Slashdot Mirror
McAfee Worried Over "Ambiguous" Open Source Licenses
willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."
If your buisness doesn't agree with the license DON'T use it.
You can't have your cake and sell it too !!
Don't want to be bound to the terms of the GPL? Don't use GPL code!
Just another piece of FUD.
If you're worried about "uncertainties" with respect to any software license, don't include code in your application that might cause those licensing terms to apply to it. End of story.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
there is no free lunch. these manufacturers are seeing the "gold mine" open source software as a way to do less work. Well, you've got to comply with the terms of the license if you distribute it. no 2 ways about it.
"McAfee's warning may have been prompted by the fact the Software Freedom Law Center, an open source advocacy group, recently filed a series of lawsuits against alleged GPL violators."
The article isn't very clear on this point but it sounds like McAfee is almost admitting they violated the GPL and are about to end up in court.
"Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering"
Uh, that's the very idea of the GPL. It lets people who bought the product use it in any way they see fit, which includes "tamnpering" with it. It even allows you to redistribute it. The only thing it prevents is redistribution under a different license without permission. Didn't anyone give McAfee the memo?
The article talks more about lawsuits regarding GPL license violations than it does about security issues.
Much security software is already open-source: encryption, firewall, virus scan, etc. The fact is that there is no inherent security problem with GPL software. McAfee just appears to have a problem with the licensing.
Yes it seems like they would like to have their open source cake and eat it too.
By their logic it would be trivial to hack into a Linux computer because it is open-source, and next to impossible to hack into a Microsoft computer.
Do you guys have a clue as to what goes into the risks section of an SEC filing? Pretty much anything conceivable. That way if it happens it is harder to get sued by an ambulance chasing lawyer who found *one* unhappy shareholder and filed a class action suit. So if you are a publicly traded company you probably should have a risk enumerated that a programmer will violate policy and inappropriately incorporate GPL'd code.
> [...] that any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.
No. The conditions are still subject to
a) common law
Extreme example: you can't demand the firstborn for the use or distribution of the work.
b) interpretation by court
The legal meaning is finally determined by judges.
"Between strong and weak, between rich and poor [...], it is freedom which oppresses and the law which sets free"
Their best bet is to tighten up on their recruitment and code review processes. That would certainly beat complaining that it MAY turn out that some of their employees may be breaking various laws and that if they are then the victims may be gosh darned unreasonable about it.
> When all software out there is Open Source, leaks will be found and closed.
When all software is open source, there will be so much of it that the scope for virus infection is wider and products that monitor system calls and does intrusion detection will have more market.
McAffee's real problem is that Windows gets more and more locked down and fine grained capability permissions are being applied. The days of the blanket anti-virus product are numbered in the business world balanced against the rise of the dedicated software administrator.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community.
I'm old enough to remember when discussions on Slashdot were well informed.
If you don't have sufficient code review processes in place, and you don't know where your employees are copying code from, that's very much your problem. McAfee may be that unprofessional, but if they are they deserve everything that's coming to them.
I'm old enough to remember when discussions on Slashdot were well informed.
Quite a few bugs are obvious to the experienced programmer.
Many are not obviously bugs, but are obviously "bad practice" which will often lead to bugs.
Once a proficient programmer re-factors "ugly" (full of "bad practice") code, most flaws also become obvious.
Do their own graft, write their own damn software, and stop freeloading off the community.
What kind of leftie, tree-hugging nonsense is that? Expecting corporations to accept responsibility when there is shareholder value to consider, quarterly numbers to make and fat bonuses to earn.
Accountability...I can't believe such a radical concept will ever fly. The American corporate way is to have our cake, eat it too and expense the bill as entertainment.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Considering that the GPL only comes into play when you DISTRIBUTE the code in question, the NVidia driver's been
pretty much something of a non-issue.
You can't legally distribute to someone an install done this way, or provide an installation that ships directly with the NVidia
drivers, but you can ship a Linux install that can make it easy for someone and you can always turn it off/remove the offending
binary blob when you hand someone a machine you've been using the driver on. Since usage is not controlled by the GPL grant,
and there's no directly infringing pieces involved everyone just grouses about the blob NVidia provides, asks if they'll ever
do like AMD and Intel are in the process of doing, and goes on.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
And there's good reason for this. You don't necessarily know the provenance of the source code.
Here's an example: I was doing evaluations of the two open source identification products available today (from Black Duck and Palamida), and I found an instance where it appeared that code that was originally released under the GPL had found it's way into code that was released under the Apache license. I did some due diligence on this, looking back in the repositories to see when the initial checkins had been done to determine which project had the code first. Admittedly, that's not fool proof, but was the best I could do under the circumstances.
So, now imagine if someone in good faith takes the code from the Apache licensed project and uses it in their proprietary product. They comply with the Apache license. Then someone from the GPL project comes along and says "Hey! You're using OUR code that was made available under the GPL, you have to release the source code for your product." Legally speaking, that could be the result. And some people don't want to take that chance.
Refactoring isn't just "any random change of the code".
Refactoring means modifications of the code that are not supposed to alter its functionality. Things like renaming variables or moving code or data from one place to another.
I re-factor a lot of code, much of it I did not write (but sometimes its my old code where I didn't get it perfect or account for future developments).
Semantic transformations of code that do not alter functionality allow you to remain relatively sure that you are not breaking anything (especially if there's good test coverage) while fixing a bad design, or after having found a novel way to reduce code duplication or such. Once code duplication and tight coupling was removed or reduced, adding new functionality, finding and fixing bugs is much easier.