McAfee Worried Over "Ambiguous" Open Source Licenses

willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."

McAffee is just wrong

[inode_buddha]

It has been tested in both USA and Euro courts, If you've been reading Groklaw at all in the last few years. And no, I don't mean SCO.

Re:just lazy companies.

[ajs318]

No.

When you link a GPL work against a non-GPL work, you create a derivative work. As long as you are authorised to possess both works, the derivative work you create is initially permitted by the Law of the Land, as Fair Dealing (Fair Use in some jurisdictions), and any apparent prohibition in the licence terms is unenforcible precisely because a promise not to do something the Law of the Land already says you can do is worthless.

However, the terms of both licences now apply to the derivative work as a whole. If the restrictive licence said "You must not distribute the Source Code to others", that would conflict with the GPL's requirement to distribute the Source Code. Therefore, the only way you can comply with both licences at once is not to distribute the software at all (aka "Liberty or Death").

The key point is, you don't need a licence to create that Derivative Work. You need one to distribute it. None of which would be an issue, by the way, if software vendors just distributed the frigging Source Code already.

Re:I don't get it

[Bert64]

GPL code does not "infect innocent suspects' code"...
If you choose to use GPL code in your product, then you must agree to the terms under which you are permitted to do so. These companies cross license code between each other all the time with a plethora of different licensing requirements. For example Microsoft will license a lot of code to you, such as wma/wmv codecs and drm, under the condition that you pay them for each copy you distribute as part of one of your products.
The only difference with the GPL is the requirements which you must abide by in order to distribute. Don't like the terms? Then write your own, or license code from somewhere else under different terms, or merely change the way you use the GPL code so that compliance no longer bothers you.

All this garbage about "releasing the source makes our products less secure" is ridiculous... Open source software has a very good track record when it comes to security, just look at OpenBSD for instance, and then you have apps like qmail for which the source has been available for years without huge numbers of holes. And Solaris hasn't suddenly seen a rash of new vulnerabilities since being open sourced.
If code is well written, it doesn't matter who can see the source code. If it's poorly written you can understand why someone wouldn't want to be embarrassed by it's release, but if it's full of holes people will still reverse engineer the binaries to find them.

Re:I don't get it

[Simon+Brooke]

If you mess with kernel support functions you have to use the GPL because the Linux kernel is GPL'd. That is what the GP's post is about.

Wrong

If you link against the Linux kernel (or part of it), then you have to use GPL. Very few programs do this. Even kernel modules do not have to do this, provided they use the correct API.

If you copy code from the Linux kernel, then you have to use the GPL. Incidentally, this applies even if you don't copy verbatim - if you copy the structure and then change variable and function names, you still have to use GPL.

But if you have a piece of code which you wrote in its entirety, and which is only linked against the Linux kernel when on Linux, then it only has to be GPL'd when actually linked to the Linux kernel. The version you ship on Windows or Mac OS X can be licensed any way you like.

Anyone who tells you different is just spreading FUD. Version Two of the GPL is a very simple document and is easy to read. It means just what it says, there's nothing complex behind it. Version Three is a little more prolix, but it still means just what it says. Go read it yourself; don't listen to people who are trying to mislead you.