Symantec May Violate Linux GPL in Norton Core Router

An anonymous reader writes: For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device's source code, which Linux's GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party. This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it's regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec's magic security sauce.

What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system. For Symantec's purposes, QSDK and OpenWrt are an excellent choice. Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features. But -- and it's a big but -- if it's indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router's code with the world.

not share with "the world" just "customers"

The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers. They may choose to do this by releasing it anyone who wants to down-load it but that's their choice.

Re:not share with "the world" just "customers"

[HelpTheNewOverlord]

Yes, but the customer has the right to release it to the public as well. So in this case there is no real difference.

Re:not share with "the world" just "customers"

I've no idea if this opinion is common or if it's the same AC who appears to peddle it every time but it's wrong. GPL V2 gives 3 options to distributing binaries, one of which must be met.

1. 1. Accompany the binaries with the complete source code.
2. 2. Accompany the binaries with a written offer, valid for 3 years, to give any third party the complete source for no more than your cost.
3. 3. Pass on a written offer you received under the second option but ONLY for noncommercial distribution where you received such an offer.

So unless you provide the source with the binaries the only way you can commercially distribute is if you will give anyone the source for no more than cost.

Re:not share with "the world" just "customers"

[Spazmania]

The difference is that Symantec doesn't have to care about anyone who isn't a paying customer. They just can't demand an NDA for the customer to see the code.

Re:not share with "the world" just "customers"

[FatdogHaiku]

Seeing that the software was "based on QSDK and OpenWrt", would "cost" include wages paid to anyone that helped customize, configure, test, etc. for each product?
Just wondering...

Re:not share with "the world" just "customers"

[johnw]

The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers.

Not true - whilst it doesn't require public release (in the sense of publishing it on a web site or similar) the licence does require that they make the source code available to anyone who asks for it - there is no restriction to just customers or anything like that.

b) Accompany it with a written offer, valid for at least three
        years, to give any third party, for a charge no more than your
        cost of physically performing source distribution, a complete
        machine-readable copy of the corresponding source code, to be
        distributed under the terms of Sections 1 and 2 above on a medium
        customarily used for software interchange; or,

Note the

any third party

bit.

They could avoid this requirement by giving all their customers the source code with the units, but then there's nothing to stop their customers passing it on.

Re:not share with "the world" just "customers"

[Bruce+Perens]

One of those people is Matthew, who would definitely upload his copy to a public web site.

Re:not share with "the world" just "customers"

[Bruce+Perens]

Well, your question isn't all that clear. If you mean should the QSDK and OpenWRT people be paid, technically they could demand monetary damages but the community principles that most of them adhere to say they prioritize compliance over damages. An developer support organization like SFLC may ask for some damages for the purpose of supporting its own activities.

If you are asking if their own employees and consultants should be paid, they usually are. But the cost, even with the source code distribution necessary for license compliance, is very small compared to making your own kernel. You can buy a proprietary kernel, but in general they aren't as good and they can be very costly. For example you can get Nucleus. Which supposedly is good enough to support nuclear plants, but if you want modern networking facilities, you may have to pay big bucks for them to be added.

Re:not share with "the world" just "customers"

[mjg59]

There is no requirement to put up a download link, but there is a requirement to provide the source code to any third party that asks for it

Re:not share with "the world" just "customers"

[jrumney]

Not if they give the source code with the router. The requirement to give it to anyone who asks applies if they give a written notice with the device giving details of how to request source code.

Re:not share with "the world" just "customers"

[mjg59]

They didn't provide the source code with the router.

Re:not share with "the world" just "customers"

[FatdogHaiku]

Ah, that was what I was wondering.
Sorry to have been unclear.
Thanks

Re:not share with "the world" just "customers"

[FatdogHaiku]

What I was wondering was what kind of costs Symantec could attempt to recoup for providing the source... I think the AC below covered it.
Thanks Bruce, keep up the great work.

Re: not share with "the world" just "customers"

[Bruce+Perens]

No significant cost. Take it easy.

Re:not share with "the world" just "customers"

[johnw]

It's perfectly legal to keep modified GPLed code to yourself,...

True enough, but that's not the case under discussion.

The assertion made was that if you distribute binaries you need only offer the source to people to whom you have given the binaries. This is just plain wrong, as I explained.

Re:not share with "the world" just "customers"

[johnw]

No, they don't.

All they have to do is offer the source to people who own the router and be done with it.

Just repeatedly posting this nonsense isn't going to make it true. Read the GPLv2 (and the relevant section has already been posted in this discussion) and realize that you are wrong.

(Interestingly - if they shipped the source code with the router that would fulfil the licence requirements, but just offering it to people who already have the router wouldn't.)

Re:not share with "the world" just "customers"

[RockDoctor]

That applies if the binaries are distributed,

The binaries have been distributed on a memory device, buried in a fancy case that says "Symantec Core Router" (or something - whatever this device is).

The non-distributed case is for products that are not sold as such, but kept entirely in-house. If you build your own Widget and only use it on your own sites, then you're not distributing it (Google's millions of servers probably fall in this category). If you build a Widget which is used as a tool only by your staff working as contractors on other companies sites, that probably doesn't count as distributing it either (it's still not public). Quite how far you go before it is "distributed", I'm not sure, but it's somewhere beyond that level.

Re:not share with "the world" just "customers"

[mjg59]

GPLv2 3(b):

Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code

Minor correction

For years, embedded device manufacturers have been illegally using Linux.

Ahem. They have been illegally copying Linux. You're allowed to use Linux without any terms. Copying is the activity that Congress passed laws to restrict.

It's a minor detail, as long as everyone reading your words understands what you really meant. But imagine the various conclusions that a Trump-level intellect might make, and the misinformation they would spread. That's why you should really say what you mean, rather than having faith in readers.

Re:Minor correction

[Provocateur]

It's not a semantic thing, is it?

But "Trump-level intellect," that's rich; mind if I use it?

Re:Minor correction

imagine what a Hillary-level intellect might do with this: you'd be droned before breakfast....

Re:Minor correction

[Archangel+Michael]

Trump-level intellect

You sound like Trump when you say that.

How about you rise above Trump level insults, mkay?

Re: Minor correction

[Archangel+Michael]

You forgot to mention Russians and Porn Stars.

Re: Minor correction

[thunderclees]

Bill and Hillary?

Re:Minor correction

[cascadingstylesheet]

But imagine the various conclusions that a Trump-level intellect might make

Yes, you might end up as President or something. Be careful!

Re:Minor correction

[Bruce+Perens]

Sorry, Martin, it really is unlicensed copying that is the violation. The way it works is when you violate the license, the copyright holder (plaintiff) goes to court and says "the defendant is infringing my copyright by making unlicensed copies". The defendant answers with their defense: "I am not violating copyright because I have a license". The plaintiff then shows all of the ways that the defendant is not honoring the license terms, and thus demonstrates that the act of copying was unlicensed and that for the defendant, all rights were reserved and are thus being infringed. The tort is making unlicensed copies.

Re:Minor correction

[Bruce+Perens]

If you violate the GPL, what you are charged with is making unlicensed copies. The thing everyone gets wrong about that is that the license then becomes your defense and you have to prove that you were complying with the license, in order to defend yourself. And of course if you've been brought to court over this, you probably can't.

This could have been avoided

[OrangeTide]

If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions.Plus it has great networking and packet filtering.

But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.

Re:This could have been avoided

I came to the comments to say just this. The BSDs are the way to go if you're going to make closed commercial software. We don't mind, and we welcome any donations or patches as a way of saying thanks!~

Re:This could have been avoided

[nnull]

They don't care. The product is out and then discontinued in a year or two. Rinse and repeat.

Re:This could have been avoided

[thegarbz]

If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions.Plus it has great networking and packet filtering.

So far more effort required on their part vs ... just uploading the source code on the web? Yeah I can see why QSDK.

Re:This could have been avoided

[Kludge]

But most companies would rather try to save some money and effort doing things the wrong way.... .

It probably would have cost Symantec a lot of money, not just some, to get BSD running on their router hardware. OpenWRT was written to run on hardware found in routers.

In the long run that strategy is most costly.

Evidence? What is "most costly" about releasing the source code for their hardware? Will people stop buying their routers just because the source code is available? Historically I have found this to the contrary. Routers that support 3rd party firmware tend to sell for more money than than the ones that do not.

Re:This could have been avoided

[OrangeTide]

I've worked for a companies that struggle with uploading source (I mainly work as a Linux system software developer for embedded products).
Cisco has trouble with this, because they are incompetent. NVIDIA, because they are paranoid about trade secrets.
Amazon was good about sharing source when I worked there, but they've gone down hill as that team got bigger and more paranoid.

Re:This could have been avoided

[OrangeTide]

Giant lock on your single CPU router SoC is not a big deal.

The removal of the BKL is even recent in the Linux kernel (2010?), and it isn't making our typical 1-10 core environments faster or better. I think engineering for a purpose is more important than an expansive feature list.

If you wanted to make a massive parallel cluster then you really should run Linux, like many super computers do. (sorry FreeBSD!)

Re:This could have been avoided

[sjames]

Releasing the source isn't costly. NOT honoring the license by releasing the source is what can get costly.

Re:This could have been avoided

[MrMr]

I think you've just described copyright law.

Re:This could have been avoided

[Bruce+Perens]

There isn't really a BSD distribution comparable to OpenWRT. I suspect the BSD license is one reason for that. A lot of people don't want to spend their free time producing corporate welfare. If a corporation wants to participate, they expect the corporation to return value to the Free Software community.

Re:This could have been avoided

[Bruce+Perens]

I really do charge companies to fix their GPL violations. Many of them have looked at the cost and decided to keep violating. I can't, unfortunately, tell you who they are. But if you don't believe that their infringement is wilful, I can tell you for sure that many companies are wilful infringers.

Re:This could have been avoided

[OrangeTide]

Point is though that there is a right way, and that way isn't the FreeBSD way.

Point noted, but dismissed as not applicable in this context. Thank you for your contribution.

Re:This could have been avoided

[tlhIngan]

If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions.Plus it has great networking and packet filtering.

But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.

The problem is, most SoCs run Linux. The problem is SoC vendors really only support Linux. Getting one to support BSD is quite iffy - if they've even heard of it at all.

And unfortunately, it's impossible to port it yourself - modern SoCs are so complex and poorly documented that one really cannot port it over without a lot of help from the SoC vendor. Even getting register lists from some of them is like pulling teeth.

Re:This could have been avoided

[OrangeTide]

And unfortunately, it's impossible to port it yourself

That's my old job from Cisco.

Even getting register lists from some of them is like pulling teeth.

Sorry about that. That's my current job at NVIDIA. It's not as straight forward as zipping up our documents and handing them over.

Re:This could have been avoided

[OrangeTide]

Most corporations do not want to join your religion, or don't understand it.

They are free to develop in-house. But yeah to leverage a community driven projects like OpenWRT means that a community of open source advocates and the needs of a corporation would have to align. Or one or two crackpot BSD fanatics do it just to prove a point.

Now there are consultants that have their own BSD distros for embedded systems. You can hire them to get access to it. That's not the same model that Free Software advocates are used to, but it is a model that does make sense in the corporate world.

Re: This could have been avoided

[Bruce+Perens]

Consultant - private BSD is not a model used extensively, most companies are still using Linux and other GPL software regardless of what they feel about the terms, simply because it has what they need and it's more mature with a larger development community. And by the way, this has nothing to do with religion and its offensive for you to imply that it does.

Re: This could have been avoided

[OrangeTide]

Consultant - private BSD is not a model used extensively,

I never said it was common. Popularity doesn't alter the point.

most companies are still using Linux and other GPL software regardless of what they feel about the terms

For the ones that use it but don't comply with the terms pay a price. A price that is likely higher than the costs of porting the kernel to their board/SoC.

with a larger development community.

Really businesses don't care too much about that. The value of a large community is debatable. Especially if you can't share secret unreleased products on a public forum. I run into this one frequently at my current job. In some cases we reached out and hired people in those large communities.

Re: This could have been avoided

[Bruce+Perens]

I learned how fruitless going your own way was when I worked for HP. Around 2000, they budgeted a Billion dollars to add IPV6 to HP-UX. This was of course completely insane.

Then I had Symbian for a consulting customer. And they were really adamant that the Symbian OS was their strong point and really all of the value in their company, and they had just spent a similarly astronomical amount to put IPV6 in it. I suggested they port their GUI to Linux, but it turned out their GUI came from SONY or they had more than one and didn't like any of them. Of course I watched the Symbian ship sink, unable to convince them to do anything to save themselves.

Ultimately, systems programming is not what sells your hardware. What sells it is only what the customer sees, and that's the GUI, the application software, some hardware features but not most of them, and the performance (so your OS should not be slow or crash, because the customer sees that).

So, it makes the most sense for a business to get all of its systems programming from the source that is the best and requires the least extra work - like porting - and then move all of the dollars saved to stuff the customer sees.

If it costs you more to use BSD rather than just getting your GPL compliance in order, you lose.

Re:This could have been avoided

[thegarbz]

It's interesting that you haven't mentioned any that are ignorant. Not sure if this is a good or bad thing.

Re: This could have been avoided

[OrangeTide]

I can't really blame Symbian for thinking they can succeed when RIM and Apple succeeded even if Palm failed.

Systems programming makes the system work and met its requirement. It is the bare minimum necessary to have a product. And isn't at all about selling the hardware. My contributions don't sell more Kindles or SHIELDs or Switches. My team makes sure devices can be manufactured and run without a flood or support calls. And to the original point, that it meets requirements like not disclosing IP the company wishes to protect.

So, it makes the most sense for a business to get all of its systems programming from the source that is the best and requires the least extra work - like porting - and then move all of the dollars saved to stuff the customer sees.

Assuming everyone has the same needs and goals are aligned. Which is frequently not the case.

Re:This could have been avoided

[ebvwfbw]

Freebsd is a great OS, if the year is 1990. By 1995 there were arguments over this. By 2000 a few arguments over this. By 2010, nobody that knows what they're talking about would say - hey let's develop under BSD. Now I wish it would just die and go away along with debian. We should all get unified instead of having so many different versions out there.

Re:This could have been avoided

[sad_]

true, now you try to do the same with their software!

Re:This could have been avoided

[OrangeTide]

Different systems for different people is better than a unified computing platform. Not that there is much difference between FreeBSD and Linux architecturally. They are both POSIX and try to emulate the user experience of a decades old OS. It's rare to find software that will only run on one of them.

If you want a monocultural of operating systems you could switch to Windows. That one has the most weight behind it in terms of numbers and is standardized by a central authority (Microsoft). If everyone used Windows we could have all the benefits you are imagining that will occur when we "get unified".

Re:No they are not.

Wrong, even if they just use an off the shelf openWRT firmware image, they have to provide a way for you to have the source code. Additionally the declaration that it is licensed under the GPL.

How difficult is it to show source?

[QuietLagoon]

Geesh, even my TV's manufacturer makes the source code available... http://oss.sony.net/Products/L...

Re:How difficult is it to show source?

[sinij]

It isn't difficult until lawyers and suits show up. Then it becomes impossible.

dipshit

Copying is the activity that Congress passed laws to restrict.

copying is what you do when you install the firmware onto the devices you're manufacturing.

Read-only firmware is good - most of the time

[davidwr]

Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management.

For devices like this, firmware should have a hardware-enforced read-only setting that is on by default. Signed binaries are only as "secure" as the master signing keys, and if I can't install my own firmware I don't really "own" it, now do I?

If I want to flash my firmware, I should have to toggle a switch.

Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

Re:Read-only firmware is good - most of the time

[Dutch+Gun]

If I want to flash my firmware, I should have to toggle a switch.

Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

I think your risk assessment needs re-assessing.

What do you think is more likely: that a) a vulnerability will be found in the router's firmware which requires patching, or b) that the encryption keys will be lost, the update domain hi-jacked or intercepted, and the bad actor will manage to deliver an update package complete with malware, signed with stolen keys?

I'd bet a goodly sum that option a) is vastly more likely to occur than b), simply based on history. And yet you want to disable automatic updates by default? For consumer-oriented products, that seems completely backwards to me.

Not... really

[DeathToBill]

If Symantec are distributing Linux, then they need to make the source code for Linux available to their customers. If their system is based on OpenWRT, then they need to make the source code for OpenWRT available. Saying "Symantec needs to share the Norton Core Router's code with the world" is essentially saying that every piece of software written for Linux has to be open source - and it just ain't so. The GPL may be viral, but it's not that viral.

Re:Not... really

[countach]

They don't have to distribute copies of Linux code unless they modified it. They just have to make sure users can get the code if they want, and if it's unmodified then users can get it from the usual places.

Re:Not... really

[Bruce+Perens]

No. They are required by the license to distribute the source code themselves, whether or not they modified it. They can't satisfy the license obligation by pointing to a public web site, because the public web site is not itself obligated to stay running for the purpose of satsifying Symantec's license obligation.

Re:Not... really

[Bruce+Perens]

A lot of people get this wrong. If you redistribute GPL code, you are responsible to redistribute the source code too. Directly, and even if you never modified anything. You can't point to anyone else's web site because those people aren't obligated to keep their web sites going to satisfy your license obligation.

Re:Not... really

[Bruce+Perens]

I guess everyone on Slashdot knows better, but taking legal advice from Anonymous Coward is considered harmful :-)

Re:This approach is absolutely counterproductive

[iggymanz]

Not counterproductive at all, there is a purpose that is for the customer's benefit to the GPL. How do you know the drivers they chose to use aren't GPL?

Re:This approach is absolutely counterproductive

[sinij]

How do you know the drivers they chose to use aren't GPL?

WAG based on how other products of this type usually work.

Re:This approach is absolutely counterproductive

This dogmatic approach to OS is absolutely counterproductive. So what if they used Linux?

Tell you what, start pirating Symantec's software, and see if they come after you for copyright infringement.

If you don't wish to comply with the GPL for Linux, you are entirely free to fuck off an not use Linux. If you use Linux, you have to accept the license, just like with every other piece of software.

If a company like Symantec is just going to steal other people's work and pass it off as their own, why should we refrain from stealing their work? Symantec doesn't get to take the stance that pirating their software is bad, but it's OK if they pirate someone else's. And I assure you, they would not accept you pirating their software.

As has been pointed out, the *BSD licenses basically say "hey, you want to take this and do something with it and turn it into closed source, be our guests". Linux, however, has said that you don't get to do that.

This isn't dogmatic, this is copyright law and software licenses. And the assholes who run corporations don't get to decide to take Linux and not abide by the terms and conditions.

It really is as simple as the fact that if you're not willing to follow the license agreement, don't use the software.

There is no software company on the planet who can make the argument they didn't know this, because this has been well known for 20+ years. It's hardly a secret.

Which means Symantec are assholes who feel they can do just ignore that, and profit off other people's work by stealing it. Allowing corporations to get away with that isn't dogmatic. It's holding them to the exact same fucking standards the use to protect their own work, which means they have no valid excuse for ripping off stuff from other people.

Corporate greed doesn't give them the right to software piracy. They don't have some inherent right to use that software any more than you have a right to theirs.

Their own website says:

Symantec respects the intellectual property rights of others and responds to notices of alleged infringement.

and

Report software piracy and other suspicious activity. Learn about types of piracy, fraud and other abuse (including Tech Support Scams), what are their consequences and how to avoid becoming a victim.

Sorry, but there is no way in hell you can accept a company like Symantec ignoring the terms of the GPL and pretending it's not a big fucking deal. Because they can't possibly not know they're breaking the law.

Fuck that, stop making excuses for them. This isn't 'counterproductive', this is the entire point of the fucking GPL.

Do these people ever use Open BSD? Just Wonderin

[shoor]

My understanding is that Open BSD is the most secure of the OS's and uses the BSD license which is 'looser' as in, it lets you get away with more.

My speculation is laziness, so many hands have developed so much software around Linux, OpenWRT being a good example, that the programmers hired by these companies can just drop the stuff in.

But maybe there's more to it than that, which is why I'm posting the question.

This is why I'm against the soft-shoe approach

[Trailer+Trash]

This is why I'm against the soft-shoe approach to GPL violations in every case. Symantec is a large enough company and the people working there absolutely know what their responsibilities are. We need people who'll go after them for statutory damages to make an example.

Re:This is why I'm against the soft-shoe approach

[i.r.id10t]

Get a commit to the kernel tree accepted and when your copyright is violated go after them how you will.

Then again, wasn't there a recent thing here about someone doing just that and not getting support for his/her/its efforts?

Re:This is why I'm against the soft-shoe approach

[Trailer+Trash]

My understanding of that story was that the guy was going after companies that were not the size of Symantec and possibly weren't aware of their obligations.

Re:This approach is absolutely counterproductive

[iggymanz]

See, if they complied with the GPL2 we'd know the answer to that. Very useful thing for the customer.

For what many of these vendors want to do, the BSD license is more useful.

Re:No they are not.

[johnw]

A simple statement that the source is freely available elsewhere is sufficient to fulfill this requirement.

Again - not true. This option is available only in the case of non-commercial distribution. If you want a copy of Linux and I fling you one of my old CDs then I don't need to make you an offer of the source as well.

If OTOH, I sell CDs of Linux as a business, I do need to make provision for you to be able to ask for the source as well.

c) Accompany it with the information you received as to the offer
        to distribute corresponding source code. (This alternative is
        allowed only for noncommercial distribution and only if you
        received the program in object code or executable form with such
        an offer, in accord with Subsection b above.)

The text of the GPLv2 is freely available and very comprehensible - why don't people read it?

Wouldn't That Be True

[Greyfox]

Wouldn't that be true only if they actually modified any of the original source? If they've made no modifications to any of the packages, then all the source for the thing is still freely available. Just not from them.

Re:Wouldn't That Be True

[david_thornley]

In which case it costs them approximately nothing to distribute the source, and it won't reveal any secrets. They're required to make the source available, and they're responsible for keeping it available. If they want to have a third party do that, they need to make sure the third party continues to do that.

Re:This approach is absolutely counterproductive

[Bruce+Perens]

Even if they publish the source, it won't include drivers, so it isn't like you will be able to compile and use it.

Actually, they are obligated to provide the drivers. Some people (never me) used to think that dynamically linking device drivers protected them from the GPL. But besides the other arguments that dynamic linking is not protective, we've just had the Oracle v. Google case declare that APIs are copyrightable, overturning what we thought we knew for 20 years from CAI v. Altai. One effect of this new court precedent is that it doesn't matter how you link, it's using the API that makes your code a derivative work.

Of course some future case could change this - and in general Free Software folks have good reasons not to want APIs to be copyrightable. But you can take that decision to court and win your infringement case, and most likely the folks you charge don't want to argue this up to the Supreme court rather than release their device driver.

Re:No they are not.

[Bruce+Perens]

Just in case anyone didn't already realize, this AC is wrong :-)

Yes and no!

[internet-redstar]

YES, they need to distribute the source code of the GPL components to customers who ask for it.
NO, they do not need to release the source code of their proprietary software components as long as they are stand-alone programs (just like Oracle doesn't need to release the source code of their expensive database). A mix of OpenSource components and proprietary software is perfectly fine.
YES, they also should add the correct license statement additions into their EULA.
In Europe, we http://www.linuxbe.com/ can help, in the US, they can ask Bruce Perens if something would be confusing...
GPL compliance IS important, but lets not turn it into a witch hunt.

Re:Nice Headline, but not much substance to it

[internet-redstar]

The GPLv2 license is simple that if you have used anything that is released under the license, then you need to make that available to your customers as well. This includes any modifications you may have made to the original software. The accepted line for this has been that as long as you are not linking anything with the GPL software, you do not have to make your software open as well. This gets even more interesting as the apps that have been written that are dynamically linked with standard libraries are also not subject to being released under the same license. This last part is sometimes debated by a lot of folks and GPLv3 makes this use even more complex, as it puts restrictions on how the software can be used.

So what does Symantec need to do here? Simple, own up that they are using the QSDK and as long as they have not made any changes to this, they just need to point folks to the release tarball. If all that they have done is add some new binaries in the filesystem then that is not a violation of the GPL. However, if they have made changes to the packages that openwrt builds, then they need to publish that.

This might be what you feel is the meaning of the GPL, but that isn't what the GPL states.
When a customer asks for the source code of the GPL licensed software, Symantec is legally obligated to provide it.
Also, they are (legally) required to add the GPL (and other licenses) additions to their EULA. Including where to write to, to obtain the source code.
They are not required to 'publish' anything. Merely provide the source code when asked for it (including possible changes to openwrt builds). They might find it practical to 'publish' or 'collaborate upstream', but are under no legal obligation to do so.

Re: Nice Headline, but not much substance to it

[Brockmire]

Wow, no need for $50k annual license for Qualcomm closed source drivers anymore. Their drivers have always been shit, but the ones in OpenWRT are just shit.

Re:This could have been free.

[OrangeTide]

Releasing source code is a NO effort thing.

I spend such a tremendous quantity of time on this in my current job that I'm a little offended.

GNU-Linux

[Latent+Heat]

They have been illegally copying GNU-Linux? Or at they just breaking the law with the Linux kernel and not using any of the GNU utilities?

Big Overstatement

[SwashbucklingCowboy]

"Symantec needs to share the Norton Core Router's code with the world."

1. Not the world, but with customers, though practically speaking, might as well be the world.

2. Not all of the code, but all of the GPL and LGPL code and anything linked to the GPL code and strictly speaking, if they statically linked LGPL code, then at a minimum the object files needed to recreate the executables.