How Ubiquiti Networks Is Creatively Violating the GPL
New submitter futuristicrabbit writes: Networking company Ubiquiti Networks violates the GPL, but not in the way you'd expect. Not only did the kernel shipped in their router firmware not correspond to the sources given, but their failure to provide the source led to a vulnerability they created being unpatched long after its disclosure. They're maintaining the appearance of compliance without actually complying with the GPL.
Isn't outing a manufacturer over product issues more of a Twitter thing?
Interesting, I have been looking at their WISP stuff for a while, and one thing I liked was they were using lots of COTS and open source software. Funny, I would not want to publish my code either, as apparently it was buggy; they would have been lash-whipped by Linus!
And in what way is this not how I'd expect?
Sleazy corporation skirts around rules, film at 11.
Lost at C:>. Found at C.
I was expecting three things: fear, surprise, ruthless efficiency, and an almost fanatical devotion to the Pope.
You know, that's a self-inflicted problem, and not deserving of sympathy.
Either you run closed source stuff and write your own stuff, or you comply with the GPL.
It's a bummer if a small company got themselves into a predicament. But, nobody cares.
I know you're not defending them, but honestly if a company decided it wanted to steal someone else's code and not play by the rules of the GPL, that's their own damned problem.
From the sounds of it, they knew damned well they were not compliant.
Never attribute to malice that which is adequately explained by stupidity.
Some settling may occur during posting.
Never attribute to stupidity when it's a habitual offender.
ELOI, ELOI, LAMA SABACHTHANI!?
Dude, this isn't binaries which have different checksums. This is binaries which don't in any way correspond to the code they provided.
This is a case of any sufficiently advanced incompetence is indistinguishable from malice.
They're either grossly inept, or knew damned well what they were doing.
that is four things ...
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
This issue is why people are leaving... the GPL and going to BSD, MIT, others.
Last time I checked, WiFi routers are still full of GPLed software such as Linux, u-boot and busybox. What's the BSD or MIT alternative? The only manufacturer selling BSD-based routers I know is Apple. I don't think companies such as Linksys, Netgear or TP-Link have the resources to develop their own OS. Either they use Linux and comply with the GPL, or they pay for a proprietary alternative.
Sorry, but what?
Nobody forced the company to use GPL stuff. Nobody forced them to build a product around it.
That they failed to comply with their obligations under the license is their own damned problem.
Use the GPL stuff, don't use the GPL stuff... it's your choice. But if you choose to use the GPL stuff, you don't get to piss and moan that you don't want to live by the license.
Corporations aren't entitled to use GPL code and not adhere to the license. It's not a situation in which you can just decide how you'll interpret releasing the code.
These corporations which don't trust the GPL are entirely free to piss off and write their own code, or start with something like BSD which says "go ahead, do whatever you want with it".
So you are saying that corporations don't trust the GPL because they do not comply with the GPL? Seems like an easy fix, isn't it?
This.
It isn't the GPL that has earned distrust here. It's Ubiquiti Networks.
If it weren't for deadlines, nothing would be late.
Dev: we moved to new Gentoo servers over the weekend and the script that exports builds is broken. it dies trying to get to the compliance server
Ops: we shut that thing down, it's ancient and would take too much time to patch for heartbleed. besides it only hosted an FTP server with some open source code. use the new server, USCMPSRV013435 to sync the GPL code outside the firewall
PHB: NO DON'T, i read an article on how GPL code is viral and also Edward Snowden stole Wikileaks 6 months ago from chinese hackers in the presidents internet.
Ops: er...okay...sooo....the last data up there is what we restored from old sparky...
Dev: oh dear, that's ancient....we had to patch new GPL'd code into the product to get ipv6 to stop crashing
Good people go to bed earlier.
The linked site in TFS is suffering from (possibly slashdot-induced) overload. Here's the text from the linked page:
Four ways Ubiquiti Networks is creatively violating the GPL
Ubiquiti Networks is a company which makes long-range wireless equipment. Admittedly, you can do some pretty amazing stuff with it, but the company has a dark history of securities fraud, violation of U.S. sanctions, trademark and copyright lawsuits and software patents, which isn't as amazing.
In addition to this, they have been violating the GPL. However, because they did it creatively, most people don't know about it, and Ubiquiti still hasn't come into compliance.
Here are four ways that they have succeeded in making the violations hard to notice, and even harder to act upon.
1. Giving the appearance of compliance
'You can find the complete and corresponding source in the GPL archive.'
Ubiquiti had a website set up where you can download tarballs purportedly containing all GPL source for each and every firmware release. (I can't find it any more, but that doesn't mean that it isn't still there.) When you look through these tarballs, they appear to be complete, and there are build instructions which allow you to make your own custom firmware.
It's only when you look closer that you start to notice problems, such as...
2. Refusing to provide the source to their modified bootloader, even though they made changes that introduced security vulnerabilities
[Image: Security keys]
Up until version 5.5.4 of Ubiquiti's airOS, the locally-modified u-boot bootloader contained a security issue: it was possible to extract the plain-text config from devices running the firmware, without leaving a trace. And the plain-text config contains unencrypted WPA/WPA2/RADIUS passwords.
Even worse than this security issue was Ubiquiti's response to it. Namely, they:
- Refused to provide the source code, even though u-boot is under the GPL
- Didn't fix the security issue for a long time after it was publicly disclosed
To this day, Ubiquiti still has not provided the u-boot source code.
3. Providing source code to a version of Linux, just not the one that they actually ship, and hoping that nobody notices
[Image: Ubiquiti source vs. Ubiquiti binaries]
It would be natural to think that the binaries that Ubiquiti provides were compiled from the source code that Ubiquiti provides. As it turns out, for a large number of their releases, the kernel source given does not correspond to the kernel in the official firmware images.
As evidence, consider that in version 5.5.4 of the AirMax firmware, the kernel was modified such that the MTD partitions would be read-only; however, this change cannot be found in the corresponding kernel patches or source.
Such practices make finding violations extremely difficult, and we can't know for certain that they haven't done this with anything else in the GPL tarball. It's possible that this was just a mistake, but remember that people have complained about this without much of a response.
And speaking of complaining...
4. Dragging out GPL code requests for months on end, then inexplicably going silent
Bureaucracy is a challenge to be conquered with a righteous attitude, a tolerance for stupidity, and a bulldozer when necessary
In case you think that I am being mean to Ubiquiti by going public, please note that I have been trying to contact Ubiquiti for the past year about the issue of the u-boot source code. You can see my attempts here, here and here.
In fact, I even got a copyright holder of u-boot to ask for the source, and they still haven't provided it.
From my conversations with Ubiquiti, I have found that they claimed that it's alright to refuse to provide source code to GPL-licensed software if "This decision was taken with the security of the users in mind". Furthermore, my conversations were endlessly delayed by the supposed necessity to forward m
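The claim in section 3 above (the shipped kernel does not correspond to the published source) has a cheap first check that anyone auditing a GPL tarball can run before doing a full rebuild. The script below is an added example and is not code from the article or from Ubiquiti: it pulls the `Linux version` banner out of a decompressed kernel image and compares the release string with the VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION fields in the tarball's top-level kernel Makefile. The sample image bytes and Makefile fragment are constructed for the example; real firmware images usually carry a compressed kernel and have to be unpacked (for instance with binwalk) before the banner is visible. A mismatch proves the source does not correspond; a match proves nothing on its own, since a change like the read-only MTD partitions mentioned above leaves the banner untouched.

```python
import re

# Constructed sample inputs (not real vendor artifacts): a fragment of a
# decompressed kernel image containing the version banner, and the top of
# the kernel source tree's Makefile as it would appear in a GPL tarball.
SAMPLE_KERNEL_BLOB = (
    b"\x00\x00junk\x00"
    b"Linux version 2.6.32-example (builder@example-host) "
    b"(gcc version 4.4.0 (Example)) #1 Thu Jan 1 00:00:00 UTC 2015\x00"
    b"more junk\x00"
)

SAMPLE_TARBALL_MAKEFILE = """\
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 31
EXTRAVERSION = -example
NAME = Example
"""

# Shape of the banner the kernel embeds at build time:
#   Linux version <release> (<user@host>) (<compiler string>) #<build> <date>
# The compiler string may contain nested parentheses, so it is matched
# non-greedily up to the ") #<n>" that starts the build number.
BANNER_RE = re.compile(
    rb"Linux version (?P<release>\S+) \((?P<builder>[^)]*)\) "
    rb"\((?P<compiler>.*?)\) (?P<build>#\d+[^\x00]*)"
)

MAKEFILE_VAR_RE = re.compile(r"^(VERSION|PATCHLEVEL|SUBLEVEL|EXTRAVERSION)\s*=\s*(.*)$")


def source_release(makefile_text):
    """Release string the tarball's Makefile would stamp into a kernel it builds."""
    values = {}
    for line in makefile_text.splitlines():
        m = MAKEFILE_VAR_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    missing = [k for k in ("VERSION", "PATCHLEVEL", "SUBLEVEL") if k not in values]
    if missing:
        raise ValueError(f"Makefile lacks {', '.join(missing)}; is this the kernel top level?")
    return (f"{values['VERSION']}.{values['PATCHLEVEL']}.{values['SUBLEVEL']}"
            f"{values.get('EXTRAVERSION', '')}")


def firmware_banners(blob):
    """Every Linux version banner found in raw (decompressed) image bytes."""
    return [
        {name: value.decode("ascii", "replace") for name, value in m.groupdict().items()}
        for m in BANNER_RE.finditer(blob)
    ]


def check_correspondence(blob, makefile_text):
    """Compare banner release strings in the image with the tarball's release.

    banner_matches is False when a banner contradicts the tarball (proof of
    non-correspondence), True when all banners agree (necessary, not
    sufficient), and None when no banner was found at all.
    """
    expected = source_release(makefile_text)
    banners = firmware_banners(blob)
    findings = []
    if not banners:
        findings.append("no Linux version banner found; the kernel may still be "
                        "compressed, unpack the image first")
        return {"expected": expected, "banners": banners,
                "findings": findings, "banner_matches": None}
    for b in banners:
        if b["release"] != expected:
            findings.append(f"release mismatch: firmware reports {b['release']}, "
                            f"tarball builds {expected}")
    return {"expected": expected, "banners": banners,
            "findings": findings, "banner_matches": not findings}


if __name__ == "__main__":
    import json
    print(json.dumps(check_correspondence(SAMPLE_KERNEL_BLOB, SAMPLE_TARBALL_MAKEFILE), indent=2))
```

For a real audit, replace the two constructed constants with the unpacked kernel from the firmware image and the Makefile from the vendor's tarball; the builder and compiler fields in the banner are also worth recording, since a tarball whose documented toolchain differs from the one named in the banner is a second sign that the published tree is not what was used.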
They're either grossly inept, or knew damned well what they were doing.
NB, these options are not mutually exclusive.
Red to red, black to black. Switch it on, but stand well back.
I used to work for a company that was meant to be a partner of Ubiquiti -- from the first meeting with Robert, one could tell this was not going to be a "share and share alike" partnership -- more likely it was going to be a one party gives, the other takes partnership. We as partners needed access to some parts of the code, and in meetings said we'd like to get the source, and given that it was built on GPL'd code, we figured it would be a non-issue. How wrong we were. Basically told that was never gonna happen, not for us, nor anyone else that wanted it, it was their IP. Robert's one of Forbes' 10 youngest billionaires. He's gotten stinking rich off others, and refuses to give back. It certainly douses your faith in the human spirit somewhat. Anyway, not that it's much better, but you can always buy from MikroTik (ducks! ;-) )
If you can spare a minute, please do any or all of the following so that we can retain the GPL's power to help the community:
- Raise awareness - upvote it, send it to friends or write a blog post about it
- Write to Ubiquiti requesting the source - their email addresses are support@ubnt.com and info@ubnt.com. You should try both.
- Send me an email telling me what you've done. My email address is riley@openmailbox.org
This is too bad. They are currently the only supported hardware maker for one of ham radio's more interesting projects: a self-discovering/healing/organizing mesh network providing WiFi networking over dozens of miles on the portions of the WiFi spectrum available to hams. http://www.broadband-hamnet.org The project still officially supports the venerable Linksys WRT54G, but official support for this router is ending this month and it is a pretty old router. Then again, when you use Ubiquiti hardware and this firmware, I suppose you are no longer violating the GPL! Still, it'd be nice to not give your dollars to a GPL violator.
There's ways around the NDA problem: put that code in a separate place where it interfaces with GPL code, but does not require actually modifying the GPL code with anything NDA-tainted, for instance. If you can't figure out how to do that, then you really have no business working with this stuff. Or just use a proprietary OS like VxWorks.
Yeah, we should all be using closed source shit and live happily in la-la land. Or we could use BSD kind of licenses, create software for free and pay money to get closed source shit back. Woohoo!
Yet another brand of router to avoid.
At least unless there's DD-WRT or something for the hardware, I won't buy one that isn't supported by real open-source software (even if I stick with their router SW).
DD-WRT is hardly a posterchild of open router software, they extensively use binary drivers in their releases, especially on the BCM platform.
OpenWRT is what you want as a baseline.
Actually, their stuff is light-years ahead of most of the 802.11 stuff you can buy for home use (as it is enterprise grade) while being in the same price range.
That however does not give them an excuse to violate the GPL and just ignore the terms of the agreement.
I hope they realize the error of their ways and fix the issue before they have to be sued into oblivion.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Forget to check the post anonymously box? Be careful, you might get attacked by Stallman and his followers :)
The GPL is rape in license form. Viral infection of the GPL sounds like an STD left behind by a rapist.
The GPL may be viral, but to correct your metaphor, the only way to catch it is via consensual intercourse with GPL source. There's no rape going on.
However, if GPL had been more permissive this whole incident would never have happened.
Of course it wouldn't. And Linux/U-Boot/Busybox wouldn't be as great as they currently are because corporations wouldn't have contributed back to these projects.
The GPL is just the terms and conditions that you have to agree to in order to have permission to copy the work, and in particular, to create derivative works from it. The GPL can do this because stuff put under it is copyrighted, and you need the copyright holder's permission to make copies of copyrighted works outside of what would have ordinarily been considered fair use in the first place. All the GPL does is outline the terms you have to agree to in order to receive such permission. If you don't want to comply, there's no permission given in the first place, so there's actually no unwanted viral aspect to it at all. If the terms are simply disagreeable to you, you may, at your option, try and contact the copyright holder to obtain alternate licensing arrangements for your special case, but the copyright holder is no more obligated to give anyone such permission than Paramount is obligated to give anyone permission to make their own for-profit Star Trek film.
File under 'M' for 'Manic ranting'
Don't like the license? That's absolutely fine. But then don't use it and write your goddamn operating system FROM SCRATCH!
Non-Linux Penguins?
It can't be rape; the router has ways of shutting itself down when that happens.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
No, they used Linux because that's what Atheros gave them as a base for the Atheros reference AP implementation.
Please don't make stuff up.
Hardware and software are apples and oranges. Although it would be convenient if open hardware were as easy to make as open software, it's not.
Fact is, restrictive open source isn't producing innovation.
I've never felt restricted by open-source software. The problem has always been closed systems, for me. Although, I suppose that the licensing issues go to the back of your mind anyhow when you've got a system that won't do what you want, and there is no way for you or anyone else but the vendor to fix it.
It is pitch black. You are likely to be eaten by a grue.