Harald Welte's blog
   


Creative Commons License
Articles on this blog/journal are licensed under a Creative Commons Attribution-NoDerivs 2.5 License.


       
Mon, 07 Dec 2009
Palm sued over GPL violation in muPDF

As you can see in this techworld post.

Apparently they are using the GPL licensed muPDF library and link it against their proprietary PDF viewing application. If that is true, then it would be a very straight-forward, FAQ-type violation. muPDF is not LGPL but GPL licensed, thus you cannot create derivative works without licensing them under GPL, too.

The whole license management and even software release management at Palm seems to be very sloppy. For example, based on the object code and disassembly, I can prove that the source code for libpurpleadapter on opensource.palm.com does not (or no longer) correspond to the object code that they ship.

What's particularly surprising is that Palm actually is forcing Artifex to go to court over this issue. You would expect such a straight-forward issue to be resolved fairly quickly and settled out of court, before it ever escalates or turns into a PR disaster.

You would expect a company that is regularly building and releasing firmware images to have an automatic process that packages the source code as part of the build process. In fact, Palm uses OpenEmbedded to build their images, and it is a standard feature of OpenEmbedded to create the corresponding source tarballs for everything it builds.

Furthermore, the Palm kernel contains several binary-only modules that indicate MODULE_LICENSE("GPL") in them - which is clearly not true. If you inquire about the sources, they will respond that they will not provide the sources.

[ /linux/gpl-violations | permanent link ]

Fri, 16 Oct 2009
Palm Pre GSM model source code available

Last night I got an e-mail from Palm that, following up on my request, the source code releases for the WebOS 1.1.2 and 1.1.3 releases have been uploaded to opensource.palm.com.

I think the response time was very quick, and I thank them for that. However, it is still sad that one has to remind them of it. Let's hope with future releases they have a fully automatic process for that.

Just to be very clear: The GPL does not state that you have to automatically have the source code on a web site. But the way Palm's written offer is phrased, they say that you should visit the website to download the sources. In that case, the web site of course needs to contain the sources...

Additionally they also offer the source code on a storage medium, if you write them snail mail to a specific address - which is a good safeguard since the GPL says it has to be made available on a storage medium commonly used for software interchange.

[ /linux/gpl-violations | permanent link ]

Wed, 14 Oct 2009
TI tries to stop alternative operating systems on its calculators by the DMCA

Apparently, TI has been trying to use the DMCA and U.S. copyright to stop third-party developers from working on or distributing alternative operating systems for some of their calculators.

The stock OS that TI is shipping uses a cryptographic signature process to prevent the user from booting any non-TI operating system. However, the signature verification was broken and people have managed to run their own software, developed independently of TI's software.

TI is now claiming that the DMCA DRM restrictions are applicable to this case, and that the signature process constitutes a DRM system. This is obviously bogus to any technical person. The TI firmware is not encrypted, and you can copy and run it on other hardware or an emulator if you please. The protection mechanism is rather the other way around: The hardware authenticates the OS.

The Electronic Frontier Foundation has taken up the case and is defending some of the affected people from the community against TI.

As you can see from the EFF letter to TI, the EFF cites a number of precedent cases where the courts have ruled in very similar cases that such a mechanism is not a DRM system on the software.

That precedent summarized in the EFF letter is actually very exciting to me. It is directly applicable to all kinds of locked-down devices. Let's assume we're talking about a Linux-powered device like the Tivo, Motorola MAGX phones, the G1 phone (non ADP-Version). They all use GPL Licensed software that is cryptographically signed to prevent the user from exercising his Freedom to run modified versions of the GPL licensed program.

Precedent that indicates that such a system does not constitute DRM as protected by the DMCA means there is a lot more freedom for people to break such systems and freely talk about how it was performed, as well as distribute alternate software images for the respective devices - as long as the code they use is either their own or Free Software and does not contain proprietary bits of the device vendor.

[ /linux/gpl-violations | permanent link ]

Palm Pre GSM Version sells in Germany - No corresponding source code

Some 4 months ago, I wrote about Palm shipping the Palm Pre CDMA version in a GPL incompliant way. You should assume that the company has learned about their mistakes and created opensource.palm.com as a site to host their source code, compliant with the GPL and other Free Software licenses.

Yesterday, the Palm Pre GSM model started to ship in Germany through O2 Telefonica. The WebOS version installed on the device is 1.1.2, and they are doing an OTA upgrade to 1.1.3.

Both of those versions are not available on the Palm opensource website!

Again the same mistake!

I wonder how much this tells us about the development procedures and release management inside Palm. We know they use OpenEmbedded to build their packages and filesystem image. OpenEmbedded can automatically generate the source code tarballs (+ patches), so the entire process of putting them up at the website could and should be automated. No manual intervention, no mistakes, no license violations.

I have asked my lawyers to send a letter to Palm, demanding immediate release of the complete corresponding source code. If they do not comply, I am prepared to take legal action against O2 who is distributing the devices in Germany. I desperately hope we do not have to escalate to this point. If we go there, I'd better not imagine how upset O2 will be about Palm and how this will affect their business relationship.

It is so easy for Palm to have that source code on their website. We know that for technical reasons (see above). Why are they deliberately exposing themselves to the legal risk? Why are they willing to accept all the negative PR from them not respecting copyright and the GPL?

Please don't get me wrong. I am not set out to continuously complain about Palm. I would like to see more Linux phones. But why do they have to do everything wrong they can do wrong? Why do they not have somebody to advise them on playing nicely with the legal requirements of the technology they use?

[ /linux/gpl-violations | permanent link ]

Wed, 07 Oct 2009
Netgear trying to fool their users with "Open Source Router"

Two days ago, Netgear announced the so-called "Open Source" WNR3500L router, together with an equally "Open Source" MyOpenRouter community.

The problem with this Open Source router is: It ships with binary-only kernel modules. Not only is this extremely Closed Source, but it also

  • has very practical security implications: You can never update your Linux kernel to get the latest security fixes, but have to run vulnerable old kernel versions
  • is a very questionable legal practise. Netgear as the vendor is simply relying on the fact that none of the authors who have written parts of the kernel against which their binary-only module links will ever make copyright claims against them

One would have hoped that Netgear did thoroughly study the Open Source market that they're trying to address. Apparently they either did not do that, or they chose to ignore the values/rules by which this community works, or they had somebody with limited understanding to advise them on this.

If anyone has a relationship with Netgear and contacts to the product manager responsible for this product, I would like to ask them for an introduction to that product manager. I would be very happy to help them understand the embarrassment and PR impact that they are putting themselves into by releasing an "Open Source" product that is in fact legally questionable and proprietary.

There are people in the various communities (like OpenWRT or OpenMoko) who have a very clear understanding of what it takes to create a true Open Source product to address the Open Source market. Why are they not asking those experts?

Netgear, you can do much better than that!

[ /linux/gpl-violations | permanent link ]

Wed, 19 Aug 2009
GPL case in Denmark potentially involving NDS Viasat A/S and/or Samsung

As you can see at this website, somebody has discovered what seem to be very clear GPL violations in a device called "Samsung DSB-H670N". At the moment it is not clear who is the actual cause of the GPL violation.

However, what is outstanding about this case is that an individual on his own is trying to bring the respective companies into compliance. I think it serves as a great example of what somebody can do even if he is not one of the clear copyright holders and just keeps insisting enough and communicating with the companies involved.

I'm definitely looking forward to seeing how this turns out. gpl-violations was not involved in any way. We're continuing with many cases at any time, so don't worry. I just thought this particular action is worth mentioning to the interested reader. Maybe some other people get inspired by it and also stand up for their rights to the source code of GPL licensed programs.

[ /linux/gpl-violations | permanent link ]

Mon, 20 Jul 2009
Launch of International FOSS Law Review

I'm a bit late with this, but the occasional reader of my blog might be interested to hear about the launch of ifosslr.org: International Free and Open Source Software Law Review, the only legal journal that focuses entirely on legal aspects of FOSS, which obviously includes license and specifically GPL related issues.

If you look at the editorial committee, you will recognize many prominent names in this field.

It's very good to see this, as it means that more lawyers now have a resource for enhancing and sharing their knowledge about legal aspects of FOSS.

I have heard about this project from its beginning in the Legal Network of the FSFE Freedom Task Force. I know there has been a lot of (volunteer) work put into the publication of this first edition/volume. Thanks to everyone involved, from authors to editors to people who took care of administrative issues.

[ /linux/gpl-violations | permanent link ]

Wed, 08 Jul 2009
NerdAlert podcast / radio show

Today, I was invited for an interview with the German nerd alert podcast. The show was also broadcast live via the free public FM radio station FSK Hamburg.

Much of the interview is about my work at gpl-violations.org, but we also covered quite a bit about Openmoko as well as OpenBSC. I had a good time in the more-than-one hour interview, despite it somehow being too short to cover more about the motivation and reasons behind each of the projects....

I'm not sure if the podcast is available yet, but I suppose it will be accessible from the homepage of today's show.

[ /linux/gpl-violations | permanent link ]

Sat, 20 Jun 2009
ScummVM settles GPL dispute with Mistic software

As you can see from this press release, ScummVM accused Mistic Software and its distributors of infringing the GNU GPL in some proprietary games based on ScummVM.

As it seems, this case was now settled. The press release does not make any statement on how the actual GPL issues were solved (i.e. "where is the source code"), but I would assume they would not want to settle unless the conditions of the GPL are fulfilled...

If anyone has more information, I'm interested to learn about that.

[ /linux/gpl-violations | permanent link ]

Tue, 16 Jun 2009
I'll be talking about GPL violations at LiSoG on July 1st in Munich

At the LiSoG meeting on July 1st, I'll be presenting on GPL violations and their international enforcement.

The LiSoG meetings have been repeatedly pointed out to me as some of the best Linux meetings out there, with a lot of professionals from the Munich area being present. I'm happy to be invited to join and present, even if it means I'll have to escape for a day from my most exciting project in Hamburg.

So if you happen to be in the Munich area and interested in meeting with a crowd of Linux people and/or interested in hearing about GPL enforcement efforts, feel free to join. But you have to register [for free], as per instructions on the page linked above.

[ /linux/gpl-violations | permanent link ]

Thu, 11 Jun 2009
Palm Pre is shipping GPL incompliant

As it has been reported at many places online, the Palm Pre has started to ship as a CDMA model in the United States. However, as it seems, at this time it is not GPL compliant and thus a copyright infringement!

The Pre undoubtedly contains Linux and other GPL licensed software. So it ships with the GPL license text as well as a written offer indicating how to obtain the source code. So far so good.

But if you contact the respective address, you get a response like this:

Hello Harald and thanks for your email.

We are in the process of preparing the packages and our modifications
to upload them to our open source web site - http://opensource.palm.com.
We expect to have all packages and modifications uploaded and available
to the public in about 2 weeks from today.

If you prefer to get the packages and our modifications on a CD/DVD,
please provide us with your mailing address and we will gladly ship it to
you as soon as they are available on our web site.

Please let us know if you have any further questions.

All the best,
Palm Open Source Team

I think it is a bad sign that they write they are in the process of preparing the packages and our modifications. This sounds suspiciously like "we didn't think about it early enough and now we need to reproduce the source code that was used for actually compiling the build that is installed on the devices".

Since when did the object code exist before the source code? If you compile e.g. the Linux kernel, you _have_ the source code before you generate the object code. So you should be easily able to make the source code available at the same time as the object code!

I would have expected much more from a company like Palm. If you as a commercial entity want to use GPL licensed software, you don't have to pay one cent in licensing or any royalties. All that you have to do is to make sure you have the complete corresponding source code that was used for compiling the actual binaries available at the time you start shipping the object code.

Providing a written offer and then delaying is not good GPL compliance practise and introduces legal [and thus business] risks that could have been easily avoided. Let's hope the source code is really complete and corresponding within those two weeks. And let's hope they never repeat this with another product, or with software/firmware updates for the Pre.

[ /linux/gpl-violations | permanent link ]

Fri, 24 Apr 2009
Some notes about the FSFE FTF Legal Workshop

I'm currently on the train heading back home from Amsterdam, where the last two days I've been attending the 2009 Legal Workshop of the Legal Network of the Free Software Foundation Europe.

I have to admit that it was a big surprise to me that the constructive atmosphere and the quality of the presentations, panels and hallway discussions have even improved beyond the already exceptional level last year.

So even if some of the more technical readers of this blog would find it hard to agree: It can actually be a lot of fun to spend two days locked up in a conference room full of 40 lawyers :)

It was very clear that the Free Software license compliance has moved ahead quite a bit since its early days. We have had a number of independent lawyers as well as corporate legal counsels from various backgrounds, as well as some folks like myself with a very technical background but a vested interest in legal aspects of FOSS.

Let me report on some of the most exciting parts of the workshop, at least from my perspective:

  • An official representative of WIPO reporting on their recent considerations regarding collaborative creative work such as FOSS and the creative commons projects
  • Very insightful talks about software patents and the various new projects like the Open Innovation Network, LinuxDefenders, Peer-to-Patent, etc. I believe the significance of this work for the future of FOSS cannot be underestimated, no matter which jurisdiction you are in.
  • This year, two legal experts from Taiwan were attending and received considerable attention given the many problems that FOSS has both legally and technically with products from the Taiwanese industry
  • Last, but not least, I have made some very interesting new contacts with people involved in Linux on mobile phones

Thanks a lot to the FSFE and particularly Shane's excellent work in putting the Legal Network and the conference together. Thanks also to the sponsors of the workshop, including Canonical and Black Duck.

[ /linux/gpl-violations | permanent link ]

Fri, 30 Jan 2009
German radio station to talk with me about GPL Violations

Tomorrow at 2pm CET, I'll have a live interview in the Breitband show at the nationwide Deutschlandradio station. The show covers the topic "Open Source and Business", and they want to talk to me for a couple of minutes about the side-effects of businesses getting involved with copyleft-style FOSS without respecting the rules as put forward by the licenses.

[ /linux/gpl-violations | permanent link ]

Mon, 19 Jan 2009
Talking to ASUS about preventing further GPL violations

Had a very productive meeting today with various representatives from ASUS about how to make sure they don't continue their rather unfortunate series of GPL violations in the last year.

It was a very good and productive atmosphere and I'm confident that they are now committing the required resources and effort in fixing the mostly organizational issues that prevent them every so often from fulfilling their obligations under the GPL.

But in the end, what counts are hard facts. Let's look at the situation again in one year and see what kind of progress one of Taiwan's leading companies has made in this regard.

[ /linux/gpl-violations | permanent link ]

Fri, 12 Dec 2008
Free Software Foundation lawsuit against Cisco

As covered at lwn and other sites, the Free Software Foundation (FSF) has filed a lawsuit against Cisco. This came as a big surprise to me, but a very welcome one.

At gpl-violations.org, we had our fair share of dealing with Cisco (and particularly Linksys, a Cisco division). We have never received any entirely satisfactory response. Sure, when you notify them of some GPL infringement, they will take some steps here and there. But in all those years, I have not seen a case where there was a thorough response. Whatever was disclosed as 'GPL source' was incomplete, didn't compile, and with the next firmware release there was again no source code for that new release. And then came the next product, sourced-in from a different OEM, and the entire process had to re-start from scratch.

Yes, they have gone and hired some engineer[s] to explicitly deal with the GPL related issues, like they have taken other steps in the right direction. But it was always superficial. Never addressing the problem at the root, i.e. have a proper in-house business process and supply chain license management to ensure the next product is not yet again a copyright infringement on GPL licensed software. It is so easy to resolve at the source, and so hard to fix later.

So the FSF's decision to take this problem to court is the most appropriate response that one can think of. A company of the size of Linksys clearly has the manpower, skill and resources - as well as the economic power on their suppliers - to once and for all resolve any GPL licensing issues they might have. Not only to the bare minimum that they might think, but all the way to leave any legal grey area whatsoever. Only if there is a demonstration of a _factual_ legal risk rather than a virtual legal risk, they will get the motivation necessary to just 'stay clean' and not try to bend the license to its extremes.

So you might think "why did you (i.e. gpl-violations.org) not take it to court?" For one, I only hold copyright on certain parts of the Linux kernel, and not for large amounts of code they use. Also, a number of the particularly problematic products were not shipped into the German jurisdiction, and thus a case could not be made over here. Furthermore, many of the violations are not as clear black or white as most of the other cases that we take on. So the amount of work and resources required in such a case would probably draw away too much attention from all the other cases that we have.

But once again, I really welcome the FSF's action. It's funny how the historic cycle closes. Originally I started gpl-violations.org because I thought the FSF strategy was not aggressive/efficient enough in making Linksys/Cisco GPL compliant in the infamous WRT54G case five years ago. Now, it seems that even the tolerance and patience of the FSF has found an end.

Oh, and don't get me wrong: I never wanted to criticize the FSF for what they did back then. They had and have their own strategy of what they think about their own copyright. It's just that my strategy was different. It's up to every author or rights holder to decide which legal strategy fits best.

[ /linux/gpl-violations | permanent link ]

Wed, 13 Aug 2008
gpl-violations.org report in Financial Times Deutschland

The German business newspaper Financial Times Deutschland has published an article about my GPL enforcement work. To the best of my knowledge, it is the first such article in a general newspaper. All previous coverage was in publications or magazines tailored to the IT industry.

However, the content is of very low quality, and the actual facts are wrong in a number of cases. First of all, why go to a personal level and describe me as having a 'Harry Potter hairstyle', and then call me "a mixture between Bill Gates and a heavy-metal fan"? I hereby deny any similarity with Bill Gates. I had my hair style like this even in the nineties (before growing it long around 1997-2000 and then cutting it again in 2001). And I listen to a lot of weird music, though heavy metal is generally not on my playlist. Anyway, what is the point of all of that? How does this help people to evaluate the risk of GPL violations?

Further down, the article has claims like "the driver software of the router also contained some lines of code that were originally written by Welte". First of all, it is the firmware, not the driver. Secondly, it is more than a couple of lines (since a couple of lines would probably not constitute a copyrightable work).

The article also explicitly states that I am not fighting for money, but "out of principle". Despite that, it also claims "The first couple of companies are shivering expecting the destruction of their book value". That's illogical.

Furthermore, there are claims that I have focused on companies that only used a small amount of open source. To the contrary: The majority of the products that I've enforced so far contain 75% or more open source software. Only small portions were added by the respective vendors.

To the contrary, there was a recent article in the Berliner Morgenpost paper one of the CCC Leaders which was really well-researched and of high quality. Even that one gets some minor facts wrong, but still portrays a realistic picture.

[ /linux/gpl-violations | permanent link ]

Thu, 24 Jul 2008
Receiving the 2008 Open Source Award

According to reports here and here I had the honor of being the recipient of one of the 2008 Google+O'Reilly Open Source Awards entitled "Defender of Rights", presented by Google and O'Reilly.

I'm obviously very happy to see that my work has been recognized this way. Following the FSF Award in March, this is definitely a big honor. Did anyone else receive both awards in the same year so far? ;)

Thanks to the committee for the trust they put in my work. I'd also like to use this opportunity to thank again my lawyer Dr. Till Jaeger and his law firm JBB, as well as Armijn Hemel, who has been running the day-to-day gpl-violations.org operations for quite some time now.

[ /linux/gpl-violations | permanent link ]

Thu, 08 May 2008
Victory: Skype withdraws appeals case, judgement from lower court accepted

The court hearing in the "Welte vs. Skype Technologies SA" case went pretty well. Initially the court again suggested that the two parties might reach some form of amicable agreement. We indicated that this has been discussed before and we're not interested in settling for anything less than full GPL compliance.

The various arguments by Skype supporting their claim that the GPL is violating German anti-trust legislation as well as further claims aiming at the GPL being invalid or incompatible with German legislation were not further analyzed by the court. The court stated that there were not enough arguments and material brought forward by Skype to support such a claim. And even if there was some truth to that, then Skype would not be able to still claim usage rights under that very same license.

The lawyer representing Skype still continued to argue for a bit into that direction, which resulted in one of the judges making up an interesting analogy of something like: "If a publisher wants to publish a book of an author that wants his book only to be published in a green envelope, then that might seem odd to you, but still you will have to do it as long as you want to publish the book and have no other agreement in place".

In the end, the court hinted twice that if it was to judge about the case, Skype would not have very high chances. After a short break, Skype decided to revoke their appeals case and accept the previous judgement of the lower court (Landgericht Muenchen I, the decision was in my favor) as the final judgement. This means that the previous court decision is legally binding to Skype, and we have successfully won what has probably been the most lengthy and time consuming case so far.

[ /linux/gpl-violations | permanent link ]

Wed, 07 May 2008
Tomorrow: Court hearing in Welte vs. Skype GPL case

Tomorrow at 10:30am at the Oberlandesgericht Muenchen (higher regional court of Munich) there will be an oral hearing in the "Welte vs. Skype Technologies SA" case. The hearing is to be held in room E.06.

This case is about a GPL violation of Skype, related to their sales of Wifi Skype phones based on the Linux operating system kernel.

I've been fighting as part of the gpl-violations.org project in enforcing the GPL against Skype since February 2007. Initially Skype didn't respond; we then applied for a preliminary injunction. That injunction was granted by the court in June 2007, but Skype chose to file an appeals case against it.

The court hearing tomorrow is exactly to debate about this appeal.

Interestingly, Skype is arguing against the validity of the GPL as a whole, asserting that it is violating anti-trust regulation and similarly strange claims.

[ /linux/gpl-violations | permanent link ]

Sat, 12 Apr 2008
Report from FSFE FTF Licensing and Legal workshop

I'm on a seven-hour train ride back from Amsterdam, where I've been attending the first Licensing and Legal workshop of the Freedom Task Force (FTF) of the Free Software Foundation Europe (FSFE).

While having a somewhat lengthy name, the FTF has been doing great work on bringing together a large group of legal and technical experts in the field of Free Software licensing. So far this was all 'virtual', happening on mailing lists. The meeting in Amsterdam was the first of its kind, and was a huge success.

By the nature of the FSFE, most of the people were from Europe, though there were attendees from the US and even Australia, too.

There were many interesting and surprisingly interactive workshops. It was also a good opportunity to meet Armijn (the second half of gpl-violations.org) and Shane (full-time manager of the FSFE FTF), as well as many lawyers, both corporate legal counsel and from law firms.

Armijn's presentation about gpl-violations.org and Till Jaeger's overview about the legal cases we've handled over the years in Germany were very well received, and there was more interest and questions than the short time permitted.

What was really good for me to see is that large consumer electronics companies in Europe and the US are now implementing internal business processes to ensure GPL and other FOSS license compliance. They're also increasingly using very clear contractual language throughout their supply chain to minimize the potential risk of any "hidden" GPL surprises in products they source from OEM/ODM companies.

[ /linux/gpl-violations | permanent link ]

Sat, 02 Feb 2008
Meeting between gpl-violations.org and FSFE FTF

The last two days, I enjoyed a meeting between gpl-violations.org and the FSF Europe Freedom Task Force.

Participating were Armijn Hemel (whom I have to thank for ensuring gpl-violations.org didn't die while I was in Taiwan for OpenMoko), Shane Coughlan (who is doing an excellent job coordinating the FTF) and myself. For a couple of hours we've also been joined by Till Jaeger, who has handled all the legal cases of gpl-violations.org so far.

This meeting has been overdue, mostly because I basically dropped off the planet for way too long. We've discussed all the current matters regarding strategies for license enforcement, current cases, progress of the FTF legal and technical networks, as well as future plans for incorporating the gpl-violations.org project.

Yes, you have read correctly. I've been planning to do this for quite some time, and I'm confident that 2008 will finally be the year in which this happens. It's too early to talk about any details, but this is the logical step to assure both financial and legal independence of the project from my person, as well as scalability. As you might know, we have a couple of hundred reported violations and can only cherry-pick those we consider particularly important.

In any case, it was a very productive meeting. I seriously believe it has helped to make all of us work together in a coherent manner, i.e. increased productivity and effectiveness for a long-term strategy to increase the amount of free software license compliance in the industry.

[ /linux/gpl-violations | permanent link ]

Fri, 14 Dec 2007
HTC TyTN II / Kaiser doesn't look like a GPL violation!

There have been numerous rumors floating around the net that the HTC TyTN II (aka Kaiser) might be a GPL violation due to a number of strings in the firmware image referring to Linux and vmlinux.

I've done some analysis on this subject, and posted my preliminary results in this posting to lkml earlier today.

So as indicated, I do not see any reason to believe there is a GPL violation with regard to the Linux kernel in the MSM7200 modem side as used in the abovementioned device.

So please stop those rumors now. I'm obviously not opposed to people being watchful and reporting/investigating potential GPL violations. But before you call it an actual violation, please rather make sure that you have some evidence!

[ /linux/gpl-violations | permanent link ]

Thu, 08 Nov 2007
Slowly getting back to work on gpl-violations.org

Today I've finally started to pro-actively work on gpl-violations.org again. I haven't been able to do any work on it for almost 1.5 years due to my intense involvement with OpenMoko.

Among my first tasks was to update the SSL certificate for our internal Request Tracker, which apparently expired quite some time ago. After that, I went through all RT tickets and deleted tons of spam from it. Now it finally looks like I can start working with it again :)

I'm also trying to catch up with all the gpl-violations.org related email, but please give me a couple of weeks, there's just way too much of it :(

[ /linux/gpl-violations | permanent link ]

Mon, 30 Oct 2006
Some more thoughts on the results of GPL enforcement

Just a small personal note: Yes, this blog is currently seeing close to no updates. This is because I'm literally working every minute that I'm awake, with no time for anything else.

But to get to the main point of this entry: The results we see from GPL enforcement. I don't want to write about the legal results, since they have always been successful, in 100+ violations that I've been dealing with so far.

I'd rather want to talk about other results. They mainly fall into two categories:

Structural results, how I like to call them, show that the vendors / "the industry" now understand the GPL [better] and thus adopt policies and business practises that are more likely to be GPL compliant from now on. This is good, since it has the potential to prevent further GPL violations down the road, presuming license compliance is something that we value and strive for.

But how does Free Software actually benefit from GPL enforcement? I'm talking about the actual software, and not the movement, the community, the advocates, etc.

How many times have you seen some code coming out of a "GPL code release" from one of the many (mostly embedded) vendors that was actually useful to be contributed back to an existing Free Software project, or even that spawned a new Free Software project? I for my part am certain to say: Zero. The actual number might be close to zero, but very small anyways.

The next logical question is to ask ourselves why it is like that. First of all, the code quality is usually extremely bad. Looking at kernel patches from the various vendors, I'd say the code quality is _by far_ off any scale that would ever even remotely be considered to be suitable for upstream inclusion. Not only do those vendors not care about any CodingStyle (which could be easily fixed), but they ignore any existing standard APIs (why use them if we can reinvent our own?), don't ever spend a single second on portability issues such as SMP, DMA safe allocations, endian issues, 32/64bit, etc. This code is "throw-away software". Fire and forget. The complete opposite of the long-term maintainability goals of about any FOSS project I know.

I would be the most embarrassed man if I ever was involved with any such software. Having your name associated with such poor quality would be like a stigma. Any technical person would laugh. And yet, the managers of those respective companies proudly announce the availability of their so-called "GPL code releases". If they only understood how ridiculous they make themselves in the technical community. It's like if they were proudly presenting a drawing from a three-year-old kid as the new Picasso. They just don't notice because the number of people with a taste of art is apparently larger than the number of people with a taste of source code quality and aesthetics.

The next big problem is the perpetual preference of vendors, even in a market with only six month product life-cycles, to use ages old software to base their code on. Of what use is e.g. an obscure netfilter patch that was developed against kernel 2.4.18, something that is many years old and of no relevance to current stable kernels or even current development?

Now you might argue "What about projects like OpenWRT?". While they are no doubt very useful, it is quite simple. Those projects mainly benefit only the customers of the (probably formerly GPL infringing) embedded devices. Therefore, they benefit specific customers, and not Free Software Users in general. Even if OpenWRT or others invest huge amounts of work and manage to clean up / re-implement some of the awkward sources released by embedded manufacturer X, and push it into the upstream project (e.g. Linux kernel), it is something that most often only a very specific user base that benefits from it. All the really interesting bits, if there are any at all, are kept proprietary by the respective manufacturers, using legally extremely questionable practises such as binary-only kernel modules.

If one thinks a bit more, this whole sad process could have been envisioned before. It's a myth to believe that Linux and other FOSS is so popular in the embedded market because vendors think it is more reliable, or secure, or even because of the maintainability, audit-ability, or even the benefits that users and developers get from being able to run modified versions of the software. If they were, we would see clean code and regular security updates. In reality almost every product is one gaping security nightmare. None of those potential benefits are of any interest to embedded vendors.

The response to the 'why' question is quite simple: They use GNU/Linux because this way they can avoid per-unit royalties that are very popular with alternative (proprietary) embedded OS's. It's a cheap commodity. Thus, it's not surprising how they treat GPL compliance. Disgruntled, not understanding the issues behind, releasing only the most incomplete non-building source code snippets that make any reasonable developer vomit at first sight. And since they themselves lack the skilled developers internally (they're not cheap!), their management goes ahead and releases something that is embarrassing. If I wanted to evaluate the technical skill-set of a company before making large-scale business with them, I'd [have somebody] look at their source code releases. It can tell a lot about technical expertise and corporate style :)

Please don't get me wrong. I'm not complaining that there is any legal shortcoming in those "GPL Code Releases" (though there often is, but that is not the point of this article). But if somebody asks me how much the actual Free Software source code benefits from the code that was released by the vendors, my honest reply would be simple and sad: None.

While this whole post might sound bitter and resigned, and like I wanted to give up GPL enforcement since it's not worth it: This is not the message that I want to put out. GPL enforcement remains important. I never assumed that there would be a lot of actual mainline-mergeable source code coming out of it, so I'm not disappointed with the enforcement. I just have the constant feeling that many people are driven by misconceptions, and nobody outside the hacker community really knows what's going on on a technical level.

[ /linux/gpl-violations | permanent link ]

Fri, 22 Sep 2006
gpl-violations.org prevails in court case against D-Link on the GPL

A couple of weeks ago, I mentioned in this blog that there was a legal victory in a ground-breaking court case on the validity and enforceability of the GPL.

Today, I have released this press release stating some more details on the case, including the name of the defendant: D-Link.

I'm quite happy to see that our arguments have convinced the court outright, and that we didn't have to go through a lengthy procedure of calling several prominent kernel developers as witnesses, and getting statements from technical experts or the like.

If you're interested in the (German) judgement of 16 pages, you can find it at my lawyers' website. An English translation is in the works, but will take another week or so.

We've already received some press coverage, mainly in Germany so far. Interestingly, in a statement of D-Link quoted by heise.de, D-Link seems determined to not take this to a higher court... which means that this judgement will soon be considered legally binding, and be one more tiny step in the clarification of legal questions on the GPL.

I'd like to thank my fellow developers Werner Almesberger and David Woodhouse, as well as my lawyer Dr. Till Jaeger and his colleagues for all their support and work. A lot of time and effort was spent in preparation of this case, and as it turned out, exactly that preparation brought the case to a quick ending.

[ /linux/gpl-violations | permanent link ]

Thu, 07 Sep 2006
Victory!

Today I have received news that we've won the first regular civil court case on the GPL in Germany. This is really good news, since so far we've only had a handful of preliminary injunctions granted (and an appeal case against an injunction), but not a regular civil trial.

The judge has ruled, but the details of the court order have not been publicised yet. I'll publicise the full details as soon as those details are available in the next couple of weeks.

[p.s.: If you're from the press: Don't bother asking me about further details on who the defendant was, or whatever else. Patience. All shall be revealed soon]

[ /linux/gpl-violations | permanent link ]

Thu, 31 Aug 2006
10 common misunderstandings about the GPL

I'd just like to point out the excellent article on 10 common misunderstandings about the GPL by Bruce Byfield.

Meanwhile I'm still working in India, just returned back from Mumbai to Bangalore. Two more days and I'll be back to Germany. For one week, at least.

[ /linux/gpl-violations | permanent link ]

Mon, 28 Aug 2006
GPLv3 conference in Bangalore

It's already four days ago, but I just couldn't find some time to write about it in this blog. The 4th international conference on GPLv3, held in Bangalore/India.

I've been to three of those four conferences now, and I guess that makes me the only one apart from the FSF to judge how it actually went, compared to other events.

And I'm sorry that I have to say that it was by far the worst of these events :(

  • They closed down registration at some fixed limit (270?) because the auditorium couldn't hold more people. However, since the registration was free, only 50% of the people who registered were actually present. And this at the expense of people who apparently have been turned away after the quota was filled. Now we had a half-empty auditorium, and people who wanted to come but were rejected.
  • The programme. Basically RMS and Eben did not only give their usual (every time updated) great presentations on the spirit and the wording of the current license draft. But then they were kept alone on the stage to reply to questions for about the same time. Nobody else but them was giving any presentations on something that is really GPLv3 related.
  • The panels. What is the point of a "business panel" if all(most) you have represented there is some small three-men-in-a-garage companies that are run by free software enthusiasts? Where have been the Infosys, Wipro, ... companies? Don't they have something to say about the GPLv3?
  • The audience. How can you come to a conference on the GPLv3 and then ask questions that
    • everybody knows will upset rms because they use Linux with no GNU/ in front
    • are totally unrelated (how can I make Autocad work on Linux)
    • reveal that you haven't even bothered reading the GPLv3 draft
    Where were the GPL-savvy lawyers, free software developers and industry representatives that had made their way to the Barcelona and Porto Alegre events?
  • The [non-existing] moderation. Why was there nobody stopping all that off-topic crap like endless discussions on why gnucash isn't conforming to the Indian accounting standards? I'm sure those are important problems to be addressed (and somebody should just hack that code into gnucash if he has a need for it). But who the hell cares about this at a conference specialized in license questions?

[ /linux/gpl-violations | permanent link ]

Tue, 25 Jul 2006
Travelling to a gpl-violations.org related court hearing tomorrow

Tomorrow morning I'll have the pleasure of travelling to Frankfurt, where the first court hearing in a particular gpl-violations.org case will happen.

Those of you who follow my actions closely (closer than the practically non-existing PR work of gpl-violations.org allows) will notice that this is actually the first 'regular court case'. So far we settled everything either out-of-court, or sooner or later after a preliminary injunction, or an appeals case thereof.

In this particular case the defendant claims that the GPL is not applicable to them for a number of reasons, but at the same time argues that he still has the right to use the software, despite not having obtained any kind of license.

I don't want to disclose the identity of the defendant yet, but I'll certainly post some more information on this pretty soon. You will all know the company, though. A very popular vendor of embedded networking gear.

[ /linux/gpl-violations | permanent link ]

Tue, 27 Jun 2006
Interview on gpl-violations.org with groklaw.net

There seems to be "interview season", since just after the lwn.net interview, groklaw.net has now published this interview with me on gpl-violations.org.

The interview was taken by Sean Daly, who has also been taking care of the audio and video recordings at the 3rd international GPLv3 Conference in Barcelona last week.

Let's hope that those interviews will raise some more awareness and prevent more violations from ever ending up in our request tracker.

[ /linux/gpl-violations | permanent link ]

Mon, 19 Jun 2006
LWN publishes gpl-violations.org related interview

Linux Weekly News has just published the second part of an interview with me. This part is on gpl-violations.org.

[ /linux/gpl-violations | permanent link ]

Mon, 03 Apr 2006
Meeting up with Armijn Hemel

During my short trip to Amsterdam, I had a chance to meet with Armijn for a couple of hours. It's always good to meet people face-to-face when you're working with them a lot, especially on delicate issues such as GPL enforcement.

We've decided on how to optimize our work-flow and how to improve internal documentation of the individual cases. The usual thing when you're used to working on something alone (i.e. knowing everything off your head) as opposed to other people getting involved, etc.

Anyway, I'm extremely pleased that somebody is helping me out. There's also another friend of mine who's starting to get involved in the project, mainly on technical issues such as verification of the source code offered by the various (formerly?) infringing entities.

[ /linux/gpl-violations | permanent link ]

Mon, 27 Mar 2006
OpenWRT terminates GPL License to SveaSoft

It might not be something new to you at all, but it was new to me, since it happened during my holidays: OpenWRT has sent SveaSoft a note of termination of rights under the GPL.

I've had SveaSoft on my radar several times, but the whole situation seems to be so messy, and there seems to be a history of different violations with each and every release they made. Also, there seems to be quite some confusion on the whereabouts of the developer[s?], which makes it difficult to find an applicable jurisdiction.

[ /linux/gpl-violations | permanent link ]

Fri, 24 Feb 2006
How to boot your own kernel on the Thecus N2100 - and prove it violates the GPL

My latest candidate for gpl-violations.org (and hopefully the last before finally leaving for holidays): The Thecus N2100 and N4100 NAS devices.

The Thecus boxes seem nice, at first sight. Apparently somebody recognized the need for a bit more performance, so there's an Intel IOP 80219 with 64bit PCI-X support, DDR400 memory (actually in a socket), an empty miniPCI slot (great!), USB2.0 ports, and SATA (yay). This should definitely be more promising than the usual 33MHz 32bit PCI / IDE / MIPS / SDRAM based smaller NAS boxes. The only thing really lacking with those Intel I/O processors is a hardware crypto unit. Who wants to have unencrypted storage these days?

Looking at the software, the problems start. First, there is no NFS support. iTunes, SMB/CIFS, HTTP, FTP - but no NFS :( Secondly, the web configuration frontend requires flash. Duh! How can you use something as ugly and proprietary as flash for something as simple as a web configuration frontend for an embedded box. God knows.

Anyway, let's get back to the GPL issue. As usual, I cannot make such a claim without verifying it. First of all, the devices (and their firmware updates) ship without a copy of the GPL, any indication that GPL licensed software was used, no written offer and no source code.

But well, where the heck do I know from (and can prove) that they actually run Linux? I won't disclose the reason for my initial hints, since I don't want future vendors of future products to know how they can avoid me ;) But anyway, let's assume I was surprised to see a nmap fingerprint that indicates Linux on the box and now want to go further.

Looking at the firmware update images, they appear to be scrambled / encrypted somehow. At least there is no gzip/bzip2/LZMA/ext3/cramfs/romfs/... signature to be found in them. And even if the firmware updates contain Linux, this doesn't actually prove anything about the software pre-installed on the device.

The running device also doesn't offer any ports apart from the SMB-related ones and http(s). So we're stuck.

This is where I usually take the device apart, carefully analyze its hardware and go looking for a serial port with my Oscilloscope probe. Unfortunately the PCB of the N2100 didn't seem to have one. It took me some time to figure out that the serial port connector (there's actually a standard 9pin header) is on the SATA backplane rather than on the CPU board ;)

Hooking up a serial console, you can see RedBoot wait for one second and then execute a boot script that loads initrd and kernel, and finally executes it. Yay! Too bad that the actual kernel seems to lack support for a serial console. So all you get is the 'Uncompressing Linux......................................................................................... done, booting the kernel.' line. Together with the firmware scrambling/crypto, this is definitely an attempt to hide the use of GPL licensed software and/or otherwise lock the user out of the device.

Unfortunately hex-dumping the whole memory contents from RedBoot via the serial port, and parsing it on the host side seemed like a rather clumsy - and otherwise unproductive approach to finding proof of GPL licensed software in the device.

Luckily, you can interrupt RedBoot and configure the network device, set up TFTP, cross-compile a kernel for the IOP 80219, and boot that. After some twisting of the .config, I got it to boot without any crashes, and even the RedBoot partition table is correctly recognized and parsed.

So now I'm running Linux on the device, great. But still I can't prove that the device actually ships GPL licensed software in an incompliant way. So all that is missing is a NFS-root capable installation of Debian-arm that we can boot into, and which we can use to read out the mtd partitions.

Oh, and yes. While I appreciate their love for the netfilter project and its software: There's absolutely no place in a NAS box for having ip_conntrack linked statically into the kernel - unless you voluntarily want to lose performance. At least to my knowledge, performance of NAS devices counts. So, Thecus, in your own interest: disable ip_conntrack in the kernels you ship.
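
The signature check from the Thecus post above (no gzip/bzip2/LZMA/ext3/cramfs/romfs signature in the firmware update image), as an added example that is not code from the original post or from gpl-violations.org. It scans an image for those magics, validates each hit so chance matches are dropped, and uses byte entropy to tell an opaque image from a merely unknown layout; the function names, the 7.5 bits/byte threshold, the squashfs entry and both sample images are assumptions constructed for illustration.

```python
import gzip
import hashlib
import lzma
import math
import struct
import zlib
from collections import Counter


def _inflates(decompressor, chunk):
    """Trial decompression: a real stream yields output, a chance match does not."""
    try:
        return len(decompressor.decompress(chunk, 64)) > 0
    except (zlib.error, lzma.LZMAError):
        return False


def _lzma_ok(d, s):
    # "LZMA alone" header: props byte, u32 dictionary size, u64 uncompressed size.
    if len(d) < s + 13:
        return False
    (dict_size,) = struct.unpack_from("<I", d, s + 1)
    if dict_size not in {1 << n for n in range(16, 28)}:
        return False
    return _inflates(lzma.LZMADecompressor(format=lzma.FORMAT_ALONE), d[s:s + 65536])


def _squashfs_ok(d, s):
    # The major version (u16 at +28) of a real superblock is 1..4.
    if len(d) < s + 30:
        return False
    order = "<" if d[s:s + 4] == b"hsqs" else ">"
    return 1 <= struct.unpack_from(order + "H", d, s + 28)[0] <= 4


def _ext_ok(d, s):
    # The superblock starts 1024 bytes into the filesystem.
    inodes, blocks = struct.unpack_from("<II", d, s + 1024)
    (log_block_size,) = struct.unpack_from("<I", d, s + 1024 + 24)
    return inodes > 0 and blocks > 0 and log_block_size <= 6


# (label, magic bytes, offset of the magic inside the structure, validator)
SIGNATURES = [
    ("gzip", b"\x1f\x8b\x08", 0, lambda d, s: _inflates(zlib.decompressobj(31), d[s:s + 65536])),
    ("bzip2", b"BZh", 0, lambda d, s: d[s + 3:s + 4] in b"123456789" and d[s + 4:s + 10] == b"1AY&SY"),
    ("lzma-alone", b"\x5d\x00\x00", 0, _lzma_ok),
    ("cramfs", b"\x45\x3d\xcd\x28", 0, lambda d, s: d[s + 16:s + 32] == b"Compressed ROMFS"),
    ("cramfs", b"\x28\xcd\x3d\x45", 0, lambda d, s: d[s + 16:s + 32] == b"Compressed ROMFS"),
    ("romfs", b"-rom1fs-", 0, lambda d, s: True),
    ("squashfs", b"hsqs", 0, _squashfs_ok),
    ("squashfs", b"sqsh", 0, _squashfs_ok),
    ("ext2/3", b"\x53\xef", 0x438, _ext_ok),
]


def scan(image):
    """Return sorted (offset, label) pairs for every validated signature."""
    hits = []
    for label, magic, rel, valid in SIGNATURES:
        pos = image.find(magic)
        while pos != -1:
            if pos >= rel and valid(image, pos - rel):
                hits.append((pos - rel, label))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def shannon_entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 look random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def assess(image, threshold=7.5):
    """Classify an image as 'recognised', 'opaque' (near-random) or 'unknown'."""
    hits, entropy = scan(image), shannon_entropy(image)
    verdict = "recognised" if hits else "opaque" if entropy > threshold else "unknown"
    return hits, entropy, verdict


def constructed_samples():
    """Constructed images, not real firmware: a plain one and a scrambled copy.
    The scrambling is a stand-in: XOR with a SHA-256 counter keystream."""
    kernel = gzip.compress(b"Linux version 2.6.x (constructed sample)\n" * 200, mtime=0)
    rootfs = b"-rom1fs-" + bytes(56)
    plain = (bytes(64) + kernel).ljust(4096, b"\xff") + rootfs.ljust(4096, b"\xff")
    blocks = range(len(plain) // 32)
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in blocks)
    scrambled = bytes(a ^ b for a, b in zip(plain, stream))
    return plain, scrambled


if __name__ == "__main__":
    for name, image in zip(("plain", "scrambled"), constructed_samples()):
        hits, entropy, verdict = assess(image)
        print(f"{name}: {verdict}, entropy={entropy:.2f} bits/byte, hits={hits}")
```

A validated hit only shows that a format is present in the update image; as the post says, that by itself proves nothing about the software pre-installed on the device.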

[ /linux/gpl-violations | permanent link ]

Wed, 22 Feb 2006
Buried alive in GPL violations

It's not funny anymore. The current rate at which new GPL violations get reported and/or discovered, especially from the appliance/embedded market is really alarming.

For example, I haven't yet seen a single Linux-based NAS product that was even remotely license compliant when first analyzing it. And I'm not only talking about the SoHo NAS boxes with one or two hard disk drives, but even about enterprise storage systems.

On the enterprise end we're now also seeing carrier grade network equipment such as SONET/SDH switches, metropolitan area Ethernet, DSLAMs and the like.

Also, in some areas of business, competing companies seem to make the same mistake again, rather than learning from their competitor. Some time ago I had to resolve GPL issues with Maxtor Shared Storage drives, when they were first released. Now I found out that Western Digital has similar systems called NetCenter. Ordered one, and it came without GPL license text, written offer or source code.

Finally, there is one good example though. For a very long time, a product that I analyzed was actually GPL compliant. It's good to see that there are a few who get it right, from the beginning: The APC NetBotz family of products. The manual contains a reference to the source code, which can be obtained from ftp://ftp.netbotz.com/gpl/.

Anyway, I need a break (see my holiday related post). Hopefully I'll get back from that trip rested, with lots of energy and an extra portion of patience. This has become more of a burden than I ever thought.

The second and third quarter of this year definitely are the right time to think of a way to incorporate gpl-violations.org as an NGO/not-for-profit. One that can actually pay somebody hunting down those cases, doing the day-by-day work. I have a dream that at some point in the future I can once again concentrate on cool and interesting development, like most other hackers do.

[ /linux/gpl-violations | permanent link ]

Thu, 16 Feb 2006
Another unproductive day of GPL enforcement.

I'm feeling terrible. The second day in a row where I didn't find time to write a single line of code, merge any contributed patches, squash any bugzilla entry. Not even to speak of paid-for work.

While I used to spend about 30% of my time with GPL enforcement related work, it now peaks at about 70% for the last two weeks. This is not a good sign.

So apart from talking to lawyers, proofreading legal paperwork, negotiating with allegedly infringing companies and the like, I now also start having trouble doing test purchases. Not only do some retailers refuse to take orders from me, but also if I actually place an order it raises new problems.

The last web store I ordered a test purchase from now asked me for a complete, readable copy of both sides of my ID card. WTF ?!? This is totally against any data protection laws. There is absolutely no requirement for them to know my passport photograph, id card number, size or eye colour. So as a follow-up I had to write an official complaint with the Berlin data protection agency - as if I didn't have any other work to do.

Also, for the last months, I find myself giving about EUR 10k in 0% interest loans to GPL infringing companies. That's the amount of money spent for test purchases that I had to do to confirm GPL violations but which hasn't yet been reimbursed.

About the only positive thing in the course of my work day was producing the Chaosradio Express issue on gpl-violations, which Tim and I did earlier this evening.

Oh, and the best thing that happened today in general, is that the German Federal Constitutional Court has invalidated a recent law that allowed the government to order the military to shoot a passenger plane which was abducted by terrorists. At least some people still have a sane view on human rights.

[ /linux/gpl-violations | permanent link ]

Tue, 14 Feb 2006
More TI AR7 related GPL violations

Out of all the embedded network devices that had GPL issues, the Texas Instruments AR7 based devices probably have the worst GPL compliance history I've ever seen. The time has come to properly rant about this.

It's yet unclear whether this is TI's own fault, or just the fault of their OEM/ODM manufacturers. But I'm more than determined to find out.

Anyway, the list of problems with TI AR7 based devices is so incredibly long, that I don't even know where to start.

First of all, re-engineering their devices (for GPL compliance audits and legal action following up to such an audit) is incredibly difficult because they've added LZMA compression to both the kernel image (vmlinux) and squashfs.

Now what's so difficult about this? You might argue that the LZMA algorithm is (L)GPL licensed and publicly available. As is the original kernel source code, and the squashfs code. Also, you might know that numerous individuals have already released patches to add LZMA to kernel boot, initrd and squashfs.

However, there are various methods (with/without LZMA header, with/without p7zip header, etc.), and there simply is no standard on how to build a system from the algorithm.

Getting to the actual infringements. So far I've seen devices that

  • remove the "(C) Netfilter Core Team" message that is usually printed during boot-up
  • modify existing netfilter/iptables code, like add HTTP reply support to ipt_REJECT
  • add binary-only new netfilter/iptables targets, like ipt_PNAT
  • add new binary kernel modules that have "MODULE_LICENSE(GPL)" without providing source code

There are many other potential issues, on whose GPL compatibility (or lack thereof) I do not want to comment at this time, such as their binary only drivers for the DSL chipset, the WLAN driver.

Interestingly, all of the vendors of TI AR7 based devices with whom I had contact on the GPL issues showed equally little interest in bringing their products into compliance. Now this could all just be a coincidence. But my personal guess is that they just forward whatever questionable policy they get from their upstream chipset and reference software development kit provider: TI.

You might wonder about the device manufacturers in question? I'm still a bit hesitant in disclosing names. One of the first companies running into GPL trouble with TI AR7 was D-Link. Another company with anything but the cleanest GPL history on TI AR7 based devices is AVM, who produce the overly popular and widely branded FritzBox devices.

There is another brand that is sold in significant quantities, at least in the German market. We're on the brink of applying for the next gpl-violations.org preliminary injunction, so I won't be able to say any names.

[and now, after some five hours of gpl-violations related device re-engineering before getting up, I'll finally try to find some time to get some breakfast.]

[ /linux/gpl-violations | permanent link ]

Fri, 10 Feb 2006
Austrian Health Card System now GPL compliant

It's already been at some point at the end of 2005, but now I finally got around to writing a press release on this subject:

gpl-violations.org has enforced yet another high-profile (at least in the German speaking continental European world) case of a GPL violation. Instead of repeating myself, you might want to read this release or the German version.

My real problem is a lack of time, and it's more than a pity that gpl-violations.org didn't have a press release for nine months - even though those were full of successful enforcement work. I hereby promise to improve my public relations work.

[ /linux/gpl-violations | permanent link ]

Sat, 21 Jan 2006
First GPLv3 draft

As almost every reader of this journal will know, the first GPLv3 draft has been published, and everyone is invited to comment on it.

I obviously already left some comments, though I still want to write up a somewhat larger article on my thoughts on it. This journal entry is not that article ;)

In general, I'm quite relieved. I had somewhat mixed expectations - but almost everything looks quite fine, and there are hardly any issues. I obviously like the DRM countermeasures.

From a gpl enforcement point of view, it is very good to see that the "complete corresponding source code" has been specified in more detail. This should save us from the hassle of ever again starting the discussion (nit-picking) on whether "scripts to control compilation and installation" (GPLv2) really only means scripts, or whether it also covers other methods controlling compilation and installation.

What is a real problem, and I hope this can still be resolved, is the new "60 days" grace period that was introduced. With GPLv2, the right to distribute the software was automatically revoked in the case non-conformant distribution has happened. In the v3 draft, there is a grace period where the rights _may_ be terminated, and only 60 days after being notified by one of the copyright holders.

The intention of it is to take care of "inadvertent violation". As harmless and reasonable as this sounds, this change has the potential to render most of the current enforcement success of gpl-violations.org impossible in the future.

From all the 60+ cases that we've enforced, I cannot tell you one case where the defendant would not claim that the violation was inadvertent. So in reality, inadvertent basically means "we didn't care". However, the whole point of the gpl enforcement exercise is to raise awareness and make them care before it is too late.

The 60 days grace period is not acceptable. On the one hand, we (in Germany) basically lose the ability to apply for preliminary injunctions. PIs are only granted in case of urgency, which translates (depending on the court) to something like 30 days. So if I know for more than 30 days that somebody is infringing on my copyright (and don't get the matter resolved with him in that period of time), then I can't consider this matter as urgent.

The 60 days grace period is also not acceptable, because it would basically reduce the motivation to comply with the license in the first place. So for EvilCorp Inc. it is perfectly possible to design a product using GPL licensed software, not comply with the license, ship the product, wait for a copyright holder to send a notice, make sure that I ship all the remaining in-stock products that do not contain a written offer, GPL text and/or source code in the 60 remaining days, and then start behaving GPL compliant. If such behaviour has no consequences at all, why would anyone behave differently in the first place?

[ /linux/gpl-violations | permanent link ]

Mon, 09 Jan 2006
Today marks the first discovery of a ulogd GPL violation

It's actually not really all that important, but today I found the first product that distributes my ulogd program in a GPL incompliant way.

To my biggest surprise, it's not a Firewall/Router/WLAN device, but rather a NAS. Still have to figure out where, how and why they use ulogd on it, but it's there (and no source code [offer]).

[ /linux/gpl-violations | permanent link ]