Slashdot Mirror
Do Build Environments Give Companies an End Run Around the GPL?
Malvineous writes "I have two devices, from two different companies (who shall remain nameless, but both are very large and well-known) which run Linux-based firmware. The companies release all their source code to comply with the GPL, but neither includes a build environment or firmware utilities with the code. This means that if you want to alter the free software on the device, you can't — there is no way to build a firmware image or install it on the devices in question, effectively rendering the source code useless. I have approached the companies directly and while one of them acknowledges that it is not fully GPL-compliant, due to other license restrictions it cannot make the build environment public, and the company does not have the resources to rewrite it. I have approached the FSF but its limited resources are tied up pursuing more blatant violations (where no code at all is being released.) Meanwhile I am stuck with two devices that only work with Internet Explorer, and although I have the skills to rewrite each web interface, I have no way of getting my code running on the devices themselves. Have these companies found a convenient way to use GPL code, whilst preventing their customers from doing the same?"
so we can vilify them, castigate them, and otherwise snark.
---- Teach Peace. It's Cheaper Than War.
For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
http://www.gnu.org/licenses/gpl-2.0.html
It's a straight up violation. Go find the author of the software... any author of any part of the software will do.. and invite them to sue the manufacturer. Direct them to the Software Freedom Law Center.
How we know is more important than what we know.
The loophole being proposed is just a variant of Tivoization. And the GPLv3 already fixes it, and anything else that gives out source while not giving you everything you need to build it.
GNU GENERAL PUBLIC LICENSE Version 3 Free Software Foundation, Section 1, "Source Code.": The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work.
The GPL does not allow authors to hide or refrain from distributing any build scripts or information required to build/install the binaries.
They cannot have a "secret" build environment, the GPL requires that they reveal all scripts and information about the build environment.
I don't understand why the FSF would not pursue this with full vigor. Obviously you cannot exercise your freedom to modify code, if the vendor does not distribute the pieces required to build and install a binary.
As far as I can read it, the corresponding source definition in clause 1, GPLv3 covers that situation
The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
My reading of "all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work" would cover the build environment. They could arguing that the build tools and environment are general purpose tools, etc used unmodified. I'd have to think that if that were the case you wouldn't be having any problems trying to make modifications though.
Have these companies found a convenient way to use GPL code, whilst preventing their customers from doing the same?
Yes - it's called "having more lawyers than you."
What are you going to do about it, sue? You can always sue...if you actually have the resources to fight it out. And even if you actually get it to stick, it could be years down the road before you actually get access.
Regarding your specific case, can you reverse-engineer a solution?
No, the build environment doesn't provide an end-run around the GPL. Both v2 and v3 of the GPL require the distributor to provide the scripts that control the build. In GPLv2 it's in section 3, in GPLv3 it's in section 1. GPLv3 also covers this again in section 6, in a more general form when it discusses installation information.
It sounds like you don't work for either of these companies. So why are you protecting them?
If you really want them to do the right thing, start making a stink about it. There's very little chance anything is going to change because one guy asked them to. There's at least some chance that they will if the companies start getting a bloody nose from it.
AccountKiller
Is it a license violation to use GPL code in a Windows program that's built with Visual Studio, given the author is unlikely to provide a copy of Visual Studio on request? You cannot rebuild the application, even given the entire source code, without access to a non-GPL piece of software you don't have access to.
You might not like it. You might even think it's against the spirit of something or other. But it's not a GPL violation.
You could argue that one difference is that Visual Studio is available to anyone prepared to pay for it. I'm sure that the build environment for the device you're talking about is also available to anyone prepared to pay for it. It likely costs more than you'd want to pay, though.
Like the GPL says, they need to supply everything necessary to compile, install, and run the software, except for perhaps the utility you'd use to burn the EPROM. The media they choose to distribute it on is irrelevant. It could be chiseled into stone tablets.
But this is largely irrelevant, as nobody with half a brain uses ROM firmware. Flash allows you to correct firmware errors later.
If a job's not worth doing, it's not worth doing right.
He can't sue, because unless he is the author of one of the piece of software distributed on he device he doesn't have standing. I'm not sure that bad press is something to be concerned about though - does Microsoft get bad press when they go after people distributing machines pre-installed with Windows without complying with the license agreement (i.e. paying them)?
I am TheRaven on Soylent News
No sympathy for them, if they cannot comply with the license they are engaged in commercial copyright infringement and should be thankful you gave them an opportunity to fix it rather than going straight for statutory damages.
However the FSF has limited funds and they do have to pick their battles wisely. If all you can do about the situation is bump your FSF contribution then do it.
As for a practical workaround for your benefit, do you have the ability to write arbitrary bytes to the firmware? If so you should be able do this in a hexeditor. It wouldnt be trivial though - quite a few hours of work, depending on the specifics of how they screwed their HTML up so badly and how it's encoded. You might be able to shortcircuit it a bit by simply determining what IE sends to the device to perform each task, and then scripting your own pages that result in the correct bits being sent to the device. Would have to look at the actual device in-depth to determine which route is most practical.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
(from same link)
If the compiler is a special case then you have a problem there. If the target device is some special dedicated OS, it all comes under this exception? Notice that they do not require to release the compiler (unless is was adapted for this target).
Also remember a term called Tivoization. You are starting the same discussion all over again.
But they are missing the largeste advantage of the GPL. They can have free mod version and bug fixes if they release their complete environment.
This only adds bad press to Linux.
WTF? Making a company comply with a license gives "bad press" ? I think that current way (asking, nagging, offering help, refusing to take any serious step) is worse - it promotes idea that GPL and other free licenses don't really matter - you can ignore them all you want and in worst case they can string along the community by releasing small bits and "discussing the situation" until the product becomes obsolete anyway.
OTOH an offer to cooperate with freeing up the firmware? Sign an NDA on a tool-set for the company, then release a free version.
Sure. Why not become unpaid employee. It is the company's responsibility. If they are incapable of understanding license of software they distribute, then maybe it is time to fire (and sue for damages) their lawyers.
Simply reverse-engineer it with manufacturer's cooperation, access to docs and tools, then "hack" it in a blessed way that doesn't violate the company's licenses and complies with GPL. I'm sure they would be glad if someone helped them comply with GPL instead of forcing them to do it themselves.
Well, they did not comply with the license, so it has been automatically revoked, isn't that right?
"They could arguing that the build tools and environment are general purpose tools, etc used unmodified. I'd have to think that if that were the case you wouldn't be having any problems trying to make modifications though."
Would that it were that simple. There's lots of things out there where you can't just download the source and do a "make clean; make".... do you have the right libraries? (glibc version hell) The right version of the tools? (there's more than one version of gcc out there) The provider of the software might not even know... they just make it on their box, it goes ok, and they package up the source and distribute it.
Don't ever sign an NDA. That's horrible advice.
If the build-system has to be reverse-engineered for this company to avoid being held accountable for their commercial infringement of copyright, it's on them to get it done. And the person implementing the new build-system will need to be working in a clean room, without ever seeing the old build system, so there is no call for an NDA there. Get one person to analyse and document the function of the old one, and write the specification, then the person who does the new build system only sees that spec.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
As others have pointed out, GPLs 2 and 3 both require the release of the build-prerequisites. If, as one of the unnamed companies claims, they used GPL code and proprietary build prerequisites that they cannot legally release, than their lawyer(s) fucked up big. Just because the GPL doesn't ask for money, and some of its friends have long hair, doesn't make it any less binding than whatever license governs their build environment. They've put themselves in the untenable situation of having two binding licenses that cannot both be satisfied(and losing redistribution rights for their firmware would probably hurt if they don't have the resources to re-do their build environment).
However, in practice, to uphold a right, no matter how solidly enshrined in law, generally takes time and money(particularly in civil cases, where the state won't provide you even a shitty lawyer). As long as they aren't the most blatant, the SFLC and their ilk probably won't go after them(especially if their hardware is uncommon or obscure; from a strategic standpoint, the SFLC probably cares more about improvements to OSS software flowing back to the community, and buildability on common devices than they do about buildability on obscure stuff). You might have slightly better luck if you can identify the specific authors/copyright holders of all the GPL code used in the firmware. Particularly for the company that put itself in a license bind, any of the authors could decide to sue them, possibly for real money, if they so chose.
For you personally, though, you are probably SOL. If you have to ask slashdot, you probably don't have the lawyers you need. About all you can do is make noise about the situation, naming names, ideally, and hope that somebody with firepower takes interest.
I thought we hated copyright because it rewards people for too long now etc.
The company is not depriving anyone else of using the code so therefore there is no harm in it and no value lost etc etc etc
Funny how we want it both ways, huh?
As others have posted, they are meant to give you a copy of the build scripts. These scripts may not work outside of their environment (due to hard coded paths, etc), but they are meant to give you those scripts.
But nothing in the GPL says that they have to give you the firmware utilities used to load a new firmware on.
The GPL doesn't require that hardware that has GPL code be modifiable to include updated versions of code. Build systems are a distraction here: a more direct form of the problem is that the GPL code is burned into ROM, and even the GPLv3's Tivoization section (number 6, paragraph starting "If you convey...") explicitly permits that. It would be dumb if it didn't. While it may well be the case that for GPLv3 (and not GPLv2) failing to give you a usable build environment for compiling modifying code so you can run it on your "User Product" is a violation, this is forgetting a large part of the purpose of free software.
The point of free software is that the software, the code, is free for the community to use. Thinking about free software as simply the ability to modify code within its original context causes us to forget opportunities for reusability that benefit the entire free software community, well past the lifetime of this one device, and encourages behavior where modified code isn't usable on other devices or in entirely different contexts. I've written a bit more about this on my blog, with some examples of times when thinking about "free software"/"open source" only within the context of the original product has caused the free software ecosystem as a whole — the thing that's causing large companies to want to embed free software in their hardware devices in the first place — to be left behind.
Are you talking about makefiles and scripts, or are you talking about a proprietary compiler used to generate the code? There's a huge difference.
cat
Some companies are still in the IT stone age. For example, one company - with which I just got an account - sells flatrates to video games for a monthly fee. So far so good but they actually use an IE-only plug-in that relies on ActiveX and only runs as administrator. And that's the "updated new version" of their client :D
Admittedly it's supposed to run on FF eventually ... some time in the future ... promise ;)
After getting the "our developers are working on it" runaround for months and months when Linksys didn't issue new drivers without the Broadcom vulnerability for my WPC54G v.4 adapter, rendering it totally useless, I decided to never, never, again buy Linksys equipment.
So you might be right that the firmware of the Linksys device I bought was upgradable, but that's useless if you have no way to make custom firmware and the vendor doesn't issue bug fixes for its original firmware.
The company I work for builds our custom software environment for specialty networking hardware on top of FreeBSD specifically so we can avoid crap like this. We also employ people to make contributions back to the FreeBSD project as well, so we're not mooches, but seriously... this is why so many companies don't want to get involved with Linux or GPL solutions.
It's an interesting problem with the GPL license text. There is a big difference between the "components released with the operating system" depending on whether you are talking about the full embedded SDK (often licensed for $$$ to product developers) or the final run-time OS (distributed in the product that goes to end-users). To which does the license text refer? Even back when GPLv2 was being authored, many Unix systems did not include compilers in the base release but they could be obtained by anybody willing to purchase licenses; developers would ship binaries of GPL source built with these commercial compilers, and nobody saw it as a problem that end-users could not rebuild it without also purchasing the compiler.
So, a reasonable interpretation says that the article's complaint is invalid, e.g. end users can obtain an SDK just like the product vendor did, and then modify their product instance as they see fit. However, a complicating factor is that these embedded SDKs are often heavily customized for a product vendor, and are not off the shelf systems another vendor (or end-user) could obtain. Where do you draw the line between generally available platforms and for-hire, integrated product build tools that can lead to lock-down?
A strict interpretation would be that one cannot use GPL source code in embedded products using traditional embedded development tools, because those tools have incompatible licensing terms which prevent end-user modification of systems. This is similar to the patent issue addressed in GPLv3.
Sorry but the hypocrisy of your statement is so in my face I have to say something.
You are keeping the identity of these companies secret for what end? It's GPL there for open there for it should not be a secret.
If you say something this community might be able to help you. Maybe one of us has already discovered solutions to your technical problem. When something like this comes up slashdot usually coughs up pages of useful links. It can be rather fun and interesting at times.
Sadly you are keeping it secret. Thus the helpfulness of this community is next to zip.
Because you are keeping things secret it would not be all too far fetched to believe that you are actually trying to alter the code is such a way as to derive money from it. Say by either selling an after market mod or by selling it back to the mystery vendor(s).
Please don't cry about the big companies keeping secrets if you can't even get that out with out keeping a secret.
P.S. Most likely no violation was made. Hardware and build env's are not governed by source code GPL. Unless of course the hardware or build env is also derived from a GPL reference.
First, we have not specified which GPL version is applicable, or if there are specific exemptions to it. Here is the applicable section under GPLv1:
"Source code for a work means the preferred form of the work for making
modifications to it. For an executable file, complete source code means
all the source code for all modules it contains; but, as a special
exception, it need not include source code for modules which are standard
libraries that accompany the operating system on which the executable
file runs, or for standard header files or definitions files that
accompany that operating system."
Nothing there about build scripts or tools to build.... Let's take a look at GPLv3 (section 1):
"The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work."
I see the section regarding build scripts, but embedded devices often do not include the ability to build on the device itself, presenting a big difference from the desktop world where you would typically config, build, install all from source. I still think that simply including the settings/defines/prerequisites would suffice. Note that the section above also specifically excludes general purpose tools. Since installation is often accomplished either through external flashing device or embedded flash utility (general purpose tool), these would be excluded.
Yeah, I've read the GPL. I'm not sure I like where things are going in v2 and v3. On the embedded devices that I work with (for instance FreeRTOS), the licenses are GPLv1 for the overall OS and tasking system. They also include a specific exemption for custom tasks/routines which doesn't require you to release unless you change the OS.
Ultimately, it boils out to defining which device, which specific license and which specific files are involved. None of that's been done, so to assume the most radicalized position here doesn't make sense.
That's not how I read that clause. While it does make the mention that you don't need to distribute any freely available or common tools required to build that source, it seems to me like they spell it out pretty clearly that otherwise you need to distribute everything needed to build, install and run that thing. (But I am not a laywyer.)
Otherwise it would be trivial to make the source need parsing through a script that only runs on my internal and proprietary modified Brainfuck interpreter, and then through a Lisp program that only runs on an old version of Autocad that's still installed somewhere in the company, before it compiles.
In your particular case, sure, you can develop with Visual Studio, but surely you can take the time to write a makefile that can be run at the command prompt. In fact, it's been years since I worked with Visual Studio, but I seem to remember it did that for me itself. And they wouldn't even force you to use gcc, since the command line versions of the MS compilers were free last I heard.
(And frankly if they don't have an automatic build machine, and the scripts that that needs, i.e., if they're in the kind of situation where tgey can only build on some dev's machine in their Visual Studio, with whatever sources they may or may not have checked out at the time... they're not the kind of company I'd want to buy anything from in the first place.)
Plus, if I understand the summary right, even if he managed to compile the binary code, the tools to install (and thus also to run it) are missing too. I'd say that's against the letter and spirit of that clause right there. The idea was to be able to make changes, not to just have a bit of source to open in an editor, but not be able to actually run any changes or, for that matter, even know if it's the right source. How would you know for something you can't even compile, and certainly not run?
And it's hard not to ascribe it to malice there. Whatever proprietery protocols they use to upload that firmware, surely they're encapsulated in a bunch of classes and functions that are just called from whatever environment they use. It's trivial to pack the same in a small command line utility.
(And again, if they're that joined at the hip to whatever environment is usually used to upload that firmware, that they can't separate the classes that do the uploading from the rest of the beast... it sure doesn't sound like the kind of company I'd trust to program my VCR, much less the firmware for anything.)
A polar bear is a cartesian bear after a coordinate transform.
Umm no. Nothing has been stolen. There appears to be an ongoing and deliberate commercial infringement of copyright.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
as long as you have access to the proper equipment (CD burner + blank discs) there is nothing that stops you from creating usable 'custom' copies. I'd think the same applies to code in ROM, it's just that the necessary equipment is not typically found on your average home computer.
Some video game consoles use custom cartridge bus protocols, some of which are encrypted and/or patented. Before the NoPass crack led to SLOT-1 cards, there wasn't any published way to make your own Nintendo DS-compatible ROM chip that wasn't just shellcode to get the DS executing code from the GBA slot. But if the ROM is in a user-removable cartridge, as in the case of almost every game console since the Atari VCS, the licensee under the GPL would still have to provide Installation Information because the licensee "retains the ability to install modified object code on the User Product" through a cartridge.
Does the GPL require the source code to run on the same piece of hardware? The OP can't build an run new firmware on his router, but can he build and run it on his x86 linux machine with standard tools? If *that* can be done, is it really still a violation? The modified source code has been re-contributed to society. I know that's not really what the OP wants to accomplish though...
The two are related, and both are desirable. However, they are mostly two different issues. You have the source and can put it on to any hardware for which you have proper access. Your problem here isn't the software license. It's the hardware license. You also need to get hardware for which you are granted the proper access. The distinction is clear, and I'm not sure why there is so much confusion.
I doubt the intent of the license was to prohibit writing applications in certain languages while still opening the code.
Such languages are called Java-trapped. Java itself used to be Java-trapped until Sun released OpenJDK.
My employer works in a market where we can trust our partners about as far as we can throw them. They would rip us off in a heartbeat given the chance, and have in the past, and we don't have the resources to deal with it in court. We're happy to contribute our modifications of GPL code back to the community, and we do, but the constraints of the embedded environment require that most of our value-add proprietary code is in scripting languages, so it would be trivial for any of them to rip us off if we handed out the build scripts. We don't go out of our way to obfuscate things, but we don't make it easy to modify our firmware either.
As a consequence of this, GPLv3 is a strict no-go for us, and the same is true for many other small companies in the cut-throat embedded world. If we could trust our partners, or we could afford to litigate when they attempt to screw us over, we'd gladly be as open as possible, but as it stands we can't afford to give away our proprietary code in the process of complying with the GPLv3, so GPLv2 is as Free as we go.
Posted anonymously for what I hope are extremely obvious reasons.
2 can play at that game.
Enjoy this.
you had me at #!
so you couldn't put that in the firmware anyway.
This is actually a non issue, as you already have a licensed copy in your current firmware (which you could obtain either with the "backup old firware before flashing" option, or get it straight from Netgear's firmware repository).
The problem will only arise if you decide to publish your upgraded firmware on the net: you could only distribute the GPL bits, not the proprietary ones. There are 2 legal way to do then :
- Provide a small utility to save the proprietary part out of a legal copy, and the final user will use it to add the missing propretary bit from the new firmware using his/her own legal copy.
(That's the way it's done with Google Android, for example: licensed partner like HTC not only have a full built of the opensource system, but also a couple of proprietary Google Apps. The standard procedure with 3rd party firmwares is : backup google apps, flash custom firmware, restore google apps).
- in the specific case of a router, the html interface is rather basic and is a tiny part of the firmware. One could pretty much dump it and use some 3rd party alternative. (OpenWrt's LuCi is an example, as are various embed Linux distros with names ending in "-wall". But you could also go for full geekness and do everything on CLI over SSH).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]