Slashdot Mirror


How Ubiquiti Networks Is Creatively Violating the GPL

New submitter futuristicrabbit writes: Networking company Ubiquiti Networks violates the GPL, but not in the way you'd expect. Not only did the kernel shipped in their router firmware not correspond to the sources given, but their failure to provide the source led to a vulnerability they created being unpatched long after its disclosure. They're maintaining the appearance of compliance without actually complying with the GPL.

7 of 225 comments

  1. Re:Get your axe out by Anonymous Coward · Score: 2, Informative

    GPL requires that you provide complete source code to binaries you distribute that are derived from that source code. That includes any changes that you have made and code you have added.

    So either you get a head start from the existing code and then share your changes, or you write it all yourself. Pretty straightforward tradeoff.

  2. Re:Get your axe out by gmack · Score: 4, Informative

    The GPL is designed to avoid the "What's yours is mine and what's mine is mine" scenario where someone uses the code + their changes to always stay one step ahead of the free version, and so the GPL requires that they hand over the full source with any changes they made that were used to build whatever product they shipped. If they made changes to the GPL code that were included in the shipped product, they must publish those changes. On the other hand, if they made changes they did not ship with any product (internal releases, etc.), they are under no obligation to release those changes.

    In this case, they are not shipping all of the changes they made to their source code that was used to build their firmware so that is a clear violation of the GPL.

  3. Slashdotted by ClickOnThis · Score: 3, Informative

    The linked site in TFS is suffering from (possibly slashdot-induced) overload. Here's the text from the linked page:

    Four ways Ubiquiti Networks is creatively violating the GPL
    Ubiquiti Networks is a company which makes long-range wireless equipment. Admittedly, you can do some pretty amazing stuff with it, but the company has a dark history of securities fraud, violation of U.S. sanctions, trademark and copyright lawsuits and software patents, which isn't as amazing.

    In addition to this, they have been violating the GPL. However, because they did it creatively, most people don't know about it, and Ubiquiti still hasn't come into compliance.

    Here are four ways that they have succeeded in making the violations hard to notice, and even harder to act upon.

    1. Giving the appearance of compliance

    'You can find the complete and corresponding source in the GPL archive.'
    Ubiquiti had a website set up where you can download tarballs purportedly containing all GPL source for each and every firmware release. (I can't find it any more, but that doesn't mean that it isn't still there.) When you look through these tarballs, they appear to be complete, and there are build instructions which allow you to make your own custom firmware.

    It's only when you look closer that you start to notice problems, such as...

    2. Refusing to provide the source to their modified bootloader, even though they made changes that introduced security vulnerabilities

    Security keys
    Up until version 5.5.4 of Ubiquiti's airOS, the locally-modified u-boot bootloader contained a security issue: it was possible to extract the plain-text config from devices running the firmware, without leaving a trace. And the plain-text config contains unencrypted WPA/WPA2/RADIUS passwords.

    Even worse than this security issue was Ubiquiti's response to it. Namely, they:

    Refused to provide the source code, even though u-boot is under the GPL
    Didn't fix the security issue for a long time after it was publicly disclosed

    To this day, Ubiquiti still has not provided the u-boot source code.

    3. Providing source code to a version of Linux, just not the one that they actually ship, and hoping that nobody notices

    Ubiquiti Source / Ubiquiti Binaries
    It would be natural to think that the binaries that Ubiquiti provides were compiled from the source code that Ubiquiti provides. As it turns out, for a large number of their releases, the kernel source given does not correspond to the kernel in the official firmware images.

    As evidence, consider that in version 5.5.4 of the AirMax firmware, the kernel was modified such that the MTD partitions would be read-only; however, this change cannot be found in the corresponding kernel patches or source.

    Such practices make finding violations extremely difficult, and we can't know for certain that they haven't done this with anything else in the GPL tarball. It's possible that this was just a mistake, but remember that people have complained about this without much of a response.

    And speaking of complaining...

    4. Dragging out GPL code requests for months on end, then inexplicably going silent

    Bureaucracy is a challenge to be conquered with a righteous attitude, a tolerance for stupidity, and a bulldozer when necessary
    In case you think that I am being mean to Ubiquiti by going public, please note that I have been trying to contact Ubiquiti for the past year about the issue of the u-boot source code. You can see my attempts here, here and here.

    In fact, I even got a copyright holder of u-boot to ask for the source, and they still haven't provided it.

    From my conversations with Ubiquiti, I have found that they claimed that it's alright to refuse to provide source code to GPL-licensed software if "This decision was taken with the security of the users in mind". Furthermore, my conversations were endlessly delayed by the supposed necessity to forward m

    --
    If it weren't for deadlines, nothing would be late.
  4. This is too bad by Anonymous Coward · Score: 2, Informative

    This is too bad. They are currently the only supported hardware maker for one of ham radio's more interesting projects: A self discovering/healing/organizing mesh network providing WiFi networking over dozens of miles on the portions of the WiFi spectrum available to hams. http://www.broadband-hamnet.org The project still officially supports the venerable Linksys WRT54G, but official support for this router is ending this month and it is a pretty old router. Then again, when you use Ubiquiti hardware and this firmware, I suppose you are no longer violating the GPL! Still, it'd be nice to not give your dollars to a GPL violator.

  5. Re:It's rape Jim, but not as we know it by ClickOnThis · Score: 4, Informative

    The GPL is rape in license form. Viral infection of the GPL sounds like an STD left behind by a rapist.

    The GPL may be viral, but to correct your metaphor, the only way to catch it is via consensual intercourse with GPL source. There's no rape going on.

    --
    If it weren't for deadlines, nothing would be late.
  6. Re:It's rape Jim, but not as we know it by Anonymous Coward · Score: 0, Informative

    Actually, their stuff is lightyears ahead of most of the 802.11 stuff you can buy for home use (as it is enterprise grade) while being in the same price range.

    Horseshit. I've used Ubiquiti crap before. It's terrible, especially for the price. They frequently advertise features that simply are NOT there and have no plans to be there. One of the most egregious examples I found was that they advertised Zero Hand Off capability. That feature was nowhere to be found, and the assumption was "it would just work". Multiple tests found this to be complete and utter bunk. Their next biggest competitor, Ruckus, does it, and offers a quality product.

  7. Re:It's rape Jim, but not as we know it by mark-t · Score: 4, Informative

    The GPL is just the terms and conditions that you have to agree to in order to have permission to copy the work, and in particular, to create derivative works from it. The GPL can do this because stuff put under it is copyrighted, and you need the copyright holder's permission to make copies of copyrighted works outside of what would have ordinarily been considered fair use in the first place.... all the GPL does is outline the terms you have to agree to in order to receive such permission. If you don't want to comply, there's no permission given in the first place, so there's actually no unwanted viral aspect to it at all. If the terms are simply disagreeable to you, you may, at your option, try and contact the copyright holder to obtain alternate licensing arrangements for your special case, but the copyright holder is no more obligated to give anyone such permission than Paramount is obligated to give anyone permission to make their own for-profit Star Trek film.