Slashdot Mirror


Symantec May Violate Linux GPL in Norton Core Router (zdnet.com)

An anonymous reader writes: For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device's source code, which Linux's GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party. This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it's regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec's magic security sauce.

What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system. For Symantec's purposes, QSDK and OpenWrt are an excellent choice. Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features. But -- and it's a big but -- if it's indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router's code with the world.

144 comments

  1. big but by Anonymous Coward · · Score: 0

    https://www.youtube.com/watch?v=UVKsd8z6scw

    1. Re:big but by Anonymous Coward · · Score: 0

      Sorry, that was the wrong link. It was supposed to be:

      https://www.youtube.com/watch?v=0yfJQUoxN3U

    2. Re:big but by Anonymous Coward · · Score: 0

      I think you meant this

      https://www.youtube.com/watch?v=_JphDdGV2TU

  2. not share with "the world" just "customers" by Anonymous Coward · · Score: 1

    The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers. They may choose to do this by releasing it to anyone who wants to download it but that's their choice.

    1. Re:not share with "the world" just "customers" by HelpTheNewOverlord · · Score: 3

      Yes, but the customer has the right to release it to the public as well. So in this case there is no real difference.

    2. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 3, Informative

      I've no idea if this opinion is common or if it's the same AC who appears to peddle it every time but it's wrong. GPL V2 gives 3 options to distributing binaries, one of which must be met.

      1. Accompany the binaries with the complete source code.
      2. Accompany the binaries with a written offer, valid for 3 years, to give any third party the complete source for no more than your cost.
      3. Pass on a written offer you received under the second option but ONLY for noncommercial distribution where you received such an offer.

      So unless you provide the source with the binaries the only way you can commercially distribute is if you will give anyone the source for no more than cost.

    3. Re:not share with "the world" just "customers" by Spazmania · · Score: 1

      The difference is that Symantec doesn't have to care about anyone who isn't a paying customer. They just can't demand an NDA for the customer to see the code.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    4. Re:not share with "the world" just "customers" by FatdogHaiku · · Score: 1

      Seeing that the software was "based on QSDK and OpenWrt", would "cost" include wages paid to anyone that helped customize, configure, test, etc. for each product?
      Just wondering...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    5. Re:not share with "the world" just "customers" by johnw · · Score: 2

      The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers.

      Not true - whilst it doesn't require public release (in the sense of publishing it on a web site or similar) the licence does require that they make the source code available to anyone who asks for it - there is no restriction to just customers or anything like that.

      b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

      Note the "any third party" bit.

      They could avoid this requirement by giving all their customers the source code with the units, but then there's nothing to stop their customers passing it on.

    6. Re:not share with "the world" just "customers" by johnw · · Score: 0

      The difference is that Symantec doesn't have to care about anyone who isn't a paying customer.

      Yes they do - the GPLv2 is perfectly clear on this.

    7. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      No, they don't.

      All they have to do is offer the source to people who own the router and be done with it.

      There is no requirement to put a download link up for anyone to download it.

      numbnuts

    8. Re:not share with "the world" just "customers" by Bruce+Perens · · Score: 2

      One of those people is Matthew, who would definitely upload his copy to a public web site.

    9. Re:not share with "the world" just "customers" by Bruce+Perens · · Score: 1

      Well, your question isn't all that clear. If you mean should the QSDK and OpenWRT people be paid, technically they could demand monetary damages but the community principles that most of them adhere to say they prioritize compliance over damages. A developer support organization like SFLC may ask for some damages for the purpose of supporting its own activities.

      If you are asking if their own employees and consultants should be paid, they usually are. But the cost, even with the source code distribution necessary for license compliance, is very small compared to making your own kernel. You can buy a proprietary kernel, but in general they aren't as good and they can be very costly. For example you can get Nucleus. Which supposedly is good enough to support nuclear plants, but if you want modern networking facilities, you may have to pay big bucks for them to be added.

    10. Re:not share with "the world" just "customers" by david_thornley · · Score: 0

      That applies if the binaries are distributed, not otherwise. It's perfectly legal to keep modified GPLed code to yourself, and RMS is fine with it. It is true that, if you distribute the binaries, you have a responsibility to give copies of the source to people not your customers.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    11. Re:not share with "the world" just "customers" by mjg59 · · Score: 2

      There is no requirement to put up a download link, but there is a requirement to provide the source code to any third party that asks for it

    12. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      Your source code will be dispatched via Zip disks in the next 12 to 16 weeks. Can't read it? Oh that's too bad.

    13. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      No, the license states "no more than your cost of physically performing source distribution"

    14. Re:not share with "the world" just "customers" by jrumney · · Score: 1

      Not if they give the source code with the router. The requirement to give it to anyone who asks applies if they give a written notice with the device giving details of how to request source code.

    15. Re:not share with "the world" just "customers" by mjg59 · · Score: 1

      They didn't provide the source code with the router.

    16. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      It doesn't seem pointless to not just provide source but whatever is cheaper I guess.

      I am a fan of the GPL but the source isn't nearly as useful to the average user, even if that user is a programmer.

      What percentage of people that use Linux for any purpose actually has any use for the source, outside compiling tarballs?

    17. Re:not share with "the world" just "customers" by FatdogHaiku · · Score: 1

      Ah, that was what I was wondering.
      Sorry to have been unclear.
      Thanks

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    18. Re:not share with "the world" just "customers" by FatdogHaiku · · Score: 1

      What I was wondering was what kind of costs Symantec could attempt to recoup for providing the source... I think the AC below covered it.
      Thanks Bruce, keep up the great work.

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    19. Re: not share with "the world" just "customers" by Bruce+Perens · · Score: 1

      No significant cost. Take it easy.

    20. Re:not share with "the world" just "customers" by johnw · · Score: 1

      It's perfectly legal to keep modified GPLed code to yourself,...

      True enough, but that's not the case under discussion.

      The assertion made was that if you distribute binaries you need only offer the source to people to whom you have given the binaries. This is just plain wrong, as I explained.

    21. Re:not share with "the world" just "customers" by johnw · · Score: 1

      No, they don't.

      All they have to do is offer the source to people who own the router and be done with it.

      Just repeatedly posting this nonsense isn't going to make it true. Read the GPLv2 (and the relevant section has already been posted in this discussion) and realize that you are wrong.

      (Interestingly - if they shipped the source code with the router that would fulfil the licence requirements, but just offering it to people who already have the router wouldn't.)

    22. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      Your source code will be dispatched via Zip disks in the next 12 to 16 weeks. Can't read it? Oh that's too bad.

      GPL2 Section 3 b. : "Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange"

      You might have a hard time arguing that Zip disks are a "medium customarily used for software interchange" unless you're talking about ancient customs! :)

    23. Re:not share with "the world" just "customers" by RockDoctor · · Score: 1

      That applies if the binaries are distributed,

      The binaries have been distributed on a memory device, buried in a fancy case that says "Symantec Core Router" (or something - whatever this device is).

      The non-distributed case is for products that are not sold as such, but kept entirely in-house. If you build your own Widget and only use it on your own sites, then you're not distributing it (Google's millions of servers probably fall in this category). If you build a Widget which is used as a tool only by your staff working as contractors on other companies sites, that probably doesn't count as distributing it either (it's still not public). Quite how far you go before it is "distributed", I'm not sure, but it's somewhere beyond that level.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    24. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      Nope, only to those who download/buy the binary.

      If company A sells GPL program B and Johnny Shithead who has never bought B has no right to getting the source code from A.

      The code will likely be available from somewhere but A is under no obligation to do anything for Mr. Shithead.

      numbnuts

    25. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      You have not read the GPL.

      You must provide the source code with the binary UNLESS you provide a written offer to provide source code to anyone who asks...not just those to whom you distributed binaries.

    26. Re:not share with "the world" just "customers" by mjg59 · · Score: 1

      GPLv2 3(b):

      Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code

    27. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      Sorry, you are wrong.

      There is always a way to get it but a distributor is under no obligation to host a source download server.

      numbnuts

    28. Re:not share with "the world" just "customers" by Anonymous Coward · · Score: 0

      Read the fucking license, dumbass. It depends on how you distribute.

      If you don't include source, you must include a written offer to provide source to ANY third party.

      Done arguing. The license terms are there. Learn something or fuck off.

  3. Minor correction by Anonymous Coward · · Score: 1, Informative

    For years, embedded device manufacturers have been illegally using Linux.

    Ahem. They have been illegally copying Linux. You're allowed to use Linux without any terms. Copying is the activity that Congress passed laws to restrict.

    It's a minor detail, as long as everyone reading your words understands what you really meant. But imagine the various conclusions that a Trump-level intellect might make, and the misinformation they would spread. That's why you should really say what you mean, rather than having faith in readers.

    1. Re:Minor correction by Provocateur · · Score: 1

      It's not a semantic thing, is it?

      But "Trump-level intellect," that's rich; mind if I use it?

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    2. Re:Minor correction by Anonymous Coward · · Score: 2, Insightful

      imagine what a Hillary-level intellect might do with this: you'd be droned before breakfast....

    3. Re:Minor correction by Anonymous Coward · · Score: 0

      Does Mickey Mouse wear a Donald Trump wristwatch?

    4. Re:Minor correction by Archangel+Michael · · Score: 1

      Trump-level intellect

      You sound like Trump when you say that.

      How about you rise above Trump level insults, mkay?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    5. Re: Minor correction by Anonymous Coward · · Score: 0

      Bazinga! You sure showed them your smarts. BIGLY.

    6. Re: Minor correction by Archangel+Michael · · Score: 1

      You forgot to mention Russians and Porn Stars.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    7. Re: Minor correction by thunderclees · · Score: 1

      Bill and Hillary?

    8. Re: Minor correction by Anonymous Coward · · Score: 0

      We know whom Starr made a Porn Star, so Hillary must be the Russian.

    9. Re:Minor correction by drinkypoo · · Score: 0

      Ahem. They have been illegally copying Linux. You're allowed to use Linux without any terms. Copying is the activity that Congress passed laws to restrict.

      If we're going to pick nits, let's pick them: They have been illegally distributing Linux. The license under which Linux is distributed gives you the right to make an unlimited number of copies for personal use. You do not incur any obligations under this license until you distribute a binary based upon it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Minor correction by cascadingstylesheet · · Score: 1

      But imagine the various conclusions that a Trump-level intellect might make

      Yes, you might end up as President or something. Be careful!

    11. Re:Minor correction by Bruce+Perens · · Score: 5, Informative

      Sorry, Martin, it really is unlicensed copying that is the violation. The way it works is when you violate the license, the copyright holder (plaintiff) goes to court and says "the defendant is infringing my copyright by making unlicensed copies". The defendant answers with their defense: "I am not violating copyright because I have a license". The plaintiff then shows all of the ways that the defendant is not honoring the license terms, and thus demonstrates that the act of copying was unlicensed and that for the defendant, all rights were reserved and are thus being infringed. The tort is making unlicensed copies.

    12. Re:Minor correction by Bruce+Perens · · Score: 2

      If you violate the GPL, what you are charged with is making unlicensed copies. The thing everyone gets wrong about that is that the license then becomes your defense and you have to prove that you were complying with the license, in order to defend yourself. And of course if you've been brought to court over this, you probably can't.

    13. Re: Minor correction by Anonymous Coward · · Score: 0

      Here, let me fix that for you:

      Hillary and Bill

    14. Re:Minor correction by Anonymous Coward · · Score: 0

      I can make a million copies of a GPL program and as long as I don't distribute it, Stallman can get bent.

      Hell, I could install a GPL'ed binary on my organization's machines and I still wouldn't have to give source to each user, not that they could do anything with it anyway.

      numbnuts

    15. Re:Minor correction by Anonymous Coward · · Score: 0

      Yes, that is in fact how the GPL works. The GPL is not a usage license and has no say in how you use the software. The GPL is a software conveyance license; it works when a holder of the software GPL work conveys a copy of the software to some other person. In your example, you're not actually conveying a copy of the GPL software to anybody so therefore the GPL has no meaning.

  4. This could have been avoided by OrangeTide · · Score: 5, Interesting

    If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.

    But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:This could have been avoided by Anonymous Coward · · Score: 3, Informative

      I came to the comments to say just this. The BSDs are the way to go if you're going to make closed commercial software. We don't mind, and we welcome any donations or patches as a way of saying thanks!~

    2. Re:This could have been avoided by nnull · · Score: 1

      They don't care. The product is out and then discontinued in a year or two. Rinse and repeat.

    3. Re:This could have been avoided by Anonymous Coward · · Score: 0

      You won't get any. No thanks either, sucker.

    4. Re:This could have been avoided by thegarbz · · Score: 1

      If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.

      So far more effort required on their part vs ... just uploading the source code on the web? Yeah I can see why QSDK.

    5. Re:This could have been avoided by Kludge · · Score: 2

      But most companies would rather try to save some money and effort doing things the wrong way.... .

      It probably would have cost Symantec a lot of money, not just some, to get BSD running on their router hardware. OpenWRT was written to run on hardware found in routers.

      In the long run that strategy is most costly.

      Evidence? What is "most costly" about releasing the source code for their hardware? Will people stop buying their routers just because the source code is available? Historically I have found this to the contrary. Routers that support 3rd party firmware tend to sell for more money than the ones that do not.

    6. Re:This could have been avoided by Anonymous Coward · · Score: 0

      Single threaded, giant locked crap? Doing it "the right way"?

      I guess, if your main concern is to avoid sharing anything at all with rest of the world. Fucking crab.

    7. Re:This could have been avoided by Anonymous Coward · · Score: 0

      We're fine with that as well. Least our code is being used.

    8. Re:This could have been avoided by OrangeTide · · Score: 1

      I've worked for companies that struggle with uploading source (I mainly work as a Linux system software developer for embedded products).
      Cisco has trouble with this, because they are incompetent. NVIDIA, because they are paranoid about trade secrets.
      Amazon was good about sharing source when I worked there, but they've gone downhill as that team got bigger and more paranoid.

      --
      “Common sense is not so common.” — Voltaire
    9. Re:This could have been avoided by OrangeTide · · Score: 1

      Giant lock on your single CPU router SoC is not a big deal.

      The removal of the BKL is even recent in the Linux kernel (2010?), and it isn't making our typical 1-10 core environments faster or better. I think engineering for a purpose is more important than an expansive feature list.

      If you wanted to make a massive parallel cluster then you really should run Linux, like many supercomputers do. (sorry FreeBSD!)

      --
      “Common sense is not so common.” — Voltaire
    10. Re:This could have been avoided by sjames · · Score: 2

      Releasing the source isn't costly. NOT honoring the license by releasing the source is what can get costly.

    11. Re: This could have been avoided by Anonymous Coward · · Score: 0

      Unlike Linux

    12. Re:This could have been avoided by MrMr · · Score: 1

      I think you've just described copyright law.

    13. Re:This could have been avoided by Anonymous Coward · · Score: 0

      Recent? I know ageing does horrible things to your perception of time, but we are writing 2018 now. 2010 was _eight years_ ago.

      Point is though that there is a right way, and that way isn't the FreeBSD way.

    14. Re:This could have been avoided by Anonymous Coward · · Score: 0

      In the long run that strategy is most costly.

      Evidence?

      As the bulk of the Linux code is already released, mirroring it or even pointing a URL at it is only a few minutes of work.
      As for their custom changes, they would need to write ALL the code that consists of "their changes." They know exactly what license it needs to be and exactly what needs to be specified to any 3rd party programmers if it wasn't coded in-house. Adding the words "It must be GPL licensed" to the email is seconds worth of time.

      The more costly option of violating copyright law is $150,000 per infraction.

      So even at $300/hour minimum one hour, that is $300 to paste a URL on their site and add 5 words to an email.
      Assuming only ONE end product was sold, that would be $300 < $150000
      Assuming two items sold, that would be $300 < $300000
      Three items sold is $300 < $450000

      Note that complying with the license is at most $300 and doesn't change no matter how many products are sold.
      However violating the license multiplies by each product sold and *only* goes up.

      Even if their programmer charges $150000/hour then it is still cheaper to abide by the license than what it would cost for 2+ products to be sold. But you may find it difficult to convince anyone here they are paying $150000/hour to an outside programming contractor...

      So there's your evidence.

    15. Re:This could have been avoided by Bruce+Perens · · Score: 2

      There isn't really a BSD distribution comparable to OpenWRT. I suspect the BSD license is one reason for that. A lot of people don't want to spend their free time producing corporate welfare. If a corporation wants to participate, they expect the corporation to return value to the Free Software community.

    16. Re:This could have been avoided by Anonymous Coward · · Score: 0

      We're fine with that as well. Least our code is being used.

      I think "used" should be capitalized in your sentence to better reflect things.

    17. Re:This could have been avoided by Bruce+Perens · · Score: 1

      I really do charge companies to fix their GPL violations. Many of them have looked at the cost and decided to keep violating. I can't, unfortunately, tell you who they are. But if you don't believe that their infringement is wilful, I can tell you for sure that many companies are wilful infringers.

    18. Re:This could have been avoided by OrangeTide · · Score: 1

      Point is though that there is a right way, and that way isn't the FreeBSD way.

      Point noted, but dismissed as not applicable in this context. Thank you for your contribution.

      --
      “Common sense is not so common.” — Voltaire
    19. Re:This could have been avoided by tlhIngan · · Score: 1

      If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.

      But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.

      The problem is, most SoCs run Linux. The problem is SoC vendors really only support Linux. Getting one to support BSD is quite iffy - if they've even heard of it at all.

      And unfortunately, it's impossible to port it yourself - modern SoCs are so complex and poorly documented that one really cannot port it over without a lot of help from the SoC vendor. Even getting register lists from some of them is like pulling teeth.

    20. Re:This could have been avoided by Anonymous Coward · · Score: 0

      What do you expect when the few people actually taking them to court then get shat on by certain other people in the community?
      The end result is a through-the-backdoor relicensing to BSD in a way that benefits the fraudsters while the honest people have all the disadvantages.
      You'd almost have to be an idiot to respect the GPL as a company the way things are going, nothing to gain and only to lose by doing it.

    21. Re:This could have been avoided by OrangeTide · · Score: 1

      And unfortunately, it's impossible to port it yourself

      That's my old job from Cisco.

      Even getting register lists from some of them is like pulling teeth.

      Sorry about that. That's my current job at NVIDIA. It's not as straightforward as zipping up our documents and handing them over.

      --
      “Common sense is not so common.” — Voltaire
    22. Re:This could have been avoided by OrangeTide · · Score: 1

      Most corporations do not want to join your religion, or don't understand it.

      They are free to develop in-house. But yeah to leverage a community-driven project like OpenWRT means that a community of open source advocates and the needs of a corporation would have to align. Or one or two crackpot BSD fanatics do it just to prove a point.

      Now there are consultants that have their own BSD distros for embedded systems. You can hire them to get access to it. That's not the same model that Free Software advocates are used to, but it is a model that does make sense in the corporate world.

      --
      “Common sense is not so common.” — Voltaire
    23. Re: This could have been avoided by Bruce+Perens · · Score: 1

      Consultant - private BSD is not a model used extensively, most companies are still using Linux and other GPL software regardless of what they feel about the terms, simply because it has what they need and it's more mature with a larger development community. And by the way, this has nothing to do with religion and it's offensive for you to imply that it does.

    24. Re:This could have been avoided by Anonymous Coward · · Score: 0

      The problem with the BSD's is that configuring it for any use from server to desktop to embedded is a major ball-ache.

      numbnuts

    25. Re: This could have been avoided by OrangeTide · · Score: 1

      Consultant - private BSD is not a model used extensively,

      I never said it was common. Popularity doesn't alter the point.

      most companies are still using Linux and other GPL software regardless of what they feel about the terms

      The ones that use it but don't comply with the terms pay a price. A price that is likely higher than the costs of porting the kernel to their board/SoC.

      with a larger development community.

      Really businesses don't care too much about that. The value of a large community is debatable. Especially if you can't share secret unreleased products on a public forum. I run into this one frequently at my current job. In some cases we reached out and hired people in those large communities.

      --
      “Common sense is not so common.” — Voltaire
    26. Re: This could have been avoided by Bruce+Perens · · Score: 1

      I learned how fruitless going your own way was when I worked for HP. Around 2000, they budgeted a Billion dollars to add IPV6 to HP-UX. This was of course completely insane.

      Then I had Symbian for a consulting customer. And they were really adamant that the Symbian OS was their strong point and really all of the value in their company, and they had just spent a similarly astronomical amount to put IPV6 in it. I suggested they port their GUI to Linux, but it turned out their GUI came from SONY or they had more than one and didn't like any of them. Of course I watched the Symbian ship sink, unable to convince them to do anything to save themselves.

      Ultimately, systems programming is not what sells your hardware. What sells it is only what the customer sees, and that's the GUI, the application software, some hardware features but not most of them, and the performance (so your OS should not be slow or crash, because the customer sees that).

      So, it makes the most sense for a business to get all of its systems programming from the source that is the best and requires the least extra work - like porting - and then move all of the dollars saved to stuff the customer sees.

      If it costs you more to use BSD rather than just getting your GPL compliance in order, you lose.

    27. Re:This could have been avoided by Anonymous Coward · · Score: 0

      Thank you so much for your work on the GPL Bruce, if you ever feel it is a thankless job, well, I assure you it is not.

    28. Re:This could have been avoided by thegarbz · · Score: 1

      It's interesting that you haven't mentioned any that are ignorant. Not sure if this is a good or bad thing.

    29. Re: This could have been avoided by OrangeTide · · Score: 1

      I can't really blame Symbian for thinking they can succeed when RIM and Apple succeeded even if Palm failed.

      Systems programming makes the system work and meet its requirements. It is the bare minimum necessary to have a product. And isn't at all about selling the hardware. My contributions don't sell more Kindles or SHIELDs or Switches. My team makes sure devices can be manufactured and run without a flood of support calls. And to the original point, that it meets requirements like not disclosing IP the company wishes to protect.

      So, it makes the most sense for a business to get all of its systems programming from the source that is the best and requires the least extra work - like porting - and then move all of the dollars saved to stuff the customer sees.

      Assuming everyone has the same needs and goals are aligned. Which is frequently not the case.

      --
      “Common sense is not so common.” — Voltaire
    30. Re: This could have been avoided by Anonymous Coward · · Score: 0

      yes, but it is probably much easier to find developers with linux experience these days, thus cheaper

    31. Re:This could have been avoided by ebvwfbw · · Score: 1

      FreeBSD is a great OS, if the year is 1990. By 1995 there were arguments over this. By 2000 a few arguments over this. By 2010, nobody that knows what they're talking about would say - hey let's develop under BSD. Now I wish it would just die and go away along with Debian. We should all get unified instead of having so many different versions out there.

    32. Re:This could have been avoided by sad_ · · Score: 1

      true, now you try to do the same with their software!

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
    33. Re:This could have been avoided by OrangeTide · · Score: 1

      Different systems for different people is better than a unified computing platform. Not that there is much difference between FreeBSD and Linux architecturally. They are both POSIX and try to emulate the user experience of a decades old OS. It's rare to find software that will only run on one of them.

      If you want a monoculture of operating systems you could switch to Windows. That one has the most weight behind it in terms of numbers and is standardized by a central authority (Microsoft). If everyone used Windows we could have all the benefits you are imagining that will occur when we "get unified".

      --
      “Common sense is not so common.” — Voltaire
    34. Re:This could have been avoided by Anonymous Coward · · Score: 0

      And unfortunately, it's impossible to port it yourself - modern SoCs are so complex and poorly documented that one really cannot port it over without a lot of help from the SoC vendor. Even getting register lists from some of them is like pulling teeth.

      Seriously?

      How is it possible for a SoC manufacturer to support Linux and keep the code secret? Are they just distributing binary BLOB kernel modules to dodge the GPL?

  5. Re:No they are not. by Anonymous Coward · · Score: 1

    Wrong, even if they just use an off the shelf openWRT firmware image, they have to provide a way for you to have the source code. Additionally the declaration that it is licensed under the GPL.

  6. How difficult is it to show source? by QuietLagoon · · Score: 1

    Geesh, even my TV's manufacturer makes the source code available... http://oss.sony.net/Products/L...

    1. Re:How difficult is it to show source? by sinij · · Score: 1

      It isn't difficult until lawyers and suits show up. Then it becomes impossible.

    2. Re:How difficult is it to show source? by Anonymous Coward · · Score: 0

      It isn't difficult until lawyers and suits show up. Then it becomes impossible.

      I think you're describing any activity.

  7. I like big buts by Anonymous Coward · · Score: 0

    and I cannot lie

  8. This approach is absolutely counterproductive by sinij · · Score: 0

    This dogmatic approach to OS is absolutely counterproductive. So what if they used Linux? Even if they publish the source, it won't include drivers, so it isn't like you will be able to compile and use it.

    1. Re:This approach is absolutely counterproductive by iggymanz · · Score: 1

      Not counterproductive at all, there is a purpose that is for the customer's benefit to the GPL. How do you know the drivers they chose to use aren't GPL?

    2. Re:This approach is absolutely counterproductive by sinij · · Score: 1

      How do you know the drivers they chose to use aren't GPL?

      WAG based on how other products of this type usually work.

    3. Re:This approach is absolutely counterproductive by Anonymous Coward · · Score: 4, Insightful

      This dogmatic approach to OS is absolutely counterproductive. So what if they used Linux?

      Tell you what, start pirating Symantec's software, and see if they come after you for copyright infringement.

      If you don't wish to comply with the GPL for Linux, you are entirely free to fuck off and not use Linux. If you use Linux, you have to accept the license, just like with every other piece of software.

      If a company like Symantec is just going to steal other people's work and pass it off as their own, why should we refrain from stealing their work? Symantec doesn't get to take the stance that pirating their software is bad, but it's OK if they pirate someone else's. And I assure you, they would not accept you pirating their software.

      As has been pointed out, the *BSD licenses basically say "hey, you want to take this and do something with it and turn it into closed source, be our guests". Linux, however, has said that you don't get to do that.

      This isn't dogmatic, this is copyright law and software licenses. And the assholes who run corporations don't get to decide to take Linux and not abide by the terms and conditions.

      It really is as simple as the fact that if you're not willing to follow the license agreement, don't use the software.

      There is no software company on the planet who can make the argument they didn't know this, because this has been well known for 20+ years. It's hardly a secret.

      Which means Symantec are assholes who feel they can just ignore that, and profit off other people's work by stealing it. Allowing corporations to get away with that isn't dogmatic. It's holding them to the exact same fucking standards they use to protect their own work, which means they have no valid excuse for ripping off stuff from other people.

      Corporate greed doesn't give them the right to software piracy. They don't have some inherent right to use that software any more than you have a right to theirs.

      Their own website says:

      Symantec respects the intellectual property rights of others and responds to notices of alleged infringement.

      and

      Report software piracy and other suspicious activity. Learn about types of piracy, fraud and other abuse (including Tech Support Scams), what are their consequences and how to avoid becoming a victim.

      Sorry, but there is no way in hell you can accept a company like Symantec ignoring the terms of the GPL and pretending it's not a big fucking deal. Because they can't possibly not know they're breaking the law.

      Fuck that, stop making excuses for them. This isn't 'counterproductive', this is the entire point of the fucking GPL.

    4. Re:This approach is absolutely counterproductive by iggymanz · · Score: 1

      See, if they complied with the GPL2 we'd know the answer to that. Very useful thing for the customer.

      For what many of these vendors want to do, the BSD license is more useful.

    5. Re:This approach is absolutely counterproductive by Bruce+Perens · · Score: 1

      Even if they publish the source, it won't include drivers, so it isn't like you will be able to compile and use it.

      Actually, they are obligated to provide the drivers. Some people (never me) used to think that dynamically linking device drivers protected them from the GPL. But besides the other arguments that dynamic linking is not protective, we've just had the Oracle v. Google case declare that APIs are copyrightable, overturning what we thought we knew for 20 years from CAI v. Altai. One effect of this new court precedent is that it doesn't matter how you link, it's using the API that makes your code a derivative work.

      Of course some future case could change this - and in general Free Software folks have good reasons not to want APIs to be copyrightable. But you can take that decision to court and win your infringement case, and most likely the folks you charge don't want to argue this up to the Supreme court rather than release their device driver.

    6. Re:This approach is absolutely counterproductive by Anonymous Coward · · Score: 0

      ... we've just had the Oracle v. Google case declare that APIs are copyrightable ... One effect of this new court precedent is that it doesn't matter how you link, it's using the API that makes your code a derivative work.

      I don't see the connection between Oracle v. Google and the issue of dynamic linking. The case had nothing to do with using an API. Oracle objected to Google creating their own independent implementation of the Java API.

    7. Re:This approach is absolutely counterproductive by Anonymous Coward · · Score: 0

      Your outright negative cliche over-the-top highly opinionated (os of choice) supporter stance makes me support Symantec more because no one likes an outright negative cliche over-the-top highly opinionated (os of choice) supporter.

      Also I'd say dishonoring a license is not stealing it, it is however an infringement of sorts open to legal.

      Otherwise you could say 'If you look at my painting you must quack like a duck', anyone who does not quack is STEALING MY PAINTINGS ARGHHH

    8. Re:This approach is absolutely counterproductive by Anonymous Coward · · Score: 0

      Even if they publish the source, it won't include drivers, so it isn't like you will be able to compile and use it.

      Actually, they are obligated to provide the drivers.

      Not if your driver just uses standard kernel syscalls. If so, it is not a derivative work according to Linus.

  9. dipshit by Anonymous Coward · · Score: 1

    Copying is the activity that Congress passed laws to restrict.

    Copying is what you do when you install the firmware onto the devices you're manufacturing.

  10. Read-only firmware is good - most of the time by davidwr · · Score: 4, Insightful

    Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management.

    For devices like this, firmware should have a hardware-enforced read-only setting that is on by default. Signed binaries are only as "secure" as the master signing keys, and if I can't install my own firmware I don't really "own" it, now do I?

    If I want to flash my firmware, I should have to toggle a switch.

    Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Read-only firmware is good - most of the time by Dutch+Gun · · Score: 2

      If I want to flash my firmware, I should have to toggle a switch.

      Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

      I think your risk assessment needs re-assessing.

      What do you think is more likely: that a) a vulnerability will be found in the router's firmware which requires patching, or b) that the encryption keys will be lost, the update domain hi-jacked or intercepted, and the bad actor will manage to deliver an update package complete with malware, signed with stolen keys?

      I'd bet a goodly sum that option a) is vastly more likely to occur than b), simply based on history. And yet you want to disable automatic updates by default? For consumer-oriented products, that seems completely backwards to me.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:Read-only firmware is good - most of the time by Anonymous Coward · · Score: 0

      The way OpenWRT and distros based on it work is that the same flash that holds the OS, NVRAM variables and starting rootfs also holds an overlayfs. No way to only make a portion of commodity flash used in cheap routers portable, though I'm sure it's possible and has been done.

      Be nice if they made flash chips that have write protect for specific regions but I'm sure that would cause the price of it to rise a penny and we can't have that.

  11. Not... really by DeathToBill · · Score: 4, Informative

    If Symantec are distributing Linux, then they need to make the source code for Linux available to their customers. If their system is based on OpenWRT, then they need to make the source code for OpenWRT available. Saying "Symantec needs to share the Norton Core Router's code with the world" is essentially saying that every piece of software written for Linux has to be open source - and it just ain't so. The GPL may be viral, but it's not that viral.

    --
    Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
    1. Re:Not... really by Anonymous Coward · · Score: 0

      If they make changes to GPL'd code, then they have to make those changes available along with the full source required to run the changes. If you just use binaries compiled from an official release, then there is no requirement to distribute anything. If they have the GPL clause disclosed in their manual and they are using a stock image for say a Yocto build environment, then there really isn't a reason for them to distribute anything if their software sits on top.

    2. Re:Not... really by Anonymous Coward · · Score: 0

      Sure there is. Even if you are just redistributing binaries you need to provide the source code.

    3. Re:Not... really by countach · · Score: 1

      They don't have to distribute copies of Linux code unless they modified it. They just have to make sure users can get the code if they want, and if it's unmodified then users can get it from the usual places.

    4. Re:Not... really by Anonymous Coward · · Score: 0

      No, numbnuts.

      If you are merely redistributing code with no changes, they can just point to the Linux repos and whatever other GPL software they use and be done with it.

      They don't even have to provide compiling instructions.

    5. Re:Not... really by Bruce+Perens · · Score: 2

      No. They are required by the license to distribute the source code themselves, whether or not they modified it. They can't satisfy the license obligation by pointing to a public web site, because the public web site is not itself obligated to stay running for the purpose of satisfying Symantec's license obligation.

    6. Re:Not... really by Bruce+Perens · · Score: 1

      A lot of people get this wrong. If you redistribute GPL code, you are responsible to redistribute the source code too. Directly, and even if you never modified anything. You can't point to anyone else's web site because those people aren't obligated to keep their web sites going to satisfy your license obligation.

    7. Re:Not... really by Bruce+Perens · · Score: 1

      I guess everyone on Slashdot knows better, but taking legal advice from Anonymous Coward is considered harmful :-)

    8. Re:Not... really by Anonymous Coward · · Score: 0

      Are you claiming that it isn't enough?

      Show me where it says the source has to come from the distributors website and compilation instructions are required.

    9. Re:Not... really by Anonymous Coward · · Score: 0

      Wrong, if that site goes down just point to another.

      There is no requirement to host a code download server to distribute GPL programs.

      numbnuts

    10. Re:Not... really by Doc+Right · · Score: 0

      Exactly. Unless they made changes to OpenWRT itself, they're well within their use rights. They're under no obligation to publish their source code for a program that runs under a specific Linux distro. If that were the case, Linux would die overnight.

    11. Re:Not... really by Anonymous Coward · · Score: 0

      So you can't show where the GPL requires the distributor to host a source repo?

      Color me not shocked.

      This is why people don't respect you anymore, you are a dispenser of FUD and outright lies.

  12. Mother May I by Anonymous Coward · · Score: 0

    Symantec May Violate Linux GPL in Norton Core Router

    May? As in given permission to? Then they aren't in violation.

  13. Re:No they are not. by Anonymous Coward · · Score: 0

    A simple statement that the source is freely available elsewhere is sufficient to fulfill this requirement.

  14. semantic thing by Anonymous Coward · · Score: 0

    It isn't a semantic thing at all. It is a /legal/ thing. The GPL v2 license agreement requires sharing the code if you /distribute/ it. Selling routers that contain the code is distribution.

  15. This could have been free. by Anonymous Coward · · Score: 0

    Saving WHAT money and effort? They're both free. Releasing source code is a NO effort thing.

    1. Re:This could have been free. by OrangeTide · · Score: 1

      Releasing source code is a NO effort thing.

      I spend such a tremendous quantity of time on this in my current job that I'm a little offended.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:This could have been free. by Anonymous Coward · · Score: 0

      Maybe free (or close to it) in cost, but not free as in commercially beneficial. If I were running a company making routers and my engineers figured out that changing a few things in an open-source distribution made things run a lot better or fixed some issues, the last thing I want to do is give away that work when instead I could hold it in-house and release a better router than everyone else's. I'm not looking out for "the community" unless I've named the corporate bank account "community." My obligation is to make more money, full stop.

      BSD is a much more sensible license for corporations. Release source only for what you want to release, sit on what is competitively advantageous.

  16. Do these people ever use Open BSD? Just Wonderin by shoor · · Score: 1

    My understanding is that Open BSD is the most secure of the OS's and uses the BSD license which is 'looser' as in, it lets you get away with more.

    My speculation is laziness, so many hands have developed so much software around Linux, OpenWRT being a good example, that the programmers hired by these companies can just drop the stuff in.

    But maybe there's more to it than that, which is why I'm posting the question.

    --
    In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
  17. This is why I'm against the soft-shoe approach by Trailer+Trash · · Score: 2

    This is why I'm against the soft-shoe approach to GPL violations in every case. Symantec is a large enough company and the people working there absolutely know what their responsibilities are. We need people who'll go after them for statutory damages to make an example.

    1. Re:This is why I'm against the soft-shoe approach by i.r.id10t · · Score: 1

      Get a commit to the kernel tree accepted and when your copyright is violated go after them how you will.

      Then again, wasn't there a recent thing here about someone doing just that and not getting support for his/her/its efforts?

      --
      Don't blame me, I voted for Kodos
    2. Re:This is why I'm against the soft-shoe approach by Anonymous Coward · · Score: 0

      Rather "shat on by (the corporate-sponsored part of?) the community", not just "not getting support".

    3. Re:This is why I'm against the soft-shoe approach by Trailer+Trash · · Score: 1

      My understanding of that story was that the guy was going after companies that were not the size of Symantec and possibly weren't aware of their obligations.

  18. Re:No they are not. by Anonymous Coward · · Score: 0

    Given you can't even spell it correctly . . . you just might be.

  19. Re:Do these people ever use Open BSD? Just Wonderi by Anonymous Coward · · Score: 0

    I imagine if it was easy to port OpenBSD to router hardware while filling the typical duties of these routers someone would already have a project that does just that. I wouldn't call Symantec lazy for not reinventing the wheel, but in this case I would call them guilty of violating the terms of the copyright for that project.

  20. seems to be legal to me by Anonymous Coward · · Score: 0

    https://www.symantec.com/about/legal/repository

    Open Source Software. Certain Symantec products may include open source software, which is subject to the applicable open source license. To request a copy of open source software for your licensed Symantec product in accordance with the applicable open source license, please submit an e-mail request to opensource@symantec.com, including your full name, product name, product software version, product open source component(s), and your country of residence. Upon receipt, we will be able to promptly process your request in accordance with the applicable open source license.

    A written offer to produce the source code upon request is all that is required by the GPLv2. Did Garrett actually try this channel before launching aspersions against Symantec?

  21. Re:No they are not. by johnw · · Score: 3, Informative

    A simple statement that the source is freely available elsewhere is sufficient to fulfill this requirement.

    Again - not true. This option is available only in the case of non-commercial distribution. If you want a copy of Linux and I fling you one of my old CDs then I don't need to make you an offer of the source as well.

    If OTOH, I sell CDs of Linux as a business, I do need to make provision for you to be able to ask for the source as well.

    c) Accompany it with the information you received as to the offer
            to distribute corresponding source code. (This alternative is
            allowed only for noncommercial distribution and only if you
            received the program in object code or executable form with such
            an offer, in accord with Subsection b above.)

    The text of the GPLv2 is freely available and very comprehensible - why don't people read it?

  22. Information wants to be free by Anonymous Coward · · Score: 0

    fuck copyright.. including the GPL

    1. Re:Information wants to be free by Anonymous Coward · · Score: 0

      You do realize that MIT or BSD licensed code is copyrighted don't you?

      Until all copyright laws are abolished, good luck with that numbnuts, you can't do shit with third party code without an explicit license.

  23. Nice Headline, but not much substance to it by Anonymous Coward · · Score: 0

    Folks,

    I have been working with linux and the open-source community for many (read many for you kids) years. The GPLv2 license is simple that if you have used anything that is released under the license, then you need to make that available to your customers as well. This includes any modifications you may have made to the original software. The accepted line for this has been that as long as you are not linking anything with the GPL software, you do not have to make your software open as well. This gets even more interesting as the apps that have been written that are dynamically linked with standard libraries are also not subject to being released under the same license. This last part is sometimes debated by a lot of folks and GPLv3 makes this use even more complex, as it puts restrictions on how the software can be used.

    So what does Symantec need to do here? Simple, own up that they are using the QSDK and as long as they have not made any changes to this, they just need to point folks to the release tarball. If all that they have done is add some new binaries in the filesystem then that is not a violation of the GPL. However, if they have made changes to the packages that openwrt builds, then they need to publish that.

    1. Re:Nice Headline, but not much substance to it by internet-redstar · · Score: 1

      The GPLv2 license is simple that if you have used anything that is released under the license, then you need to make that available to your customers as well. This includes any modifications you may have made to the original software. The accepted line for this has been that as long as you are not linking anything with the GPL software, you do not have to make your software open as well. This gets even more interesting as the apps that have been written that are dynamically linked with standard libraries are also not subject to being released under the same license. This last part is sometimes debated by a lot of folks and GPLv3 makes this use even more complex, as it puts restrictions on how the software can be used.

      So what does Symantec need to do here? Simple, own up that they are using the QSDK and as long as they have not made any changes to this, they just need to point folks to the release tarball. If all that they have done is add some new binaries in the filesystem then that is not a violation of the GPL. However, if they have made changes to the packages that openwrt builds, then they need to publish that.

      This might be what you feel is the meaning of the GPL, but that isn't what the GPL states.
      When a customer asks for the source code of the GPL licensed software, Symantec is legally obligated to provide it.
      Also, they are (legally) required to add the GPL (and other licenses) additions to their EULA. Including where to write to, to obtain the source code.
      They are not required to 'publish' anything. Merely provide the source code when asked for it (including possible changes to openwrt builds). They might find it practical to 'publish' or 'collaborate upstream', but are under no legal obligation to do so.

    2. Re: Nice Headline, but not much substance to it by Brockmire · · Score: 1

      Wow, no need for $50k annual license for Qualcomm closed source drivers anymore. Their drivers have always been shit, but the ones in OpenWRT are just shit.

  24. Wouldn't That Be True by Greyfox · · Score: 1

    Wouldn't that be true only if they actually modified any of the original source? If they've made no modifications to any of the packages, then all the source for the thing is still freely available. Just not from them.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Wouldn't That Be True by david_thornley · · Score: 1

      In which case it costs them approximately nothing to distribute the source, and it won't reveal any secrets. They're required to make the source available, and they're responsible for keeping it available. If they want to have a third party do that, they need to make sure the third party continues to do that.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  25. Re:No they are not. by Bruce+Perens · · Score: 1

    Just in case anyone didn't already realize, this AC is wrong :-)

  26. Yes and no! by internet-redstar · · Score: 1

    YES, they need to distribute the source code of the GPL components to customers who ask for it.
    NO, they do not need to release the source code of their proprietary software components as long as they are stand-alone programs (just like Oracle doesn't need to release the source code of their expensive database). A mix of OpenSource components and proprietary software is perfectly fine.
    YES, they also should add the correct license statement additions into their EULA.
    In Europe, we http://www.linuxbe.com/ can help, in the US, they can ask Bruce Perens if something would be confusing...
    GPL compliance IS important, but let's not turn it into a witch hunt.

  27. GNU-Linux by Latent+Heat · · Score: 1

    They have been illegally copying GNU-Linux? Or are they just breaking the law with the Linux kernel and not using any of the GNU utilities?

  28. Grsecurity by Anonymous Coward · · Score: 0

    Any news on grsecurity's gpl 2 violation?

  29. Big Overstatement by SwashbucklingCowboy · · Score: 1

    "Symantec needs to share the Norton Core Router's code with the world."

    1. Not the world, but with customers, though practically speaking, might as well be the world.

    2. Not all of the code, but all of the GPL and LGPL code and anything linked to the GPL code and strictly speaking, if they statically linked LGPL code, then at a minimum the object files needed to recreate the executables.