Slashdot Mirror

← Back to Stories (view on slashdot.org)

Does Using GPL Software Violate Sarbanes-Oxley?

Posted by ryuzaki0 on from the dispelling-fud dept.

Anonymous Coward writes "eWeek is reporting that The Software Freedom Law Center has published a white paper that dismisses recent publications from embedded systems seller Wasabi Systems. Wasabi recently released statements focusing on alleged GNU General Public License violations in relation to the Sarbanes-Oxley Act of 2002. The white paper, titled "Sarbanes-Oxley and the GPL: No Special Risk," essentially counsels users of the free software license that they have no need to worry."

18 of 272 comments (clear)

  1. CSPAN called by Anonymous Coward · · Score: 5, Funny

    they want their boring back.

    1. Re:CSPAN called by Firehed · · Score: 4, Funny

      Error 404: Funny not found.

      --
      How are sites slashdotted when nobody reads TFAs?
  2. More info on SOX by kebes · · Score: 5, Informative

    In case you have no clue what "Sarbanes-Oxley" is, you can check out official info and the Wikipedia article. Basically it is a set of laws that place limits on what companies (and those working for them, especially upper management) can do. This has mostly to do with declaring assets and transfers of money. It tries to prevent companies from defrauding investors and so on. These laws were enacted after the Enron scandal.

    Wasabi's complaint is that under these laws, you have to declare all assets, including intellectual property. Their rationale is that using open-source software, you may be in violation of the law if you do not review and declare that usage.

    As was pointed out last time this was discussed on slashdot, a company would only be in trouble if they were already doing something illegal: violating the GPL. If you violate the GPL, then you're misrepresenting your ownership of IP (claiming to have a license you don't), and thus are also violating Sarbanes-Oxley.

    So what's the problem? If a company follows the GPL, then everything is fine. They have nothing to worry about. If they violate the GPL, then they're breaking multiple laws. So, as always, companies should make sure that what they are doing is legal. This in no way diminishes the extent to which GPL software can be used in commercial environments. Wasabi acts as if there is some tremendous additional legal burden to using GPL software. However it seems that Sarbanes-Oxley would equally apply if you mis-represented your ownership of non-GPL software. So there's no difference. (You can read the Software Freedom Law Center white paper for a more complete explanation.)

    1. Re:More info on SOX by Jeffrey+Baker · · Score: 4, Insightful

      More importanly, you can substitute any other license for "GPL" in the parent post. If you misappropriate software under any license, you could have some liability. Duh.

    2. Re:More info on SOX by booch · · Score: 5, Insightful

      In almost EVERY argument against the GPL, you can substitute any other license for "GPL", and the argument would still hold true.

      One of the biggest arguments against the GPL is that if you use it in your own code, you have to agree to its terms. In the case of the GPL, those terms mean that your code must be GPLed. Other licenses set other terms; many licenses don't even ALLOW you to use their code in your code. In any case, if you don't follow the terms, you can be sued for copyright violation. So you always have a choice, no matter what the license -- either follow the license, or get sued.

      --
      Software sucks. Open Source sucks less.
    3. Re:More info on SOX by zero1101 · · Score: 5, Informative

      One of the biggest arguments against the GPL is that if you use it in your own code, you have to agree to its terms. In the case of the GPL, those terms mean that your code must be GPLed.

      This is an extremely misleading statement, if not outright false. Your code must only be GPLed *if you redistribute it*. There are, unfortunately, plenty of cases where PHB's decide not to use GPL software because they don't understand this. And apparently neither do many Slashdot readers.

    4. Re:More info on SOX by Tony+Hoyle · · Score: 4, Informative

      In practice though GPL stuff isn't enforced...

      Witness the number of embedded devices (particularly routers) where you can't get the source code to the GPL parts, and where you can, they're hard linked to closed source binaries with 'no unauthorised distribution' clauses (Yes I mean you Broadcom!).

      So it's perfectly legal to modify the GPL bits, but illegal to distribute the resultant code... thus the GPL is defeated by apathy because nobody cares.

  3. The original article says ... by gregor_b_dramkin · · Score: 5, Insightful

    violators of GPL are violators of Sarbanes-Oxley.

    solution: don't violate the GPL.

    --
    You can never equivocate too much.
  4. Coming soon to slashdot: by endrue · · Score: 5, Funny

    Does the GPL Violate Sarbanes-Oxley?
    [E]ssentially counsels users of the free software license that they have no need to worry.

    Coming soon:

    Does peanut butter taste like fish?
    No

    Is water wet?
    Yes

    Short and informative - this is great stuff!

    --
    I meta-moderate because I care.
    1. Re:Coming soon to slashdot: by General+Alcazar · · Score: 5, Funny

      In English, water implies liquid state:

      Solid H2O: Ice
      Liquid H2O: Water
      Gaseous H2O: Steam
      Plasma H2O: Profit!

  5. SOX is change management over financial systems by futuresheep · · Score: 4, Interesting

    SOX requires strict change management controls over financial systems. When we went through our audit, the auditing company was mostly concerned with how changes were made to these systems, what management controls were in place to monitor these changes, and the processes that were in place to ensure their integrity. None of the OSS software used in these processes was given a second glance beyond the aforementioned items. As an example, our use of Nessus as one the our tools for network audits and our archive of Nessus scans was applauded.

    Just my Experience.

  6. Since when is the GPL a EULA by Tweekster · · Score: 4, Interesting

    What would use of software have to do with the GPL... The user does not have to accept the terms of the GPL to USE the software...

    --
    The phrase "more better" is acceptable English. suck it grammar Nazis
  7. Sarbanes-Oxley is a joke by rfolstad · · Score: 4, Interesting

    I speak from experience and people can and will use SOX as an excuse for anything and everything. The problem is auditors are now trying to understand technology and they just don't get it.

    The basics of SOX is that your CEO must sign that the proper controls are in place to ensure that all changes made to production systems that affect the reporting of financial information are approved changes.

    Companies can take this to mean that changes to your firewalls, mail servers and webserver need to be logged and monitored with scrutiny. And they will even send "auditors" in to take screenshots of /etc/shadow hahahahahahhaa.. It's hilarious.

    Realistically it is impossible to be 100% SOX compliant and profitable. This bill will be gone within 5 years and other countries without silly laws like this will prosper in the meantime.

    So yes. If there is a not an audit trail in place where someone approves of applying that patch to the linux kernel on all production machines then you are not SOX compliant. Just like if someone doesn't approve installing that critical service pack from microsoft. Without approval and test cases you will fail your SOX audit unless you pay the extortion^H^H^H^H^H^H^H^H^H fee that anderson^H^H^H^H^H^H^H accenture is charging these days.

  8. Re:Intended Consequences of laws by dada21 · · Score: 4, Interesting

    Yes, let them go wild. It will teach the average "investor" that there is no such thing as a free lunch. You should NEVER put your money into a business that you don't have faith in or trust. If you make it government's job to make people "tell the truth" you'll get lies covered by legal loopholes.

    The problem starts with the Fed (Greenspan, Bernanke and their inflationary cycle) that makes money worthless over time so we seek to invest it to at least break even. The problem is made worse by the same inflationary cycle that makes our salaries go up slower than the inflationary cost of living increases (which go up because of the money printing). It goes downhill from there -- the SEC makes investors believe they're protected, which in a free market is a fallacy. You are only protected through contracts, not through law forcing people to act a certain way. Beyond contracts you protect yourself by doing business with people with a history (see eBay's feedback system).

    This is all a mess, made worse by people who have faith in others. I have no faith in others except those who have proven their trustworthiness to me. This is why I only invest in businesses I have direct contact with.

  9. Re:Intended Consequences of laws by jdavidb · · Score: 4, Insightful

    Instead of requiring companies to do anything, how about telling people that they really shouldn't put their money anywhere but where they trust?

    Our culture has accepted a lie about trust. We believe that it is the obligation of people to extend trust, and that it is a moral failing when they do not. In reality, the exact opposite is true. Nobody should be trusted until they have proved themselves trustworthy. If person A fails to trust person B, that is solely and completely person B's responsibility. It is not person A's fault. A has to earn B's trust.

    This was clear to me during my dating days in an online singles community when I'd hear women who had just been jilted say, "How can I ever trust anyone again?" Well, the problem is that they were extending trust to people who had not yet earned it, and those people performed as could be expected. Then these women were viewing it as somehow their own moral obligation to trust people after that. In reality they were receiving an education that was pointing them to the obvious conclusion that it was not their responsibility to trust people who have not earned it.

    Extending that to business is left as an exercise for the reader; I've had more success in dating than I have in business. ;)

    --
    Secession is the right of all sentient beings.
  10. Wasabi Burns by Doc+Ruby · · Score: 4, Interesting

    I knew the founders of Wasabi Systems, here in NYC. The original "brains" behind the startup, which planned a "Red Hat for NetBSD", got screwed by his lawyer partner in the late 1990s, and left. No surprise to hear their business model is lying about GPL (Linux) in press releases.

    --

    --
    make install -not war

  11. Thats no better than what you complain about by Wizardry+Dragon · · Score: 5, Insightful

    Is this an 'innocent until proven guilty' world or a 'guilty until proven innocent' world?

    I tend to take a decidedly buddhist view when it comes to that, nothing to do with the religion (before I get a religious flamewar going here), but I believe in moderation. Completely distrusting everyone is no worse than complete trusting everyone. You have to strike a balance - the way our world works depends upon it. Buisness depend upon trusting that the average consumer is not a theif (someone should tell the RIAA that, before they strangle the music industry), relationships depend upon trusting that the person you are with will be true to you, in whatever way that means to you.

    ~ Wizardry Dragon

  12. Re:Worded poorly. by ShieldW0lf · · Score: 5, Informative

    Situation One: Your company owns the copyright to the software outright, released it under the GPL, and doesn't accept contributions. No problems. Situation Two: Your company distributes GPL software that it didn't write, with or without modifications. Your company recogizes that this is not its intellectual property, and never should have been, being that it wasn't written by them, and doesn't claim it as an asset. No problems. Situation Three: Your company distributes GPL software that it didn't write, with modifications. Your company fails to recognize that part of this software was never theirs in the first place and that the rest of it is not an economic asset because they do not have the ability to control access to it in exchange for money, but you try to pull some bullshit with the numbers to make it seem like an asset. By doing this, you're misleading your investors and committing fraud. You have a problem. But the problem isn't with the law. The law is working exactly as it should. If you're an OEM using open source software that you sourced externally for free and modified, it's not your property, and you shouldn't be listing it at all. If you've built your business around this lie, you're SUPPOSED to be fucked. That's what the law is for.

    --
    -1 Uncomfortable Truth