Sony Rootkit Allegedly Contains LGPL Software
Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.
According to the EFF.
This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in-between form between source code and executable code, the so-called object files, with which others can make comparable software.
Small clarification - you're not freed from the requirement to make the code for the LGPL portion available. You don't have to make the source code for the program that links against the LGPL code available.
No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and directed users of the software to a website containing the source code.
Inconceivable!
The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.
Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/
There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.
-- Matti Nikki
If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL.
Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all .o files (also the closed ones). AFAIK, Loki did this for statically linked, closed-source, SDL-based games.
<sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>
The GNU General Public License and the GNU Lesser General Public License have an operating system exemption. The exact wording of the exemption in both licenses is as follows:
True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.
FYI. BoingBoing have compiled a comprehensive timeline of events surrounding this: http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html
That's outdated. mpglib was relicensed under LGPL some years ago already, check www.mpg123.de
-- Matti Nikki