Slashdot Mirror


McAfee Worried Over "Ambiguous" Open Source Licenses

willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."

30 of 315 comments

  1. I don't get it by noz · · Score: 5, Interesting

    Are they worried because they've used GPL licensed code in their products?

    1. Re:I don't get it by davester666 · · Score: 5, Interesting

      Yes. And to correct the article, they aren't really worried about having to release code that may "leave ... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:I don't get it by Broken+Toys · · Score: 5, Insightful

      "McAfee's warning may have been prompted by the fact the Software Freedom Law Center, an open source advocacy group, recently filed a series of lawsuits against alleged GPL violators."

      The article isn't very clear on this point but it sounds like McAfee is almost admitting they violated the GPL and are about to end up in court.

    3. Re:I don't get it by unlametheweak · · Score: 4, Insightful

      The article talks more about lawsuits regarding GPL license violations than it does about security issues.

      Much security software is already open-source: encryption, firewall, virus scan, etc. The fact is that there is no inherent security problem with GPL software. McAfee just appears to have a problem with the licensing.

      Yes it seems like they would like to have their open source cake and eat it too.

    4. Re:I don't get it by Anonymous Coward · · Score: 5, Interesting

      No, they are worried that if governments begin using "infected"[*] open source products, they [McAfee] might be forced to support those open source products. And they are afraid that their code will be contaminated by the GPL *license* (note: not code).

      Let me put it another way..
      1. You create a program for counting beans, it's written for Microsoft Windows.
      2. 40% of your important customers (government) switch to Linux.
      3. Because you want to keep your clients, you port your application to Linux.
         In order to get access to the proper low-level interfaces (that you imagine you need for your bean counter), you start writing some kernel support functions.
      4. You deliver your application to your government. You are happy, the government is happy.
      5. One day, someone posts a "Company X are in violation of the GPL!" to Slashdot -- and all hell breaks loose. Your lawyers tell you that "Yes, we have to open source all our products, because they have all been contaminated by the GPL, because we touched the Linux kernel source (which is GPL)!".
      6. You shut down your business, and live on welfare for the rest of your life.

      The only thing which has happened here is that McAfee has proclaimed that GPL is viral (it infects innocent suspects' code).

      I suspect that McAfee has been offered a Great Deal by someone, in exchange for publicly stating that the GPL is viral.

      And no, I don't believe they are using GPL code. That's not what this is about. They are afraid of their (important) customers demanding McAfee support GPL products.

    5. Re:I don't get it by unlametheweak · · Score: 5, Insightful

      Yes. And to correct the article, they aren't really worried about having to release code that may "leave ... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits. I would suspect that it would be easier to run automated programs for finding buffer over-runs, etc, rather than fishing through thousands of lines of code looking for a non-obvious vulnerability (anybody who has ever coded knows that ALL coding mistakes are non-obvious... as soon as they press the compile button :P).

      By their logic it would be trivial to hack into a Linux computer because it is open-source, and next to impossible to hack into a Microsoft computer.

    6. Re:I don't get it by ricegf · · Score: 4, Interesting

      Your post doesn't make sense - or maybe I'm not following you? Anyone can write a Linux application and use any license they like (or stated another way, quite a few Linux applications are proprietary - the proprietary Flash plugin, for instance). McAfee wouldn't need to release their product under the GPL just to run it on Linux.

      And if they want to write a kernel support function that compiles with Linux and is also part of their product, they can dual-license (GPL when it's compiled with Linux, proprietary when part of their product). As long as they hold copyright, they aren't limited at all.

      What they seem to be saying is that they compile code written by someone else and released under only the GPL in their products. They can't change the license on code on which someone else holds copyright, so they are distributing that code in violation of the license (or, more precisely, in violation of copyright). Either they must "cure" the violation (e.g., by releasing their source code or replacing the GPL'd code), or acquire a commercial license from the copyright holder (if available).

      I must be missing something between step 3 and 5 in your post.

    7. Re:I don't get it by Bert64 · · Score: 4, Informative

      GPL code does not "infect innocent suspects' code"...
      If you choose to use GPL code in your product, then you must agree to the terms under which you are permitted to do so. These companies cross license code between each other all the time with a plethora of different licensing requirements. For example Microsoft will license a lot of code to you, such as wma/wmv codecs and drm, under the condition that you pay them for each copy you distribute as part of one of your products.
      The only difference with the GPL is the requirements which you must abide by in order to distribute. Don't like the terms? Then write your own, or license code from somewhere else under different terms, or merely change the way you use the GPL code so that compliance no longer bothers you.

      All this garbage about "releasing the source makes our products less secure" is ridiculous... Open source software has a very good track record when it comes to security, just look at OpenBSD for instance, and then you have apps like qmail for which the source has been available for years without huge numbers of holes. And Solaris hasn't suddenly seen a rash of new vulnerabilities since being open sourced.
      If code is well written, it doesn't matter who can see the source code. If it's poorly written you can understand why someone wouldn't want to be embarrassed by its release, but if it's full of holes people will still reverse engineer the binaries to find them.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    8. Re:I don't get it by Simon+Brooke · · Score: 3, Insightful

      Yes. And to correct the article, they aren't really worried about having to release code that may "leave ... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.

      They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.

    9. Re:I don't get it by Simon+Brooke · · Score: 4, Informative

      If you mess with kernel support functions you have to use the GPL because the Linux kernel is GPL'd. That is what the GP's post is about.

      Wrong

      If you link against the Linux kernel (or part of it), then you have to use GPL. Very few programs do this. Even kernel modules do not have to do this, provided they use the correct API.

      If you copy code from the Linux kernel, then you have to use the GPL. Incidentally, this applies even if you don't copy verbatim - if you copy the structure and then change variable and function names, you still have to use GPL.

      But if you have a piece of code which you wrote in its entirety, and which is only linked against the Linux kernel when on Linux, then it only has to be GPL'd when actually linked to the Linux kernel. The version you ship on Windows or Mac OS X can be licensed any way you like.

      Anyone who tells you different is just spreading FUD. Version Two of the GPL is a very simple document and is easy to read. It means just what it says, there's nothing complex behind it. Version Three is a little more prolix, but it still means just what it says. Go read it yourself; don't listen to people who are trying to mislead you.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.

    10. Re:I don't get it by Anonymous Coward · · Score: 3, Interesting

      Mysterious TFA quote.

      McAfee frequently cautions other companies about the latest bugs and computer viruses, but the security software maker is now warning that its own business could be in jeopardy -- not from some form of malware but from the fact that its products rely heavily on open source software.

      Reporting error from the article writer, or straight from the horse's mouth that McAfee has been violating the GPL?

    11. Re:I don't get it by Peaker · · Score: 3, Insightful

      anybody who has ever coded knows that ALL coding mistakes are non-obvious... as soon as they press the compile button :P

      Quite a few bugs are obvious to the experienced programmer.

      Many are not obviously bugs, but are obviously "bad practice" which will often lead to bugs.

      Once a proficient programmer re-factors "ugly" (full of "bad practice") code, most flaws also become obvious.

    12. Re:I don't get it by Machtyn · · Score: 3, Informative

      By their logic it would be trivial to hack into a Linux computer because it is open-source, and next to impossible to hack into a Microsoft computer. That's what I gleaned from the headline. According to McAfee's logic, if the source is open it means it is less secure. I suppose they've never had the benefit of thousands of friendly eyes poring over their code in the hopes of helping them improve their code.

      I'm of the belief that there are more people wanting to do good than bad. Of course, McAfee probably can only see the attacks they receive on their product by the nefarious trying to bypass their systems. From all that I can tell, McAfee is the Gateway (computers) of the AV world, it's useful if you aren't too worried about quality.

      /sorry, early in the morning. thoughts may be incomplete and incoherent.

    13. Re:I don't get it by HangingChad · · Score: 5, Insightful

      Do their own graft, write their own damn software, and stop freeloading off the community.

      What kind of leftie, tree-hugging nonsense is that? Expecting corporations to accept responsibility when there is shareholder value to consider, quarterly numbers to make and fat bonuses to earn.

      Accountability...I can't believe such a radical concept will ever fly. The American corporate way is to have our cake, eat it too and expense the bill as entertainment.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage

  2. As opposed to... by Anonymous Coward · · Score: 5, Funny

    their EULA which has been rigorously tested from time to time in the International Court of Justice.

  3. What's the problem? by zebslash · · Score: 5, Insightful

    Don't want to be bound to the terms of the GPL? Don't use GPL code!
    Just another piece of FUD.

    1. Re:What's the problem? by Cally · · Score: 3, Informative
      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe

  4. Fine. by palegray.net · · Score: 4, Insightful

    If you're worried about "uncertainties" with respect to any software license, don't include code in your application that might cause those licensing terms to apply to it. End of story.

  5. just lazy companies. by bark · · Score: 5, Insightful

    there is no free lunch. these manufacturers are seeing the "gold mine" open source software as a way to do less work. Well, you've got to comply with the terms of the license if you distribute it. no 2 ways about it.

    1. Re:just lazy companies. by ajs318 · · Score: 4, Informative

      No.

      When you link a GPL work against a non-GPL work, you create a derivative work. As long as you are authorised to possess both works, the derivative work you create is initially permitted by the Law of the Land, as Fair Dealing (Fair Use in some jurisdictions), and any apparent prohibition in the licence terms is unenforceable precisely because a promise not to do something the Law of the Land already says you can do is worthless.

      However, the terms of both licences now apply to the derivative work as a whole. If the restrictive licence said "You must not distribute the Source Code to others", that would conflict with the GPL's requirement to distribute the Source Code. Therefore, the only way you can comply with both licences at once is not to distribute the software at all (aka "Liberty or Death").

      The key point is, you don't need a licence to create that Derivative Work. You need one to distribute it. None of which would be an issue, by the way, if software vendors just distributed the frigging Source Code already.

      --
      Je fume. Tu fumes. Nous fûmes!

  6. Since when do software licenses... by JonathanR · · Score: 4, Interesting

    ...require testing in court?

    I would have thought that Copyright law was pretty unambiguous, and that any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.

    This would apply to any distribution license.

    No need to test anything in court, unless you wish to discuss the finer details of Copyright Law itself.

    1. Re:Since when do software licenses... by sinthetek · · Score: 5, Interesting

      Sounds to me like that is just an excuse; I think it is fairly likely they are just trying to stir up trouble for the FOSS community with the SEC. They have a lot at stake if you think about it. AV companies' prime source of revenue is MS and its adoption is declining while *nix-based systems' are increasing. They have little experience with *nix software probably and know most people won't see much need for a *nix AV solution and there are several to compete with already.

      I could be wrong but seems like this and similar complaints about FOSS are from entities with self-serving interests rather than interests of society/world at large. A lot of it is just FUD hoping to encourage paranoia in businesses and slow FOSS adoption.

  7. McAfee is just wrong by inode_buddha · · Score: 4, Informative

    It has been tested in both US and European courts, if you've been reading Groklaw at all in the last few years. And no, I don't mean SCO.

    --
    C|N>K

  8. Obviously they are worried by houghi · · Score: 4, Interesting

    When all software out there is Open Source, leaks will be found and closed. That would mean no more viruses. That would mean no more McAfee.

    What is the best defence they can come up with? FUD!

    If anybody is dependent on closed source and the slow process of bringing out patches, it is these guys. In an ideal world they should not even exist.

    --
    Don't fight for your country, if your country does not fight for you.

    1. Re:Obviously they are worried by DrSkwid · · Score: 3, Insightful

      > When all software out there is Open Source, leaks will be found and closed.

      When all software is open source, there will be so much of it that the scope for virus infection is wider, and products that monitor system calls and do intrusion detection will have more market.

      McAfee's real problem is that Windows gets more and more locked down and fine-grained capability permissions are being applied. The days of the blanket anti-virus product are numbered in the business world, balanced against the rise of the dedicated software administrator.

      --
      There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter

  9. Re:Simple Solution: Avoid The Kooky And Viral GPL by Urkki · · Score: 3, Informative

    Or, to put it more simply: If you want to use some copyrighted software, you need a license. If you can't get a license you want to accept, then you don't get a license, and can't use the software.

    Very very simple.

  10. Re:Lone programmer, against company policy by Anonymous Coward · · Score: 4, Insightful

    You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own. Then when that's identified, they have to remove the code, if necessary pulling the product. Or comply with whatever license the copyright holder is prepared to grant them. This is EXACTLY the same position as if the lazy programmer had infringed on a previous employer's code, or on leaked Microsoft code or... any other copyright infringement at all.

    Their best bet is to tighten up on their recruitment and code review processes. That would certainly beat complaining that it MAY turn out that some of their employees may be breaking various laws and that if they are then the victims may be gosh darned unreasonable about it.

  11. Re:I vote with my euros by Paradigm_Complex · · Score: 3, Interesting

    While you may not have meant it, your comment pokes at another plausible reason for McAfee to dislike FOSS. After switching to Linux a ways back, I never even had a reason to buy McAfee products. Their business is dependent on vulnerable software for them to come in and protect; clearly any solid development model would be a threat to their wellbeing. It's not (just?) problems with FOSS software that bothers McAfee, it's FOSS's strengths, too.

    --
    "A witty saying proves nothing." - Voltaire

  12. HEY MCAFEE! by martin-boundary · · Score: 3, Informative

    How about you write your OWN DAMN CODE instead of complaining, or just STEAL Theo De Raadt's. He WON'T mind AT ALL, honest :)

  13. GPL puts end-user freedom above all else by noidentity · · Score: 4, Interesting

    Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering.

    Translation: "Some manufacturers have voiced concerns that the requirement could leave important user-restriction features or copyright fair-use prevention features in their products open to rightful destruction."

    They fail to grasp the most important aspect of GPL: every end-user is also the master of said software; it is not up to anyone else to decide what he can and can't do. Features which keep the end-user out are not part of (publicly distributed) GPL software, period.