McAfee Worried Over "Ambiguous" Open Source Licenses
willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."
Are they worried because they've used GPL licensed code in their products?
If your business doesn't agree with the license, DON'T use it.
You can't have your cake and sell it too!!
their EULA, which has been rigorously tested from time to time in the International Court of Justice.
Don't want to be bound to the terms of the GPL? Don't use GPL code!
Just another piece of FUD.
If you're worried about "uncertainties" with respect to any software license, don't include code in your application that might cause those licensing terms to apply to it. End of story.
I am not going to buy McAfee products.
There is no free lunch. These manufacturers are seeing the "gold mine" of open source software as a way to do less work. Well, you've got to comply with the terms of the license if you distribute it. No two ways about it.
"We have a McAfee product for Linux in the labs, but the company lawyers are worried that someone else runs away with our IP."
...require testing in court?
I would have thought that copyright law was pretty unambiguous, and that any conditions imposed regarding distribution of a copyrighted work are at the whim of the copyright holder.
This would apply to any distribution license.
No need to test anything in court, unless you wish to discuss the finer details of copyright law itself.
Sure would be a shame to help the community you are trying to profit off of wouldn't it?
I don't understand why they would go whine to the SEC about it though.
"Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering"
Uh, that's the very idea of the GPL. It lets people who bought the product use it in any way they see fit, which includes "tampering" with it. It even allows you to redistribute it. The only thing it prevents is redistribution under a different license without permission. Didn't anyone give McAfee the memo?
We used GPL code, and it breaks our business model. I really feel bad for McAfee, not!
"To those who are overly cautious, everything is impossible. "
It has been tested in both USA and Euro courts, if you've been reading Groklaw at all in the last few years. And no, I don't mean SCO.
...that they think they're about to get caught out abusing an Open license in one of their products?
Translation: "We fucked up and didn't do our homework."
Funny they paid a bunch of lawyers to come up with this. If they paid me just half what they paid them I could explain the GNU GPLv3 very thoroughly to them.
When all software out there is Open Source, leaks will be found and closed. That would mean no more viruses. That would mean no more McAfee.
What is the best defence they can come up with? FUD!
If anybody is dependent on closed source and the slow process of bringing out patches, it is these guys. In an ideal world they should not even exist.
.... to criminalize such FUD, but there are laws against slander and libel. Perhaps the FSF and EFF should take action.
However, the real issue here is not exposing this FUD to those who know better but to those who don't.
So sue to force such FUD spreading companies to undo the FUD they spread by the same means and extent they used to spread it.
1) Don't use any license that requires you to disclose your code if you rely on obscurity for your security.
and
2) Only use code owned by others and covered by a strong copyleft in a product, if you are willing to release all the code for that product under a strong copyleft.
It is really not that complicated.
Or, to put it more simply: If you want to use some copyrighted software, you need a license. If you can't get a license you want to accept, then you don't get a license, and can't use the software.
Very very simple.
There is nothing "ambiguous" about the GPL, at least not in the context presented.
Both cases, "security by obscurity" and "keep part of the program proprietary", are simple no-gos with regard to the GPL.
What "ambiguous" really means is that some companies hope they can get away with ignoring the GPL, either directly or by finding some legal loophole.
McAfee is correct that either strategy puts the company at risk, just as it puts the company at risk to ignore or circumvent the license of any proprietary software they might use.
Stop the FUD.
Taking aim like this at the GPL smacks of seeking to discredit it in the public/industry's eyes. Any licence agreement has inherent dangers.
Do you guys have a clue as to what goes into the risks section of an SEC filing? Pretty much anything conceivable. That way if it happens it is harder to get sued by an ambulance chasing lawyer who found *one* unhappy shareholder and filed a class action suit. So if you are a publicly traded company you probably should have a risk enumerated that a programmer will violate policy and inappropriately incorporate GPL'd code.
Don't want to be bound to the terms of the GPL? Don't use GPL code! Just another piece of FUD.
You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own. Hell, it could be a relatively honest mistake like confusing a GPL'd lib for a LGPL'd lib. A GPL related lawsuit would be an appropriate item in the risks section of an SEC filing.
Maybe a big customer moved to a free software anti-virus and they want their salesmen to have something to use while pitching against it.
That is the most accurate, yet useless statement I have ever read.
No copyright governs use. Copyright only governs distribution!
Guess what! GPL is copyright!
But that's only because I wouldn't risk lawsuits over ambiguous open source agreements or contracts, because that is the surest way to end your career.
Oh you mean foolish like Apple?
What would be foolish is not understanding the terms of the license. Apple ships Mac OSX with GPL components. Linksys and Asus (both after a slight spanking) ship products with GPL components. Even Dell does. The key is understanding the GPL, adhering to it and having a product that is beneficial beyond the GPL code base (notice that all three examples sell hardware... although with Apple their software is not dependent on GPL but rather benefits from it).
The GPL is about protecting user rights. If you want to screw the user over, that's your decision, just don't expect the GPL to help you.
How about you write your OWN DAMN CODE instead of complaining, or just STEAL Theo De Raadt's. He WON'T mind AT ALL, honest :)
"Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."
:)
HUH? ROFL.
Maybe I'm not thinking this through completely, so forgive my youthful ignorance..... but since when did OPEN SOURCE software NEED copyright protection features?
Last time I checked, I did not enter a CD key and have to activate, say, something like.... ohh..... any SourceForge project on a Linux box.
I mean seriously... Am I missing something here? Please Tell Me? Confused Minds want to know
Nobody has yet suggested another possibility - that this is FUD that is being produced at the behest of Microsoft. McAfee presumably depends to an extent on MS being friendly, or at least not antagonistic, and would likely be easily persuaded to spread FUD when MS feel they need to increase their FUD output a bit.
Translation: "Some manufacturers have voiced concerns that the requirement could leave important user-restriction features or copyright fair-use prevention features in their products open to rightful destruction."
They fail to grasp the most important aspect of GPL: every end-user is also the master of said software; it is not up to anyone else to decide what he can and can't do. Features which keep the end-user out are not part of (publicly distributed) GPL software, period.
EULAs cover use however.
Could you not argue that by using a computer program you are copying it?
i.e.
When you install it, you copy it to your hard drive.
When you "run" it, you copy it into memory, or it's copied to virtual memory.
If you hibernate, the whole lot is copied to the hard drive.
etc.
I think in US copyright there is an exception "if in the normal course of operation". The UK and probably most EU countries do not have that, so in theory you need a licence to run the software.
My guess is that this warning has arisen from the use of kernel hooks to provide on-demand scanning. I read somewhere that McAfee modifies the Windows kernel to intercept among others file access calls. They might want to do the same for Linux, which would subject the code that provides those hooks to the GPL. It may be the case that McAfee thinks that this code must be secret to ensure the security of their product, and that could be why they are so afraid of the GPL.
How about creating a generic interface for such applications that multiple vendors could use to intercept e.g. file access calls? Or does it already exist?
The GPL is already far less restrictive than most commercial licenses...
Do you think Microsoft would sit idly by if someone took the Windows source code that was leaked a couple of years back and created a derivative work? The leaked source could have proved beneficial to projects like Wine, ReactOS and Samba etc., but they avoided it because it would be illegal. Given a reversed situation I doubt whether Microsoft would behave in such a responsible and ethical manner, but despite their behaviour they do have the same right to govern distribution of their code as anyone else.
Not This Shit Again
Fuck McAfee. Their anti-virus and security products suck anyway; buying a prebuilt machine that comes with this crap on it is about as bad as the ones which come with Norton...I have never met anyone who has worked with windows machines a lot who doesn't dislike both of these products.
It's not so much that they aren't secure enough for various reasons, it's that they impose such an overhead on your machine, occasionally can be difficult to remove, install so much crap, and really impact the user experience in a negative way.
As far as home anti-virus goes, it is my opinion that there are several good options, Grisoft's AVG line primarily - I think Trend isn't bad - I have heard good things about Avast but have no personal experience.
As far as corporate goes, I have experience using Norton's corporate edition, which I think is much better than their home offerings, but nowhere near as good as Grisoft's stuff. I switched our company network to AVG network edition a couple of years ago and have been extremely impressed with the result - in addition to being much more reasonably priced, I find it much easier to administer locally or via the network; it gives me the information, control, and reporting I need from the administration module and has the same low overhead and flawless performance as their other stuff.
I have to say that seeing corporations like this fret about possibly having taken advantage of the GPL and possibly getting nailed on it is heart warming.
I can see one thing they'd want to add to the kernel for "on-demand" scanning, it would be an interface to get information about new files, or be able to snoop on file writes or something. Nevermind that it probably already exists (/[id]notify/), they would just need to publish under the GPL the tiny part that is to reside in the kernel and its interfaces. Just like you can implement a proprietary filesystem through Fuse if you want, there would be no GPL requirement on the userland part of the software.
In Germany: http://www.linux.com/articles/57353
In the US: http://www.fsf.org/news/wallace-vs-fsf
And probably in other countries as well...
How many McAfee EULAs have been tested in court?
PS: McAfee, never heard of them. Does it run on Linux? Has anyone greeted our McAfee Overlords? Imagine a McBeowulf Cluster of these...
Ok, if those companies continue stealing OUR (open source) code and violating OUR licences, I will forget about the "you must pay" term of their licences and redistribute their software the way I decide to. So we can't use software we don't pay for. We can't redistribute their products the way we want. We can't use their patented code. How come they think they can? It's not fair play: they call us thieves, cyber-terrorists, but they sell millions of copies of software (at high prices) they don't even really OWN.
Something like inotify doesn't cut it for a virus scanner, since it needs to intercept read / write calls to be able to scan the files before the data is read. Something like systrace on {Net,Open}BSD could do it, but there is a known security vulnerability in that entire approach (which also affects virus scanners on other platforms).
This is worrying. I mean, how would users that use McAfee anti-virus software feel about this? A company unable to understand a license is probably not good enough to protect your computer...
...no warez, no cracks, most software from distro repositories, single command to update all software = 90% of their market is gone. The last 10% are those that would stab themselves in the foot if you didn't give them a gun. Anti-virus companies live off people downloading infected shit, unpatched software (either because they're lazy OR it'll break their cracked software) and the fact that anybody can set up a professional-looking website with malware. They say Linux is only free if your time is worthless. Well, given the risk, pirated software is only free if your data is worthless. Paying adds up on you - a lot. The only sad thing is that if you want to pay, there's rarely an opportunity. So far my solution to that has been Wine and VMware. All in all, my conclusion so far is in my sig...
Perhaps they are more worried that some of that code will be discovered to have actually been copied and pasted - basically stolen code. I imagine this scares the hell out of these companies, including Microsoft! There isn't too much originality online anymore. Something that appears new has been thought of before and perhaps even used in another time or another application. Many people can write code, or should I say put together code and hack it, so to speak, but few people can start from scratch and come up with something entirely new without using someone else's code, controls, interfaces, or ideas. A lot of times you think you have a new idea, but later learn that many people have thought of this same idea and your "new" idea is not actually new! I don't know the facts, but according to the articles and movies, /originally/ Apple and Microsoft stole their products. What really is going on here is they stole the idea and some of the code and changed it to make it their own and call it something else. An apple by any other name is still an apple - or should I say Xerox - then Microsoft approached Apple and stole Xerox's work from them. In reality, they are all a bunch of crooks.
When you're a public company, and you release an annual report, you are required to list just about every possible risk to your company that you can think of. That way, potential shareholders who read the report and buy stock based on your good news are also exposed to the bad news at the same time.
If your CEO is brilliant, you have to point out that he could die. If you have a gigantic data center, you have to point out that it could get hit by a missile. If you have obvious competitors, you have to point out that they could stomp you. If you don't, you have to point out that new ones could form at any moment. You have to put these in the strongest possible terms; it's the "don't say we didn't warn you" principle.
So, yes: to the extent that McAfee relies on license terms that have not yet been tested in court, they are at risk. Not necessarily a big risk, not even a worrisome risk, but a risk.
To the extent that they use proprietary software, they are ALSO at risk - of undiscovered bugs and reverse engineering. I imagine that's in there somewhere too.
In fact, here is the annual report in question.
The Risk Factors section is about 24 pages long, and includes things like "Failure of our products to work properly or misuse of our products could impact sales, increase costs, and create risks of potential negative publicity and legal liability."
They aren't worried. This is typical of a "full disclosure" of risks that companies give to their investors. They imagine everything that could possibly go wrong, and tell that to the people whose money they took, to cover their asses in case it does go wrong. It doesn't mean they think it will go wrong, any more than Ford thinks you will believe the objects in the mirror are as far away as they appear, or the Coppertone people think you will take their sunscreen internally. They're just covering their asses in cases it happens.
And that would be a sensible way to implement a Caged virus-checker: as a Caged module for Fuse, implementing its own filesystem with built-in virus checking.
On the other hand, the Unix security model inherited by Linux includes permissions (which make it much less likely for things to get executed that should not get executed) and ownerships (which make it less likely for things to get modified that should not get modified). Sensible default behaviours (for example, not running as root except when necessary, always saving e-mail attachments and downloaded files with execute OFF and only running binaries that were compiled by you or your OS distributor) go a long way towards minimising the threats. And while there is still a risk due to insecurities in things such as image handling libraries, the probability of those insecurities being discovered is that much a greater if the code is out in the open.
That, I think, is the real threat to McAfee: When everyone in town is or knows a qualified roof mender, you don't need to sell special expensive proprietary drip buckets.
Are you kidding? What trouble could they "stir up for the FOSS community with the SEC"? Does the SEC suddenly have the ability to punish some SEC-rule-abiding third-party company like Red Hat for licensing terms that McAfee claims to have been too stupid to understand? The purpose of the SEC is to make sure that no financial or stock market-related fraud is going on... the SEC exists to make sure that companies like McAfee give stockholders relatively accurate information so they can accurately gauge the company's value... hence the reason the report was filed with the SEC.
This report is in NO WAY an effort to somehow impede FOSS... this is entirely a case of McAfee explaining a potentially huge liability to stockholders with as much sugar coating and explaining away as possible. This is akin to an American car company sending stockholders a report in the 70's saying "there's a good chance we're going to get our asses kicked by the Japanese this year, but it's because of unfair trade policies! Don't blame us, and PLEASE DON'T SELL ALL YOUR STOCK IN A MASS PANIC!"
I'll never understand how moderators on Slashdot can justify giving a 5 to some posts.
http://www.sec.gov/Archives/edgar/data/890801/000095013407026067/d52464e10vk.htm
This "fear" of the GPL extends way beyond McAfee. A client of mine has forbidden the use of "open source" code in ANY software developed for them. This includes software under very permissive licenses, not just the GPL. I'm sure this was prompted by fear of the "viral nature" of the GPL. I'm not saying that the GPL is a bad thing or is viral, but there is a perception that using GPL or LGPL software is a potential legal risk. In this case, the paranoia has extended to all open source software. I highly doubt my client is the only organization to take a knee-jerk approach. The funny thing is that most commercial development toolkits and whatnot have more onerous software licenses.
They should use BSD licensed code.
How easy is this:
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
So why is open source such a problem?
EITHER you buy a closed source solution or write the solution yourself,
OR you get the free open source and follow its usage terms.
I just don't get why all these people selling proprietary solutions seem to feel they can charge but they get to use the open source software for free. There is a cost - and the cost is following the license.
Looks like they pretty explicitly state that they use GPL software in a way that puts them at risk of a lawsuit (they might not get caught by the right copyright owners, so it's just a risk, not a surety). That said, sorry, huge companies don't tell their investors "Hey we're using code illegally, it's likely to land us in court unable to legally sell our products to anyone until we pay a massive fee and open source all of our code" just to make a point about open source.
For a better understanding of what this filing is actually about, please check out my previous post to this thread: http://slashdot.org/comments.pl?sid=406724&cid=21922536
Considering the general quality level of your post, maybe I can entice you to actually read my post by informing you that it includes a great car analogy. FWIW, the article isn't all that long, you could try reading that too.
It shows how copyright hasn't kept up with the times, in that even linking against other code, as far as COPYRIGHT is concerned, creates a derived work (with music, if you have the same bass line but different rhythm/vocals, you're making a derivative, despite not using much of the original or changing it at all), though dynamic linking against an unmodified library is taken (in the interests of getting any work done) as being OK because you can
a) distribute only the application that links, so no distribution rights are needed
b) change the linked library to another work as the individual, so whether it's derived becomes unclear
If you don't like this being a problem, then please get your government to change copyright law. The FSF can't change it unilaterally.
"Okay, so we're profiting from GPL'd software. Now we're worried about the implications of using that software. OH, don't get us wrong we're not going to stop using it we just want to raise a red flag."
To what end? If companies like this really hope to have the software declared completely free and the GPL nullified then the result will be other programmers having their hard work profited by while they get to keep their works proprietary. How convenient!
and PAY to get it tested completely. Don't leech off the hard work and free testing done by millions of people worldwide so that you can save a hundred grand, you cheap bastard.
That would be the response to someone wanting GPL'd AES code in their proprietary DRM.
And in response to "well you have to say EVERY risk in this sort of report" why did they say "GPL"? Because it's just as risky getting code from the internet under no license (default copyright) and getting MS's code outside the NDA and contract is far more dangerous (say, from the MSDN site, where one fellow has been sued by MS despite the code being there, free and open because he didn't limit it to the professional version only).
So mentioning "GPL" is either redundant (and they are now guilty of omitting worse risks) or malicious (by trashing the license they don't like), which isn't what this report is for.
If they don't want to comply with the GPL (or other licenses) they shouldn't use the code. It seems so obvious, along the lines of "if you want both feet, don't shoot one off", that I can't understand why they would say such a thing. Or are the bits in the article misleading?
There are plenty of licenses where people are asked to agree to all sorts of terms unrelated to copyright.
i.e., you are legally permitted to obtain a copy of the software because the license grants that right, so long as you agree to the terms. Should you violate them, then you did not obtain the software with the intent of following the license, so in effect you had no right to use the software in the first place.
Qt makes interesting use of the GPL, once they started dual licensing. Back in the day, KDE's status was worrisome, as the Qt license upon which it depended was not free. Qt knew the success of KDE would be critical to their product's commercial success, and that they had to make provisions to allow the free software community to use it with impunity, while encouraging commercial vendors to continue on as they had been. They released under a dual license, GPL and Qt, such that if you are OK with the GPL, feel free to use it with impunity, but if you want a more commercial license, you can, but it will cost you. One of the major reasons commercial software vendors back Gnome is that fitting into that merely requires the LGPL, and thus they don't have to reciprocate commercially or with contributions.
Of course, LGPL for commonly used libraries is a requirement when having to deal with a platform of diverse licensing (including BSD and others).
I thought we had debunked the "GPL IS VIRAL!!!11!!1!!" argument long ago.
Their wording is confusing, but they seem to imply that merely *using* GPL software places some onerous requirements on them. That is outright false. (Where using means 'running the software for its designed purpose', e.g. using a GPL editor to edit files, or a GPL browser to access the web.)
If by 'using' they mean 'taking the code and making it part of the code of our software', then the results of that are *FAR* less onerous than doing the same with proprietary, non-GPL, non 'open source' code. If you take the source code for (for example) part of Microsoft Word or even Notepad, and make it part of your product that you sell, Microsoft is going to sue your pants off and own your company and perhaps your children by the time they are done. Doing so with GPL code merely requires that you also release your product as GPL. In both cases, you have the option of avoiding the repercussions by NOT including someone else's copyrighted code as part of your program. (Of course, in the MS case, it's pretty much impossible to do anyway since they don't make their source code available to the public.)
Consider the case of a supermarket. "Using" their fresh fruit that is on display could subject you to certain requirements. If you just pick up fruit from their display and eat it, they are going to get upset with you. If you pick it up and walk out of the store with it, they are going to expect you to pay for it. There is an implicit assumption that it isn't just free for the taking - it is there for you to inspect and decide if you want it, and if you do then you choose to buy it. Why should anyone assume anything else about someone's program source code, especially when it is distributed with a very specific license that spells out the terms, and nothing has to be assumed or implied? You can inspect it. If you decide you want it, you can choose to 'buy it'. In this case the cost is the release of the combined product also as GPL.
What do you mean? I don't know about inotify, but in my opinion it wouldn't matter that the data is read, what matters is that it isn't returned to the calling program until hooked programs have signed off on the data. The same would naturally apply to the exec*() family of functions, only that they do not return data, but rather load the data as a new executable image.
>The UK and probably most EU countries do not have that,
Yes they do. Protection for computer programs is covered in the EU directive 91/250/EEC, which basically gives a lawful user (not necessarily owner) of a computer program the right to make, for example, copies needed for normal use, which includes what you list such as installing and running the program. This is covered in article 5 of the treaty. I can't tell exactly how each member state has implemented the treaty, but many have done it more or less exactly as the treaty says. For example Sweden, which I am most familiar with, has the same text granting such rights (or rather excluding them from being exclusive to the copyright holder) to the user without any authorization, permission or license needed.
So yes, you are in most countries (if not all) of Europe allowed to install and run computer programs you have lawfully acquired.
Treaty:
http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&numdoc=31991L0250&model=guichett&lg=en
A document that analyses the implementation of the directive (as far as it was in 2000) but also provides some insight into how to interpret the directive:
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2000:0199:FIN:EN:PDF
Note for example (in regard for the contract part):
"In the view of the Commission, what was intended by Article 5 (1) and recital 18 was that it should not be possible to prevent by contract a "lawful acquirer" of a program doing any of the restricted acts that were required for the use of the program in accordance with its intended purpose or for correcting errors."
Did McAfee just openly admit that they stole code from GPL'd software? If they did... boy was that... stupid, to say the least. Nothing like giving the gpl-violations.org people a nice goal.
They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community.
But, you see, that's not what they want. They want the free milk and the cow both.
Am I the only one that doesn't see this as a big surprise? They try to fight viruses, don't they? The GPL is a prime example target for them.
Why should McAfee care if their AV program gets pulled into the GPL? They make their money by offering subscriptions to their virus definitions, which they should be able to do under the GPL. Sure, if the program's open sourced anyone else could distribute their own definitions, but I doubt they'd be as good as McAfee's -- ClamWin's supposed to be the best open source AV, and in tests it only detects half as many problems as Norton and McAfee.
One problem with McAfee's contention that the GPL hasn't been tested in court is that it's wrong. Slashdot reported not long ago about Verizon being sued over GPL violations, and they're just the latest in a long line of companies that, when faced with the choice between complying with the GPL and being taken to court, have settled with the copyright holders. The fact that so far every company faced with the choice has elected to settle and release the source code as required says much about the strength of the GPL. Companies only go to court when they think the license is weak or questionable enough that they've a reasonable chance of winning. So far, every violator seems to have been told by their lawyers "If they take you into court, you will lose. Settle now." As a creator I'd rather go with a license that strong than one where the violator's lawyers think it's weak enough they've a chance of arguing their case in front of a judge and winning.
Also, since the GPL is a copyright license and not a contract, any suit against a violator won't be for violation of the GPL. It'll be for violation of copyright law (making and distributing copies without a license to do so from the copyright holder). The GPL, if anything, will be a defense raised by the violator in an attempt to show that they do indeed have a license to distribute copies.
And finally, McAfee's not worried that the terms of the GPL are ambiguous. They're worried that the terms aren't ambiguous, and that if someone catches them using GPL'd code they stand no chance of getting away with it if push comes to legal shove.
I have been reading a fair bit of legal analysis (IANAL) relating to the GPL v2 and have been discussing various ambiguities relating to the GPL v3 with people at the SFLC. These licenses *do* have some ambiguities (though I think they are less of an issue for the GPL v2).
The major issue for the GPL v2 is that it is not 100% clear where the boundary relating to mere aggregation is. In general it is easy to read "a work based on the original work" as meaning derivative work (i.e. a transformation or adaptation of the original work in the same way that a movie may be based on a book, or a sequel may be based on another book), while aggregation seems to read as a collected or compiled work, but these simple interpretations are at odds with the FSF's interpretations. I.e. dynamic or even static linking would seem to create (possibly non-literal) compilations under copyright law, not derivations, even if the linker strips out unused portions (this is because that process would not be creative enough to create a *new* copyrighted work in the form of the new library code). Hence the simple reading of the GPL v2 would seem to allow one to link proprietary applications to, say, GNU Readline. This question has not been resolved in court yet.
The GPL v3 has the same issue, but adds a few more. For example, does section 7, paragraph 2 govern sections of BSD code included verbatim in a GPL v3 application? I.e. must one be allowed to change the license of a file to the GPL v3 in order to call it compatible? (Eben Moglen says "Yes" while Richard Fontana says "No"-- both are members of the SFLC and both were involved in the GPL v3 development process.)
There are also a few false ambiguities-- for example the question as to whether mere use of software inside an organization might ever require one to license patents out (the relevant section of the GPL v3 only applies to explicit patent licenses), though clearly one would want to stop using software before filing patent suits due to patent retaliation clauses.
Don't use open source in your own products that will be released to the public if you are a for-profit organization. It's that simple. Most large corporations specifically state, "DO NOT USE OPENSOURCE IN SOFTWARE THAT WILL BE RELEASED TO PUBLIC".
What indemnification does McAfee provide their customers against their customer records being stolen through the use of a trojan or virus?
There are two things that McAfee is going to be worried about:
1. The accidental introduction of GPL'd code into a product.
and the ambiguous one:
2. What constitutes a derivative work. Some Linux kernel developers believe that ANY kernel module is a derivative work of Linux and thus the source should be made available under the GPL. Others, e.g. Linus, believe that if source code was originally developed for another platform and then is ported to Linux that it may not be a derivative work. Who's right, legally speaking? Who knows! As lawyers like to say, something isn't so until a judge says it is.
So write your own and
Shut the fuck up.
Geez.
It's naive to think they would try and get a free ride by stealing code. They have tons of resources to develop their own stuff, and a legal department that would scream bloody murder if anyone asked about GPL'd code. Odds are, they contracted something out, and that developer saw an opportunity to make a quick buck by stripping the licence off open source code and selling it as their own work. Companies that sell a proprietary product are generally very aware that being on the right side of the law when it comes to IP ownership is what keeps them alive. In this case I doubt stealing GPL code was a high-level decision.
So as far as I can tell, here's what this story is actually about:
McAfee makes a virus scanner for Linux. Presumably the "on-demand" scanning uses a closed-source kernel module. Some kernel developers (i.e. copyright holders) assert that it violates the GPL to distribute closed-source kernel modules (although NVIDIA's and ATI's lawyers presumably disagree). This has never been tested in court. If one of the kernel copyright holders decided to litigate and won, then McAfee might have to stop selling their product, or significantly alter it. Since there is a risk of this happening, they are required to disclose it to investors.
It really is ludicrous to think they are doing this to try to strike against FOSS in some way... I'm sure that if they could legally bury this information without setting themselves up for a future stock price crash when they are sued, then they absolutely would. This is NOT the kind of thing a company puts in an investor report because they want to make a statement. This is the kind of thing CEOs would try so hard to avoid and bury that they'd end up in jail.
Theo, we'd all have a lot more respect for you if you posted flame bait under your real name.
This article is much ado about nothing. This was part of the risk disclosure section in McAfee's annual filing. It is neither indicative of corporate policy nor suggestive of future direction. This kind of CYA is pretty standard with any publicly-reporting company. Their disclosure states that there is a risk of their intellectual property ownership being compromised by the license terms of some of the OSS they use. You, I, and everyone at McAfee knows the chances of this happening are practically non-existent. However, you present this information to the investor so he/she can't sue you if somehow a scenario like this does happen.
I worked for a small public company for a while, and many of our risk disclosures in our reports were not necessarily reflective of reality. One such disclosure was that our systems ran on Microsoft software, and that if Microsoft went out of business we were basically screwed. I don't remember seeing a magazine article stating how we were "worried" that Microsoft would be going out of business.
As a corporate lawyer who occasionally handles copyright matters, I can tell you this statement is dead wrong. The only concern a company has is "how much will it cost?" When the cost to settle is less than the cost of defending the case, any good lawyer will advise his/her client appropriately. Now, the cost of settlement may not be strictly cash -- it may include the costs of rewriting code, releasing proprietary code, etc. However, since there hasn't yet been a GPL plaintiff looking for big ca$h, it is usually cheaper to settle. The fact that GPL owners are usually represented by pro bono organizations like EFF is a big reason they don't typically seek a lot of money -- they feel like they are doing it for "the principle of the thing."
Defending a complex copyright case is easily going to run into the millions of dollars, and cast a shadow over your business for two to three years (e.g., SCO v. IBM). If you are Verizon or McAfee, why bother?
From my perspective, McAfee is not only making a valuable point about their own business -- they are making an important statement about the entire OSS movement in general. Many companies are going to avoid developing for Linux, or using open source software simply because they don't understand what the license says (and, in reality, I don't think anyone knows what GPL3.0 says, including the drafters), and they can't conceive of a good enough reason to take the risk.
A good court battle over the GPL in which a court construed (i.e., interpreted) the language would be good for everyone except those who use the vagueness of the GPL as a cudgel. An appellate decision (costing another $500,000 or more at least) would be even better. However, so far the stakes involved in catering to the OSS/Linux community just haven't been worth it. In a few years, if more consumers are carrying Symbian phones, and using Walmart special Linux boxes to get their email, it may be a market worth fighting to get into -- right now, I think most companies (not including their IT departments) see it only as a pain in the ass.
It looks like McAfee is managing expectations through filings. Expectation - that there is value to McAfee products on non-windows platforms. Reality - it solves a windows created problem and has no value elsewhere. Sell, they are hiding something.
The whole article could be summed up like this:
McAfee: BAAAAAAAAAAAWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW!
Forgive me if I feel no sympathy for a company that's an obvious ambulance-chaser and now sounds like it may be at best reluctant to support its userbase, and at worst stealing GPL code.
Ambiguous?
There is nothing ambiguous in the GPL. It is what it is, and if their software integrates with GPLed software and they do not distribute their source, or think their users cannot further redistribute the software, they are plain burglars.
If, on the other hand, they just have isolated GPLed programs that come along with their products, in the way that is very clearly allowed by the GPL, they should just clarify that and shut up.
Well, all along.
The problem is the unspoken secret, everybody is sharing everybody else's code, and the licenses aren't really about anything but a king-of-the-mountain game. This works (they think) as long as everybody is willing to give lip service to the known secret.
But the GPL requires everybody to own up. When the truth about how much code has been borrowed gets out in open court, no license except the GPL and the BSD-style license remains.
(I know BSD-style license is not an approved term, but BSD doesn't own the license I use when I use that kind of license.)
So it is precisely at 6 where they lose complete touch with reality. They can't see that the world can possibly survive the collapse of the licensing system.
Just like so many centuries ago, so many "big" people assumed that the collapse of patronage would mean the end of the world.
Seriously, are these guys trying to rip off the open source community and their accomplishments? If they are worried about the license they should just not use the open source code. Why would anyone think they had the right to open source code and then dump on open source because they felt they could have legal difficulties with closed source software? Come on, there's no excuse. You don't want to have the possible problems? Then keep your hands out of the cookie jar.
"Could you not argue that by using a computer program you are copying it?"
Yes, but so what? Anything *necessary* to use something is use. The terms "use" and "anything necessary for normal use" are synonymous.
If you have to copy something to use it in the ordinary way, then that copying is using the work in its ordinary way.
A great example is coloring books. When you color them in, you are surely creating a derivative work. Why don't you need a special license to do that? Simple -- coloring in a coloring book is the ordinary, expected use.
Everything you do when you use a work is also something else.
But the demands could range anywhere from the original author getting credit, to having to pay them (large piles of) money, to just not being given a license.
You do realize that I used the word "may", not "will", with respect to tainting code?
Which means that Microsoft could, if they felt like it, demand that you make your source code public.
You have gone to the absurd. Who is more likely to insist that you make your source code available, the copyright holder of a GPL'd work or Microsoft? Now consider if the particular author is a GPL zealot. "May taint your code" stands.
I think you misunderstand that the GPL is a license, not a contract. When you are accused of copyright violation of a work under the GPL, you may choose to bring up the GPL as a defense by saying, "Gee, Your Honor, I am not violating copyright because I have this license here and I have complied with it." The copyright holder cannot sue you to force you releasing your code because the GPL is not a contract for which performance can be forced. If you do not claim the GPL as a defense or choose to offer compliance as a remedy, the GPL never enters into the case at all and you have the standard choices that any copyright violator has, including ceasing distribution, removing the GPLed code, and paying damages (or settling) for the past violations.
Once you remove the GPLed code from your own, you are free to do whatever you like with it. There are no "GPL-cooties" that infect the ones and zeros as long as you refrain from distributing the infringing parts in the future. The reason the GPL has "never been tested" in court, as so many are fond of saying, is that by the time a case gets there, the violator would be an idiot to bring the GPL into the picture if they were not in compliance. They settle or pay damages and cure the breach (by either complying or removing the infringing code).
If they don't agree to the license, they have no defense to copyright violation. The only defense they have is to accept (and comply with) the license; otherwise, standard copyright penalties apply. The GPL is never tested in court because the court cases end up being about copyright violation, not the GPL. Someone trying to challenge the GPL as "invalid" shoots themselves because they take away their only legal right to use the software. If they say, "I didn't sign it!" Fine. They get hit for copyright violation. No problem. The only thing they could do is try to shoot down some clause of the GPL as "unconscionable" and claim that they complied with the remainder of the license, but I think that would be a rather large stretch. [IANAL]
"Derivative work" is a well-defined unambiguous legal term. A "derivative work" is a work that contains significant pieces of, or all of, an earlier copyrighted work.
That is it. That is all. There is no debate on this. Either a work does contain part of (or all of) an earlier work, or it does not.
Closed-source Nvidia drivers for Linux do not contain bits of Linux itself.
Case closed on that front.
McAfee software products
If McAfee software products do not embed pieces of GPL'd code then I simply cannot understand what McAfee are on about.
Really?
Any cracker worth his salt will have a boot disk or two at hand, especially if he's gained physical access to a machine. Cracking a Windows machine is trivial - I've reset the password on a few boxes myself for those that have forgotten their passwords, and it was dead simple, believe it or not...
Refactoring isn't just "any random change of the code".
Refactoring means modifications of the code that are not supposed to alter its functionality. Things like renaming variables or moving code or data from one place to another.
I refactor a lot of code, much of it I did not write (but sometimes it's my old code where I didn't get it perfect or account for future developments).
Semantic transformations of code that do not alter functionality allow you to remain relatively sure that you are not breaking anything (especially if there's good test coverage) while fixing a bad design, or after having found a novel way to reduce code duplication or such. Once code duplication and tight coupling have been removed or reduced, adding new functionality and finding and fixing bugs is much easier.
In Soviet Russia mCaffe is the favorite Fud blend from US, you insensitive clod!
http://yahoo.brand.edgar-online.com/fetchFilingFrameset.aspx?dcn=0000950134-07-026067&Type=HTML
In the above paragraph it says what it says in quite clear language. There are other more obscure paragraphs with "GPL" mentioned, but they mostly say: we do not know what we might be obliged to in regard to third party IP in the USA covered by GPL as well. Rather than saying that they do not have a clue about the GPL and that it is evil or something.
Don't get me wrong. I think FOSS is great for promoting competition, innovation, learning, etc. It certainly doesn't hurt a company to pay for the creation of FOSS (especially since they can then legally leverage a large amount of existing source) when the main reason for development is for use as internal tools. However, I just can't comprehend how people see that as the ideal business model for companies who rely on selling said software.
Of course, I also don't understand how those companies feel they can incorporate (steal) GPL code and still charge for the derived work.
I am all for OSS, but I do kind of understand where McAfee is coming from. At my current employer, I had to work with some lawyers to certify a product complied with all the OSS licenses included in the product. There are terms in the GPL and LGPL that are not clearly defined. The term derivative work is less controversial, at least in my dealings with the GPL/LGPL. With that said, there is still a lot of open discussion. For example, does a kernel module that I insmod into the kernel have to comply with the GPL? Some lawyers call this a derivative work and require the module to comply with the GPL, others don't (e.g. ATI and nVidia).
The term that we had the most trouble with was distribution. When do the terms of the license apply? Our lawyers defined it as any time a contractor or third party works on the product/source. Therefore, we had to verify compliance if we gave a product to a customer to test. We also had to certify compliance (i.e. general source code, etc.) if we had a contractor work on the product. Other lawyers argued that a distribution requires a sale or transfer of ownership. I would argue that this is not clear in the license.
We also wanted to provide our customers with a support/test box running Ubuntu Linux. We ended up not being able to do this because we could not certify that the entire Ubuntu distribution complied with all the OSS licenses and by providing Linux box we would be distributing Ubuntu Linux (and therefore must comply with all the terms of all the licenses). One could say that the Ubuntu web site is taking care of all of this. We couldn't be completely sure of this.
Finally, we ran into some issues with things we tried to use that were dual licensed. For example, what does one need to do to support both the BSD and GPL license? Or what about GPL and Apache? These are not as trivial as one may think.
Now, I am all for open code and complying with the terms, but there is valid confusion in some of the license terms. I can understand the statement of risk because, while I like to think we complied with all the terms of the OSS licenses we used (there were 16 different licenses in our product), I can't be 100% sure.
Just my two cents. Perhaps we overcomplicated things, but this is just my experience.
Duh. It's obvious that the GPL license requires you to release source code... so in short, if you don't plan to release source, DON'T USE THE DARN GPL! It's that simple. If it's got a GPL license, and you have no plans on releasing source code, DON'T USE GPL. Instead use MIT licensed software in your products or other similar licenses that don't require source release.
That's a really poor example, and I expect if you tried to "sell" your colouring book in a gallery your "ordinary expected use" would likely not be upheld.