Does Using GPL Software Violate Sarbanes-Oxley?

Anonymous Coward writes "eWeek is reporting that The Software Freedom Law Center has published a white paper that dismisses recent publications from embedded systems seller Wasabi Systems. Wasabi recently released statements focusing on alleged GNU General Public License violations in relation to the Sarbanes-Oxley Act of 2002. The white paper, titled "Sarbanes-Oxley and the GPL: No Special Risk," essentially counsels users of the free software license that they have no need to worry."

SOX is change management over financial systems

[futuresheep]

SOX requires strict change management controls over financial systems. When we went through our audit, the auditing company was mostly concerned with how changes were made to these systems, what management controls were in place to monitor these changes, and the processes that were in place to ensure their integrity. None of the OSS software used in these processes was given a second glance beyond the aforementioned items. As an example, our use of Nessus as one the our tools for network audits and our archive of Nessus scans was applauded.

Just my Experience.

Since when is the GPL a EULA

[Tweekster]

What would use of software have to do with the GPL... The user does not have to accept the terms of the GPL to USE the software...

Groklaw quotes Moglen: FUD, plain and simple.

[toby]

Article here.

Quoting a response by the Software Freedom Law Center:

the latest Software Freedom Law Center white paper maintains ... these issues were reviewed and it was found that there is in fact no special risk for developing GPL'd code under SOX. "Under most circumstances, the risk posed to a company by SOX is not affected by whether they use GPL'd or any other type of software. Arguments to the contrary are pure anti-GPL FUD [fear, uncertainty and doubt]," the paper says.

Wasabi = BSD zealots

[drwho]

I contacted Wasabi hoping to buy some tools from them for BSD development on embedded platforms. When I asked about a platform they didn't support, the proceeded to criticize that CPU and Linux saying they were underpowered and immature, basically, they want you to buy their favorite CPU. Sadly, this company is made from NetBSD developers, who I had previously thought were among the less rabid BSD zealots.

I stayed with Linux for embedded systems, and probably will forever, unless embedded BSD is freed from the grips of these people.

Sarbanes-Oxley is a joke

[rfolstad]

I speak from experience and people can and will use SOX as an excuse for anything and everything. The problem is auditors are now trying to understand technology and they just don't get it.

The basics of SOX is that your CEO must sign that the proper controls are in place to ensure that all changes made to production systems that affect the reporting of financial information are approved changes.

Companies can take this to mean that changes to your firewalls, mail servers and webserver need to be logged and monitored with scrutiny. And they will even send "auditors" in to take screenshots of /etc/shadow hahahahahahhaa.. It's hilarious.

Realistically it is impossible to be 100% SOX compliant and profitable. This bill will be gone within 5 years and other countries without silly laws like this will prosper in the meantime.

So yes. If there is a not an audit trail in place where someone approves of applying that patch to the linux kernel on all production machines then you are not SOX compliant. Just like if someone doesn't approve installing that critical service pack from microsoft. Without approval and test cases you will fail your SOX audit unless you pay the extortion^H^H^H^H^H^H^H^H^H fee that anderson^H^H^H^H^H^H^H accenture is charging these days.

Re:Intended Consequences of laws

[dada21]

Yes, let them go wild. It will teach the average "investor" that there is no such thing as a free lunch. You should NEVER put your money into a business that you don't have faith in or trust. If you make it government's job to make people "tell the truth" you'll get lies covered by legal loopholes.

The problem starts with the Fed (Greenspan, Bernanke and their inflationary cycle) that makes money worthless over time so we seek to invest it to at least break even. The problem is made worse by the same inflationary cycle that makes our salaries go up slower than the inflationary cost of living increases (which go up because of the money printing). It goes downhill from there -- the SEC makes investors believe they're protected, which in a free market is a fallacy. You are only protected through contracts, not through law forcing people to act a certain way. Beyond contracts you protect yourself by doing business with people with a history (see eBay's feedback system).

This is all a mess, made worse by people who have faith in others. I have no faith in others except those who have proven their trustworthiness to me. This is why I only invest in businesses I have direct contact with.

Wasabi Burns

[Doc+Ruby]

I knew the founders of Wasabi Systems, here in NYC. The original "brains" behind the startup, which planned a "Red Hat for NetBSD", got screwed by his lawyer partner in the late 1990s, and left. No surprise to hear their business model is lying about GPL (Linux) in press releases.

Re:Intended Consequences of laws

[AuMatar]

Contracts can be enforced in a private market without the force of law. If you sign a contract, you take out contract insurance through a private company. This company issues a "bond" against your signature, guaranteeing the other party that you'll follow through, and also offering you insurance against the other party running off. This happens all the time in the construction industry (I should know, I own a business that gets bonded on each project).

No, it can't. First off- I sure as hell shouldn't HAVE to take out insurance for every one of my contracts. Yeah, thats a great idea- lets build up yet another level of middle men into society. Second off- its rife for corruption. For example, say I have a contract with a big company- say WalMart (no reason for picking them except their size). The bond company does hundreds of contracts with WalMart a year. They do 3 or 4 with me. We have a disagreement. WalMart tells them to side with WalMart, or they'll never give them buisness again. Who do you think they're going to side with?

The free market doesn't work on situations like this. They're called externalities, and covered in econ 101. A course I become more increasingly sure no libertarian has ever taken.

Sure, someone can take their terrible negative feedback and start anew with another company, but would you trust a 30 year old with zero feedback? Neither would I.

So in a world already hampered by big corporations, you want to add another artificial stumbling block raising the barriers to entry and allowing the big corps to fuck you over even more. Another great idea.

Don't forget to factor in that over half of all buisnesses fail in under 5 years. So yes, there would at any one time be a majority of buisnesses with little to no feedback. You'd also have a whole new class of crooks- feedback scams. They happen on ebay all the time- someone creates an account, sells a few dozen items to friends to build up feedback, then scams some unlucky guy (or frequently several unlucky guys) out of thousands of dollars in a big sale.

In a free market, interest rates are free to go up and down. Banks that need money can offer better rates than those who have money. Also, in a free market with a fixed money supply (100% reserves) we'd see soft deflation, which is good for the economy -- it gives people reason to save, increasing the money supply to banks for loans to GOOD businesses, not junk ones.

Deflation is no better than inflation. Both are good for different sectors of the economy and different economic classes. Inflation is good for people in debt (they need to pay less when the debt is due), deflation is good for debt owners (the debt is worth more when it is due). There's good reasons for prefering inflation to deflation- inflation makes credit very expensive. It makes buisnesses hard to start and homes hard to buy. Historicly inflation in this country was pushed for by farmers, who were land rich and cash poor, so they could more easily utalize their land to generate debt in bad years and repay in good.

As for a fixed money supply- thats not a good thing. One of the biggest problems in the middle ages was that the fixed money supply frequently left too little cash money in an area, limiting economic growth. The basic macroeconomics equation is change in money supply+ change in velocity of money=change in GDP plus inflation. If the money supply is fixed, you either have no change in GDP or you end up having money cycle very quickly. Quickly cycling money lowers savings rates (you have to spend it more often). Its much preferred to have a slowly increasing money supply. The ideal is to increase the money supply just enough so that inflation is 0, but this is nearly impossible to do. In practice its better to overincrease it and have mild inflation than the reverse.

Beware Your EULA

[Stephen+Samuel]

Man, if you're worried about the GPL, imagine what happens if you use Microsoft Software?

Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.
If you don't revert your software, then your mission-critical software wll remain broken until Microsoft deigns to fix the issue.
If you do revert your software then you're in violation of the EULA and subject to having Microsoft demand that you delete the entire package at any time.

With the GPL, you're only likely to run into problems if you want to distribute the software without distributing the full source. You can sometimes get away with not publishing the source to isolated parts of software written by you, but at that point you're running on the border and should talk to lawyers to make sure that you're not crossing over the line.