Slashdot Mirror


Do Build Environments Give Companies an End Run Around the GPL?

Malvineous writes "I have two devices, from two different companies (who shall remain nameless, but both are very large and well-known) which run Linux-based firmware. The companies release all their source code to comply with the GPL, but neither includes a build environment or firmware utilities with the code. This means that if you want to alter the free software on the device, you can't — there is no way to build a firmware image or install it on the devices in question, effectively rendering the source code useless. I have approached the companies directly and while one of them acknowledges that it is not fully GPL-compliant, due to other license restrictions it cannot make the build environment public, and the company does not have the resources to rewrite it. I have approached the FSF but its limited resources are tied up pursuing more blatant violations (where no code at all is being released.) Meanwhile I am stuck with two devices that only work with Internet Explorer, and although I have the skills to rewrite each web interface, I have no way of getting my code running on the devices themselves. Have these companies found a convenient way to use GPL code, whilst preventing their customers from doing the same?"

30 of 374 comments

  1. It would be nice to name names by postbigbang · · Score: 5, Insightful

    so we can vilify them, castigate them, and otherwise snark.

    --
    ---- Teach Peace. It's Cheaper Than War.
    1. Re:It would be nice to name names by QuantumG · · Score: 4, Funny

      As if we don't know it's Cisco.

      --
      How we know is more important than what we know.
    2. Re:It would be nice to name names by A+Commentor · · Score: 4, Interesting

      Netgear had the same problem. It was probably about 4-5 years ago, they had a nice router that ran Linux and had a USB port for supporting a hard drive. I saw that Netgear provided the source, I emailed their open source person, and he was providing the things I asked for. I ended up picking up the router during one of Fry's sales and thought I was all set to build my own firmware. I attempted to build the new firmware, everything completed successfully, but I couldn't find the firmware to install. I emailed Netgear again, the response was along the lines of: "Oh no, you can't build the firmware image, we don't give out that tool, and also our html pages are copyrighted, so you couldn't put that in the firmware anyway." As others have stated, this is what TiVo did and why GPL v3 was created. With GPL v2, it would be a much harder fight to win, and again it would need to be the copyright holders of the software, who need to file suit, not the customer.

      --

      Looking for any old 8-bit Heathkit/Zenith software/hardware - http://heathkit.garlanger.com

  2. Find an author by QuantumG · · Score: 5, Informative

    For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.

    http://www.gnu.org/licenses/gpl-2.0.html

    It's a straight up violation. Go find the author of the software... any author of any part of the software will do.. and invite them to sue the manufacturer. Direct them to the Software Freedom Law Center.

    --
    How we know is more important than what we know.
    1. Re:Find an author by Xtifr · · Score: 4, Insightful

      Direct them to the Software Freedom Law Center.

      Indeed, it's worth another reminder that the FSF is not in the job of policing GPL abuse. They publish the license for others to use, but they're only going to (only can) try to enforce it for code they actually own. Asking the FSF to intervene in a random GPL case is sort of like asking the printers to intervene in a dispute between you and your car lease company, simply because they printed the lease forms.

      Furthermore, while the GPL is intended to grant freedoms to you and other third parties, it is, by the fact that it leverages existing laws, difficult for a third party to enforce. It's easy to imagine the following dialog:

      You: They won't give me all the code as required by the license.
      Them: The license itself says it's not mandatory and we don't have to accept it.
      You: It also says that if you don't accept it, then normal copyright law applies, and they don't have permission to use the code.
      Them: That's as may be, but you have no standing to sue us over the copyrights.
      Judge: Agreed, case dismissed.

      Of course, this means that they will have more-or-less admitted to copyright violation in open court, which is a pretty risky strategy, but suddenly, you're out a bunch of money and facing a dead end. Better, as QuantumG suggested, to get ahold of the copyright holders up front.

    2. Re:Find an author by RivieraKid · · Score: 4, Insightful

      Since the OP has given us no details as to the specifics of the two cases, it's impossible to offer any kind of rational comment.

      Though, for your information, the GPL does not "infect" anything. It is a copyright license like any other except that it puts most of the control in the hands of the beholder. To the extent that it "infects" anything, that's all the choice of the developer. Don't want to follow the terms of the GPL? Simple, don't use code that is covered by the GPL in your product. It's exactly the same as any other copyright license. If you don't agree to the terms, don't use it. It's not rocket science, and it's not some kind of virus that needs to be stamped out.

      By the way, due to the lack of information from the OP, it's not even clear if the FSF has any standing here - mentioning that they are not willing/able/prepared to fight the good fight is worthless when they may not even own the copyright allegedly being infringed.

      I'm more inclined to believe this is something the FSF doesn't want to push as they'll most certainly lose ground on this one, regardless of the outcome of any legal battle.

      I'm more inclined to believe this is something the FSF simply don't have the right to push for the reason mentioned above.

      they'll just make it obvious that GPL has no place anywhere near commercial software, which again, would be a huge blow for GPL software in general.

      Are you confusing commercial with proprietary?

      You REALLY REALLY don't want to push this one. Just ignore that clause like everyone else and everyone will be better off for it.

      You see, there's the problem right there: Exactly what clause are these alleged companies accused of violating? They've provided the source code. Hell, the OP doesn't even mention what version of the GPL they think the companies are violating. I mean, really - how are we supposed to discuss the issue in such a scenario?

      --
      "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
    3. Re:Find an author by fuzzyfuzzyfungus · · Score: 4, Informative

      In the case of embedded devices, BusyBox license violations are generally the order of the day...

    4. Re:Find an author by abulafia · · Score: 4, Insightful

      The problem with saying that GPL is not viral in that you just don't have to use it, is missing the point. The issue here is that it is hard to tell when one has violated the GPL.

      Well, no, it isn't missing the point. It _is_ the point. If it is so difficult for you to understand if you're violating the license, simply don't go near GPL code. This makes it extremely simple to know you are not violating it.

      The issue here is that it is hard to tell when one has violated the GPL. In your own discussion, you say that without specifics, you can't tell whether a violation occurred. In my opinion, the OP presented a reasonably generalized story.

      The GPL is one of the easier licenses out there to understand, and there are reams of discussion about what it means. Try to understand the license that, say, Oracle grants you without a copyright lawyer at your elbow.

      With other software, you can just buy the software, and know that since you paid money you have a reasonable right to use it.

      Try arguing that with the BSA if they show up for an audit. Seriously.

      More generally, the problem here, at least I think, is between chair and keyboard. Just because you think the license is weird does not make it so. If copyright law in general is complex and nonintuitive (and it is), that has nothing to do with the GPL.

      If you're just dinking around with code and manage to make a mistake in how you release it, nobody is going to come after you with guns blazing and daggers flying - they'll point out the mistake and let you correct it. And even if they did (possible, I just don't think it would happen), you can stop distributing the code. If you're commercially distributing your code in hardware, you likely have an IP lawyer on retainer anyway who can explain it to you. The problem comes in for shops that either (a) base a business model on exploiting GPLed code with no intention of complying, or (b) are being intentionally careless, like these vendors.

      and, I can't resist:

      Look at the diversity of opinion on this very slashdot page as proof of my point.

      Your median /. poster's grasp of IP law is similar to Sarah Palin's understanding of foreign policy. That they both can see the respective objects from home just makes them aggressively stupid in their analysis. (And at least, as a politician, Palin has an excuse.)

      --
      I forget what 8 was for.
  3. GPLv3 by selven · · Score: 5, Informative

    The loophole being proposed is just a variant of Tivoization. And the GPLv3 already fixes it, and anything else that gives out source while not giving you everything you need to build it.

    1. Re:GPLv3 by Anonymous Coward · · Score: 5, Funny

      I find this concept of moderating based on factual correctness quaint but interesting.

    2. Re:GPLv3 by gringer · · Score: 4, Funny

      Mod parent down, I don't like the tone of that comment. It needs to be dropped a couple of semitones.

      --
      Ask me about repetitive DNA
    3. Re:GPLv3 by Anonymous+Brave+Guy · · Score: 4, Insightful

      And the GPLv3 already fixes it, and anything else that gives out source while not giving you everything you need to build it.

      Which may explain the almost complete absence of GPLv3 code in the software world.

      In the embedded world, for example, your chances of getting permission to release the specs for any major chip to meet these requirements to the letter are probably zero. Several of the major players in the industry design chips but outsource the manufacture, and the whole ecosystem is so locked down under NDAs that anyone trying to get detailed specs out in public would wish it was only Microsoft's entire legal team suing them. That means GPLv3 software is basically useless in most of the embedded development world.

      Much the same probably applies to systems software, so many of those working on OSS operating systems, device drivers, etc. are similarly unable to work with GPLv3 code.

      The original GPL was a reasonable idea and made a lot of sense to a lot of people. GPLv3 is RMS and co's attempt to turn that popularity into a vehicle for their minority views on software development, and I guess we can see now how little of the community's support of the GPL was really down to believing in the FSF's political stance, and how much was just pragmatism.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:GPLv3 by wrook · · Score: 5, Insightful

      This has got to be the craziest post I've seen in a long time.

      Last summer CNet reported that 50% of GPL projects hosted by google code were GPLv3. That works out to at least 56,000 projects. http://news.cnet.com/8301-13505_3-10294452-16.html This information took me 30 seconds to find on google. Before making wild ass comments, please do some research.

      Now, you may have meant that GPLv3 code is rare on embedded devices. This may very well be true. But at least look up the numbers and tell us what they are rather than making outrageous comments backed up by nothing.

      Also asserting that RMS is trying to capitalize on the popularity of the GPL to ram home his minority views is completely ridiculous. The GPL has ALWAYS been his vehicle for ramming home his minority views. Did you honestly think the GPL was popular when it was first released???? RMS and the GPL popularized these ideas in the first place. v2 isn't working exactly the way he wanted it to, so he changed it. What kind of warped view of the world do you have to have to think this is unreasonable?

      Finally, if industry is accepting the GPL because it is pragmatic, then that is a good thing. I'm sorry that you can't see beyond the end of your nose to see that v3 addresses pragmatic issues. It might not be for you. That's great. Choose another license. But take a look at some of the messages here. For example, vendors are allegedly shipping software for their wireless routers with vulnerabilities. Fixes exist for those vulnerabilities, but the customer can not apply the fix because they can't load a custom build. Things like this do not endear customers to their suppliers. Generally speaking, having the ability to fix your own problems is a good thing. This is one of the pragmatic issues that v3 fixes. The license is a promise by the vendor that these kinds of things won't happen. It is something that an informed consumer can base their purchase on if it is important to them.

      I happen to think it is important to me. Many other people here happen to think it is important to them. Obviously you do not. I think you are letting your bias cloud your judgement, but that's up to you.

  4. It's still a GPL violation by mysidia · · Score: 5, Informative

    GNU GENERAL PUBLIC LICENSE Version 3 Free Software Foundation, Section 1, "Source Code.": The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work.

    The GPL does not allow authors to hide or refrain from distributing any build scripts or information required to build/install the binaries.

    They cannot have a "secret" build environment, the GPL requires that they reveal all scripts and information about the build environment.

    I don't understand why the FSF would not pursue this with full vigor. Obviously you cannot exercise your freedom to modify code, if the vendor does not distribute the pieces required to build and install a binary.

  5. Obvious answer, old answer. by kurokame · · Score: 5, Insightful

    Have these companies found a convenient way to use GPL code, whilst preventing their customers from doing the same?

    Yes - it's called "having more lawyers than you."

    What are you going to do about it, sue? You can always sue...if you actually have the resources to fight it out. And even if you actually get it to stick, it could be years down the road before you actually get access.

    Regarding your specific case, can you reverse-engineer a solution?

    1. Re:Obvious answer, old answer. by RivieraKid · · Score: 4, Informative

      He can't sue, because he has no standing. He's not the copyright owner.

      --
      "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
  6. No end run by Todd+Knarr · · Score: 4, Informative

    No, the build environment doesn't provide an end-run around the GPL. Both v2 and v3 of the GPL require the distributor to provide the scripts that control the build. In GPLv2 it's in section 3, in GPLv3 it's in section 1. GPLv3 also covers this again in section 6, in a more general form when it discusses installation information.

    1. Re:No end run by harlows_monkeys · · Score: 5, Informative

      The submitter didn't say that the scripts that control the build are missing. He said they don't provide a build environment. If I distribute GPL code that I build with Visual Studio, I don't have to distribute Visual Studio. I just have to distribute the project file (or whatever it is nowadays--haven't done Windows in a long time).

      It sounds like both companies are distributing embedded software for a hardware device. It's quite possible that the things they aren't distributing are part of some third-party expensive development environment, that they are using off the shelf. If that's the case, there's no GPL violation, as long as they distribute everything the submitter would need to build and install the software if he were to go obtain from that third party the development environment.

  7. Time to name names. by Vellmont · · Score: 4, Insightful

    It sounds like you don't work for either of these companies. So why are you protecting them?

    If you really want them to do the right thing, start making a stink about it. There's very little chance anything is going to change because one guy asked them to. There's at least some chance that they will if the companies start getting a bloody nose from it.

    --
    AccountKiller
  8. Re:Don't sue... by qbast · · Score: 5, Insightful

    This only adds bad press to Linux.

    WTF? Making a company comply with a license gives "bad press"? I think that current way (asking, nagging, offering help, refusing to take any serious step) is worse - it promotes the idea that GPL and other free licenses don't really matter - you can ignore them all you want and in worst case they can string along the community by releasing small bits and "discussing the situation" until the product becomes obsolete anyway.

    OTOH an offer to cooperate with freeing up the firmware? Sign an NDA on a tool-set for the company, then release a free version.

    Sure. Why not become an unpaid employee. It is the company's responsibility. If they are incapable of understanding license of software they distribute, then maybe it is time to fire (and sue for damages) their lawyers.

    Simply reverse-engineer it with manufacturer's cooperation, access to docs and tools, then "hack" it in a blessed way that doesn't violate the company's licenses and complies with GPL. I'm sure they would be glad if someone helped them comply with GPL instead of forcing them to do it themselves.

    Well, they did not comply with the license, so it has been automatically revoked, isn't that right?

  9. build tools? Re:No, they're just non compliant by Anonymous Coward · · Score: 4, Interesting

    "They could argue that the build tools and environment are general purpose tools, etc used unmodified. I'd have to think that if that were the case you wouldn't be having any problems trying to make modifications though."

    Would that it were that simple. There's lots of things out there where you can't just download the source and do a "make clean; make".... do you have the right libraries? (glibc version hell) The right version of the tools? (there's more than one version of gcc out there) The provider of the software might not even know... they just make it on their box, it goes ok, and they package up the source and distribute it.

  10. Legally, no. Practically, yes. by fuzzyfuzzyfungus · · Score: 5, Interesting

    As others have pointed out, GPLs 2 and 3 both require the release of the build-prerequisites. If, as one of the unnamed companies claims, they used GPL code and proprietary build prerequisites that they cannot legally release, then their lawyer(s) fucked up big. Just because the GPL doesn't ask for money, and some of its friends have long hair, doesn't make it any less binding than whatever license governs their build environment. They've put themselves in the untenable situation of having two binding licenses that cannot both be satisfied (and losing redistribution rights for their firmware would probably hurt if they don't have the resources to re-do their build environment).

    However, in practice, to uphold a right, no matter how solidly enshrined in law, generally takes time and money (particularly in civil cases, where the state won't provide you even a shitty lawyer). As long as they aren't the most blatant, the SFLC and their ilk probably won't go after them (especially if their hardware is uncommon or obscure; from a strategic standpoint, the SFLC probably cares more about improvements to OSS software flowing back to the community, and buildability on common devices than they do about buildability on obscure stuff). You might have slightly better luck if you can identify the specific authors/copyright holders of all the GPL code used in the firmware. Particularly for the company that put itself in a license bind, any of the authors could decide to sue them, possibly for real money, if they so chose.

    For you personally, though, you are probably SOL. If you have to ask slashdot, you probably don't have the lawyers you need. About all you can do is make noise about the situation, naming names, ideally, and hope that somebody with firepower takes interest.

  11. My Linksys experience by Mathinker · · Score: 5, Informative

    After getting the "our developers are working on it" runaround for months and months when Linksys didn't issue new drivers without the Broadcom vulnerability for my WPC54G v.4 adapter, rendering it totally useless, I decided to never, never, again buy Linksys equipment.

    So you might be right that the firmware of the Linksys device I bought was upgradable, but that's useless if you have no way to make custom firmware and the vendor doesn't issue bug fixes for its original firmware.

    1. Re:My Linksys experience by natehoy · · Score: 4, Informative

      Many Cisco/Linksys routers are, but I wouldn't call it "most" any more. They started building them using a closed-source OS about 3-4 years ago, and actually converted the WRT54G and WRT54GS to it mid-stream. Later, they re-released the Linux version of the WRT54G under the model name "WRT54GL".

      Having said all that, Linksys has been pretty good about releasing the source code of those things they use GPL-licensed code for. Unfortunately, they tend to use the Broadcom radios for which source code is not available, though they do publish their wrappers that control the Broadcom binary driver.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:My Linksys experience by billcopc · · Score: 4, Insightful

      Not true anymore. Many of them have been switched to the very restrictive vxWorks platform.

      The big problem with GPL violations, and by extension poor customer service, is there is never enough backlash to deter these heinous practices. We can groan until we're blue in the face, Cisco/Linksys will continue to sell flaky hardware and buggy, unmaintained firmware/drivers and endless spin doctoring. These days their business is 90% sales & marketing, 10% development. That's why the router you buy today is no better than the one you bought a decade ago. They don't give a crap, they can just slap a new ugly plastic box around the same cheap old guts and print more money.

      Even their enterprise gear has taken a nose-dive. They have about two dozen different 24-port switch SKUs, and they even have the nerve to give you detailed comparison grids, highlighting precisely how little they differ. How many ways can one shuffle managed vs unmanaged (why even bother anymore), and POE vs non-POE? They need to fire half their marketing staff and beat the other ones until they stop telling the engineers what to build. Having a uniform product line means greater efficiencies in both production and support. Modern business 101, for crying out loud!

      --
      -Billco, Fnarg.com
    3. Re:My Linksys experience by jythie · · Score: 4, Interesting

      We are not talking about desktop applications that someone grabs off TBP. The two situations you describe are completely different ends of the process.... end user pirating software and upstream developer exerting control over a downstream product. What we have in the original situation was a downstream hobbyist wanting access to the internal development tools of an upstream developer based off someone upstream from that company being FOSS, but wanting tools that were not FOSS. Or more specifically, someone bought a device that was closed (but used some open components) and then wants to edit the device, but wants the upstream company's help doing it (i.e. releasing their development tools). That produces not only MUCH more work for the company (build environments are not something that can be trivially packaged up if they are not designed to be), but also produces a horrible PR situation since, no matter how much tinkerers claim otherwise, the original company still ends up getting the blame when user modifications break the product. I got really, really sick of dealing with those support issues over time.

    4. Re:My Linksys experience by Hal_Porter · · Score: 4, Informative

      That's more to do with vxworks requiring less memory (and thus the hardware can be made cheaper), you can still try to flash linux onto those devices but they don't work very well due to the limited amount of memory/flash...
      They still sell linux based devices, but these are no longer the lowest and cheapest routers they offer - the vxworks ones are the new bargain bucket.

      It's not just less memory - vxWorks is very frugal with CPU usage too. I've seen a 486 clone at 33 MHz maxing out the bandwidth on a network card while running an FTP demon out of flash memory.

      The reason is that vxWorks is a very simple OS. It doesn't have much in the way of protection - all the code runs in Ring 0 on x86. So calls into the OS are just regular calls - you don't need to switch from Ring 3 to Ring 0. It can use the MMU but it doesn't usually have per process address spaces. So you don't need to flush the TLB on a process switch.

      The kernel is very small and simple - its vfs layer is only a line or two of code before jumping into a filesystem. And read() in a filesystem is very simple too - 99% of the time it just returns data from a cache buffer. TCP/IP implements zbuf to avoid copying. So the end result is that the 486 fetching a file over FTP from flash is only executing a few thousand instructions for each read - mostly copying from a buffer cache to a packet. Most of the code/data probably fits in the on chip I/D cache. Which was good luck in this case, because this particular board had rather slow DRAM.

      Now vxWorks isn't free in any sense - I believe it costs a buck or so per unit which is rather expensive. Still if you were switching to Linux in this system you'd need a faster CPU, more flash and more RAM. That would cost more than a vxWorks license.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  12. This is why we don't use GPL stuff by bsDaemon · · Score: 4, Insightful

    The company I work for builds our custom software environment for specialty networking hardware on top of FreeBSD specifically so we can avoid crap like this. We also employ people to make contributions back to the FreeBSD project as well, so we're not mooches, but seriously... this is why so many companies don't want to get involved with Linux or GPL solutions.

  13. Why are you keeping secrets? by upuv · · Score: 4, Insightful

    Sorry but the hypocrisy of your statement is so in my face I have to say something.

    You are keeping the identity of these companies secret for what end? It's GPL, therefore open, therefore it should not be a secret.

    If you say something this community might be able to help you. Maybe one of us has already discovered solutions to your technical problem. When something like this comes up slashdot usually coughs up pages of useful links. It can be rather fun and interesting at times.

    Sadly you are keeping it secret. Thus the helpfulness of this community is next to zip.

    Because you are keeping things secret it would not be all too far-fetched to believe that you are actually trying to alter the code in such a way as to derive money from it. Say by either selling an aftermarket mod or by selling it back to the mystery vendor(s).

    Please don't cry about the big companies keeping secrets if you can't even get that out without keeping a secret.

    P.S. Most likely no violation was made. Hardware and build env's are not governed by source code GPL. Unless of course the hardware or build env is also derived from a GPL reference.

  14. GPLv2 vs. GPLv3 in the embedded world by Anonymous Coward · · Score: 4, Interesting

    My employer works in a market where we can trust our partners about as far as we can throw them. They would rip us off in a heartbeat given the chance, and have in the past, and we don't have the resources to deal with it in court. We're happy to contribute our modifications of GPL code back to the community, and we do, but the constraints of the embedded environment require that most of our value-add proprietary code is in scripting languages, so it would be trivial for any of them to rip us off if we handed out the build scripts. We don't go out of our way to obfuscate things, but we don't make it easy to modify our firmware either.

    As a consequence of this, GPLv3 is a strict no-go for us, and the same is true for many other small companies in the cut-throat embedded world. If we could trust our partners, or we could afford to litigate when they attempt to screw us over, we'd gladly be as open as possible, but as it stands we can't afford to give away our proprietary code in the process of complying with the GPLv3, so GPLv2 is as Free as we go.

    Posted anonymously for what I hope are extremely obvious reasons.