Slashdot Mirror

← Back to Stories (view on slashdot.org)

Do Build Environments Give Companies an End Run Around the GPL?

Posted by timothy on from the technical-compliance dept.

Malvineous writes "I have two devices, from two different companies (who shall remain nameless, but both are very large and well-known) which run Linux-based firmware. The companies release all their source code to comply with the GPL, but neither includes a build environment or firmware utilities with the code. This means that if you want to alter the free software on the device, you can't — there is no way to build a firmware image or install it on the devices in question, effectively rendering the source code useless. I have approached the companies directly and while one of them acknowledges that it is not fully GPL-compliant, due to other license restrictions it cannot make the build environment public, and the company does not have the resources to rewrite it. I have approached the FSF but its limited resources are tied up pursuing more blatant violations (where no code at all is being released.) Meanwhile I am stuck with two devices that only work with Internet Explorer, and although I have the skills to rewrite each web interface, I have no way of getting my code running on the devices themselves. Have these companies found a convenient way to use GPL code, whilst preventing their customers from doing the same?"

24 of 374 comments (clear)

  1. Find an author by QuantumG · · Score: 5, Informative

    For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.

    http://www.gnu.org/licenses/gpl-2.0.html

    It's a straight up violation. Go find the author of the software... any author of any part of the software will do.. and invite them to sue the manufacturer. Direct them to the Software Freedom Law Center.

    --
    How we know is more important than what we know.
    1. Re:Find an author by fuzzyfuzzyfungus · · Score: 4, Informative

      In the case of embedded devices, BusyBox license violations are generally the order of the day...

  2. GPLv3 by selven · · Score: 5, Informative

    The loophole being proposed is just a variant of Tivoization. And the GPLv3 already fixes it, and anything else that gives out source while not giving you everything you need to build it.

    1. Re:GPLv3 by Anonymous Coward · · Score: 2, Informative

      You don't need the GPLv3 to fix this, though. It's addressed pretty directly in the GPLv2.

      Mod parent down. He's only 50% correct.

    2. Re:GPLv3 by yuhong · · Score: 2, Informative

      Luckily, I don't think that the GPLv3 actually require what you are talking about, nor do I think it was the intent of the GPLv3 to do this.

  3. It's still a GPL violation by mysidia · · Score: 5, Informative

    GNU GENERAL PUBLIC LICENSE Version 3 Free Software Foundation, Section 1, "Source Code.": The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work.

    The GPL does not allow authors to hide or refrain from distributing any build scripts or information required to build/install the binaries.

    They cannot have a "secret" build environment, the GPL requires that they reveal all scripts and information about the build environment.

    I don't understand why the FSF would not pursue this with full vigor. Obviously you cannot exercise your freedom to modify code, if the vendor does not distribute the pieces required to build and install a binary.

    1. Re:It's still a GPL violation by PAjamian · · Score: 2, Informative

      Those would actually qualify as install scripts, see GPL Violations Source Code Release FAQ, specifically this section:

      What are "scripts used to control installation"?

              After having translated software from its source code form into
              executable format, the program quite often needs to be installed into
              the system. The process of installation is often automatized by
              installation scripts. Exactly those scripts are referred to by the
              GPL.

              Please note that this is of special practical importance in the case of
              embedded devices, since the executable program(s) need to be somehow
              installed onto the device. If the user is not given a way to install
              his own (modified) versions of the program, he has no way of exercising
              his freedom to run modified versions of the program.

              Sometimes, the process of installation is not facilitated by scripts, but
              by some other means (such as executable programs). The GPL text only
              mentions the word "scripts". But when reading and interpreting the license,
              it is clearly understood that the license doesn't specifically only mean
              "scripts", but any kind of software programs that are required to install
              a (modified) version of the compiled program.

      --
      Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
  4. No, they're just non compliant by Pop69 · · Score: 3, Informative

    As far as I can read it, the corresponding source definition in clause 1, GPLv3 covers that situation

    The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.

    My reading of "all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work" would cover the build environment. They could arguing that the build tools and environment are general purpose tools, etc used unmodified. I'd have to think that if that were the case you wouldn't be having any problems trying to make modifications though.

  5. No end run by Todd+Knarr · · Score: 4, Informative

    No, the build environment doesn't provide an end-run around the GPL. Both v2 and v3 of the GPL require the distributor to provide the scripts that control the build. In GPLv2 it's in section 3, in GPLv3 it's in section 1. GPLv3 also covers this again in section 6, in a more general form when it discusses installation information.

    1. Re:No end run by harlows_monkeys · · Score: 5, Informative

      The submitter didn't say that the scripts that control the build are missing. He said they don't provide a build environment. If I distribute GPL code that I build with Visual Studio, I don't have to distribute Visual Studio. I just have to distribute the project file (or whatever it is nowadays--haven't don't Windows in a long time).

      It sounds like both companies are distributing embedded software for a hardware device. It's quite possible that the things they aren't distributing are part of some third-party expensive development environment, that they are using off the shelf. If that's the case, there's no GPL violation, as long as they distribute everything the submitter would need to build and install the software if he were to go obtain from that third party the development environment.

  6. Re:It would be nice to name names by Anonymous Coward · · Score: 3, Informative

    Do we? I've never seen a cisco or linksys device you could't load custom firmware onto.

  7. The loophole is bigger... by leuk_he · · Score: 2, Informative

    However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    (from same link)

    If the compiler is a special case then you have a problem there. If the target device is some special dedicated OS, it all comes under this exception? Notice that they do not require to release the compiler (unless is was adapted for this target).

    Also remember a term called Tivoization. You are starting the same discussion all over again.

    But they are missing the largeste advantage of the GPL. They can have free mod version and bug fixes if they release their complete environment.

  8. Re:Don't sue... by Arker · · Score: 3, Informative

    Don't ever sign an NDA. That's horrible advice.

    If the build-system has to be reverse-engineered for this company to avoid being held accountable for their commercial infringement of copyright, it's on them to get it done. And the person implementing the new build-system will need to be working in a clean room, without ever seeing the old build system, so there is no call for an NDA there. Get one person to analyse and document the function of the old one, and write the specification, then the person who does the new build system only sees that spec.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  9. No, this is missing the point by Geoffreyerffoeg · · Score: 3, Informative

    The GPL doesn't require that hardware that has GPL code be modifiable to include updated versions of code. Build systems are a distraction here: a more direct form of the problem is that the GPL code is burned into ROM, and even the GPLv3's Tivoization section (number 6, paragraph starting "If you convey...") explicitly permits that. It would be dumb if it didn't. While it may well be the case that for GPLv3 (and not GPLv2) failing to give you a usable build environment for compiling modifying code so you can run it on your "User Product" is a violation, this is forgetting a large part of the purpose of free software.

    The point of free software is that the software, the code, is free for the community to use. Thinking about free software as simply the ability to modify code within its original context causes us to forget opportunities for reusability that benefit the entire free software community, well past the lifetime of this one device, and encourages behavior where modified code isn't usable on other devices or in entirely different contexts. I've written a bit more about this on my blog, with some examples of times when thinking about "free software"/"open source" only within the context of the original product has caused the free software ecosystem as a whole — the thing that's causing large companies to want to embed free software in their hardware devices in the first place — to be left behind.

  10. My Linksys experience by Mathinker · · Score: 5, Informative

    After getting the "our developers are working on it" runaround for months and months when Linksys didn't issue new drivers without the Broadcom vulnerability for my WPC54G v.4 adapter, rendering it totally useless, I decided to never, never, again buy Linksys equipment.

    So you might be right that the firmware of the Linksys device I bought was upgradable, but that's useless if you have no way to make custom firmware and the vendor doesn't issue bug fixes for its original firmware.

    1. Re:My Linksys experience by Anonymous Coward · · Score: 1, Informative

      I don't see any indication that there's any GPL code in those drivers, that's an adapter not a router. Most Cisco/Linksys routers are Linux based and are generally fully GPL compliant. Their wireless adapters on the other hand generally have 100% proprietary drivers.

    2. Re:My Linksys experience by natehoy · · Score: 4, Informative

      Many Cisco/Linksys routers are, but I wouldn't call it "most" any more. They started building them using a closed-source OS about 3-4 years ago, and actually converted the WRT54G and WRT54GS to it mid-stream. Later, they re-released the Linux version of the WRT54G under the model name "WRT54GL".

      Having said all that, Linksys has been pretty good about releasing the source code of those things they use GPL-licensed code for. Unfortunately, they tend to use the Broadcomm radios for which source code is not available, though they do publish their wrappers that control the Broadcomm binary driver.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    3. Re:My Linksys experience by Bert64 · · Score: 3, Informative

      That's more to do with vxworks requiring less memory (and thus the hardware can be made cheaper), you can still try to flash linux onto those devices but they don't work very well due to the limited amount of memory/flash...
      They still sell linux based devices, but these are no longer the lowest and cheapest routers they offer - the vxworks ones are the new bargain bucket.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:My Linksys experience by Hal_Porter · · Score: 4, Informative

      That's more to do with vxworks requiring less memory (and thus the hardware can be made cheaper), you can still try to flash linux onto those devices but they don't work very well due to the limited amount of memory/flash...
      They still sell linux based devices, but these are no longer the lowest and cheapest routers they offer - the vxworks ones are the new bargain bucket.

      It's not just less memory - vxWorks is very frugal with CPU usage too. I've seen 486 clone at 33Mhz maxing out the bandwidth on a network card while running an FTP demon out of flash memory.

      The reason is that vxWorks is a very simple OS. It doesn't have much in the way of protection - all the code runs in Ring 0 on x86. So calls into the OS are just regular calls - you don't need to switch from Ring 3 to Ring 0. It can use the MMU but it doesn't usually have per process address spaces. So you don't need to flush the TLB on a process switch.

      The kernel is very small and simple - it's vfs layer is only a line of two of code before jumping into a filesystem. And read() in a filesystem is very simple too - 99% of the time it just returns data from a cache buffer. TCP/IP implements zbuf to avoid copying. So the end result is that the 486 fetching a file over FTP from flash is only executing a few thousand instructions for each read - mostly copying from a buffer cache to a packet. Most the code/data probably fits in the on chip I/D cache. Which was good luck in this case, because this particular board had rather slow DRAM.

      Now vxWorks isn't free in any sense - I believe it costs a buck or so per unit which is rather expensive. Still if you were switching to Linux in this system you'd need a faster CPU, more flash and more Ram. That would cost more than a vxWorks license.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    5. Re:My Linksys experience by Lumpy · · Score: 2, Informative

      Which if you really want a linux router, you go the correct route instead of buying low grade dog food stuff like linksys.

      http://shop.gateworks.com/index.php?act=viewProd&productId=53 is one of several out there that run linux and a linux router distro far better than ANYTHING that cisco makes. it allows use of mid and higher end hardware instead of low end broadcom for the wireless networking

      Honestly, anyone that buys a consumer router and then bitches that their non standard OS is not working on it right is a nut. If you want it to run right, get the right hardware.

      Dont use a flat blade screwdriver to remove a JIS screw.

      --
      Do not look at laser with remaining good eye.
  11. Re:It would be nice to name names by Anonymous Coward · · Score: 1, Informative

    Or Tivo, or Netgear, or Pioneer, or Samsung, or....

  12. Re:Obvious answer, old answer. by RivieraKid · · Score: 4, Informative

    He can't sue, because he has no standing. He's not the copyright owner.

    --
    "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
  13. The Java trap by tepples · · Score: 2, Informative

    I doubt the intent of the license was to prohibit writing applications in certain languages while still opening the code.

    Such languages are called Java-trapped. Java itself used to be Java-trapped until Sun released OpenJDK.

  14. Copyright: non-issue by DrYak · · Score: 2, Informative

    so you couldn't put that in the firmware anyway.

    This is actually a non issue, as you already have a licensed copy in your current firmware (which you could obtain either with the "backup old firware before flashing" option, or get it straight from Netgear's firmware repository).

    The problem will only arise if you decide to publish your upgraded firmware on the net: you could only distribute the GPL bits, not the proprietary ones. There are 2 legal way to do then :

    - Provide a small utility to save the proprietary part out of a legal copy, and the final user will use it to add the missing propretary bit from the new firmware using his/her own legal copy.
    (That's the way it's done with Google Android, for example: licensed partner like HTC not only have a full built of the opensource system, but also a couple of proprietary Google Apps. The standard procedure with 3rd party firmwares is : backup google apps, flash custom firmware, restore google apps).

    - in the specific case of a router, the html interface is rather basic and is a tiny part of the firmware. One could pretty much dump it and use some 3rd party alternative. (OpenWrt's LuCi is an example, as are various embed Linux distros with names ending in "-wall". But you could also go for full geekness and do everything on CLI over SSH).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]