McAfee Worried Over "Ambiguous" Open Source Licenses
willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."
It has been tested in both USA and Euro courts, if you've been reading Groklaw at all in the last few years. And no, I don't mean SCO.
C|N>K
1) Don't use any license that requires you disclose your code if you rely on obscurity for your security.
and
2) Only use code owned by others and covered by a strong copyleft in a product, if you are willing to release all the code for that product under a strong copyleft.
It is really not that complicated.
Or, to put it more simply: If you want to use some copyrighted software, you need a license. If you can't get a license you want to accept, then you don't get a license, and can't use the software.
Very very simple.
No.
When you link a GPL work against a non-GPL work, you create a derivative work. As long as you are authorised to possess both works, the derivative work you create is initially permitted by the Law of the Land, as Fair Dealing (Fair Use in some jurisdictions), and any apparent prohibition in the licence terms is unenforceable precisely because a promise not to do something the Law of the Land already says you can do is worthless.
However, the terms of both licences now apply to the derivative work as a whole. If the restrictive licence said "You must not distribute the Source Code to others", that would conflict with the GPL's requirement to distribute the Source Code. Therefore, the only way you can comply with both licences at once is not to distribute the software at all (aka "Liberty or Death").
The key point is, you don't need a licence to create that Derivative Work. You need one to distribute it. None of which would be an issue, by the way, if software vendors just distributed the frigging Source Code already.
Je fume. Tu fumes. Nous fûmes!
I don't get this. They do use GPL'd code, and they do respect the license.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Yep which is why Apple can distribute OSX with GPL software and even proprietary GUI hooks to configure it in their OS.
Sometimes my arms bend back.
How about you write your OWN DAMN CODE instead of complaining, or just STEAL Theo De Raadt's. He WON'T mind AT ALL, honest :)
GPL code does not "infect innocent suspects' code"...
If you choose to use GPL code in your product, then you must agree to the terms under which you are permitted to do so. These companies cross license code between each other all the time with a plethora of different licensing requirements. For example Microsoft will license a lot of code to you, such as wma/wmv codecs and drm, under the condition that you pay them for each copy you distribute as part of one of your products.
The only difference with the GPL is the requirements which you must abide by in order to distribute. Don't like the terms? Then write your own, or license code from somewhere else under different terms, or merely change the way you use the GPL code so that compliance no longer bothers you.
All this garbage about "releasing the source makes our products less secure" is ridiculous... Open source software has a very good track record when it comes to security, just look at OpenBSD for instance, and then you have apps like qmail for which the source has been available for years without huge numbers of holes. And Solaris hasn't suddenly seen a rash of new vulnerabilities since being open sourced.
If code is well written, it doesn't matter who can see the source code. If it's poorly written you can understand why someone wouldn't want to be embarrassed by its release, but if it's full of holes people will still reverse engineer the binaries to find them.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Typing linux init=/bin/sh at the boot prompt is not necessarily trivial. It requires physical access to the machine, and it is evident to an external observer.
Je fume. Tu fumes. Nous fûmes!
Wrong
If you link against the Linux kernel (or part of it), then you have to use GPL. Very few programs do this. Even kernel modules do not have to do this, provided they use the correct API.
If you copy code from the Linux kernel, then you have to use the GPL. Incidentally, this applies even if you don't copy verbatim - if you copy the structure and then change variable and function names, you still have to use GPL.
But if you have a piece of code which you wrote in its entirety, and which is only linked against the Linux kernel when on Linux, then it only has to be GPL'd when actually linked to the Linux kernel. The version you ship on Windows or Mac OS X can be licensed any way you like.
Anyone who tells you different is just spreading FUD. Version Two of the GPL is a very simple document and is easy to read. It means just what it says, there's nothing complex behind it. Version Three is a little more prolix, but it still means just what it says. Go read it yourself; don't listen to people who are trying to mislead you.
I'm old enough to remember when discussions on Slashdot were well informed.
It already exists, it's called Dazuko. It's licensed under the GPL for the Linux kernel, and BSD license for FreeBSD. But the Linux kernel license makes it quite clear that making system calls from user space (essentially all kernel extensions like this just provide extra syscalls and ioctls) does not constitute a derivative work so far as the GPL is concerned. Otherwise any piece of proprietary software running on Linux would be necessarily screwed.
Something like inotify doesn't cut it for a virus scanner, since it needs to intercept read / write calls to be able to scan the files before the data is read. Something like systrace on {Net,Open}BSD could do it, but there is a known security vulnerability in that entire approach (which also affects virus scanners on other platforms).
I am TheRaven on Soylent News
I'm of the belief that there are more people wanting to do good than bad. Of course, McAfee probably can only see the attacks they receive on their product by the nefarious trying to bypass their systems. From all that I can tell, McAfee is the Gateway (computers) of the AV world, it's useful if you aren't too worried about quality.
/sorry, early in the morning. thoughts may be incomplete and incoherent.
See, I'm no expert but I would think that nVidia's graphics drivers would also 'need to muck about at kernel level', and they do not use the GPL. I've heard they have a little LGPL bit that connects the kernel and their driver or something like that.
The GPL must be attached to any "derived works" of the Linux kernel. I.e. if you write a module for the Linux kernel it must be GPLed. However, nVidia did not do this - they wrote their driver for Windows. They then took the Windows driver and wrote a GPLed interface library to make it work with Linux. So the interface library is derived from both the non-GPLed driver and the GPLed Linux kernel - the driver itself is not derived from any GPLed code so can remain under a different licence.
It is pretty similar to running your 802.11 drivers under ndiswrapper - the driver was written for Windows, not for Linux, so running it under ndiswrapper doesn't force the driver's code to be GPLed.
http://blog.nexusuk.org
I have been reading a fair bit of legal analysis (IANAL) relating to the GPL v2 and have been discussing various ambiguities relating to the GPL v3 with people at the SFLC. These licenses *do* have some ambiguities (though I think they are less of an issue for the GPL v2).
The major issue for the GPL v2 is that it is not 100% clear where the boundary relating to mere aggregation is. In general it is easy to read "a work based on the original work" meaning derivative work (i.e. a transformation or adaption of the original work in the same way that a movie may be based on a book, or a sequel may be based on another book), while aggregation seems to read as a collected or compiled work, but these simple interpretations are at odds with the FSF's interpretations. I.e. dynamic or even static linking would seem to create (possibly non-literal) compilations under copyright law, not derivations even if the linker strips out unused portions (this is because that process would not be creative enough to create a *new* copyrighted work in the form of the new library code). Hence the simple reading of the GPL v2 would seem to allow one to link proprietary applications to, say, GNU Readline. This question has not been resolved in court yet.
The GPL v3 has the same issue, but adds a few more. For example, does section 7, paragraph 2 govern sections of BSD code included verbatim in a GPL v3 application? I.e. must one be allowed to change the license of a file to the GPL v3 in order to call it compatible? (Eben Moglen says "Yes" while Richard Fontana says "No"-- both are members of the SFLC and both were involved in the GPL v3 development process.)
There are also a few false ambiguities-- for example the question as to whether mere use of software inside an organization might ever one to license patents out (the relevant section of the GPL v3 only applies to explicit patent licenses), though clearly one would want to stop using software before filing patent suits due to patent retaliation clauses.
LedgerSMB: Open source Accounting/ERP
It's just plain stupid. I absolutely hate that term.
It's a "fancy" way of saying "I screwed up, so I'll have to re-organize huge portions of the design, in order to somehow find my way out of this mess." in such a way, as to make the manager think you must be some sort of a genius for using such fancy words.
Whenever I hear a colleague software developer saying
"Some re-factoring might be necessary in order to get that functionality"
followed by an (expected)
"Well, then, go ahead, do it"
in a meeting where we must decide whether we will allow a last minute addition of a critical requirement or not, I feel the urge to jump over the table and ram my fucking foot down the idiot's throat. I KNOW he is talking about a complete re-design of an otherwise good working piece of the code, without actually saying it.
I would really like to know who coined that stupid and unnecessary term in the first place!
unless the boot loader has been configured to disable all such nonsense
So as far as I can tell, here's what this story is actually about:
McAfee makes a virus scanner for Linux. Presumably the "on-demand" scanning uses a closed-source kernel module. Some kernel developers (i.e. copyright holders) assert that it violates the GPL to distribute closed-source kernel modules (although NVIDIA's and ATI's lawyers presumably disagree). This has never been tested in court. If one of the kernel copyright holders decided to litigate and won, then McAfee might have to stop selling their product, or significantly alter it. Since there is a risk of this happening, they are required to disclose it to investors.