Does Using GPL Software Violate Sarbanes-Oxley?
Anonymous Coward writes "eWeek is reporting that The Software Freedom Law Center has published a white paper that dismisses recent publications from embedded systems seller Wasabi Systems. Wasabi recently released statements focusing on alleged GNU General Public License violations in relation to the Sarbanes-Oxley Act of 2002. The white paper, titled "Sarbanes-Oxley and the GPL: No Special Risk," essentially counsels users of the free software license that they have no need to worry."
The SFLC wrote the paper titled "No Special Risk" ... Wasabi Systems alleged SO violations.
And no surprise...they advertise BSD-based products on their front page. (Not dissing Any of the BSDs, they're cool, IMO.)
Who can recommend a good book on IT 404?
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
they want their boring back.
In case you have no clue what "Sarbanes-Oxley" is, you can check out official info and the Wikipedia article. Basically it is a set of laws that place limits on what companies (and those working for them, especially upper management) can do. This has mostly to do with declaring assets and transfers of money. It tries to prevent companies from defrauding investors and so on. These laws were enacted after the Enron scandal.
Wasabi's complaint is that under these laws, you have to declare all assets, including intellectual property. Their rationale is that using open-source software, you may be in violation of the law if you do not review and declare that usage.
As was pointed out last time this was discussed on slashdot, a company would only be in trouble if they were already doing something illegal: violating the GPL. If you violate the GPL, then you're misrepresenting your ownership of IP (claiming to have a license you don't), and thus are also violating Sarbanes-Oxley.
So what's the problem? If a company follows the GPL, then everything is fine. They have nothing to worry about. If they violate the GPL, then they're breaking multiple laws. So, as always, companies should make sure that what they are doing is legal. This in no way diminishes the extent to which GPL software can be used in commercial environments. Wasabi acts as if there is some tremendous additional legal burden to using GPL software. However, it seems that Sarbanes-Oxley would equally apply if you misrepresented your ownership of non-GPL software. So there's no difference. (You can read the Software Freedom Law Center white paper for a more complete explanation.)
Some think that these situations are unintended consequences of laws that have "good" effects. Sarbanes-Oxley was intended, from the start, to be the ultimate way for government to control any corporation at will.
The law was initially meant to "fix" problems such as the Enron fiasco, but if you rewind just a few years, you see that most of these fiascos came directly out of trying to take advantage of loopholes in previous laws. The SEC colludes with the rest of the all-powerful federal government to constantly keep non-preferred companies on their toes, while giving excessive power to the cronies. Sarbanes-Oxley will have the same effect.
The one light in Congress, Dr. Ron Paul, made an excellent note regarding Sarbanes-Oxley and the cost it will pass on to consumers. The Mises Institute also has a ton of great articles and blog posts regarding the horrors of this law.
It is time to realize that government is NOT good at regulating business, except from the point of view of the cronies. Bills like this will rarely be used for their original intent, and the un?-intended consequence in the long run is to see criminals made of innocents that had nothing to do with the law's purpose.
Instead of voting, I think we need to start pitching money in a hat to buy rope for those who violate their oath to uphold the Constitution.
violators of GPL are violators of Sarbanes-Oxley.
solution: don't violate the GPL.
You can never equivocate too much.
Does the GPL Violate Sarbanes-Oxley?
[E]ssentially counsels users of the free software license that they have no need to worry.
Coming soon:
Does peanut butter taste like fish?
No
Is water wet?
Yes
Short and informative - this is great stuff!
I meta-moderate because I care.
If you rely on public websites for your corporate legal advice, you deserve exactly what you pay for it.
Ultimately, there is only one kind of person who can tell you if it is legal or not. That person is called a Judge or, in rare instances for corporations, a Jury.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
SOX requires strict change management controls over financial systems. When we went through our audit, the auditing company was mostly concerned with how changes were made to these systems, what management controls were in place to monitor these changes, and the processes that were in place to ensure their integrity. None of the OSS software used in these processes was given a second glance beyond the aforementioned items. As an example, our use of Nessus as one of our tools for network audits and our archive of Nessus scans was applauded.
Just my Experience.
What would use of software have to do with the GPL... The user does not have to accept the terms of the GPL to USE the software...
The phrase "more better" is acceptable English. suck it grammar Nazis
I understand neither the original article title nor the Slashdot article title. How can the GPL (or using GPL'ed software) violate SOX, if GPL'ed software is used as the license permits? Reading the article didn't give me any insight into this issue.
What this means practically for the vast majority of companies complying with SOX is that the threat to their businesses posed by potential GPL license violations, both inadvertent and intentional, is so low as to be immaterial.
Does the GPL Violate Sarbanes-Oxley? - No
He who knows best knows how little he knows. - Thomas Jefferson
Quoting a response by the Software Freedom Law Center:
you had me at #!
I contacted Wasabi hoping to buy some tools from them for BSD development on embedded platforms. When I asked about a platform they didn't support, they proceeded to criticize that CPU and Linux, saying they were underpowered and immature; basically, they want you to buy their favorite CPU. Sadly, this company is made from NetBSD developers, who I had previously thought were among the less rabid BSD zealots.
I stayed with Linux for embedded systems, and probably will forever, unless embedded BSD is freed from the grips of these people.
I speak from experience and people can and will use SOX as an excuse for anything and everything. The problem is auditors are now trying to understand technology and they just don't get it.
/etc/shadow hahahahahahhaa.. It's hilarious.
The basics of SOX are that your CEO must sign that the proper controls are in place to ensure that all changes made to production systems that affect the reporting of financial information are approved changes.
Companies can take this to mean that changes to your firewalls, mail servers and webserver need to be logged and monitored with scrutiny. And they will even send "auditors" in to take screenshots of
Realistically it is impossible to be 100% SOX compliant and profitable. This bill will be gone within 5 years and other countries without silly laws like this will prosper in the meantime.
So yes. If there is not an audit trail in place where someone approves of applying that patch to the Linux kernel on all production machines, then you are not SOX compliant. Just like if someone doesn't approve installing that critical service pack from Microsoft. Without approval and test cases you will fail your SOX audit unless you pay the extortion^H^H^H^H^H^H^H^H^H fee that anderson^H^H^H^H^H^H^H accenture is charging these days.
Does peanut butter taste like fish?
Coming soon to Grot: Fish-flavored peanut butter.
Does this actually have anything to do with the article? No
The article says that violating the GPL may be a SOX violation, but no more so than any other EULA.
I've seen a lot of complaints about Zonk; SM is worse.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
The Founders of this insane country have got to be spinning in their graves.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Who Effing Cares! WTF HAPPENED TO /.?! This is real lame news to be the norm now! STOP IT!!!!!!!
I knew the founders of Wasabi Systems, here in NYC. The original "brains" behind the startup, which planned a "Red Hat for NetBSD", got screwed by his lawyer partner in the late 1990s, and left. No surprise to hear their business model is lying about GPL (Linux) in press releases.
--
make install -not war
I have to agree.... this is really lame filler type news on this site. It seems that ole Slashdot has really gone down hill... even looking at the number and quality of comments on the different news lines is on the decline.... looks like digg is really kicking ass.
My understanding is that one of the reasons that Enron got as far as it did was because of the absence of laws that declared a conflict of interest if the same firm used for accounting/auditing was also used for consulting. Doing the right thing would have meant giving up either of those roles, and all the money that went with it. Money talks, integrity walks.
If my understanding is accurate, I wonder why it wasn't fixed by simply closing this loophole. Seems like every time something goes wrong (and it went terribly wrong here), there's an additional excuse to increase "oversight" - and all the red tape, hassle, and extra cost that goes with it. I also seem to recall that someone sounded the alarm quite a ways before Enron broke, but was ignored by Congress.
They're obviously trying to denigrate the competition by telling lies about it. That's why Red Hat sued SCO. They should be forced to prove their allegations or shut up.
People who think for themselves will one day realize that in the end, it's all about FREEDOM. Corporations do not have your best interests at heart and never will. The GPL is where the future of free software is, and only the GPL. People who bitch and moan about things will one day thank the GPL for being what it is. Corporations are becoming stronger. GPL software can never be stopped by anyone, ever, anytime.
dammit, SOX = sound exchange.
You're forgetting the most important part of the act: holding executives personally accountable for their company's malfeasance.
The Government is notorious for telling you that you need to comply with regulations without telling you how to comply. This sounds great at first, but this also leaves you open for penalties later if they determine that the methods you chose were insufficient. There is nothing in Sarbanes-Oxley that restricts the use of any specific sort of software to comply.... as long as if/when they investigate you they determine that you are/were in compliance.
What happens if a company develops intellectual property and releases it as GPL? Are they still required to report it?
I gather from a quick reading that simply using GPL software doesn't imply any risk, since the company in question does not own the IP outright. But if they are the original developers ... what happens then?
"My God...it's full of trolls!"
Is this an 'innocent until proven guilty' world or a 'guilty until proven innocent' world?
I tend to take a decidedly Buddhist view when it comes to that, nothing to do with the religion (before I get a religious flamewar going here), but I believe in moderation. Completely distrusting everyone is no worse than completely trusting everyone. You have to strike a balance - the way our world works depends upon it. Businesses depend upon trusting that the average consumer is not a thief (someone should tell the RIAA that, before they strangle the music industry), relationships depend upon trusting that the person you are with will be true to you, in whatever way that means to you.
~ Wizardry Dragon
Sheesh. RTFA guys - the accusation isn't that the GPL itself violates SOX, but that if you violate the GPL, you're violating SOX, because you're making misrepresentations about what IP you own.
It's a dubious theory to begin with, and misreporting it doesn't help.
Wasabi Systems has been spreading some FUD about the GPL prior to this. My understanding of the situation is that they're a company that delivers NetBSD solutions and employs the key NetBSD developers. NetBSD has been particularly eager to get rid of GPLed code in their distribution but gcc is hard to replace unless you are willing to pay. They still like to advertise how they are essentially GPL free.
I suppose they're bitter because of Linux's success while very little attention has been directed at the BSDs and most of that has been towards FreeBSD. NetBSD is a great OS but I find it disturbing that free software projects turn against each other like this.
You're right. Sarbanes-Oxley doesn't matter today. What was I thinking?
Wasabi employs many of the people behind NetBSD and is leading the push to commercialise it. They offer many proprietary extensions to NetBSD, and it seems they are now into sleazy FUD marketing too...
From my growing experience with SOX, I probably violate it every time I take a piss without capturing it.
Yes, we are forced to make screenshots from fileserver accounts creation, change, whatever, same for the mailserver and so on. We create TONS of papers. Papers for everything. Nobody will ever read them, nor understand them.
SUXBOX! This is just a new trick for those "companies" to make gazillions of money in "auditing". Auditing? Muhahaha, they skim through the papers, ask hilarious stupid questions, where the IT people just literally laugh at them.
How should this EVER help prevent any kind of accountant fraud? In no way, never ever. EVER. Whether you record a new user's rights or not, it will not stop him or her from tricking the balance sheet or doing some other stuff.
But whatever. Luckily someone gets rich of it.
"Freedom is always also the freedom of those who think differently" - Rosa Luxemburg, 1871 - 1919
Digg is slowly getting better, but it's not quite there yet. Their new comment and moderation system has really helped them, but it's at a level so far below Slashdot's that it has almost made them more pathetic. Until they have a good moderation and comment threading system and the article submitters start typing full sentences, they won't be my primary news source.
Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
As you can see from Groklaw's article on this, the answer is no. The costs do not change merely because one uses the GPL. SOX is a royal pain in the ass to comply with, true, but GPL software isn't any more problematic than software released under other licenses.
Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.
If you don't revert your software, then your mission-critical software will remain broken until Microsoft deigns to fix the issue.
If you do revert your software then you're in violation of the EULA and subject to having Microsoft demand that you delete the entire package at any time.
With the GPL, you're only likely to run into problems if you want to distribute the software without distributing the full source. You can sometimes get away with not publishing the source to isolated parts of software written by you, but at that point you're running on the border and should talk to lawyers to make sure that you're not crossing over the line.
Free Software: Like love, it grows best when given away.
It's not the GPL clashing with SOX, it's when a company knowingly uses GPL code in their proprietary product, lies to the stockholders by saying they own the code i.e. list it as an asset on the balance sheet, and then refuses to release the source code as required by distributing software containing GPL'd code.
Would be like a bank robber worrying about an unpaid traffic ticket he got en route to the bank robbery.
Apocalypse Cancelled, Sorry, No Ticket Refunds
The Wasabi Whitepaper itself says it doesn't:
"None of this applies to companies who merely use GPL software, such as those who run Linux on their servers, as long as their software was created in a compliant way. In addition, none of this applies to companies using non-GPL open source software, such as BSD; in the case of BSD, there is no requirement to make modifications open source. Rather, the requirements discussed here apply to companies who modify GPL software, such as embedded OEMs using Linux."
This is only about companies releasing products with GPL software.
Actually, it would be good for Open Source if it was a violation. It would be leverage to use against these infringing embedded companies.
And it's a complete joke and waste of money. More of Congress making stupid laws and costing people more money, and now we have accountants telling us how to make software? And what counts as 'quality'? Please...
what has changed since the last time this was a topic on /. a few short weeks ago (January 19th @ 13:18 to be exact)?
The reason why they're making their case against the GPL is important. Proprietors are saying that the GPL makes them nervous, they don't like the commons the GPL creates and maintains. Proprietors want to discourage everyone from using and developing GPL-covered code so that they have less competition and won't have to spend their time lobbying governments around the world to help make Free Software implementations of various programs impossible. Thus this is just another legal risk FUD case against the most widely used Free Software license, the GNU GPL which fails to mention what the Software Freedom Law Center points out:
And when it comes to GPL-covered software being so complicated to deal with, the SFLC has this to say:
Digital Citizen
.... consumer choice.
Ever heard of it?
From the programmers creating F/OSS to the users who chose to use it...
Now what would we have if that weren't so?
Sarbanes-Oxley is god's gift to consultants.
It really says nothing about technology. Yet consultants get companies to do whatever they want by claiming it will put them in violation of SOX.
FUD FUD FUD FUD!!!
I guess all the organisations that are using the GPL'd Snare for Windows, Snare for Solaris, Snare for (Linux|AIX|Tru64|etc..). to help them meet their Sarbanes-Oxley audit-related objectives (or GLBA / DCID / DIAM / ACSI 33 / NISPOM / HIPAA / etc..) will be laughing their collective asses off then ;)
Red. (Disclaimer: Snare developer)
Does the GPL Violate Sarbanes-Oxley?
By Peter Galli
March 7, 2006
Well, I guess it depends upon whether you consider the article's title to be part of the article. There are sentences in the article that are ambiguous enough to make one wonder which interpretation is intended, as well:
"The fact remains that no criminal charges on the basis of violating SOX have ever been brought against a GPL user," he said.
Note that it says GPL user, not violator. Of course, Peter Galli almost certainly didn't pick the title, as that is typically done by the editor. There are lots of times when the Slashdot article title gets it wrong, but this wasn't one of them.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
*Violating* the GPL, which is a specialization of violating copyright law, could expose you to civil litigation. Failure to anticipate such a risk might get you into Sox territory. But if that's what it takes to get your company to abide by basic laws such as copyright, you probably have much bigger problems than Sox compliance.
-fb Everything not expressly forbidden is now mandatory.
I think that there ought to be an appropriate regulatory infrastructure to require transparency in corporations. Transparency is the goal, not regulating what companies must do or don't do.
What I can't understand about many of these scandals is why the CEO was so heavily involved in cooking the books or pressuring the CFO's to do so. The CFO isn't supposed to work for the CEO. All the more reason to suggest that C-level officers should not also be on the Board of Directors.
I also think that with two smaller laws, we could do wonders for transparency in corporations: 1) Neither the CEO nor CFO ought to serve on the board of directors of a publicly traded company and 2) The CFO ought to be paid a salary and not offered any securities from the company as compensation. This is to avoid an incentive to cook the books.
LedgerSMB: Open source Accounting/ERP
I always found it interesting. In Jakarta, Indonesia, the only road to the airport is a private toll road. One company *controls* access to the airport serving the largest city in the country. Talk about corporations running everything.
The smog is horrendous, the pollution is terrible. The rivers are awash in garbage. The government has not the money to provide the basic services necessary to clean things up. The tap water usually comes from wells and smells of sewage because there is no water treatment. Yes, there is a lot of black money, but this does not work the way we would like-- most of these people don't even have the legal right to squat where they do.
Part of the problem is that the problems of land reform, economic reform, and the development of sustainable cities are heavily intertwined problems. When poor people have no documentation of ownership of land where they have built houses, they cannot finance their businesses, nor can the government collect taxes. Hence garbage piles up in the rivers, and so forth. This is why countries such as Peru have found that land reform is crucial to helping those small black-money businesses you describe. Yet, who owns the land? You got it. The large corporations.
I lived in Jakarta for a total of about eight months. I can tell you that our current system, imperfect as it may be, is far better than what exists in Indonesia.
I do not wish to go back to a world like that. I think that we do need to continue to focus on transparency, such as allowing every shareholder full access to a firm's accounting data.
LedgerSMB: Open source Accounting/ERP
Releasing code under the GPL does not take away any rights to relicense it in another manner. Trolltech, for example, offers QT either under the GPL or a commercial license.
My understanding is that one of the reasons that Enron got as far as it did was because of the absence of laws that declared a conflict of interest if the same firm used for accounting/auditing was also used for consulting. Doing the right thing would have meant giving up either of those roles, and all the money that went with it. Money talks, integrity walks.
If my understanding is accurate, I wonder why it wasn't fixed by simply closing this loophole. Seems like every time something goes wrong (and it went terribly wrong here), there's an additional excuse to increase "oversight" - and all the red tape, hassle, and extra cost that goes with it. I also seem to recall that someone sounded the alarm quite a ways before Enron broke, but was ignored by Congress.
Except that your understanding isn't correct. Firstly, auditors already are banned from undertaking consulting engagements, and were even before SOX came in.
Secondly, auditors can never be totally independent of a company - after all, they are paid out of company funds to perform audits. A much more sensible approach is to recognise that there are always threats to independence, but that auditors can establish certain safeguards against these threats. For example, by prohibiting members of the audit team from buying stock in the companies they audit. Or by mandating a 'cooling off' period during which an audit partner cannot go join an audit client in a financial role. This approach - unsurprisingly known as the "threats and safeguards" approach - originated in the Institute of Chartered Accountants in England & Wales in the late 90s and is now part of the code of ethics of the International Federation of Accountants.
Also there are often good reasons why you should hire your auditors to undertake non-audit (non-consulting) work. They already have a wealth of knowledge about your company which another firm simply wouldn't have. Another firm would have to spend lots of time - and that means shareholders' money, folks! - learning about your company. So instead of mandating a blanket ban, SOX required (Section 201) that the company's audit committee pre-approve non-audit services. So it recognises that sometimes they will be the best firm for the job, whilst adding another hurdle for them to cross before they can provide non-audit services.
Visit Snowflake Showers
We were talking about using existing GPLed code in your own code. You can NOT relicense THAT code in any other manner than the owner allows.
Software sucks. Open Source sucks less.