Checking For GPL Compliance, When the Code Is Embedded

← Back to Stories (view on slashdot.org)

Checking For GPL Compliance, When the Code Is Embedded

Posted by timothy on Friday April 16, 2010 @06:26PM from the thank-you-bruce-perens-for-busybox dept.

Excerpting from ComputerWorld UK, ChiefMonkeyGrinder writes with word of what sounds like a very cool tool: "Open source software is everywhere these days. In particular, Linux is being used increasingly to power embedded systems of all kinds. That's good, but it's also a challenge, because the free software used in such products may not always be compliant with all the licences it is released under, notably the GNU GPL. For companies that sell such embedded systems using open source, it can be hard even finding out what exactly is inside, let alone whether it is compliant. Enter the new Binary Analysis Tool."

48 of 75 comments (clear)

Re:Frist post by SimonTheSoundMan · 2010-04-16 23:37 · Score: 1

I left the country.
Re:Frist post by Dayofswords · 2010-04-16 23:52 · Score: 2, Informative

haha..... you didn't, right?
There are bears out there!

--
Someday we'll hit the human carrying capacity. And the band will just play on.
I do not see how that would work ... by Taco+Cowboy · 2010-04-16 23:53 · Score: 1, Redundant

There are so many types of microprocessors on the market it's almost impossible to de-assembly everything.
But I might be wrong.

--
Muchas Gracias, Señor Edward Snowden !
1. Re:I do not see how that would work ... by K.+S.+Kyosuke · 2010-04-17 08:40 · Score: 1
  
  And the remaining 55 % are eight-bit MCUs... Hey, wait! Something does not compute here.
  
  --
  Ezekiel 23:20
2. Re:I do not see how that would work ... by Bing+Tsher+E · 2010-04-17 08:54 · Score: 1
  
  I'd say it's well above 55%. There is a multiplier effect that clouds the understanding of many people, who have almost zero understanding of what variant of x86 processor their box contains. Every PeeCee out there has at least a handful of small 4 and 8 bit embedded controllers in it or connected to it. So by the nature of the way PCs are designed, the motherboard, all the plug in cards and storage devices, peripherals, keyboard and mouse have small processors in them. By this very nature, there is a one-to-many correlation of x86 processors to the rest of the population of processors in the world.
So.. by qreeves · 2010-04-17 00:09 · Score: 5, Funny

We're going to take on big companies with a BAT?
Way to go .. by roguegramma · 2010-04-17 00:45 · Score: 2, Informative

Technical requirements
* A Fedora GNU/Linux installation
* python (2.6 or higher preferred, but not 3)
* python-magic
* GNU binutils (for readelf and strings)
* e2tools http://freshmeat.net/projects/e2tools/ (optional)
* squashfs tools (4.0 highly recommended)
* module-init-tools (for modinfo)
* gzip (for zcat)
* xz (for lzma)
* PyLucene (latest version possible)
* OpenJDK, Apache Ant and dependencies to build PyLucene

--
Hey don't blame me, IANAB
1. Re:Way to go .. by selven · 2010-04-17 01:08 · Score: 1
  
  Ok, so the software has some dependencies. Isn't the Linux package management system designed to take care of all that with one command?
2. Re:Way to go .. by Schraegstrichpunkt · 2010-04-17 04:38 · Score: 1
  
  Unfortunately I don't think you can "apt-get install fedora".
  But you can "apt-get install gentoo", though it won't do what you probably think it does.
  
  --
  http://outcampaign.org/
3. Re:Way to go .. by hduff · 2010-04-17 05:20 · Score: 1
  
  Not all package managers handle dependencies as well as others. An app like this should include a script to check for them and provide some useful, non-cryptic error messages if necessary.
  But it's sad that a specific Linux distro is a dependency. That means that the developers took some shortcuts and didn't write distro-agnostic scripts. Lazy.
  
  --
  "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
4. Re:Way to go .. by Sir_Lewk · 2010-04-17 05:36 · Score: 1
  
  Not all package managers handle dependencies as well as others. An app like this should include a script to check for them and provide some useful, non-cryptic error messages if necessary.
  Nonsense, this is a very standard, and non-exotic list of dependencies (aside from the apparent Fedora dependency, I agree that is lazy). Packagers for different distros need only package this software for their distro as they package any other piece of software, and the user will never have to care what dependencies it required. If a package manager can't handle a package with a list of dependencies this simple, then there is clearly a bug with the package manager, not the software.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
5. Re:Way to go .. by Sir_Lewk · 2010-04-17 05:50 · Score: 1
  
  Followup:
  From the README file:
  
  "The binary analysis tool is fairly self contained and can run without too many dependencies. The tools have been written and tested on Fedora 11 and 12, but should run without (m)any modifications on other Linux distributions."
  It seems the Fedora dependency is listed somewhat in error, probably the result of someone being a tad too conservative.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
6. Re:Way to go .. by icebraining · 2010-04-17 08:35 · Score: 1
  
  Yeah, but if you're using Debian or Ubuntu, I'm pretty sure APT won't be able to install Fedora!
  
  --
  Dilbert RSS feed
Re:Why? by selven · 2010-04-17 01:12 · Score: 1

Do you really not understand the difference between downloading something for personal enjoyment and commercial distribution?
Also, I really would like some proof that the downloading crowd and the GPL enforcement crowd are made up of the same people.
Re:GNU GPL?!? Come on! by selven · 2010-04-17 01:14 · Score: 2, Funny

GNU is Not Unix General Public License
I fail to see the redundancy here.
False positives...? by nlewis · 2010-04-17 01:39 · Score: 2, Interesting

Are we to believe then that, unlike every single piece of virus-scanning software ever, this binary scanning utility will never encounter a false positive? What happens when it shows some product as containing OSS, but it doesn't?
And with that in mind, even if you *do* identify a product as containing OSS, how do you prove it without access to the source code? The company could simply claim it was a false positive (regardless of whether or not that happened to be true), and you would be left with the burden of proving the tool wasn't flawed.
Of course, there are also the false negatives...
1. Re:False positives...? by publiclurker · 2010-04-17 02:27 · Score: 2, Insightful
  
  Of course, there are also people who enjoy reading machine code dumps with their morning coffee. Tools like this simple help them to know where to concentrate there efforts.
2. Re:False positives...? by nlewis · 2010-04-17 06:32 · Score: 1
  
  Which just brings us right back to my second point - how do you *prove* it without access to the source?
3. Re:False positives...? by DAldredge · 2010-04-17 07:00 · Score: 1
  
  You sue them. Just like the MPAA/RIAA.
4. Re:False positives...? by RAMMS+EIN · 2010-04-17 07:40 · Score: 2, Interesting
  
  ``What happens when it shows some product as containing OSS, but it doesn't?''
  That's a good question, and that's why we have things like "innocent until proven guilty" and rights for criminal suspects and people who have been put under arrest.
  In other words, as long as we all stay civilized, false positives needn't be a big problem. You inform the company that you believe their product may contain software whose license puts certain requirements on the company that it doesn't seem to be fulfilling, and then they get a chance to convince you that everything is in order and it's just a false positive.
  If you are not convinced, I suppose you can always bring the case to court and force disclosure and investigation. But experience up to now seems to indicate that companies who are violating the terms of the GPL usually change their ways before things get that far.
  
  --
  Please correct me if I got my facts wrong.
5. Re:False positives...? by publiclurker · 2010-04-17 11:15 · Score: 1
  
  Unless they are tweaking the binaries after they are compiled, you won't really need the source code. Just compare what they have with the compiled results of whatever open source project you think is being stolen.
6. Re:False positives...? by pclminion · 2010-04-20 10:48 · Score: 1
  
  If you are not convinced, I suppose you can always bring the case to court and force disclosure and investigation. But experience up to now seems to indicate that companies who are violating the terms of the GPL usually change their ways before things get that far.
  So, with no evidence other than some abstract mathematical metric, you're going to make me invest tens of thousands of dollars to prove to you that I haven't violated the GPL in some way? Sounds an awful lot like "guilty until you can prove yourself innocent" to me. By the way, I'll be sending you a bill for wasting my time after proving myself to your silly satisfaction.
Re:Why? by AusIV · 2010-04-17 02:32 · Score: 4, Insightful

I agree. Many people view open source software as a better alternative to pirated software. Also worth noting: pirating commercial software lets the business keep mindshare. Adobe doesn't pursue students who pirate Photoshop because they would rather hook kids on photoshop so they'll buy it later than see them get adapt to a cheaper (or open source) alternative and never become a customer. The same is true for Windows: Microsoft would rather see people pirate Windows than switch to Linux; at least that way they keep the mindshare.
In general, I think piracy is as much an enemy of open source software as it is commercial software. There could be people who oppose software piracy but support movie and music piracy, but I think very often people take the same stance on piracy across the board.
Re:Isn't this like DRM for Open Source... by DarkOx · 2010-04-17 05:00 · Score: 4, Informative

Its not hypocrisy at all but a cleaver response. The GPL was originally created because RMS felt that the way software was being produced, sold, and controlled with licensing, patents, and copyright was not good for people, the economy, and especially the general principle of freedom.
He and others first lobbied to try and get the rules changed, many continue that effort. In the mean time he did the next best thing. He co-opted the rules and created a license that preserves things he felt were important that others were using the same rules to take away. He then put in lots of effort to ensure there would be a concentration of value protected by that license such that others would want to access it. The four freedoms would for the most part exist in the natural state; that is a world free of patents, and copyright. You might not always have the source to something you bought but it would be a pretty tough world to sell software in competitively without offering the code.
So what the GPL is really designed to do is say, look we don't think the system should work this way and that there should be these rules but ok if you get to use them than so can we. If you don't like it than you have to adopt our position that the copyright and patent system at least where software is concerned is broken and throw out your rules.
were using the same rules to take away. Most of the freedoms would probably exist

--
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
give me a break by Sir_Lewk · 2010-04-17 05:19 · Score: 1

If you think that is bad, you should take a look at all the dependencies Firefox has....
Hell, if you already have a standard GNU/Linux installation, then half that list is already installed!

--
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
It is only like DRM if you don't know what DRM is. by Sir_Lewk · 2010-04-17 05:30 · Score: 2, Interesting

This tool is to be used voluntarily by people wishing to preform an audit of software packages they have acquired. DRM is shipped with software that you receive, and is non-voluntarily run on the consumers computer, to check for compliance.
This would be like DRM if we were writing code into open source projects that would phone home if the company tried to violate the GPL. This is not what is happening at all. (nor would it even be feasibly possible, since open source DRM is a laughable concept)
This is not ensuring compliance by technical means, this is detecting non-compliance by technical means. After it is established that non-compliance exists, the standard practice is to politely contact the company and seek to resolve the issue in a professional manner.
(this happens a lot more than you might think, generally speaking the only times you hear about non-compliant companies is when they are unwilling to resolve the issue, or when someone decides to take the opportunity to get some publicity for themselves.)

--
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Re:Isn't this like DRM for Open Source... by pseudonomous · 2010-04-17 05:37 · Score: 2, Insightful

It's not at all like DRM, it's a forensics tool. DRM takes your file/software/whatever and asks "is this an authorized copy? should I let the user access/run this file?", this software looks at software that's already been compiled and is being used and determines if it likely came from known source code. Nor is this tool limited to use with open source software, it's just that tool itself is open-source.
Re:But Does It by awshidahak · 2010-04-17 05:46 · Score: 1

Yes... it does. Problem solved, move on.
Re:Isn't this like DRM for Open Source... by TubeSteak · 2010-04-17 06:38 · Score: 1

So it is Evil for a company to say illegal coping and sharing of our software that we put a lot of time, money and development into is given away for free while we still have all these expenses to pay for, and we should try to find a way to make sure we curve this behavior so we can get the money we earned.
But it Haled when a tool is made to make sure Software companies are making software that uses Open Source Software and they are not following the rules of the license.
1. Your comparison of the "Binary Analysis Tool" and DRM is shaky at best
The "Binary Analysis Tool" is an auditing tool, not a license enforcement mechanism like the DRM in Assassin's Creed 2.
2. Most individual copyright infringement is for non-commercial purposes.
Most companies that are engaging in copyright infringement are doing so for commercial purposes.
Do you see the difference?
The law treats commercial and non-commercial infringement very differently.

--
[Fuck Beta]
o0t!
something called a court order by RobertLTux · 2010-04-17 07:05 · Score: 1

see the trick is if you find GNUSort traces in Evil Incs file mangler then as the owner of GNUSort you can file a lawsuit and then get them to prove that the source is "clean".

--
Any person using FTFY or editing my postings agrees to a US$50.00 charge
1. Re:something called a court order by Bing+Tsher+E · 2010-04-17 08:45 · Score: 1
  
  Isn't the burden of proof on the party filing the law suit? Otherwise, I can see where a pretty adventurous circus could ensue, resulting in the deepest pockets almost always winning.
2. Re:something called a court order by Grishnakh · 2010-04-19 06:11 · Score: 1
  
  That's what "discovery" is for. In a case like this, if the defendant refuses to prove to the plaintiff that there's no violation (by showing the source code), to the plaintiff's satisfaction, then the plaintiff files a lawsuit, and part of the Discovery process is that the defendant MUST provide the source code to the plaintiff for examination. If the source code shows a violation, then the defendant can either get skewered in court, or settle out-of-court. If it shows no violation, then the plaintiff can drop the case (and the defendant can feel stupid for spending money on lawyers when they could have just showed the source code to begin with instead of letting it get to Court).
  Parties in a lawsuit aren't allowed to keep secrets from each other.
Confused by bonch · 2010-04-17 07:11 · Score: 1

I thought Slashdot was opposed to copyright law? The GPL is a copyright license, so why would we care about compliance with a copyright?
1. Re:Confused by Obsi · 2010-04-17 07:39 · Score: 1
  
  The Slashdot groupthink is opposed to over-the-top copyright law and secretly-drafted legislation, not against reasonable (read: 14 years) copyright terms.
  For someone with such a low UID you should know this.
2. Re:Confused by Bing+Tsher+E · 2010-04-17 08:39 · Score: 1
  
  Speaking as someone who has used the Linux kernel a long time, and who has several of the 1992 and 93 releases on published CD-ROM media, that is very interesting. Big chunks of the Free Software out there are up for grabs in a 14-year copyright world.
  Almost all of GNU Emacs falls into that category, and the 1996 Linux kernel is looking pretty useful for embedding purposes.
3. Re:Confused by tlhIngan · 2010-04-17 16:16 · Score: 1
  
  Speaking as someone who has used the Linux kernel a long time, and who has several of the 1992 and 93 releases on published CD-ROM media, that is very interesting. Big chunks of the Free Software out there are up for grabs in a 14-year copyright world.
  Almost all of GNU Emacs falls into that category, and the 1996 Linux kernel is looking pretty useful for embedding purposes.
  The problem is, there is very few 14-year old software that still is relevant today unchanged. Embedded a 14-year old Linux kernel may work for some projects, but others tend to want more recent technology, like SATA, USB, better networking/firewall, etc. Heck, under a 14 year copyright, Windows 95 is free and clear and use - which makes it pretty useless since few software apps will run on it today. Heck, there probably aren't drivers for all but the most basic hardware supported today still working.
  14 years of technology progress is huge. So even if it was in public domain, no one really would want to use it. Lack of support is huge - no modern features, no drivers for modern hardware, post-1996 bug fixes are unavailable, etc. It'll be a huge undertaking just to use some public domain code.
  Hell, you might as well use Windows 95, that's free and clear as well. In another year, WIn95 OSR2 will be free as well.
  The only real software at risk are those packages that are so mature, that once they've been written, there really has been no reason to update it. But those are very few, and even the most slowly developed of all open-source apps have done a release in the past 14 years. Or everyone else has moved onto alternatives that are under more active development.
Re:Isn't this like DRM for Open Source... by dfghjk · 2010-04-17 07:31 · Score: 1

I love how people like to make up the history of Stallman and the GPL.
Re:Why? by DAldredge · 2010-04-17 07:33 · Score: 1

Why should downloading the works of others without their permission for personal enjoyment be OK?
Re:Isn't this like DRM for Open Source... by Bing+Tsher+E · 2010-04-17 08:48 · Score: 1

It's a form of Raymondism. Which isn't yet a registered religion, but easily could be.
And then what? by viking80 · 2010-04-17 12:11 · Score: 1

Discovered that Cisco is using GPL software and not complying with neither disclosing it nor making it available. Good an clear documentation as well.
I was not able to find anyone interested at all.

--
don't cut it off www.mgmbill.org
Re:It is only like DRM if you don't know what DRM by Sir_Lewk · 2010-04-17 12:33 · Score: 1

Curious why you would be curious...

--
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Re:Why? by mr_mischief · 2010-04-17 13:23 · Score: 1

There are multitudes of people ignoring copyright on commercial music. There are multitudes of people ignoring copyright on Microsoft Windows and Microsoft Office. It's an epic failure to say that the people using Linux and OpenOffice must be the ones illegally copying music. The MS pilferers are already breaking copyright law. Therefore, I'd suspect that most people breaking copyright law for music are the ones also doing so for their OS.
Re:Why? by pnewhook · 2010-04-17 23:43 · Score: 1

Looks like you are case in point. Prove its wrong.

--
Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
Re:Why? by pnewhook · 2010-04-17 23:47 · Score: 1

It's an epic failure to say that the people using Linux and OpenOffice must be the ones illegally copying music.
Thats not what I said at all. I was talking about people who dowload illegally would be the first to defend defend GPL. Are you saying that the only people who support GPL are Linux/OpenOffice users? Pretty small group if that's true.

--
Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
DRM vs GPL by stefanPryor · 2010-04-18 07:28 · Score: 1

As I see it, a comparison of DRM and the GPL that basically equates the two, is pretty flawed.
The purpose of DRM is more or less, to restrict and control what users of software can do with that software.
Users of GPL software, on the other hand, are guaranteed certain rights by the GPL, such as the right to have access to the source code of the software they receive.
The tool mentioned in the article will help users to ensure that their rights under the GPL are being protected.
If a company distributes GPLed software, the users are entitled to the source code. This tool makes it easier for users to enforce their rights.
Really, it seems to me that the GPL is basically incompatible with DRM.
Such fine historical revisionism! by judeancodersfront · 2010-04-19 06:45 · Score: 1

he never tried to lobby anyone. His motivation stems from his days at the MIT lab when he got angry over his buddies leaving lab to go pursue careers at proprietary companies.

He then created a psudeo-religion by declaring 'freedoms' instead of simply writing an open source that required derivative works to also be open.

It may seem deceptive to wrap your desires in 'freedoms' but your post is proof that it works....really well.
that's a poor rationalization for piracy by judeancodersfront · 2010-04-19 06:54 · Score: 1

for a business that has an 80% piracy rate they could care less about any mindshare from pirates who take away potential sales. Companies would rather have less piracy and more sales with which they could spend on advertising. Most software companies are small and medium businesses that need every sale they can get.
1. Re:that's a poor rationalization for piracy by AusIV · 2010-04-19 15:46 · Score: 1
  
  I'm not trying to rationalize piracy, I'm disputing with pnewhook's argument that open source developers are the same people who advocate piracy. Assuming open source developers are at all interested in market share, then their interests are served when people use their software instead of pirating commercial software. When I say that pirating commercial software lets businesses keep their mindshare I'm not saying it's always a good thing for those businesses, just that it's a bad thing for their open source competitors.