Does Using GPL Software Violate Sarbanes-Oxley?
Anonymous Coward writes "eWeek is reporting that The Software Freedom Law Center has published a white paper that dismisses recent publications from embedded systems seller Wasabi Systems. Wasabi recently released statements focusing on alleged GNU General Public License violations in relation to the Sarbanes-Oxley Act of 2002. The white paper, titled "Sarbanes-Oxley and the GPL: No Special Risk," essentially counsels users of the free software license that they have no need to worry."
The SFLC wrote the paper titled "No Special Risk" ... Wasabi Systems alleged SO violations.
And no surprise...they advertise BSD-based products on their front page. (Not dissing Any of the BSDs, they're cool, IMO.)
Who can recommend a good book on IT 404?
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
they want their boring back.
In case you have no clue what "Sarbanes-Oxley" is, you can check out official info and the Wikipedia article. Basically it is a set of laws that place limits on what companies (and those working for them, especially upper management) can do. This has mostly to do with declaring assets and transfers of money. It tries to prevent companies from defrauding investors and so on. These laws were enacted after the Enron scandal.
Wasabi's complaint is that under these laws, you have to declare all assets, including intellectual property. Their rationale is that using open-source software, you may be in violation of the law if you do not review and declare that usage.
As was pointed out last time this was discussed on slashdot, a company would only be in trouble if they were already doing something illegal: violating the GPL. If you violate the GPL, then you're misrepresenting your ownership of IP (claiming to have a license you don't), and thus are also violating Sarbanes-Oxley.
So what's the problem? If a company follows the GPL, then everything is fine. They have nothing to worry about. If they violate the GPL, then they're breaking multiple laws. So, as always, companies should make sure that what they are doing is legal. This in no way diminishes the extent to which GPL software can be used in commercial environments. Wasabi acts as if there is some tremendous additional legal burden to using GPL software. However it seems that Sarbanes-Oxley would equally apply if you mis-represented your ownership of non-GPL software. So there's no difference. (You can read the Software Freedom Law Center white paper for a more complete explanation.)
Some think that these situations are unintended consequences of laws that have "good" effects. Sarbanes-Oxley was intended, from the start, to be the ultimate way for government to control any corporation at will.
The law was initially meant to "fix" problems such as the Enron fiasco, but if you rewind just a few years, you see that most of these fiascos came directly out of trying to take advantage of loopholes in previous laws. The SEC colludes with the rest of the all powerful federal government to constantly keep non-preferred companies on their toes, while giving excessive power to the cronies. Sarbanes-Oxley will have the same effect.
The one light in Congress, Dr. Ron Paul, made an excellent note regarding Sarbanes-Oxley and the cost it will pass on to consumers. The Mises Institute also has a ton of great articles and blog posts regarding the horrors of this law.
It is time to realize that government is NOT good at regulating business, except from the point of view of the cronies. Bills like this will rarely be used for their original intent, and the un?-intended consequence in the long run is to see criminals made of innocents that had nothing to do with the law's purpose.
Instead of voting, I think we need to start pitching money in a hat to buy rope for those who violate their oath to uphold the Constitution.
violators of GPL are violators of Sarbanes-Oxley.
solution: don't violate the GPL.
You can never equivocate too much.
Does the GPL Violate Sarbanes-Oxley?
[E]ssentially counsels users of the free software license that they have no need to worry.
Coming soon:
Does peanut butter taste like fish?
No
Is water wet?
Yes
Short and informative - this is great stuff!
I meta-moderate because I care.
SOX requires strict change management controls over financial systems. When we went through our audit, the auditing company was mostly concerned with how changes were made to these systems, what management controls were in place to monitor these changes, and the processes that were in place to ensure their integrity. None of the OSS software used in these processes was given a second glance beyond the aforementioned items. As an example, our use of Nessus as one of our tools for network audits and our archive of Nessus scans was applauded.
Just my Experience.
What would use of software have to do with the GPL... The user does not have to accept the terms of the GPL to USE the software...
The phrase "more better" is acceptable English. suck it grammar Nazis
Quoting a response by the Software Freedom Law Center:
you had me at #!
I contacted Wasabi hoping to buy some tools from them for BSD development on embedded platforms. When I asked about a platform they didn't support, they proceeded to criticize that CPU and Linux, saying they were underpowered and immature; basically, they want you to buy their favorite CPU. Sadly, this company is made from NetBSD developers, who I had previously thought were among the less rabid BSD zealots.
I stayed with Linux for embedded systems, and probably will forever, unless embedded BSD is freed from the grips of these people.
How can GPL (or using GPL'ed software) violate the SOX, if GPL'ed software is used as the license permits? Reading the article didn't give me any insight about this issue.
You can not get in trouble for using software you have a license to use. Period. If you follow the GPL, you have a license to use OSS. Break the GPL, and well, you don't have that license anymore. Ditto with normal software. If you violate an EULA, or steal software, you don't have a license anymore. Using software you don't have a license to is a SOx violation, regardless of whether the software is free or not.
I speak from experience and people can and will use SOX as an excuse for anything and everything. The problem is auditors are now trying to understand technology and they just don't get it.
/etc/shadow hahahahahahhaa.. It's hilarious.
The basics of SOX are that your CEO must sign that the proper controls are in place to ensure that all changes made to production systems that affect the reporting of financial information are approved changes.
Companies can take this to mean that changes to your firewalls, mail servers and webserver need to be logged and monitored with scrutiny. And they will even send "auditors" in to take screenshots of
Realistically it is impossible to be 100% SOX compliant and profitable. This bill will be gone within 5 years and other countries without silly laws like this will prosper in the meantime.
So yes. If there is not an audit trail in place where someone approves of applying that patch to the linux kernel on all production machines then you are not SOX compliant. Just like if someone doesn't approve installing that critical service pack from microsoft. Without approval and test cases you will fail your SOX audit unless you pay the extortion^H^H^H^H^H^H^H^H^H fee that anderson^H^H^H^H^H^H^H accenture is charging these days.
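The two posts above (the auditor who cared about how changes reached financial systems, and the one about an approval trail for kernel patches) describe the same control: every change to a production host should map to an approved, tested change ticket. The script below is an added example written for this thread, not code from any poster, from the SFLC or from Wasabi. It reconciles a package-manager log against a change-approval register and flags changes with no ticket or no test evidence. The log lines, the CSV register, the package names and versions, and the ticket numbers are all constructed for the example; the log format is only loosely modelled on the old yum.log style.

```python
"""Reconcile production package changes against a change-approval register.

Added example for this thread (not any poster's code). Both inputs below are
constructed: the log imitates yum-style 'Action: name-ver-rel.arch' lines and
the register is a made-up CSV of change tickets.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: package changes recorded on a production host.
PACKAGE_LOG = """\
Mar 03 02:14:09 Updated: kernel-2.6.9-11.EL.x86_64
Mar 03 02:14:10 Updated: openssl-0.9.7a-43.1.x86_64
Mar 05 15:40:21 Installed: nessus-2.2.5-1.x86_64
Mar 07 09:01:55 Updated: glibc-2.3.4-2.13.x86_64
"""

# Constructed change-approval register: ticket, package, approver, test evidence.
APPROVAL_REGISTER = """\
ticket,package,approver,tested
CHG-1001,kernel,cfo-delegate,yes
CHG-1002,openssl,it-manager,no
CHG-1003,nessus,it-manager,yes
"""


@dataclass
class Change:
    when: str
    action: str
    package: str   # package name without version, release or arch
    version: str


@dataclass
class Finding:
    change: Change
    reason: str


def split_name_version(nevr):
    """Split 'name-version-release' at the first '-' followed by a digit."""
    for i in range(len(nevr) - 1):
        if nevr[i] == "-" and nevr[i + 1].isdigit():
            return nevr[:i], nevr[i + 1:]
    return nevr, ""


def parse_package_log(text):
    """Parse 'Mon DD HH:MM:SS Action: name-ver-rel.arch' lines into Changes."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:15], line[16:]
        action, _, nevra = rest.partition(": ")
        nevr = nevra.rsplit(".", 1)[0]          # drop the architecture suffix
        name, version = split_name_version(nevr)
        changes.append(Change(stamp, action, name, version))
    return changes


def parse_register(text):
    """Index the approval register by package name."""
    return {row["package"]: row for row in csv.DictReader(io.StringIO(text))}


def audit(changes, register):
    """Return a Finding for every change lacking an approved, tested ticket."""
    findings = []
    for ch in changes:
        rec = register.get(ch.package)
        if rec is None:
            findings.append(Finding(ch, "no change ticket on record"))
        elif rec["tested"].strip().lower() != "yes":
            findings.append(Finding(ch, f"{rec['ticket']} approved but no test evidence"))
    return findings


def audit_report(log_text=PACKAGE_LOG, register_text=APPROVAL_REGISTER):
    """Convenience wrapper: list of (package, reason) pairs for the auditor."""
    findings = audit(parse_package_log(log_text), parse_register(register_text))
    return [(f.change.package, f.reason) for f in findings]


if __name__ == "__main__":
    for pkg, reason in audit_report():
        print(f"{pkg}: {reason}")
```

On the constructed inputs the kernel and nessus changes reconcile cleanly, the openssl update is flagged because its ticket records no test evidence, and the glibc update is flagged because no ticket exists for it at all. In a real environment the register would come from the change-management system and the log from each host, and a match would also be checked against the ticket's scheduled window rather than package name alone.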
According to SOX you need to give an account on who owns all your IP.
The counterlink given in this article is just as biased.
Here is the problem. You run linux and your software is an asset used to help run your company. Who owns it? Does Linus own the kernel? What about the distro owner? How about the 250 people who contributed to the kernel?
Wasabi is saying that you need to keep track of all the thousands of kernel and FOSS developers since they own the copyright on the code in your accounting reports. Since that is impossible you therefore break the SOX law and your business can be held liable.
The GPL is not an EULA but just a license for the code. The issue of proper credit and who owns what is what the fud is all about.
This will scare some of the suits from using linux but they would typically find a reason not to use it anyway.
http://saveie6.com/
Does this actually have anything to do with the article? No
The Article says that violating the GPL may be a SOX violation, but no more so than any other EULA.
I've seen a lot of complaints about Zonk; SM is worse.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
The Founders of this insane country have got to be spinning in their graves.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
I knew the founders of Wasabi Systems, here in NYC. The original "brains" behind the startup, which planned a "Red Hat for NetBSD", got screwed by his lawyer partner in the late 1990s, and left. No surprise to hear their business model is lying about GPL (Linux) in press releases.
--
make install -not war
Software sucks. Open Source sucks less.
People who think for themselves will one day realize that in the end, it's all about FREEDOM. Corporations do not have your best interests at heart and never will. The GPL is where the future of free software is, and only the GPL. People who bitch and moan about things will one day thank the GPL for being what it is. Corporations are becoming stronger. GPL software can never be stopped by anyone, ever, anytime.
The Government is notorious for telling you that you need to comply with regulations without telling you how to comply. This sounds great at first, but this also leaves you open for penalties later if they determine that the methods you chose were insufficient. There is nothing in Sarbanes-Oxley that restricts the use of any specific sort of software to comply.... as long as if/when they investigate you they determine that you are/were in compliance.
Is this an 'innocent until proven guilty' world or a 'guilty until proven innocent' world?
I tend to take a decidedly Buddhist view when it comes to that, nothing to do with the religion (before I get a religious flamewar going here), but I believe in moderation. Completely distrusting everyone is no worse than completely trusting everyone. You have to strike a balance - the way our world works depends upon it. Businesses depend upon trusting that the average consumer is not a thief (someone should tell the RIAA that, before they strangle the music industry), relationships depend upon trusting that the person you are with will be true to you, in whatever way that means to you.
~ Wizardry Dragon
From my growing experience with SOX, I probably violate it every time I take a piss without capturing it.
'' Here is the problem. You run linux and your software is an asset used to help run your company. Who owns it? Does Linus own the kernel? What about the distro owner? How about the 250 people who contributed to the kernel? ''
That is really very simple. Your company can just make a statement like: "In our company, we are using 500 copies of Linux and 500 copies of OpenOffice. Both Linux and OpenOffice are owned by their respective copyright holders; we are using this software under the GPL license. We are also using 500 copies of Windows XP and Microsoft Office which are both owned by Microsoft; we are allowed to do this because we paid Microsoft lots of money for the licenses. "
If in reality you only paid for 100 licenses of Windows XP and Microsoft Office and someone finds out, then you are not only in trouble with Microsoft, but also with SOX. And should you be violating the terms of the GPL license in such a way that you are not allowed to use Linux and OpenOffice (and I am not quite sure at the moment how you would do that), then you are also in trouble with SOX.
Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.
If you don't revert your software, then your mission-critical software will remain broken until Microsoft deigns to fix the issue.
If you do revert your software then you're in violation of the EULA and subject to having Microsoft demand that you delete the entire package at any time.
With the GPL, you're only likely to run into problems if you want to distribute the software without distributing the full source. You can sometimes get away with not publishing the source to isolated parts of software written by you, but at that point you're running on the border and should talk to lawyers to make sure that you're not crossing over the line.
Free Software: Like love, it grows best when given away.
The Wasabi Whitepaper itself says it doesn't:
"None of this applies to companies who merely use GPL software, such as those who run Linux on their servers, as long as their software was created in a compliant way. In addition, none of this applies to companies using non-GPL open source software, such as BSD; in the case of BSD, there is no requirement to make modifications open source. Rather, the requirements discussed here apply to companies who modify GPL software, such as embedded OEMs using Linux."
This is only about companies releasing products with GPL software.
Actually it would be good for Open Source if it was a violation. It would be leverage to use against these infringing embedded companies.
The reason why they're making their case against the GPL is important. Proprietors are saying that the GPL makes them nervous, they don't like the commons the GPL creates and maintains. Proprietors want to discourage everyone from using and developing GPL-covered code so that they have less competition and won't have to spend their time lobbying governments around the world to help make Free Software implementations of various programs impossible. Thus this is just another legal risk FUD case against the most widely used Free Software license, the GNU GPL which fails to mention what the Software Freedom Law Center points out:
And when it comes to GPL-covered software being so complicated to deal with, the SFLC has this to say:
Digital Citizen