Palm sued over GPL violation in muPDF
As you can see in this techworld post.
Apparently they are using the GPL licensed muPDF library and link it against
their proprietary PDF viewing application. If that is true, then it would be a
very straight-forward, FAQ-type violation. muPDF is not LGPL but GPL licensed,
thus you cannot create derivative works without licensing them under GPL, too.
The whole license management and even software release management at Palm
seems to be very sloppy. For example, based on the object code and disassembly,
I can prove that the source code for libpurpleadapter on opensource.palm.com
does not (or no longer) correspond to the object code that they ship.
What's particularly surprising is that Palm actually is forcing Artifex to go
to court over this issue. You would expect such a straight-forward issue
to be resolved fairly quickly and settled out of court, before it ever escalates
or turns into a PR disaster.
You would expect a company that is regularly building and releasing firmware
images to have an automatic process that packages the source code as part of the
build process. In fact, Palm uses OpenEmbedded to build their images, and it
is a standard feature of OpenEmbedded to create the corresponding source tarballs
for everything it builds.
Furthermore, the Palm kernel contains several binary-only modules that indicate
MODULE_LICENSE("GPL") in it - which is clearly not true. If you inquire about
the sources, they will respond that they will not provide the sources.
[ /linux/gpl-violations |
permanent link ]
Palm Pre GSM model source code available
Last night I got an e-mail by palm, that following-up to my request, the source code releases for the WebOS 1.1.2 and 1.1.3 releases have been uploaded to opensource.palm.com.
I think the response time was very quick, and I thank them for that. However,
still sad that one has to remind them of it. Let's hope with future releases
they have a fully automatic process for that.
Just to be very clear: The GPL does not state that you have to automatically
have the source code on a web site. But the way how Palm's written offer is
phrased, they say that you should visit the website to download the sources.
In that case, the web site of course needs to contain the sources...
Additionally they also offer the source code on a storage medium, if you write
them snail mail to a specific address - which is a good safeguard since the GPL
says it has to be made available on a storage medium commonly used for software
interchange.
[ /linux/gpl-violations |
permanent link ]
TI tries to stop alternative operating systems on its calculators by the DMCA
Apparently, TI has been trying to use the DMCA and U.S. copyright to stop
third-party developers from working on or distributing alternative operating
systems for some of their calculators.
The stock OS that TI is shipping uses a cryptographic signature process to
prevent the user from booting any non-TI operating system. However, the
signature verification was broken and people have managed to run their
own software, developed independent from TI's software.
TI is not claiming that the DMCA DRM restrictions are applicable to this case,
and that the signature process constitutes a DRM system. This is obviously
bogus to any technical person. The TI firmware is not encrypted, and you can
copy and run it on other hardware or an emulator if you please. The protection
mechanism is rather the other way around: The hardware authenticates the OS.
The Electronic Frontier Foundation has taken
up the case and is defending some of the affected people from the community
against TI.
As you can see from the EFF letter to TI, the EFF cites a number of precedent cases where the courts have ruled in very similar cases that such mechanism is not a DRM system on the software.
That precedent summarized in the EFF letter is actually very exciting to me.
It is directly applicable to all kinds of locked-down devices. Let's assume
we're talking about a Linux-powered device like the Tivo, Motorola MAGX phones,
the G1 phone (non ADP-Version). They all use GPL Licensed software that is
cryptographically signed to prevent the user from exercising his Freedom to run
modified versions of the GPL licensed program.
Precedent that indicates that such a system does not constitute DRM as
protected by the DMCA means there is a lot more freedom for people to break
such systems and freely talk about how it was performed, as well as distribute
alternate software images for the respective devices - as long as the code they
use is either their own or Free Software and does not contain proprietary bits
of the device vendor.
[ /linux/gpl-violations |
permanent link ]
Palm Pre GSM Version sells in Germany - No corresponding source code
Some 4 months ago, I wrote about Palm shipping the Palm Pre CDMA version in a GPL incompliant
way. You should assume that the company has learned about their mistakes
and created opensource.palm.com as a
site to host their source code, compliant with the GPL and other Free Software
licenses
Yesterday, the Palm Pre GSM model started to ship in Germany through O2
Telefonica. The WebOS version installed on the device is 1.1.2, and they are
doing an OTA upgrade to 1.1.3.
Both of those versions are not available on the Palm opensource website!
Again the same mistake!
I wonder how much this tells us about the development procedures and release
management inside Palm. We know they use OpenEmbedded to build their packages
and filesystem image. OpenEmbedded can automatically generate the source code
tarballs (+ patches), so the entire process of putting them up at the website
could and should be automatized. No manual intervention, no mistakes, no
license violations.
I have asked my lawyers to send a letter to Palm, demanding immediate release
of the complete corresponding source code. If they do not comply, I am prepared
to take legal action against O2 who is distributing the devices in Germany. I
desperately hope we do not have to escalate to this point. If we go there, I'd
better not imagine how upset O2 will be about Palm and how this will affect their
business relationship.
It is so easy for Palm to have that source code on their website. We
know that for technical reasons (see above). Why are they deliberately exposing
themselves to the legal risk? Why are they willing to accept all the negative
PR from them not respecting copyright and the GPL?
Please don't get me wrong. I am not set out to continuously complain about
Palm. I would like to see more Linux phones. But why do they have to do
everything wrong they can do wrong? Why do they not have somebody to advise
them on playing nicely with the legal requirements of the technology they use?
[ /linux/gpl-violations |
permanent link ]
Netgear trying to fool their users with "Open Source Router"
Two days ago, Netgear has
announced the so-called "Open Source" WNR3500L router, together with an equally "Open Source" MyOpenRouter community.
The problem with this Open Source router is: It ships with binary-only kernel modules. Not only is this extremely Closed Source, but it also
- has very practical security implications: You can never update your Linux kernel to get the latest security fixes, but have to run vulnerable old kernel versions
- is a very questionable legal practise. Netgear as the vendor is simply
relying on the fact that none of the authors who have written parts of the
kernel against which their binary-only module links will ever make copyright claims against them
One would have hoped that Netgear did thoroughly study the Open Source market
that they're trying to address. Apparently they either did not do that, or
they chose to ignore the values/rules by which this community works, or they had
somebody with limited understanding to advise them on this.
If anyone has a relationship with Netgear and contacts to the product manager
responsible for this product, I would like to ask them for an introduction to
that product manager. I would be very happy to help them understand the
embarrassment and PR impact that they are putting themselves into by releasing
an "Open Source" product that is in fact legally questionable and proprietary.
There are people in the various communities (like OpenWRT or OpenMoko) who have
a very clear understanding of what it takes to create a true Open Source
product to address the Open Source market. Why are they not asking those
experts?
Netgear, you can do much better than that!
[ /linux/gpl-violations |
permanent link ]
GPL case in Denmark potentially involving NDS Viasat A/S and/or Samsung
As you can at this website, somebody
has discovered what seems very clear GPL violations in a device called "Samsung
DSB-H670N". At the moment it is not clear who is the actual cause of the GPL
violation.
However, what is outstanding about this case is that an individual on its own
tries to bring the respective companies into compliance. I think it serves as
a great example what somebody can do even if he is not one of the clear copyright
holders and just keeps insisting enough and communicating with the companies
involved.
I'm definitely looking forward to see how this turns out. gpl-violations was
not involved in any sort. We're continuing with many cases at any time, so
don't worry. I just thought this particular action is worth mentioning to the
interested reader. Maybe some other people get inspired by it and also stand
up for their rights to the source code of GPL licensed programs.
[ /linux/gpl-violations |
permanent link ]
Launch of International FOSS Law Review
I'm a bit late with this, but the occasional reader of my blog might be
interested to hear about the launch of
ifosslr.org: International Free and Open Source
Software Law Review, the only legal journal that focuses entirely on legal
aspects of FOSS, which obviously includes license and specifically GPL related
issues.
If you look
at the editorial committee, you will realize many prominent names in this
field.
It's very good to see this, as it means that more lawyers now have a resource
for enhancing and sharing their knowledge about legal aspects of FOSS.
I have heard about this project from its beginning in the Legal Network of the
FSFE Freedom Task Force. I know there has been a lot of (volunteer) work into
the publication of this first edition/volume. Thanks to everyone involved,
from authors to editors to people who took care of administrative issues.
[ /linux/gpl-violations |
permanent link ]
NerdAlert podcast / radio show
Today, I was invited for an interview with the German nerd alert podcast. The show was also
broadcasted live via the free public FM radio station FSK Hamburg.
Much of the interview is about my work at gpl-violations.org, but we also covered
quite a bit about Openmoko as well as OpenBSC. I had a good time in the
more-than-one hour interview, despite it somehow being too short to cover
more about the motivation and reasons behind each of the projects....
I'm not sure if the podcast is available yet, but I suppose it will be
accessible from the homepage
of todays show.
[ /linux/gpl-violations |
permanent link ]
ScummVM settles GPL duspute with Mistic software
As you can see from this press
release, ScummVM alleged Mistic Software and its distributors from infringing
the GNU GPL in some proprietary games based on ScummVM.
As it seems, this case was now settled. The press release does not make any
statement on how the actual GPL issues were solved (i.e. "where is the source
code"), but I would assume they would not want to settle unless the conditions
of the GPL are fulfilled...
If anyone has more information, I'm interested to learn about that.
[ /linux/gpl-violations |
permanent link ]
I'll be talking about GPL violations at LiSoG on July 1st in Munich
At the LiSoG meeting on July 1st, I'll be presenting on GPL violations and their international enforcement.
The LiSoG meetings have been repeatedly pointed out to me as some of the best
Linux meetings out there, with a lot of professionals from the Munich area
being present. I'm happy to be invited to join and present, even if it means
I'll have to escape for a day from my most exciting project in Hamburg.
So if you happen to be in the Munich area and interested in meeting with a
crowd of Linux people and/or interested in hearing about GPL enforcement
efforts, feel free join.. But you have to to register [for free], as per
instructions on the page linked above.
[ /linux/gpl-violations |
permanent link ]
Palm Pre is shipping GPL incompliant
As it has been reported at many places online, the Palm Pre has started to ship
as a CDMA model in the United States. However, as it seems, at this time it is
not GPL compliant and thus a copyright infringement!
The Pre undoubtedly contains Linux and other GPL licensed software. So it
ships with the GPL license text as well as a written offer indicating to obtain
the source code. So far so good.
But if you contact the respective address, you get a response like this:
Hello Harald and thanks for your email.
We are in the process of preparing the packages and our modifications
to upload them to our open source web site - http://opensource.palm.com.
We expect to have all packages and modifications uploaded and available
to the public in about 2 weeks from today.
If you prefer to get the packages and our modifications on a CD/DVD,
please provide us with your mailing address and we will gladly ship it to
you as soon as they are available on our web site.
Please let us know if you have any further questions.
All the best,
Palm Open Source Team
I think it is a bad sign that they write they are in the process of
preparing the packages and our modifications. This sounds suspiciously
like "we didn't think about it early enough and now we need to reproduce the
soruce code that was used for actually compiling the build that is installed
on the devices".
Since when did the object code exist before the source code? If you compile
e.g. the Linux kernel, you _have_ the source code before you generate the object
code. So you should be easily able to make the source code available at the
same time as the object code!
I would have expected much more from a company like Palm. If you as a
commercial entity want to use GPL licensed software, you don't have to pay one
cent in licensing or any royalties. All that you have to do is to make sure
you have the complete corresponding source code that was used for
compiling the actual binaries available at the time you start shipping the
object code.
Providing a written offer and then delaying is not good GPL compliance practise
and introduces legal [and thus business] risks that could have been easily
avoided. Let's hope the source code is really complete and corresponding
within those two weeks. And let's hope they never repeat this with another
product, or with software/firmware updates for the Pre.
[ /linux/gpl-violations |
permanent link ]
Some notes about the FSFE FTF Legal Workshop
I'm currently on the train heading back home from Amsterdam, where the last two
days I've been attending the 2009 Legal Workshop of the Legal Network of the
Free Software Foundation Europe.
I have to admit that it was a big surprise to me that the constructive
atmosphere and the quality of the presentations, panels and hallway discussions
has even improved beyond the already exceptional level last year.
So even if some of the more technical readers of this blog would find it hard
to agree: It can actually be a lot of fun to spend two days locked up in a
conference room full of 40 lawyers :)
It was very clear that the Free Software license compliance has moved ahead
quite a bit since its early days. We have had a number of independent lawyers
as well as corporate legal counsels from various backgrounds, as well as
some folks like myself with a very technical background but a vested
interest in legal aspects of FOSS.
Let me report on some of the most exciting parts of the workshop, at least
from my perspective:
- An official representative of WIPO reporting on their recent considerations
regarding collaborative creative work such as FOSS and the creative commons
projects
- Very insightful talks about software patents and the various new projects
like the Open Innovation Network, LinuxDefenders, Peer-to-Patent, etc.
I believe the significance of this work for the future of FOSS cannot be
underestimated, no matter of which jurisdiction you are in.
- This year, two legal experts from Taiwan were attending and received
considerable attention given the many problems that FOSS has both
legally and technically with products from the Taiwanese industry
- Last, but not least, I have made some very interesting new contacts from
people involved in Linux on mobile phones
Thanks a lot to the FSFE and particularly Shane's excellent work in putting the
Legal Network and the conference together. Thanks also to the sponsors of the
workshop, including Canonical and Black Duck.
[ /linux/gpl-violations |
permanent link ]
German radio station to talk with me about GPL Violations
Tomorrow at 2pm CET, I'll have a live interview in the Breitband show at the nation wide Deutschlandradio station. The show covers the
topic "Open Source and Business", and they want to talk to me for a couple of
minutes about the side-effects of businesses getting involved with
copyleft-style FOSS without respecting the rules as put forward by the
licenses.
[ /linux/gpl-violations |
permanent link ]
Talking to ASUS about preventing further GPL violations
Had a very productive meeting today with various representatives from ASUS
about how to make sure they don't continue their rather unfortunate series
of GPL violations in the last year.
It was a very good and productive atmosphere and I'm confident that they
are now committing the required resources and effort in fixing the mostly
organizational issues that prevent them every so often from fulfilling
their obligations under the GPL.
But in the end, what counts are hard facts. Let's look at the situation
again in one year and see what kind of progress one of Taiwans leading
companies has made in this regard.
[ /linux/gpl-violations |
permanent link ]
Free Software Foundation lawsuit against Cisco
As covered at lwn and other sites,
the Free Software Foundation (FSF) has filed a lawsuit against Cisco. This came
as a big surprise to me, but a very welcome one.
At gpl-violations.org, we had our fair share of dealing with Cisco (and
particularly Linksys, a Cisco division). Never we have received any entirely
satisfactory response. Sure, when you notify them of some GPL infringement, they
will take some steps here and there. But in all those years, I have not seen
a case where there was a thorough response. Whatever was disclosed as 'GPL
source' was incomplete, didn't compile, and with the next firmware release there
was again no source code for that new release. And then came the next product,
sourced-in from a different OEM, and the entire process had to re-start from
scratch.
Yes, they have gone and hired some engineer[s] to explicitly deal with the GPL
related issues, like they have taken other steps in the right direction. But it
was always superficial. Never addressing the problem at the root, i.e. have a
proper in-house business process and supply chain license management to ensure
the next product is not yet again a copyright infringement on GPL licensed
software. It is so easy to resolve at the source, and so hard to fix later.
So the FSF's decision to take this problem to court is the most appropriate
response that one can think of. A company of the size of Linksys clearly has
the manpower, skill and resources - as well as the economic power on their
suppliers - to once and all resolve any GPL licensing issues they might have.
Not only to the bare minimum that they might think, but all the way to leave
any legal grey area whatsoever. Only if there is a demonstration of a
_factual_ legal risk rather than a virtual legal risk, they will get the
motivation necessary to just 'stay clean' and not try to bend the license to
its extremes.
So you might think "why did you (i.e. gpl-violations.org) not take it to
court?" For once, I only hold copyright on certain parts of the Linux kernel,
and not for large amounts of code they use. Also, a number of the particularly
problematic products were not shipped into the German jurisdiction, and thus
a case could not be made over here. Furthermore, many of the violations are not
as clear black or white as most of the other cases that we take on. So the
amount of work and resources required in such a case would probably draw away
too much attention from all the other cases that we have.
But once again, I really welcome the FSF's action. It's funny how the historic
cycle closes. Originally I started gpl-violations.org because I thought the
FSF strategy was not aggressive/efficient enough in making Linksys/Cisco GPL
compliant in the infamous WRT54G case five years ago. Now, it seems that even
the tolerance and patience of the FSF has found an end.
Oh, and don't get me wrong: I never wanted to criticize the FSF for what they
did back then. They had and have their own strategy of what they think about
their own copyright. It's just that my strategy was different. It's up to
every author or rights holder to decide which legal strategy fits best.
[ /linux/gpl-violations |
permanent link ]
gpl-violations.org report in Financial Times Deutschland
The German business newspaper Financial Times Deutschland has published
an
article about my GPL enforcement work. To the best of my knowledge, it is
the first such article in a general newspaper. All previous coverage was in
publications or magazines tailored to the IT industry.
However, the content is of very low quality, and the actual facts are wrong in
a number of cases. First of all, why go to a personal level and describe myself
as having a 'Harry Potter hairstyle', and then calling me "a mixture between
bill gates and a heavy-metal fan". I hereby deny any similarity with Bill
Gates. I had my hair style like this even in the nineties (before growing it
long around 1997-2000 and then cutting it again in 2001). And I listen to a
lot of weird music, though heavy metal is generally not on my playlist.
Anyway, what is the point of all of that? How does this help people to
evaluate the risk of GPL violations?
Further down, the article has claims like "the driver software of the router
also contained some lines of code that were originally written by Welte".
First of all, it is the firmware, not the driver. Secondly, it is more than a
couple of lines (since a couple of lines would probably not constitute a
copyrightable work).
The article also explicitly states that I am not fighting for money, but "out
of principle". Despite that, it also claims "The first couple of companies are
shivering expecting the destruction of their book value". That's illogical.
Furthermore, there are claims that I have focused on
companies that only used small amount of open source. To the contrary: The
majority of the products that I've enforced so far contain 75% or more open
source software. Only small portions were added by the respective vendors.
To the contrary, there was a recent article in the Berliner Morgenpost paper one of the CCC Leaders which was really well-researched and of high quality. Even that one gets some minor facts wrong, but still portrays a realistic picture.
[ /linux/gpl-violations |
permanent link ]
Receiving the 2008 Open Source Award
According to reports here
and here
I had the honor of being the recipient of one of the the 2008 Google+O'Reilly Open Source Awards entitled Defender of Rights", presented by Google and O'Reilly.
I'm obviously very happy to see that my work has been recognized this way.
Following the FSF Award in March, this is definitely a big honor. Did anyone
else receive both awards in the same year so far? ;)
Thanks to the committee for the trust they put in my work. I'd also like to
use this opportunity to thank again my lawyer Dr. Till Jaeger and his law firm
JBB, as well as Armijn Hemel, who has been
running the day-to-day gpl-violations.org operations for quite some time now.
[ /linux/gpl-violations |
permanent link ]
Victory: Skype withdraws appeals case, judgement from lower court accepted
The court hearing in the "Welte vs. Skype Technologies SA" case went pretty
well. Initially the court again suggested that the two parties might reach
some form of amicable agreement. We indicated that this has been discussed
before and we're not interested in settling for anything less than full GPL
compliance.
The various arguments by Skype supporting their claim that the GPL is violating
German anti-trust legislation as well as further claims aiming at the GPL being
invalid or incompatible with German legislation were not further analyzed by the
court. The court stated that there was not enough arguments and material
brought forward by Skype to support such a claim. And even if there was some
truth to that, then Skype would not be able to still claim usage rights under
that very same license.
The lawyer representing Skype still continued to argue for a bit into that
direction, which resulted one of the judges making up an interesting analogy
of something like: "If a publisher wants to publish a book of an author that
wants his book only to be published in a green envelope, then that might seem
odd to you, but still you will have to do it as long as you want to publish the
book and have no other agreement in place".
In the end, the court hinted twice that if it was to judge about the case,
Skype would not have very high chances. After a short break, Skype decided to
revoke their appeals case and accept the previous judgement of the lower court
(Landgericht Muenchen I, the decision was in my favor) as the final judgement.
This means that the previous court decision is legally binding to Skype, and we
have successfully won what has probably been the most lengthy and time
consuming case so far.
[ /linux/gpl-violations |
permanent link ]
Tomorrow: Court hearing in Welte vs. Skype GPL case
Tomorrow at 10:30am at the Oberlandesgericht Muenchen
(higher regional court of Munich) there will be an oral hearing in the "Welte
vs. Skype Technologies SA" case. The hearing is to be held in room E.06.
This case is about a GPL violation of Skype, related to their sales of Wifi
Skype phones based on the Linux operating system kernel.
I'm fighting as part of the gpl-violations.org project in enforcing the GPL
against Skype since February 2007. Initially Skype didn't respond, we then
applied for a preliminary injunction. That injunction was granted by the
court in June 2007, but Skype chose to file an appeals case against it.
The court hearing tomorrow is exactly to debate about this appeal.
Interestingly, Skype is arguing against the validity of the GPL as a whole,
asserting that it is violating anti-trust regulation and similarly strange
claims.
[ /linux/gpl-violations |
permanent link ]
Report from FSFE FTF Licensing and Legal workshop
I'm on seven-hour train ride back from Amsterdam, where I've been attending the
first Licensing and Legal workshop of the Freedom Task Force (FTF) of the Free Software Foundation Europe (FSFE).
While having a somewhat lengthy name, the FTF has been doing great work on
bringing together a large group of legal and technical experts in the field
of Free Software licensing. So far this was all 'virtual', happening on
mailing lists.` The meeting in Amsterdam was the first of its kind, and was a huge success.
By the nature of the FSFE, most of the people were from Europe, though there
were attendees from the US and even Australia, too.
There were many interesting and surprisingly interactive workshops. It was
also a good opportunity to meet Armijn (the second half of gpl-violations.org)
and Shane (full-time manager of the FSFE FTF), as well as many lawyers, both
corporate legal counsel and from law firms.
The interest in Armijns presentation about gpl-violations.org and Till Jaeger's
overview about the legal cases we've handled over the years in Germany were
very well received and there was more interest and questions than the short
time permitted.
What was really good for me to see is that large consumer electronics companies
in Europe and the US are now implementing internal business processes to ensure
GPL and other FOSS license compliance. They're also increasingly using very
clear contractual language throughout their supply chain to minimize the potential
risk of any "hidden" GPL surprises in products they source from OEM/ODM
companies.
[ /linux/gpl-violations |
permanent link ]
Meeting between gpl-violations.org and FSFE FTF
The last two days, I enjoyed a meeting between gpl-violations.org and the FSF Europe Freedom Task Force.
Participating were Armijn Hemel (whom I have to thank to assure
gpl-violations.org doesn't die while I was in Taiwan for OpenMoko), Shane
Coughland (who is doing an excellent job coordinating the FTF) and myself.
For a couple of hours we've also been joined by Till Jaeger, who has handled
all the legal cases of gpl-violations.org so far.
This meeting has been over-due, mostly because I basically dropped off the
planet for way too long time. We've discussed all the current matters
regarding strategies for license enforcement, current cases, progress of the
FTF legal and technical networks, as well as future plans for incorporating the
gpl-violations.org project.
Yes, you have read correctly. I've been planning to do this for quite some
time, and I'm confident that 2008 will finally be the year in which this
happens. It's too early to talk about any details, but this is the logical
step to assure both financial and legal independence of the project from my
person, as well as scalability. As you might know, we have a couple of hundred
reported violations and can only cherry-pick those we consider particularly
important.
In any case, it was a very productive meeting. I seriously believe it has
helped to make all of us work together in a coherent manner, i.e. increased
productivity and effectiveness for a long-term strategy to increase the amount
of free software license compliance in the industry.
[ /linux/gpl-violations |
permanent link ]
HTC TyTN II / Kaiser doesn't look like a GPL violation!
There have been numerous rumors floating around the net that the HTC TyTN II
(aka Kaiser) might be a GPL violation due to a number of strings in the firmware image referring to Linux and vmlinux.
I've done some analysis on this subject, and posted my preliminary results in this posting to lkml earlier today.
So as indicated, I do not see any reason to believe there is a GPL violation
with regard to the Linux kernel in the MSM7200 modem side as used in the
abovementioned device.
So please stop those rumors now. I'm obviously not opposed to people being
watchful and report/investigate potential GPL violations. But before you call
it an actual violation, please rather make sure that you have some evidence!
[ /linux/gpl-violations |
permanent link ]
Slowly getting back to work on gpl-violations.org
Today I've finally started to pro-actively work on gpl-violations.org again. I
haven't been able to do any work on it for almost 1.5 years due to my intense involvement with OpenMoko.
Among my first tasks was to update the ssl certificate for our internal
Request Tracker, which apparently expired quite some time ago. After that, I
went through all RT tickets and deleted tons of spam from it. Now it finally
looks like I can start working with it again :)
I'm also trying to catch up with all the gpl-violations.org related email, but
please give me a couple of weeks, there's just way too much of it :(
[ /linux/gpl-violations |
permanent link ]
Some more thoughts on the results of GPL enforcement
Just a small personal note: Yes, this blog is currently seeing close to no
updates. This is because I'm literally working every minute that I'm awake,
with no time for anything else.
But to get to the main point of this entry: The results we see from GPL
enforcement. I don't want to write about the legal results, since they have
always been successful, in 100+ violations that I've been dealing with so far.
I'd rather want to talk about other results. They mainly fall into two
categories:
Structural results, how I like to call them, show that the vendors
/ "the industry" now understand the GPL [better] and thus adopt policies and
business practises that are more likely to be GPL compliant from now on. This
is good, since it has the potential to prevent further GPL violations down the
road, presuming license compliance is something that we value and strive for.
But how does Free Software actually benefit from GPL enforcement? I'm talking
about the actual software, and not the movement, the community, the advocates,
etc.
How many times have you seen some code coming out of a "GPL code release" from
one of the many (mostly embedded) vendors that was actually useful to be
contributed back to an existing Free Software project, or even that spawned a
new Free Software project? I for my part am certain to say: Zero. The actual
number might be close to zero, but very small anyways.
The next logical question is to ask ourselves, why it is like that. First of
all, the code quality is usually extremely bad. Looking at kernel patches from
the various vendors, I'd say the code quality is _by far_ off any scale that
would ever even remotely be considered to be suitable for upstream inclusion.
Not only do those vendors not care about any CodingStyle (which could be easily
fixed), but they ignore any existing standard API's (why use them if we can
reinvent our own?), don't ever spend a single second on portability issues such
as SMP, DMA safe allocations, endian issues, 32/64bit, etc. This code is
"throw-away software". Fire and forget. The complete opposite of the
long-term maintainability goals of about any FOSS project I know.
I would be the most embarrassed man if I ever was involved with any such
software. Having your name associated with such poor quality would be like a
stigma. Any technical person would laugh. And yet, the managers of those
respective companies proudly announce the availability of their so-called "GPL
code releases". If they only understood how ridiculous they make themselves in
the technical community. It's like if they were proudly presenting a drawing
from a three-year-old kid as the new Picasso. They just don't notice because
the number of people with a taste of art is apparently larger than the number
of people with a taste of source code quality and aesthetics.
The next big problem is the perpetual preference of vendors, even in a market
with only six month product life-cycles, to use ages old software to base their
code on. Of what use is e.g. an obscure netfilter patch that was developed
against kernel 2.4.18, something that is many years old and of no relevance to
current stable kernels or even current development?
Now you might argue "What about projects like OpenWRT?". While they are no
doubt very useful, it is quite simple. Those projects mainly benefit only the
customers of the (probably formerly GPL infringing) embedded devices.
Therefore, they benefit specific customers, and not Free Software Users in
general. Even if OpenWRT or others invest huge amounts of work and manage to
clean up / re-implement some of the awkward sources released by embedded
manufacturer X, and push it into the upstream project (e.g. Linux kernel), it
is something that most often only a very specific user base that benefits from
it. All the really interesting bits, if there are any at all, are kept
proprietary by the respective manufacturers, using legally extremely
questionable practises such as binary-only kernel modules.
If one thinks a bit more, this whole sad process could have envisioned before.
It's a myth to believe that Linux and other FOSS is so popular in the embedded
market because vendors think it is more reliable, or secure, or even because of
the maintainability, audit-ability, or even the benefits that users and
developers get from being able to run modified versions of the software. If
they were, we would see clean code and regular security updates. In reality
almost every product is one gaping security nightmare. None of those potential benefits are of any interest to embedded vendors.
The response to the 'why' question is quite simple: They use GNU/Linux because
this way they can avoid per-unit royalties that are very popular with
alternative (proprietary) embedded OS's. It's a cheap commodity. Thus, it's
not surprising how they treat GPL compliance. Disgruntled, not understanding
the issues behind, releasing only the most incomplete non-building source code
snippets that make any reasonable developer vomit at first sight. And since
they themselves lack the skilled developers internally (they're not cheap!),
their management goes ahead and releases something that is embarrassing. If I
wanted to evaluate the technical skill-set of a company before making
large-scale business with them, I'd [have somebody] look at their source code
releases. It can tell a lot about technical expertise and corporate style :)
Please don't get me wrong. I'm not complaining that there is any legal
shortcoming in those "GPL Code Releases" though there often is, but that is not
the point of this article). But if somebody asks me, how much the actual Free
Software source code benefits from the code that was released by the vendors,
my honest reply would be simple and sad: None.
While this whole post might sound bitter and resignated, and like I wanted to
give up GPL enforcement since it's not worth it: This is not the message that
I want to put out. GPL enforcement remains important. I never assumed that
there would be a lot of actual mainline-mergeable source code coming out of it,
so I'm not disappointed with the enforcement. I just have the constant feeling
that many people are driven by misconceptions, and nobody outside the hacker
community really knows what's going on on a technical level.
[ /linux/gpl-violations |
permanent link ]
gpl-violations.org prevails in court case against D-Link on the GPL
A couple of weeks ago, I mentioned
in this blog that there was legal victory in a ground-breaking court case
on the validity and enforcibility of the GPL.
Today, I have released this press release stating some more details on the case, including the name of the defendant: D-Link.
I'm quite happy to see that our arguments have convinced the court outright,
and that we didn't have to go through a lengthy procedure of calling several
prominent kernel developers as witnesses, and getting statements from technical
experts or the like.
If you're interested in the (German) judgement of 16 pages, you can find it at my lawyers'
website. An English translation is in the works, but will take another
week or so.
We've already received some press coverage, mainly in Germany so far.
Interestingly, in a statement of D-Link quoted
by heise.de, D-Link seems determined to not take this to a higher court...
which means that this judgement will soon be considered legally binding,
and be one more tiny step in the clarification of legal questions on the GPL.
I'd like to thank my fellow developers Werner Almesberger and David Woodhouse,
as well as my lawyer Dr. Till Jaeger and his colleagues for all their support
and work. A lot of time and effort was spent in preparation of this case, and
as it turned out, exactly that preparation brought the case to a quick ending.
[ /linux/gpl-violations |
permanent link ]
Victory!
Today I have receive news that we've won the first regular civil court case on
the GPL in Germany. This is really good news, since so far we've only had a
hand full of preliminary injunctions been granted (and an appeal case against
an injunction), but not a regular civil trial.
The judge has ruled, but the details of the court order have not been publicised yet.
I'll publicised the full details as soon as thus details are available in the
next couple of weeks.
[p.s.: If you're from the press: Don't bother asking me about further details
on who the defendant was, or whatever else. Patience. All shall be revealed
soon]
[ /linux/gpl-violations |
permanent link ]
10 common misunderstandings about the GPL
I'd just like to point out the excellent article on
10 common misunderstandings about the GPL by Bruce Byfield.
Meanwhile I'm still working in India, just returned back from Mumbai to
Bangalore. Two more days and I'll be back to Germany. For one week, at least.
[ /linux/gpl-violations |
permanent link ]
GPLv3 conference in bangalore
It's already four days ago, but I just couldn't find some time to write about
it in this blog. The 4th international conference on GPLv3, held in Bangalore/India.
I've been to three of those four confrences now, and I guess that makes me the
only one apart from the FSF to judge how it actually went, compared to other events.
And I'm sorry that I have to say that it was by far the worst of these events :(
- They closed down registration at some fixed limit (270?) because the auditorium couldn't
hold more people. However, since the registration was free, only 50% fo the people who
registered were actually present. And this at the expense of people apparently have been
turned away after the quota was filled. Now we had a half-empty auditorium, and people
who wanted to come but were rejected.
- The programme. Basically RMS and Eben did not only give there usual (every time updated)
great presentations on the spirit and the wording of the current license draft. But then
they were kept alone on the stage to reply to questions for about the same time. Nobody
else but them was giving any presentations on something that is really GPLv3 related.
- The panels. What is the point of a "business panel" if all(most) you have
represented there is some small three-men-in-a-garage companies that are run by
free software enthusiasts? Where have beeen the Infosys, Wipro, ... companies?
Don't they have something to say about the GPLv3?
- The audience. How can you come to a conference on the GPLv3 and then ask questions
that
- everybody knows will upset rms because they use Linxu with no GNU/ in front
- are totally unrelated (how can I make Autocad work on Linux
- reveal that you haven't even bothered reading the GPLv3 draft
Where were the GPL-savyy lawyers, free software developers and industry representatives
that had made their way to the Barcelona and Porto Alegre event?
- The [non-existing] moderation. Why was there nobody stopping all that
off-topic crap like endless discussions on why gnucash isn't conforming the
Indian accounting standards. I'm sure those are important problems to be
adressed (and somebody should just hack that code into gnucash if he has a need
for it). But who the hell cares about this on a conference specialized to
license questions?
[ /linux/gpl-violations |
permanent link ]
Travelling to a gpl-violations.org related court hearing tomorrow
Tomorrow morning I'll have the pleasure of travelling to Frankfurt,
where the first court hearing in a particular gpl-violations.org case will
happen.
Those of you who follow my actions closely (closer than the practically
non-existing PR work of gpl-violations.org allows) will notice that this is
actually the first 'regular court case'. So far we settled everything either
out-of-court, or sooner or later after a preliminary injunction, or an appeals
case thereof.
In this particular case the defendant claims that the GPL is not applicable to
them for a number of reasons, but at the same time argues that he still has the
right to use the software, despite not having obtained any kind of license.
I don't yet wan to disclose the identity of the defendant yet, but I'll
certainly post some more information on this pretty soon. You will all know
the company, though. A very popular vendor of embedded networking gear.
[ /linux/gpl-violations |
permanent link ]
Interview on gpl-violations.org with groklaw.net
There seems to be "interview season", since just after the lwn.net
interview, groklaw.net has now
published this
interview with me on gpl-violations.org.
The interview was taken by Sean Daly, who has also been taking care of the
audio and video recordings at the 3rd
international GPLv3 Conference in Barcelona last week.
Let's hope that those interviews will raise some more awareness and prevent more
violations from ever ending up in our request tracker.
[ /linux/gpl-violations |
permanent link ]
[ /linux/gpl-violations |
permanent link ]
Meeting up with Armijn Hemel
During my short trip to Amsterdam, I had a chance to meet with Armijn for a
couple of hours. It's always good to meet people face-to-face when you're working
with them a lot, especially on delicate issues such as GPL enforcement.
We've decided on how to optimize our work-flow and how to improve internal
documentation of the individual cases. The usual thing when you're used to working
on something alone (i.e. knowing everything off your head) as opposed to other
people getting involved, etc.
Anyway, I'm extremely pleased that somebody is helping me out. There's also
another friend of mine who's starting to get involved in the project, mainly on
technical issues such as verification of the source code offered by the various
(formerly?) infringing entities.
[ /linux/gpl-violations |
permanent link ]
OpenWRT terminates GPL License to SveaSoft
It might not be something new to you at all, but it was new to me, since it
happened during my holidays: OpenWRT has
sent SveaSoft a note of terminating of rights under the GPL.
I've had SveaSoft on my radar several times, but the whole situation seems to
be so messy, and there seems to be a history of different violations with each
and every release they made. Also, there seems to be quite some confusion on
the whereabouts of the developer[s?], which makes it difficult to find an
applicable jurisdiction.
[ /linux/gpl-violations |
permanent link ]
How to boot your own kernel on the Thecus N2100 - and prove it violates the GPL
My latest candidate for gpl-violations.org (and hopefully the last before
finally leaving for holidays): The Thecus
N2100 and N4100 NAS devices.
The Thecus boxes seem nice, at first sight. Apparently somebody recognized the
need for a bit more performance, so there's an Intel IOP 80219 with 64bit PCI-X
support, DDR400 memory (actually in a socket), an empty miniPCI slot (great!),
USB2.0 ports, and SATA (yay). This should definitely be more promising than the
usual 33MHz 32bit PCI / IDE / MIPS / SDRAM based smaller NAS boxes. The only
thing really lacking with those Intel I/O processors is a hardware crypto unit.
Who wants to have unencrypted storage these days?
Looking at the software, the problems start. First, there is no NFS support.
iTunes, SMB/CIFS, HTTP, FTP - but no NFS :( Secondly, the web configuration
frontend requires flash. Duh! How can you use something as ugly and
proprietary as flash for something as simple as a web configuration frontend
for an embedded box. God knows.
Anyway, let's get back to the GPL issue. As usual, I cannot make such a claim
without verifying it. First of all, the devices (and their firmware updates)
ship without a copy of the GPL, any indication that GPL licensed software was
used, no written offer and no source code.
But well, where the heck do I know from (and can prove) that they actually run
Linux? I won't disclose the reason for my initial hints, since I don't want
future vendors of future products to know how they can avoid me ;)
But anyway, let's assume I was surprised to see a nmap fingerprint that
indicates Linux on the box and now want to go further.
Looking at the firmware update images, they appear to be scrambled / encrypted
somehow. At least there is no gzip/bzip2/LZMA/ext3/cramfs/romfs/... signature
to be found in them. And even if the firmware updates contain Linux, this
doesn't actually prove anything about the software pre-installed on the device.
The running device also doesn't offer any ports apart from the SMB-related ones
and http(s). So we're stuck.
This is where I usually take the device apart, carefully analyze it's hardware and
go looking for a serial port with my Oscilloscope probe. Unfortunately the PCB
of the N2100 didn't seem to have one. It took me some time to figure out that the
serial port connector (there's actually a standard 9pin header) is on the SATA
backplane rather than on the CPU board ;)
Hooking up a serial console, you can see RedBoot wait for one second and then execute
a boot script that loads initrd and kernel, finally executes it. Yay!. Too bad that
the actual kernel seems to lack support for a serial console. So all you get
is the 'Uncompressing
Linux.........................................................................................
done, booting the kernel.' line. Together with the firmware scrambling/crypto,
this is definitely an attempt to hide the use of GPL licensed software and/or otherwise
lock the user out of the device.
Unfortunately hex-dumping the whole memory contents from RedBoot via the serial port,
and parsing it on the host side seemed like a rather clumsy - and otherwise
unproductive approach to finding proof of GPL licensed software in the device.
Luckily, you can interrupt RedBoot and configure the network device, set up
TFTP, cross-compile a kernel for the IOP 80219, and boot that. After some twisting
of the .config, I got it to boot without any crashes, and even the RedBoot partition
table is correctly recognized and parsed.
So now I'm running Linux on the device, great. But still I can't prove that the
device actually ships GPL licensed software in an incompliant way. So all that
is missing is a NFS-root capable installation of Debian-arm that we can boot into,
and which we can use to read out the mtd partitions.
Oh, and yes. While I appreciate their love for the netfilter project and it's software:
There's absolutely no place in a NAS box for having ip_conntrack linked statically into
the kernel - unless you voluntarily want to loose performance. At least to my knowledge,
performance of NAS devices counts. So, Thecus, in your own interest: disable ip_conntrack
in the kernels you ship.
[ /linux/gpl-violations |
permanent link ]
Buried alive in GPL violations
It's not funny anymore. The current rate at which new GPL violations get
reported and/or discovered, especially from the appliance/embedded market
is really alarming.
For example, I haven't yet seen a single Linux-based NAS product that was
even remotely license compliant when first analyzing it. And I'm not only
talking about the SoHo NAS boxes with one or two hard disk drives, but even
about enterprise storage systems.
On the Enterprise end We're now also Seine carrier grade network equipment such
as SONET/SDH switches, metropolitan area Ethernet, DSLAMS and the like.
Also, in some areas of business, competing companies seem to make the same
mistake again, rather than learning from their competitor. Some time ago I had
to resolve GPL issues with Maxtor Shared Storage drives, when they were first
released. Now I found out that Western Digital has similar systems called
NetCenter. Ordered one, and it came without GPL license text, written offer
or source code.
Finally, there is one good example though. For a very long time, a product
that I analyzed was actually GPL compliant. It's good to see that there are a
few who get it right, from the beginning: The APC NetBotz family of products.
The manual contains a reference to the source code, which can be obtained from
ftp://ftp.netbotz.com/gpl/.
Anyway, I need a break (see my holiday related post). Hopefully I'll get back
from that trip rested, with lots of energy and an extra portion of patience.
This has become more of a burden than I ever thought.
The second and third quarter of this year definitely are the right time to
think of a way to incorporate gpl-violations.org as an NGO/non-for-profit.
One that can actually pay somebody hunting down those cases, doing the
day-by-day work. I have a dream that in some point in the future I can once
again concentrate on cool and interesting development, like most other hackers
do.
[ /linux/gpl-violations |
permanent link ]
Another unproductive day of GPL enforcement.
I'm feeling terrible. The second day in a row where I didn't find time to
write a single line of code, merge any contributed patches, squash any bugzilla
entry. Not even to speak of paid-for work.
While I used to spend about 30% of my time with GPL enforcement related work,
it now peaks at about 70% for the last two weeks. This is not a good sign.
So apart from talking to lawyers, proof reading legal paperwork, negotiating
with allegedly infringing companies and the like, I now also start having
trouble doing test purchases. Not only refuse some retailers to take orders
from me, but also if I actually place an order it raises new problems.
The last web store I ordered a test purchase from now asked me for a complete,
readable copy of both sides of my ID card. WTF ?!? This is totally against any
data protection laws. There is absolutely no requirement for them to know my
passport photograph, id card number, size or eye colour. So as a follow-up I
had to write an official complaint with the Berlin data protection agency - as
if I didn't have any other work to do.
Also, for the last months, I find myself giving about EUR 10k in 0% interest
loans to GPL infringing companies. That's the amount of money spent for test
purchases that I had to do to confirm GPL violations but which hasn't yet been
reimbursed.
About the only positive thing in the course of my work day was producing the Chaosradio Express issue on
gpl-violations, which Tim and I did earlier this evening.
Oh, and the best thing that happened today in general, is that the German
Federal Constitutional Court has invalidated a recent law that allowed the government
to order the military to shoot a passenger plane which was abducted by terrorists.
At least some people still have a sane view on human rights.
[ /linux/gpl-violations |
permanent link ]
More TI AR7 related GPL violations
Out of all the embedded network devices that had GPL issues, the Texas
Instruments AR7 based devices probably have the worst GPL compliance history
I've ever seen. The time has come to properly rant about this.
It's yet unclear whether this is TI's own fault, or just the fault of their
OEM/ODM manufacturers. But I'm more than determined to find out.
Anyway, the list of problems with TI AR7 based devices is so incredibly long,
that I don't even know where to start.
First of all, re-engineering their devices (for GPL compliance audits and legal
action following up to such an audit) is incredibly difficult because they've
added LZMA compression to both the kernel image (vmlinux) and squashfs.
Now what's so difficult about this? You might argue that the LZMA algorithm is
(L)GPL licensed and publicly available. As is the original kernel source code,
and the squashfs code. Also, you might know that numerous individuals have already released
patches to add LZMA to kernel boot, initrd and squashfs.
However, there are various methods (with/without LZMA header, with/without
p7zip header, etc.), and there simply is no standard on how to build a system from the algorithm.
Getting to the actual infringements. So far I've seen devices that
- remove the "(C) Netfilter Core Team" message that is usually printed during boot-up
- modify existing netfilter/iptables code, like add HTTP reply support to ipt_REJECT
- add binary-only new netfilter/iptables targets, like ipt_PNAT
- add new binary kernel modules that have "MODULE_LICENSE(GPL)" without providing source code
There are many other potential issues, on whose GPL compatibility (or lack thereof) I do not want to
comment at this time, such as their binary only drivers for the DSL chipset, the WLAN driver.
Interestingly, all of the Vendors of TI AR7 based devices with whom I had
contact on the GPL issues showed equally little interest into bringing their
products into compliance. Now this could all just be a coincidence. But my
personal guess is that they just forward whatever questionable policy they get
from their upstream chipset and reference software development kit provider:
TI.
You might wander about the device manufacturers in question? I'm still a bit
hesitant in disclosing names. One of the first companies running into GPL
trouble with TI AR7 was D-Link. Another company with anything but the cleanest
GPL history on TI AR7 based devices is AVM, who produce the overly popular and
widely branded FritzBox devices.
There is another brand that is sold in significant quantities, at least in the
German market. We're on the brink of applying for the next gpl-violations.org
preliminary injunction, so I won't be able to say any names.
[and now, after some five hours of gpl-violations related device re-engineering
before getting up, I'll finally try to find some time go get some breakfast.]
[ /linux/gpl-violations |
permanent link ]
Austrian Health Card System now GPL compliant
It's already been at some point at the End of 2005, but now I finally got
around writing a press release on this subject:
gpl-violations.org has enforced yet another high-profile (at least in the
German speaking continental European world) case of a GPL violation. Instead of repeating myself, you might want to read this release or the German version.
My real problem is a lack of time, and it's more than a pity that
gpl-violations.org didn't have a press release for nine months - even though
those were full of successful enforcement work. I hereby promise to improve my
public relations work.
[ /linux/gpl-violations |
permanent link ]
First GPLv3 draft
As almost every reader of this journal will know, the first GPLv3 draft has been published, and
everyone is invited to comment on it.
I obviously already left some comments, though I still want to write up a
somewhat larger article on my thoughts on it. This journal entry is not that article ;)
In general, I'm quite relieved. I had somewhat mixed expectations - but
almost everything looks quite fine, and there are hardly any issues. I obviously
like the DRM countermeasures.
From a gpl enforcement point of view, it is very good to see that the "complete
corresponding source code" has been specified in more detail. This should save
us from the hassle of ever again starting the discussion (nit-picking) on
whether "scripts to control compilation and installation" (GPLv2) really only
means scripts, or whether it also covers other methods controlling compilation and
installation.
What is a real problem, and I hope this can still be resolved, is the new "60
days" grace period that was introduced. With GPLv2, the right to distribute
the software was automatically revoked in the case non-conformant distribution
has happened. In the v3 draft, there is a grace period where the rights _may_
be terminated, and only 60 days after being notified by one of the copyright
holders.
The intention of it is to take care of "inadvertent violation". As harmless
and reasonable as this sounds, this change has the potential to render most of
the current enforcement success of gpl-violations.org impossible in the future.
From all the 60+ cases that we've enforced, I cannot tell you one case where
the defendant would not claim that the violation was inadvertent. So in
reality, inadvertent basically means "we didn't care". However, the whole
point of the gpl enforcement exercise is to raise awareness and make them care
before it is too late.
The 60 days grace period is not acceptable. On the one hand, we (in Germany)
basically loose the ability to apply for preliminary injunctions. PI's are
only granted in case of urgency, which translates (depending on the court) to
something like 30 days. So if I know for more than 30 days that somebody is
infringing on my copyright (and don't get the matter resolved with him in that
period of time), then I can't consider this matter as urgent.
The 60 days grace period is also not acceptable, because it would basically
reduce the motivation to comply with the license in the first place. So for
EvilCorp Inc. it is perfectly possible to design a product using GPL licensed
software, not comply with the license, ship the product, wait for a copyright
holder to send a notice, make sure that I ship all the remaining in-stock
products that do not contain a written offer, GPL text and/or source code in
the 60 remaining days, and then start behaving GPL compliant. If such behaviour has
no consequences at all, why would anyone behave different in the first place?
[ /linux/gpl-violations |
permanent link ]
Today marks the first discovery of a ulogd GPL violation
It's actually not really all that important, but today I found the first
product that distributes my ulogd program in a GPL incompliant way.
To my biggest surprise, it's not a Firewall/Router/WLAN device, but rather a
NAS. Still have to figure out where, how and why they use ulogd on it, but it's there (and no source code [offer]).
[ /linux/gpl-violations |
permanent link ]
|