes horribly wrong.")
FWIW IMHO the string ends at the \0 I don't care what garbage in memory exists after this, this is not a subtle issue or grey area, \0 ends the string, subsequent information is irrelevant.
But back to my subject, blacklisting is a bit heavy handed. Hmm... we have a company that provides drivers for Linux, yup they're proprietary winmodem drivers but they're there. To *suppress warnings* they have unfortunately chosen to prematurely end their string with a \0, that's really nasty and foolish but blacklisting them as a company from installing kernel modules is way frikin OTT.
How does this help joe public get his winmodem working?
How does this encourage any corporation from releasing proprietary drivers for Linux? (Which are better than no drivers IMHO)
There are other drivers (particularly audio and graphics) that use proprietary code implemented by private companies and these are used every day by many thousands of Linux users.