Slashdot Mirror


Sony Rootkit Allegedly Contains LGPL Software

Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.

17 of 623 comments

  1. Re:Uuuuuh by YA_Python_dev · · Score: 4, Informative
    Doesn't the LGPL permit this?

    No. You can link LGPLed software with proprietary software, but you must still distribute the sources of at least the free software (free as in RMS).

    --
    There's a hidden treasure in Python 3.x: __prepare__()
  2. Re:Uuuuuh by wlan0 · · Score: 5, Informative

    According to the EFF.

    This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.

  3. Nope. by Dr.+Manhattan · · Score: 4, Informative
    If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL. If you dynamically link to the LGPL code (e.g. shared library, DLL) then you don't have to open up the code that links to it (this is the primary difference between the GPL and the LGPL) but if you distribute the LGPL library with your binaries, you must offer the code for the LGPL portion, too.

    That being said, from what I've read it appears that the Sony DRM code may be looking for LAME on the system (to block it from working on their 'protected' stuff) but doesn't appear to actually contain LAME code.

    --
    PHEM - party like it's 1997-2003!
  4. Re:Uuuuuh by DataPath · · Score: 5, Informative

    Small clarification - you're not freed from the requirement to make the code for the LGPL portion available. You don't have to make the source code for the program that links against the LGPL code available.

    No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and directed users of the software to a website containing the source code.

    --
    Inconceivable!
  5. More info by muzzy · · Score: 5, Informative

    The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.

    Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/
    There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.

    --
    -- Matti Nikki
  6. Almost. by Anonymous Coward · · Score: 5, Informative

    If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL.

    Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all .o files (also the closed ones). AFAIK, Loki did this for statically linked, closed-source, SDL-based games.

  7. "operating system on which the executable runs" by tepples · · Score: 5, Informative

    <sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>

    The GNU General Public License and the GNU Lesser General Public License have an operating system exemption. The exact wording of the exemption in both licenses is as follows:

    However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.

    1. Re:"operating system on which the executable runs" by maxwell+demon · · Score: 4, Informative

      Moreover, the gcc runtime libraries (the only part of gcc which ends up in gcc compiled code, and therefore could affect the licensing) all have special exceptions to the GPL, so that they don't cause the programs they are linked to to be covered by the GPL.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  8. LAME is in there, just not in GO.EXE by muzzy · · Score: 4, Informative

    Regarding GO.EXE, it's a cockup. I've posted a few other posts here explaining the real situation. LAME along with some other LGPL code is being used in other binaries on the DRM, I couldn't initially find them since they're compressed in XCP.DAT on the cd but they get installed on the system.

    --
    -- Matti Nikki
  9. In Case Anybody's Losing Track by trentrez · · Score: 5, Informative

    FYI. BoingBoing have compiled a comprehensive timeline of events surrounding this: http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html

  10. Re:LGPL by DVega · · Score: 4, Informative

    LGPL requires access to the source code. The only difference with GPL is that LGPL allows linking with non-free (non-GPL) components.

    --
    MOD THE CHILD UP!
  11. It's getting pulled anyhow by confusion · · Score: 4, Informative

    Not that it lessens their trespass, but Sony is apparently pulling the "infected" CDs:
    http://www.usatoday.com/tech/news/computersecurity/2005-11-14-sony-cds_x.htm

    Jerry
    http://www.cyvin.org/

  12. outdated info, it's LGPL nowadays by muzzy · · Score: 5, Informative

    That's outdated. mpglib was relicensed under LGPL some years ago already, check www.mpg123.de

    --
    -- Matti Nikki
  13. Re:Glee by Lisandro · · Score: 4, Informative

    It is. It's called Righteous Babe records.

  14. Re:LAME encoder by sd4l · · Score: 4, Informative

    Isn't the LAME encoder an MP3 encoder that still needs to be licensed from Thomson?

    In short, No!

    Longer version: According to Dave Arland, a U.S. spokesman for Thomson Multimedia - 'its policy has always been to allow free use of the company's MP3 patents in "freely distributable software"'

    Newsforge Article

    --
    -- Andy Jeffries Scramdisk for Linux (Change the orgy to org to reply)
  15. Re:Code vs metadata by Bogtha · · Score: 4, Informative

    You are way off. "Fair use" isn't a specific law, it is a set of factors that must be considered in a copyright infringement case. Read up on it. You can't definitively say "there's no fair use law covering this" because fair use is non-specific. It's a huge grey area.

    --
    Bogtha Bogtha Bogtha
  16. Re:Not Sony by WhiteWolf666 · · Score: 4, Informative

    No, it's not cut and dry like that.

    In court, damages would be determined based upon the length of time when you were told you were in violation, and when you decided to correct this behavior.

    If you were warned that you were in violation, today, and correct the violation in a week, or stop distributing the code in a month (as soon as reasonably possible) damages would be 'negligible'.

    If you were warned that you were in violation, then ignored it indefinitely, until the matter was brought up in court, that would be considered willfully infringing. There would be damages, but of a limited amount, and an injunction against you for this kind of behavior.

    If you were warned that you were in violation, then you denied it, then you tried to disprove it, then you counter-sued, then you ignored it, attempted to settle, caused settlement negotiations to break down, filed to have the hearing moved to a different jurisdiction, etc etc, the court could be persuaded to lean towards the '$100,000 per CD copyright fine'.

    The court is given a fair amount of leeway in deciding this kind of thing. Behave badly, and unless you have a crack legal team, you'll get slapped. Judges, regardless of whether they are right wing or left wing, have a _very_ serious sense of fairness. Fuck with someone in a willful way, and play with them in court to prolong your profiteering, and a judge _will_ come down on you hard.

    Hilariously, this seemed to work too well for Microsoft. They got the judge so damn pissed off that had to reverse his decision. In my opinion, however, you'll never see this happen again. No judge will make the kind of comments that were made in that case.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell