2004-08-20 23:25:45 +00:00
|
|
|
% Tutorial Text for the Detailed Study and Analysis of GPL and LGPL course
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2014-02-15 23:16:41 +00:00
|
|
|
% License: CC-By-SA-4.0
|
|
|
|
|
|
|
|
% The copyright holders hereby grant the freedom to copy, modify, convey,
|
|
|
|
% Adapt, and/or redistribute this work under the terms of the Creative
|
|
|
|
% Commons Attribution Share Alike 4.0 International License.
|
|
|
|
|
|
|
|
% This text is distributed in the hope that it will be useful, but
|
|
|
|
% WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
|
|
|
|
% You should have received a copy of the license with this document in
|
|
|
|
% a file called 'CC-By-SA-4.0.txt'. If not, please visit
|
|
|
|
% https://creativecommons.org/licenses/by-sa/4.0/legalcode to receive
|
|
|
|
% the license text.
|
2004-01-14 19:47:10 +00:00
|
|
|
|
|
|
|
|
2014-02-20 17:50:53 +00:00
|
|
|
\part{Case Studies in GPL Enforcement}
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2014-02-20 17:50:53 +00:00
|
|
|
{\parindent 0in
|
|
|
|
This part is: \\
|
|
|
|
\begin{tabbing}
|
2014-11-09 16:09:56 +00:00
|
|
|
Copyright \= \copyright{} 2003, 2004, 2014 \hspace{1mm} \= \hspace{1.mm} \= \kill
|
2014-11-06 21:59:48 +00:00
|
|
|
Copyright \> \copyright{} 2014 \> Bradley M. Kuhn. \\
|
2014-11-09 16:09:56 +00:00
|
|
|
Copyright \> \copyright{} 2014 \> Denver Gingerich \\
|
|
|
|
Copyright \> \copyright{} 2003, 2004, 2014 \> Free Software Foundation, Inc. \\
|
2014-02-20 17:50:53 +00:00
|
|
|
\end{tabbing}
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2014-12-18 00:52:15 +00:00
|
|
|
\vspace{.2in}
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2014-03-20 13:59:16 +00:00
|
|
|
\begin{center}
|
2014-04-24 23:26:02 +00:00
|
|
|
|
2014-02-15 23:16:41 +00:00
|
|
|
The copyright holders hereby grant the freedom to copy, modify, convey,
|
|
|
|
Adapt, and/or redistribute this work under the terms of the Creative Commons
|
|
|
|
Attribution Share Alike 4.0 International License. A copy of that license is
|
2014-11-06 22:02:23 +00:00
|
|
|
available at \url{https://creativecommons.org/licenses/by-sa/4.0/legalcode}.
|
2014-03-20 13:59:16 +00:00
|
|
|
\end{center}
|
2014-12-17 23:33:10 +00:00
|
|
|
|
|
|
|
\vfill
|
|
|
|
|
2014-12-22 21:10:06 +00:00
|
|
|
This work is primarily composed of the many contributions it
|
2014-12-17 23:33:10 +00:00
|
|
|
receives as a public, collaborative project. Please
|
|
|
|
\href{https://gitorious.org/copyleft-org/tutorial/history/master:enforcement-case-studies.tex}{review
|
|
|
|
its Git logs} for full documentation of all contributions.
|
|
|
|
|
|
|
|
|
2004-01-14 19:47:10 +00:00
|
|
|
}
|
2004-08-20 23:25:45 +00:00
|
|
|
% =====================================================================
|
|
|
|
% START OF SECOND DAY SEMINAR SECTION
|
|
|
|
% =====================================================================
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
\chapter*{Preface}
|
|
|
|
|
|
|
|
This one-day course presents the details of five different GPL
|
|
|
|
compliance cases handled by FSF's GPL Compliance Laboratory. Each case
|
|
|
|
offers unique insights into problems that can arise when the terms of
|
2014-03-20 17:31:54 +00:00
|
|
|
the GPL are not properly followed, and how diplomatic negotiation between
|
2004-08-20 23:25:45 +00:00
|
|
|
the violator and the copyright holder can yield positive results for
|
|
|
|
both parties.
|
2004-01-14 19:47:10 +00:00
|
|
|
|
|
|
|
Attendees should have successfully completely the course, a ``Detailed
|
2004-08-20 23:25:45 +00:00
|
|
|
Study and Analysis of the GPL and LGPL,'' as the material from that
|
|
|
|
course forms the building blocks for this material.
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
This course is of most interest to lawyers who have clients or
|
|
|
|
employers that deal with Free Software on a regular basis. However,
|
|
|
|
technical managers and executives whose businesses use or distribute
|
|
|
|
Free Software will also find the course very helpful.
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2004-02-12 21:08:33 +00:00
|
|
|
\bigskip
|
|
|
|
|
|
|
|
These course materials are merely a summary of the highlights of the
|
2004-08-20 23:25:45 +00:00
|
|
|
course presented. Please be aware that during the actual GPL course, class
|
|
|
|
discussion supplements this printed curriculum. Simply reading it is
|
|
|
|
not equivalent to attending the course.
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2014-03-21 02:12:06 +00:00
|
|
|
%FIXME-LATER: write these
|
2014-02-20 17:56:09 +00:00
|
|
|
|
2014-03-21 02:12:06 +00:00
|
|
|
%\chapter{Not All GPL Enforcement is Created Equal}
|
2014-02-20 17:56:09 +00:00
|
|
|
|
2014-03-21 02:12:06 +00:00
|
|
|
%\section{For-Profit Enforcement}
|
|
|
|
|
|
|
|
%\section{Community and Non-Profit Enforcement}
|
2014-02-20 17:56:09 +00:00
|
|
|
|
|
|
|
\chapter{Overview of Community Enforcement}
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
The GPL is a Free Software license with legal teeth. Unlike licenses like
|
2014-03-20 17:31:54 +00:00
|
|
|
the X11-style or various BSD licenses, the GPL (and by extension, the LGPL) is
|
2004-08-20 23:25:45 +00:00
|
|
|
designed to defend as well as grant freedom. We saw in the last course
|
2014-03-20 17:31:54 +00:00
|
|
|
that the GPL uses copyright law as a mechanism to grant all the key freedoms
|
2004-01-15 23:19:24 +00:00
|
|
|
essential in Free Software, but also to ensure that those freedoms
|
2004-01-16 20:00:33 +00:00
|
|
|
propagate throughout the distribution chain of the software.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
|
|
|
\section{Termination Begins Enforcement}
|
|
|
|
|
2014-03-20 17:31:54 +00:00
|
|
|
As we have learned, the assurance that Free Software under the GPL remains
|
|
|
|
Free Software is accomplished through various terms of the GPL: \S 3 ensures
|
2004-01-15 23:19:24 +00:00
|
|
|
that binaries are always accompanied with source; \S 2 ensures that the
|
2004-02-12 21:08:33 +00:00
|
|
|
sources are adequate, complete and usable; \S 6 and \S 7 ensure that the
|
2014-03-20 17:31:54 +00:00
|
|
|
license of the software is always the GPL for everyone, and that no other
|
|
|
|
legal agreements or licenses trump the GPL. It is \S 4, however, that ensures
|
2004-02-12 21:08:33 +00:00
|
|
|
that the GPL can be enforced.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
Thus, \S 4 is where we begin our discussion of GPL enforcement. This
|
|
|
|
clause is where the legal teeth of the license are rooted. As a copyright
|
2014-03-20 17:31:54 +00:00
|
|
|
license, the GPL governs only the activities governed by copyright law ---
|
2004-08-20 23:25:45 +00:00
|
|
|
copying, modifying and redistributing computer software. Unlike most
|
2014-03-20 17:31:54 +00:00
|
|
|
copyright licenses, the GPL gives wide grants of permission for engaging with
|
2004-08-20 23:25:45 +00:00
|
|
|
these activities. Such permissions continue, and all parties may exercise
|
2014-03-20 17:31:54 +00:00
|
|
|
them until such time as one party violates the terms of the GPL\@. At the
|
2004-02-12 21:08:33 +00:00
|
|
|
moment of such a violation (i.e., the engaging of copying, modifying or
|
2014-03-20 17:31:54 +00:00
|
|
|
redistributing in ways not permitted by the GPL) \S 4 is invoked. While other
|
|
|
|
parties may continue to operate under the GPL, the violating party loses their
|
2004-02-12 21:08:33 +00:00
|
|
|
rights.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
Specifically, \S 4 terminates the violators' rights to continue
|
2014-03-20 17:31:54 +00:00
|
|
|
engaging in the permissions that are otherwise granted by the GPL\@.
|
2004-08-20 23:25:45 +00:00
|
|
|
Effectively, their rights revert to the copyright defaults ---
|
|
|
|
no permission is granted to copy, modify, nor redistribute the work.
|
|
|
|
Meanwhile, \S 5 points out that if the violator has no rights under
|
2014-03-20 17:31:54 +00:00
|
|
|
the GPL, they are prohibited by copyright law from engaging in the
|
2004-08-20 23:25:45 +00:00
|
|
|
activities of copying, modifying and distributing. They have lost
|
|
|
|
these rights because they have violated the GPL, and no other license
|
|
|
|
gives them permission to engage in these activities governed by copyright law.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
|
|
|
\section{Ongoing Violations}
|
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
In conjunction with \S 4's termination of violators' rights, there is
|
2014-04-03 00:57:55 +00:00
|
|
|
one final industry fact added to the mix: rarely does one engage in a
|
2004-08-20 23:25:45 +00:00
|
|
|
single, solitary act of copying, distributing or modifying software.
|
|
|
|
Almost always, a violator will have legitimately acquired a copy of a
|
|
|
|
GPL'd program, either making modifications or not, and then begun
|
|
|
|
distributing that work. For example, the violator may have put the
|
|
|
|
software in boxes and sold them at stores. Or perhaps the software
|
|
|
|
was put up for download on the Internet. Regardless of the delivery
|
2004-02-12 21:08:33 +00:00
|
|
|
mechanism, violators almost always are engaged in {\em ongoing\/}
|
2014-03-20 17:31:54 +00:00
|
|
|
violation of the GPL\@.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
In fact, when we discover a GPL violation that occurred only once --- for
|
2004-01-15 23:19:24 +00:00
|
|
|
example, a user group who distributed copies of a GNU/Linux system without
|
2004-02-12 21:08:33 +00:00
|
|
|
source at one meeting --- we rarely pursue it with a high degree of
|
2004-08-20 23:25:45 +00:00
|
|
|
tenacity. In our minds, such a violation is an educational problem, and
|
|
|
|
unless the user group becomes a repeat offender (as it turns out, they
|
|
|
|
never do), we simply forward along a FAQ entry that best explains how user
|
2014-03-20 17:31:54 +00:00
|
|
|
groups can most easily comply with the GPL, and send them on their merry way.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
|
|
|
It is only the cases of {\em ongoing\/} GPL violation that warrant our
|
2004-08-20 23:25:45 +00:00
|
|
|
active attention. We vehemently pursue those cases where dozens, hundreds
|
2004-01-15 23:19:24 +00:00
|
|
|
or thousands of customers are receiving software that is out of
|
2004-08-20 23:25:45 +00:00
|
|
|
compliance, and where the company continually offers for sale (or
|
2004-02-12 21:08:33 +00:00
|
|
|
distributes gratis as a demo) software distributions that include GPL'd
|
2004-08-20 23:25:45 +00:00
|
|
|
components out of compliance. Our goal is to maximize the impact of
|
2004-02-12 21:08:33 +00:00
|
|
|
enforcement and educate industries who are making such a mistake on a
|
|
|
|
large scale.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
|
|
|
In addition, such ongoing violation shows that a particular company is
|
2004-08-20 23:25:45 +00:00
|
|
|
committed to a GPL'd product line. We are thrilled to learn that someone
|
2004-01-16 20:00:33 +00:00
|
|
|
is benefiting from Free Software, and we understand that sometimes they
|
2004-08-20 23:25:45 +00:00
|
|
|
become confused about the rules of the road. Rather than merely
|
2014-03-20 17:07:33 +00:00
|
|
|
giving us a postmortem to perform on a past mistake, an ongoing violation
|
2004-08-20 23:25:45 +00:00
|
|
|
gives us an active opportunity to educate a new contributor to the GPL'd
|
2004-01-15 23:19:24 +00:00
|
|
|
commons about proper procedures to contribute to the community.
|
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
Our central goal is not, in fact, to merely clear up a particular violation.
|
2004-02-12 21:08:33 +00:00
|
|
|
In fact, over time, we hope that our compliance lab will be out of
|
2004-08-20 23:25:45 +00:00
|
|
|
business. We seek to educate the businesses that engage in commerce
|
2004-02-12 21:08:33 +00:00
|
|
|
related to GPL'd software to obey the rules of the road and allow them to
|
2004-08-20 23:25:45 +00:00
|
|
|
operate freely under them. Just as a traffic officer would not revel in
|
2004-02-12 21:08:33 +00:00
|
|
|
reminding people which side of the road to drive on, so we do not revel in
|
2004-08-20 23:25:45 +00:00
|
|
|
violations. By contrast, we revel in the successes of educating an
|
2014-03-20 17:31:54 +00:00
|
|
|
ongoing violator about the GPL so that GPL compliance becomes a second-nature
|
2004-02-12 21:08:33 +00:00
|
|
|
matter, allowing that company to join the GPL ecosystem as a contributor.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
\section{How are Violations Discovered?}
|
|
|
|
|
2014-03-20 17:31:54 +00:00
|
|
|
Our enforcement of the GPL is not a fund-raising effort; in fact, FSF's GPL
|
2004-02-12 21:08:33 +00:00
|
|
|
Compliance Lab runs at a loss (in other words, it is subsided by our
|
2004-08-20 23:25:45 +00:00
|
|
|
donors). Our violation reports come from volunteers, who have encountered,
|
2004-01-16 20:00:33 +00:00
|
|
|
in their business or personal life, a device or software product that
|
2004-08-20 23:25:45 +00:00
|
|
|
appears to contain GPL'd software. These reports are almost always sent
|
2004-02-12 21:08:33 +00:00
|
|
|
via email to $<$license-violation@fsf.org$>$.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
|
|
|
Our first order of business, upon receiving such a report, is to seek
|
2004-08-20 23:25:45 +00:00
|
|
|
independent confirmation. When possible, we get a copy of the software
|
|
|
|
product. For example, if it is an offering that is downloadable from a
|
|
|
|
Web site, we download it and investigate ourselves. When it is not
|
2004-01-16 20:00:33 +00:00
|
|
|
possible for us to actually get a copy of the software, we ask the
|
2004-02-12 21:08:33 +00:00
|
|
|
reporter to go through the same process we would use in examining the
|
|
|
|
software.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
|
|
|
By rough estimation, about 95\% of violations at this stage can be
|
2004-08-20 23:25:45 +00:00
|
|
|
confirmed by simple commands. Almost all violators have merely made an
|
|
|
|
error and have no nefarious intentions. They have made no attempt to
|
|
|
|
remove our copyright notices from the software. Thus, given the
|
2004-02-12 21:08:33 +00:00
|
|
|
third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux
|
|
|
|
system) such as the following will find a Free Software copyright notice
|
|
|
|
and GPL reference:
|
2004-01-16 20:00:33 +00:00
|
|
|
\begin{quotation}
|
2004-02-12 21:08:33 +00:00
|
|
|
{\tt strings tpb | grep Copyright}
|
2004-01-16 20:00:33 +00:00
|
|
|
\end{quotation}
|
|
|
|
In other words, it is usually more than trivial to confirm that GPL'd
|
|
|
|
software is included.
|
|
|
|
|
|
|
|
Once we have confirmed that a violation has indeed occurred, we must then
|
2004-08-20 23:25:45 +00:00
|
|
|
determine whose copyright has been violated. Contrary to popular belief,
|
2014-03-20 17:31:54 +00:00
|
|
|
FSF does not have the power to enforce the GPL in all cases. Since the GPL
|
2004-01-16 20:00:33 +00:00
|
|
|
operates under copyright law, the powers of enforcement --- to seek
|
2004-08-20 23:25:45 +00:00
|
|
|
redress once \S 4 has been invoked --- lie with the copyright holder of
|
|
|
|
the software. FSF is one of the largest copyright holders in the world of
|
|
|
|
GPL'd software, but we are by no means the only one. Thus, we sometimes
|
2004-02-12 21:08:33 +00:00
|
|
|
discover that while GPL'd code is present in the software, there is no
|
|
|
|
software copyrighted by FSF present.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
|
|
|
In cases where FSF does not hold copyright interest in the software, but
|
|
|
|
we have confirmed a violation, we contact the copyright holders of the
|
2014-03-20 17:31:54 +00:00
|
|
|
software, and encourage them to enforce the GPL\@. We offer our good offices
|
2004-08-20 23:25:45 +00:00
|
|
|
to help negotiate compliance on their behalf, and many times, we help as a
|
|
|
|
third party to settle such GPL violations. However, what we will describe
|
2004-02-12 21:08:33 +00:00
|
|
|
primarily in this course is FSF's first-hand experience enforcing its own
|
2014-03-20 17:31:54 +00:00
|
|
|
copyrights and the GPL\@.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2004-01-15 23:19:24 +00:00
|
|
|
\section{First Contact}
|
|
|
|
|
|
|
|
The Free Software community is built on a structure of voluntary
|
2004-08-20 23:25:45 +00:00
|
|
|
cooperation and mutual help. Our community has learned that cooperation
|
2004-01-16 20:00:33 +00:00
|
|
|
works best when you assume the best of others, and only change policy,
|
|
|
|
procedures and attitudes when some specific event or occurrence indicates
|
2004-08-20 23:25:45 +00:00
|
|
|
that a change is necessary. We treat the process of GPL enforcement in
|
|
|
|
the same way. Our goal is to encourage violators to join the cooperative
|
|
|
|
community of software sharing, so we want to open our hand in friendship.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
|
|
|
Therefore, once we have confirmed a violation, our first assumption is
|
|
|
|
that the violation is an oversight or otherwise a mistake due to confusion
|
2004-08-20 23:25:45 +00:00
|
|
|
about the terms of the license. We reach out to the violator and ask them
|
2004-01-16 20:00:33 +00:00
|
|
|
to work with us in a collaborative way to bring the product into
|
2004-08-20 23:25:45 +00:00
|
|
|
compliance. We have received the gamut of possible reactions to such
|
2004-01-16 20:00:33 +00:00
|
|
|
requests, and in this course, we examine four specific examples of such
|
|
|
|
compliance work.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
% FIXME: make this section properly TeX-formatted
|
2014-11-07 12:35:19 +00:00
|
|
|
\chapter{ThinkPenguin Wireless Router: Excellent CCS}
|
2014-11-11 16:40:38 +00:00
|
|
|
\label{pristine-example}
|
2014-11-07 12:35:19 +00:00
|
|
|
|
|
|
|
Too often, case studies examine failure and mistakes. Indeed, most of the
|
|
|
|
chapters that follow herein will consider the myriad difficulties discovered
|
|
|
|
in community-oriented GPL enforcement for the last two decades. However, to
|
2014-11-09 22:21:19 +00:00
|
|
|
begin, this is a case study in how copyleft compliance can indeed be done correctly.
|
2014-11-07 12:35:19 +00:00
|
|
|
|
|
|
|
This example is, in fact, more than ten years in the making. Since almost
|
|
|
|
the inception of for-profit corporate adoption of Free Software, companies
|
|
|
|
have requested a clear example of a model citizen to emulate. Sadly, while
|
2014-11-07 12:38:12 +00:00
|
|
|
community-oriented enforcers have vetted uncounted thousands of ``Complete,
|
2014-11-09 22:21:19 +00:00
|
|
|
Corresponding Source'' (CCS) candidates from hundreds of companies, this
|
|
|
|
particular CCS release described herein is the first ever declared a ``pristine
|
2014-11-07 12:38:12 +00:00
|
|
|
example''.
|
|
|
|
|
|
|
|
% FIXME (above): link to a further discussion of CCS in the compliance guide
|
|
|
|
% when a good spot exists, then (below) link to a ``CCS iteration''
|
|
|
|
% discussion in compliance-guide.tex when one exists. (the ``iteration
|
|
|
|
% process'' is discussed in~\ref{} of this guide)
|
2014-11-07 12:35:19 +00:00
|
|
|
|
|
|
|
Of course, most CCS examined for the last decade has (eventually) complied
|
|
|
|
with the GPL, perhaps after many iterations of review by the enforcer.
|
2014-11-09 22:21:19 +00:00
|
|
|
However, in the experience of the two primary community-oriented enforcers
|
|
|
|
(Conservancy and the FSF), such CCS results routinely
|
|
|
|
``barely comply with GPL's requirements''. To use an academic analogy:
|
2014-11-07 12:35:19 +00:00
|
|
|
while a ``C'' is certainly a passing grade, any instructor prefers to
|
2014-11-07 15:50:14 +00:00
|
|
|
disseminate to the class an exemplar sample that earned an ``A''.
|
2014-11-07 12:35:19 +00:00
|
|
|
|
2014-11-07 15:24:09 +00:00
|
|
|
Fortunately, thanks in large part to the FSF's
|
2014-11-07 17:52:38 +00:00
|
|
|
``Respects Your Freedom'' (RYF) certification campaign\footnote{\href{http://www.fsf.org/resources/hw/endorsement/respects-your-freedom}{RYF is
|
2014-11-07 12:35:19 +00:00
|
|
|
a campaign by FSF to certify products that truly meet the principles of
|
|
|
|
software freedom}. Products must meet
|
|
|
|
\href{http://www.fsf.org/resources/hw/endorsement/criteria}{strict
|
|
|
|
standards for RYF certification}, and among them is a pristine example of
|
2014-11-09 22:21:19 +00:00
|
|
|
CCS\@.}, a few electronics products on the market meet
|
|
|
|
a higher standard of copyleft compliance. As such, for the first
|
2014-11-07 12:35:19 +00:00
|
|
|
time in the history of copyleft, CCS experts have pristine examples to study
|
|
|
|
and present as exemplars worthy of emulation.
|
|
|
|
|
|
|
|
This case study therefore examines the entire life-cycle of a GPL compliance
|
2014-11-09 22:21:19 +00:00
|
|
|
investigation: from product purchase, to source request, to CCS review, and concluding
|
|
|
|
in a final compliance determination.
|
2014-11-07 12:39:59 +00:00
|
|
|
Specifically, this chapter discusses the purchase, CCS provision, and a
|
|
|
|
step-by-step build and installation analysis of a specific, physical,
|
2014-11-09 22:21:19 +00:00
|
|
|
embedded electronics product:
|
2014-11-18 02:22:02 +00:00
|
|
|
\href{https://www.thinkpenguin.com/gnu-linux/free-software-wireless-n-broadband-router-gnu-linux-tpe-nwifirouter2}{the
|
2014-11-07 15:50:14 +00:00
|
|
|
``TPE-NWIFIROUTER'' wireless router by ThinkPenguin}.\footnote{The FSF of
|
2014-11-09 22:21:19 +00:00
|
|
|
course performed a thorough CCS check as part of its certification process.
|
2014-11-07 12:43:07 +00:00
|
|
|
The analysis discussed herein was independently performed by Software
|
2014-11-09 22:21:19 +00:00
|
|
|
Freedom Conservancy without reviewing the FSF's findings. Thus, this
|
|
|
|
analysis is ``true to form'', and explains the typical procedures Conservancy
|
|
|
|
uses when investigating a potential GPL violation. In this case, obviously, no
|
2014-11-07 12:43:07 +00:00
|
|
|
violation was uncovered.}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:53:12 +00:00
|
|
|
\section{Consumer Purchase and Unboxing}
|
|
|
|
|
|
|
|
The process for copyleft compliance investigation, when properly conducted,
|
|
|
|
determines whether users inclined to exercise their rights under a copyleft
|
|
|
|
license will be successful in their attempt. Therefore, at every stage, the
|
|
|
|
investigator seeks to take actions that reasonably technically knowledgeable
|
|
|
|
users would during the ordinary course of their acquisition and use of
|
2014-11-09 22:21:19 +00:00
|
|
|
copyleft-covered products. As such, the investigator typically purchases the device on the
|
2014-11-07 12:53:12 +00:00
|
|
|
open market to verify that distribution of the copylefted software therein
|
2014-11-07 15:54:25 +00:00
|
|
|
complies with binary distribution requirements (such as those
|
2014-11-07 12:53:12 +00:00
|
|
|
\tutorialpartsplit{discussed in \textit{Detailed Analysis of the GNU GPL and
|
2014-11-09 22:21:19 +00:00
|
|
|
Related Licenses}}{discussed earlier in \S~\ref{GPLv2s3} and
|
2014-11-07 15:54:25 +00:00
|
|
|
\S~\ref{GPLv3s6}}).
|
2014-11-07 12:53:12 +00:00
|
|
|
|
2014-11-07 13:08:15 +00:00
|
|
|
% FIXME: Above is my only use of \tutorialpartsplit in this chapter. I just
|
|
|
|
% got lazy and that should be fixed by someone.
|
|
|
|
|
2014-11-07 13:07:25 +00:00
|
|
|
\label{thinkpenguin-included-ccs}
|
|
|
|
|
|
|
|
Therefore, the investigator first purchased the TPE-NWIFIROUTER through an
|
|
|
|
online order, and when the package arrived, examined the contents of the box.
|
|
|
|
The investigator immediately discovered that ThinkPenguin had taken advice
|
2014-11-09 22:21:19 +00:00
|
|
|
from \S~\ref{offer-for-source}, and exercised
|
|
|
|
\hyperref[GPLv2s3a]{GPLv2\S3(a)} and \hyperref[GPLv3s6]{GPLv3\S6}, rather than
|
2014-11-07 13:14:58 +00:00
|
|
|
using the \hyperref[offer-for-source]{problematic offer for source
|
2014-11-09 22:21:19 +00:00
|
|
|
provisions}. This choice not only accelerated the investigation (since there
|
|
|
|
was no CCS offer to ``test''), but also simplified the compliance requirements for
|
2014-11-07 13:07:25 +00:00
|
|
|
ThinkPenguin.
|
2014-11-07 12:53:12 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{Root Filesystem and Kernel Compilation}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 13:39:24 +00:00
|
|
|
The CD found in the box was labeled ``libreCMC v1.2.1 source code'', and
|
2014-11-09 22:21:19 +00:00
|
|
|
contained 407 megabytes of data. The investigator copied this ISO to a
|
|
|
|
desktop GNU/Linux system and
|
2014-11-07 13:52:22 +00:00
|
|
|
examined its contents. Upon doing so, the investigator immediately found a
|
|
|
|
file called ``README'' at the top-level directory:
|
2014-11-07 13:39:24 +00:00
|
|
|
|
|
|
|
\lstset{tabsize=2}
|
|
|
|
\begin{lstlisting}[language=bash]
|
2014-11-09 21:44:00 +00:00
|
|
|
$ dd if=/dev/cdrom of=libreCMC_v1.2.1_SRC.iso
|
|
|
|
$ mkdir libCMC
|
|
|
|
$ sudo mount -o loop ./libreCMC_v1.2.1_SRC.iso libCMC
|
|
|
|
mount: block device /path/to/libreCMC_v1.2.1_SRC.iso
|
|
|
|
is write-protected, mounting read-only
|
|
|
|
$ ls -1 libCMC
|
|
|
|
bin
|
|
|
|
librecmc-u-boot.tar.bz2
|
|
|
|
librecmc-v1.2.1.tar.bz2
|
|
|
|
README
|
|
|
|
u-boot_reflash
|
|
|
|
$ cat libCMC/README
|
|
|
|
...
|
2014-11-07 13:39:24 +00:00
|
|
|
\end{lstlisting}
|
|
|
|
\label{thinkpenguin-toplevel-readme}
|
2014-11-09 22:21:19 +00:00
|
|
|
The investigator therefore knew immediately to begin the CCS check should
|
|
|
|
begin with a study of the contents of ``README''. Indeed, that file contained the appropriate
|
|
|
|
details to start the build:
|
2014-11-07 13:39:24 +00:00
|
|
|
\begin{quotation}
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
In order to build firmware images for your router, the following needs to be
|
2014-11-07 13:39:24 +00:00
|
|
|
installed:
|
|
|
|
|
|
|
|
gcc, binutils, bzip2, flex, python, perl, make, find, grep, diff, unzip,
|
|
|
|
gawk, getopt, libz-dev and libc headers.
|
|
|
|
|
|
|
|
Please use ``make menuconfig'' to configure your appreciated configuration
|
|
|
|
for the toolchain and firmware. Please note that the default configuration is
|
|
|
|
what was used to build the firmware image for your router. It is advised that
|
|
|
|
you use this configuration.
|
|
|
|
|
|
|
|
Simply running ``make'' will build your firmware. The build system will
|
|
|
|
download all sources, build the cross-compile toolchain, the kernel and all
|
|
|
|
chosen applications.
|
|
|
|
|
|
|
|
To build your own firmware you need to have access to a GNU/Linux system
|
|
|
|
(case-sensitive filesystem required).
|
|
|
|
\end{quotation}
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
In other words, the first ``script'' that investigator ``ran'' was the above.
|
|
|
|
This was not a software script, rather the processor for the script was the investigator's own
|
|
|
|
brain --- like a script of a play. Less glibly stated: instructions written in
|
|
|
|
English are usually necessary for the build and installation operations
|
|
|
|
that demand actual intelligence.
|
|
|
|
In this case, the investigator ascertained the host system requirements
|
|
|
|
for construction of this embedded firmware.
|
|
|
|
|
|
|
|
GPL does not give specific guidance on the form or location of
|
|
|
|
``scripts used to control compilation and installation of the executable''
|
|
|
|
and/or ``Installation Information''. Community-oriented GPL enforcers apply a
|
|
|
|
``reasonableness standard'' to evaluate such instructions. If an investigator of
|
2014-11-07 13:39:24 +00:00
|
|
|
average skill in embedded firmware construction can surmise the proper
|
|
|
|
procedures to build and install a replacement firmware, the instructions are
|
2014-11-09 22:21:19 +00:00
|
|
|
likely sufficient to meet GPL's requirements. Fortunately, in this case, the
|
|
|
|
instructions are more abundant and give extra detail.
|
2014-11-07 13:39:24 +00:00
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
Nevertheless, these instructions offer more options than the reader
|
|
|
|
typically sees in other CCS candidates. More typically, top-level build
|
|
|
|
instructions name an exact host distribution to use, such as
|
2014-11-07 16:03:21 +00:00
|
|
|
``Debian 7 installed on an amd64 system with the following packages
|
2014-11-09 22:21:19 +00:00
|
|
|
installed''. Of course, if the build will fail on any other system,
|
|
|
|
instructions \textit{should} include such details. However, this CCS builds
|
|
|
|
on a wide range of distributions, and thus it was appropriate (and preferred)
|
|
|
|
that the build instructions do not specify a specific distribution.
|
2014-11-07 13:51:07 +00:00
|
|
|
|
|
|
|
\label{thinkpenguin-specific-host-system}
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
In this specific case, the developers of the libreCMC project (a Free
|
|
|
|
Software project that forms the base system for the TPE-NWIFIROUTER) have
|
|
|
|
clearly made an effort to ensure the CCS builds on a variety of host systems.
|
|
|
|
The investigator was in fact dubious upon seeing these instructions, since
|
|
|
|
finicky embedded build processes usually require a very specific host system.
|
|
|
|
Fortunately, it seems such doubts were generally unfounded (although the
|
|
|
|
investigator did find
|
|
|
|
\hyperref[thinkpenguin-glibc-214-issue]{a minor annoyance that could be
|
|
|
|
resolved with more detailed instructions}).
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 14:09:46 +00:00
|
|
|
Anyway, since these instructions did not specify a specific host system, the
|
2014-11-09 22:21:19 +00:00
|
|
|
investigator simply used his own amd64 Debian GNU/Linux 6 desktop system. Before
|
2014-11-07 14:09:46 +00:00
|
|
|
beginning, the investigator used the following command:
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 14:09:46 +00:00
|
|
|
\lstset{tabsize=2}
|
|
|
|
\begin{lstlisting}[language=bash]
|
2014-11-09 21:44:00 +00:00
|
|
|
$ dpkg --list | egrep '^iii' | less
|
2014-11-07 14:09:46 +00:00
|
|
|
\end{lstlisting}
|
|
|
|
|
|
|
|
to verify that the required packages listed in the README were
|
2014-11-07 15:13:36 +00:00
|
|
|
installed\footnote{The ``dpkg'' command is a Debian-specific way of
|
2014-11-07 14:09:46 +00:00
|
|
|
finding installed packages.}.
|
|
|
|
|
|
|
|
|
|
|
|
Next, the investigator then extracted the primary source package with the
|
|
|
|
following command:
|
|
|
|
|
|
|
|
\lstset{tabsize=2}
|
|
|
|
\begin{lstlisting}[language=bash]
|
2014-11-09 21:44:00 +00:00
|
|
|
$ tar --posix -jxpf libCMC/librecmc-v1.2.1.tar.bz2
|
2014-11-07 14:09:46 +00:00
|
|
|
\end{lstlisting}
|
|
|
|
|
|
|
|
The investigator did notice an additional source release, entitled
|
|
|
|
``librecmc-u-boot.tar.bz2''. The investigator concluded upon simple
|
|
|
|
inspection that the instructions found in ``u-boot\verb0_0reflash'' were
|
|
|
|
specific instructions for that part of the CCS\@. This was a minor
|
2014-11-09 22:21:19 +00:00
|
|
|
annoyance, and ideally the ``README'' would so-state, but the CCS filesystem
|
|
|
|
layout met the reasonableness standard; the skilled investigator determine the correct
|
2014-11-07 14:09:46 +00:00
|
|
|
course of action with a few moments of study.
|
|
|
|
|
|
|
|
The investigator then noted the additional step offered by the ``README'',
|
|
|
|
which read:
|
|
|
|
\begin{quotation}
|
|
|
|
Please use ``make menuconfig'' to configure your appreciated configuration
|
|
|
|
for the toolchain and firmware. Please note that the default configuration is
|
|
|
|
what was used to build the firmware image for your router. It is advised that
|
|
|
|
you use this configuration.
|
|
|
|
\end{quotation}
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
This instruction actually exceeds GPL's requirements.
|
2014-11-07 14:09:46 +00:00
|
|
|
Specifically, the instruction guides users in their first step toward
|
|
|
|
exercising the freedom to modify the software. While the GPL does contain
|
2014-11-07 16:11:41 +00:00
|
|
|
requirements that facilitate the freedom to modify (such as ensuring the CCS is
|
2014-11-09 22:21:19 +00:00
|
|
|
in the ``preferred form \ldots for making modifications to it''), GPL
|
|
|
|
does not require specific instructions explaining how to undertake
|
|
|
|
modifications. This specific instruction therefore exemplifies
|
2014-11-07 14:09:46 +00:00
|
|
|
the exceptional quality of this particular CCS\@.
|
|
|
|
|
|
|
|
%FIXME: add a \hyperref to some ``preferred for for modification'' stuff above.
|
|
|
|
|
|
|
|
However, for purposes of the CCS verification process, typically the
|
|
|
|
investigator avoids any unnecessary changes to the source code during the
|
|
|
|
build process, lest the investigator err and cause the build to fail through
|
|
|
|
his own modification, and thus incorrectly identify the CCS as inadequate.
|
|
|
|
Therefore, the investigator proceeded to simply run:
|
|
|
|
|
|
|
|
\lstset{tabsize=2}
|
|
|
|
\begin{lstlisting}[language=bash]
|
2014-11-09 21:44:00 +00:00
|
|
|
$ cd libCMC
|
|
|
|
$ make
|
2014-11-07 14:09:46 +00:00
|
|
|
\end{lstlisting}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 14:09:46 +00:00
|
|
|
and waited approximately 40 minutes for the build to complete\footnote{Build
|
2014-11-07 21:58:26 +00:00
|
|
|
times will likely vary widely on various host systems.}. The investigator
|
2014-11-07 14:09:46 +00:00
|
|
|
kept a
|
|
|
|
\href{https://gitorious.org/copyleft-org/tutorial/source/master:enforcement-case-studies_log-output/thinkpenguin_librecmc-complete.log}{full
|
|
|
|
log of the build}, which is not included herein due its size (approximately
|
|
|
|
7.2K of text).
|
2014-11-07 14:45:44 +00:00
|
|
|
\label{thinkpenguin-main-build}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 16:11:41 +00:00
|
|
|
Upon completion of the ``make'' process, the investigator immediately found
|
2014-11-07 14:20:07 +00:00
|
|
|
(almost to his surprise) several large firmware files in the ``bin/ar71xx''
|
|
|
|
directory. Typically, this step in the CCS verification process is
|
|
|
|
harrowing. In most cases, the ``make'' step will fail due to a missing
|
|
|
|
package or because toolchain paths are not setup correctly.
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
In light of such experiences, the investigator speculated that ThinkPenguin's engineers did
|
|
|
|
the most important step in self-CCS verification: test one's own instructions
|
2014-11-07 14:20:07 +00:00
|
|
|
on a clean system. Ideally, an employee with similar skills but
|
|
|
|
unfamiliar with the specific product can most easily verify CCS and identify
|
|
|
|
problems before a violation occurs.
|
|
|
|
|
|
|
|
% FIXME: Is there stuff about the above in the compliance guide? If so, link
|
|
|
|
% to it. If not, write it, then link to it. :)
|
|
|
|
|
|
|
|
However, upon completing the ``make'', the investigator was unclear which
|
2014-11-07 14:27:07 +00:00
|
|
|
filesystem and kernel images to install on the TPE-NWIFIROUTER hardware.
|
2014-11-07 14:20:07 +00:00
|
|
|
Ideally, the original ``README'' would indicate which image is appropriate
|
|
|
|
for the included hardware. However, this was ultimately an annoyance rather
|
2014-11-09 22:21:19 +00:00
|
|
|
than a compliance issue. Fortunately,
|
2014-11-07 14:27:07 +00:00
|
|
|
the web UI (see next section) on the TPE-NWIFIROUTER performs firmware image
|
2014-11-07 17:55:49 +00:00
|
|
|
installation. Additionally, the router's version number was specified on the
|
|
|
|
bottom of the device, which indicated which of the differently-versioned images
|
2014-11-09 22:21:19 +00:00
|
|
|
we should install. The investigator would prefer instructions such as
|
|
|
|
those found at
|
|
|
|
\url{http://librecmc.org/librecmc/wiki?name=Tp+MR3020}{instructions similar
|
|
|
|
to these} in the README itself; however, application of the reasonableness
|
|
|
|
standard here again indicates compliance, since a knowledgeable user can easily
|
2014-11-07 14:20:07 +00:00
|
|
|
determine the proper course of action.
|
2004-02-12 21:08:33 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{U-Boot Compilation}
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2014-11-07 14:45:44 +00:00
|
|
|
%FIXME: link to u-boot reflash, maybe put it in log-output dir?
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 14:45:44 +00:00
|
|
|
The investigator then turned his attention to the file,
|
2014-11-09 22:21:19 +00:00
|
|
|
``u-boot\verb0_0reflash''. These instructions explained how to
|
2014-11-07 14:45:44 +00:00
|
|
|
build and install the bootloader for the device.
|
2004-02-12 21:08:33 +00:00
|
|
|
|
2014-11-07 21:58:26 +00:00
|
|
|
The investigator followed the instructions for compiling U-Boot, and found
|
2014-11-07 14:45:44 +00:00
|
|
|
them quite straight-forward. The investigator discovered two minor
|
2014-11-07 21:58:26 +00:00
|
|
|
annoyances, however, while building U-Boot:
|
2004-02-12 21:08:33 +00:00
|
|
|
|
2014-11-07 14:45:44 +00:00
|
|
|
\begin{itemize}
|
2004-08-20 23:25:45 +00:00
|
|
|
|
2014-11-07 21:58:26 +00:00
|
|
|
\item The variable \verb0$U-BOOT_SRC0 was used as a placeholder for the name
|
2014-11-07 14:45:44 +00:00
|
|
|
of the extracted source directory. This was easy to surmise and was not a
|
|
|
|
compliance issue (per the reasonableness standard), but explicitly stating
|
2014-11-09 22:21:19 +00:00
|
|
|
that fact at the top of the instructions would be helpful.
|
2004-08-20 23:25:45 +00:00
|
|
|
|
2014-11-07 16:34:59 +00:00
|
|
|
\label{thinkpenguin-glibc-214-issue}
|
2014-11-07 14:45:44 +00:00
|
|
|
\item Toolchain binaries were included and used by default by the build
|
|
|
|
process. These binaries were not the appropriate ones for the
|
|
|
|
investigator's host system, and the build failed with the following error:
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 14:45:44 +00:00
|
|
|
\lstset{tabsize=2}
|
|
|
|
\begin{lstlisting}
|
2014-11-07 15:23:15 +00:00
|
|
|
mips-librecmc-linux-uclibc-gcc.bin: /lib/libc.so.6:
|
|
|
|
version `GLIBC`_2.14' not found
|
2014-11-09 21:44:00 +00:00
|
|
|
(required by mips-librecmc-linux-uclibc-gcc.bin)
|
2014-11-07 14:45:44 +00:00
|
|
|
\end{lstlisting}
|
|
|
|
|
|
|
|
(The
|
|
|
|
\href{https://gitorious.org/copyleft-org/tutorial/source/master:enforcement-case-studies_log-output/thinkpenguin_u-boot-build_fail.log}{complete
|
|
|
|
log output from the failure} is too lengthy to include herein.)
|
|
|
|
|
|
|
|
This issue is an annoyance, not a compliance problem. It was clear from
|
2014-11-09 22:21:19 +00:00
|
|
|
context that these binaries were simply for a different host architecture, and
|
|
|
|
the investigator simply removed ``toolchain/bin'' and created a symlink to
|
2014-11-07 14:45:44 +00:00
|
|
|
utilize the toolchain already built earlier (during the compilation
|
|
|
|
discussed in \S~\ref{thinkpenguin-main-build}):
|
|
|
|
|
|
|
|
\lstset{tabsize=2}
|
|
|
|
\begin{lstlisting}
|
2014-11-09 21:44:00 +00:00
|
|
|
$ ln -s \
|
2014-11-07 15:23:15 +00:00
|
|
|
../../staging_dir/toolchain-mips_34kc_gcc-4.6-linaro_uClibc-0.9.33.2/bin \
|
|
|
|
toolchain/bin
|
2014-11-07 14:45:44 +00:00
|
|
|
\end{lstlisting}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
|
|
|
|
2014-11-07 14:45:44 +00:00
|
|
|
After this change, the U-Boot build completed successfully.
|
|
|
|
\end{itemize}
|
2004-08-20 23:25:45 +00:00
|
|
|
|
2014-11-07 14:45:44 +00:00
|
|
|
The
|
|
|
|
\href{https://gitorious.org/copyleft-org/tutorial/source/master:enforcement-case-studies_log-output/thinkpenguin_u-boot-finish_build.log}{full
|
|
|
|
log of the build} is not included herein due its size (approximately 3.8K
|
|
|
|
of text). After that, the investigator found a new U-Boot image in the
|
|
|
|
``bin'' directory.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 14:48:57 +00:00
|
|
|
\section{Root Filesystem and Kernel Installation}
|
|
|
|
|
|
|
|
The investigator next tested installation of the firmware. In particular,
|
|
|
|
the investigator connected the TPE-NWIFIROUTER to a local network, and
|
|
|
|
visited \url{http://192.168.10.1/}, logged in, and chose the option sequence:
|
|
|
|
``System $\Rightarrow$ Backup / Flash Firmware''.
|
|
|
|
|
|
|
|
From there, the investigator chose the ``Flash new firmware image'' section
|
|
|
|
and selected the
|
|
|
|
``librecmc-ar71xx-generic-tl-wr841n-v8-squashfs-sysupgrade.bin'' image from
|
|
|
|
the ``bin/ar71xx'' directory. The investigator chose the ``v8'' image upon
|
|
|
|
verifying the physical router read ``v8.2'' on its bottom. The investigator
|
|
|
|
chose the ``sysupgrade'' version of the image because this was clearly a
|
|
|
|
system upgrade (as a firmware already came preinstalled on the
|
|
|
|
TPE-NWIFIROUTER).
|
|
|
|
|
2014-11-07 15:14:04 +00:00
|
|
|
Upon clicking ``Flash image\ldots'', the web interface prompted the
|
2014-11-07 14:48:57 +00:00
|
|
|
investigator to confirm the MD5 hash of the image to flash. The investigator
|
|
|
|
did so, and then clicked ``Proceed'' to flash the image. The process took
|
|
|
|
about one minute, at which point the web page refreshed to the login screen.
|
2014-11-09 22:21:19 +00:00
|
|
|
Upon logging in, the investigator was able to confirm in the ``Kernel Log''
|
|
|
|
section of the web interface that the newly built copy of Linux had indeed been
|
2014-11-07 14:48:57 +00:00
|
|
|
installed.
|
|
|
|
|
|
|
|
The investigator confirmed that a new version of ``busybox'' had also been
|
|
|
|
installed by using SSH to connect to the router and ran the command
|
|
|
|
``busybox'', which showed the newly-compiled version (via its date of
|
|
|
|
compilation).
|
|
|
|
|
|
|
|
%FIXME: dg: can you get me a screen shot for the Kernel Log above, and paste
|
|
|
|
%in the output of running busybox ?
|
2014-11-08 17:16:45 +00:00
|
|
|
%FIXME: bkuhn: the screen shot for the Kernel Log is in the log output dir at
|
|
|
|
%thinkpenguin_librecmc-built-kernel_log.png and the BusyBox output is in the
|
|
|
|
%same directory at thinkpenguin_librecmc-built-busybox_output.log - you may want
|
|
|
|
%to only use part of the BusyBox output (maybe even just the login) for brevity
|
2014-11-07 14:50:06 +00:00
|
|
|
|
2014-11-08 19:52:52 +00:00
|
|
|
\section{U-Boot Installation}
|
|
|
|
|
|
|
|
The U-Boot installation process is substantially more complicated than the
|
|
|
|
firmware update. The investigator purchased the optional serial cable
|
|
|
|
along with the TPE-NWIFIROUTER, in order to complete the U-Boot installation
|
2014-11-09 15:17:58 +00:00
|
|
|
per the instructions in ``u-boot\verb0_0reflash'' in its section ``Installing
|
|
|
|
u-boot to your router'', which reads:
|
|
|
|
|
|
|
|
\begin{quotation}
|
|
|
|
\begin{enumerate}
|
|
|
|
|
|
|
|
\item Install and configure any TFTP server on your PC (tftp-hpa).
|
|
|
|
Set a fixed IP address on your PC \ldots and connect it to the router,
|
|
|
|
using RJ45 network cable \ldots
|
|
|
|
|
|
|
|
\item Connect USB to UART adapter to the router and start any application to
|
|
|
|
communicate with it, like PuTTY. \ldots
|
|
|
|
|
|
|
|
\item Power on the router, wait for a line like one of the following and
|
|
|
|
interrupt the process of loading a kernel:
|
|
|
|
\begin{verbatim}
|
2014-11-09 22:21:19 +00:00
|
|
|
Autobooting in 1 seconds
|
|
|
|
(for most TP-Link routers, you should enter tpl at this point)
|
|
|
|
Hit ESC key to stop autoboot: 1 (for 8devices Carambola 2, use ESC key)
|
|
|
|
Hit any key to stop autoboot: 1 (for D-Link DIR-505, use any key)
|
2014-11-09 15:17:58 +00:00
|
|
|
\end{verbatim}
|
|
|
|
\item Set ipaddr and serverip environment variables:
|
|
|
|
\lstset{tabsize=2}
|
|
|
|
\begin{lstlisting}
|
|
|
|
hornet> setenv ipaddr 192.168.1.1
|
|
|
|
hornet> setenv serverip 192.168.1.2
|
|
|
|
\end{lstlisting}
|
|
|
|
|
|
|
|
\end{enumerate}
|
|
|
|
\end{quotation}
|
|
|
|
|
2014-11-09 18:57:14 +00:00
|
|
|
|
|
|
|
%FIXME: image of the serial cable available anywhere to put here:
|
|
|
|
% https://www.adafruit.com/images/970x728/954-02.jpg
|
|
|
|
|
|
|
|
The investigator used the purchased serial cable, which was a USB serial
|
|
|
|
adapter with a male USB type A connector to 4 female jumper wires. The
|
|
|
|
female jumper wires were red, black, white, and green.
|
|
|
|
|
|
|
|
The instructions here were slightly incomplete, since they did not specify
|
|
|
|
how to connect the wires to the router. However, the investigator found
|
|
|
|
general information available online at
|
|
|
|
\url{http://wiki.openwrt.org/toh/tp-link/tl-wr841nd#serial.console} which
|
|
|
|
described the proper procedure. While the ``power'' and ``ground'' cables
|
|
|
|
were obvious, some trial and error was necessary to find the RX and TX
|
|
|
|
cables, but this was easily determined since miswiring TX and RX yields no
|
|
|
|
I/O and proper wiring yields the output as expected. Using the pin gender
|
|
|
|
changer included with the adapter, the investigator was able to stably wire
|
|
|
|
the pins for use once the proper RX and TX connections were determined.
|
|
|
|
|
|
|
|
The investigator then used the recommended 115200 8N1 for serial console
|
|
|
|
settings, leaving all flow control off, and tested both with the
|
|
|
|
\verb0minicom0 and \verb0screen0 commands. The investigator found that if
|
|
|
|
all 4 wires were connected on the USB serial adapter that the router would
|
|
|
|
start without additional power and the console would receive the startup
|
|
|
|
messages. The investigator could replicate the same behavior by omitting the
|
|
|
|
power cable from the USB serial adapter (red wire) and connecting the main
|
|
|
|
power adapter to the router instead.
|
|
|
|
|
|
|
|
At this point, the on-screen messages as described in the installation
|
|
|
|
instructions appeared, but the investigator found that no key events sent via
|
|
|
|
the serial port appeared to reach the U-Boot console. In other words, while
|
|
|
|
the investigator saw both U-Boot and kernel boot messages in the serial
|
|
|
|
console, the investigator was unable to interrupt the boot process as
|
|
|
|
instructed by ``u-boot\verb0_0reflash''. Hitting a key simply did
|
2014-11-09 20:30:20 +00:00
|
|
|
\textit{not} interrupt the boot process and yield the \verb0hornet>0 prompt.
|
2014-11-09 18:57:14 +00:00
|
|
|
|
|
|
|
After additional trial and error over a period of hours, the investigator had
|
|
|
|
finally to consider this question for the first time during the process:
|
|
|
|
``Has ThinkPenguin violated the GPL?'' More specifically, the immediate
|
|
|
|
question was: ``Given this failure, has the distributor met
|
2014-11-09 22:21:19 +00:00
|
|
|
\hyperref[GPLv2s3-build-scripts]{the requirements for `scripts used to
|
2014-11-09 18:57:14 +00:00
|
|
|
control \ldots installation of the executable' (GPLv2)} and
|
|
|
|
\hyperref[GPLv3-installation-information]{necessary `Installation
|
|
|
|
Information' (GPLv3)}?''
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
The appropriate answer to the question (at this specific stage) is ``possibly,
|
2014-11-09 18:57:14 +00:00
|
|
|
but more information is needed''. Embedded installation and configuration is
|
|
|
|
a tricky and complex technical process. While the GPL requires documentation
|
2014-11-09 22:21:19 +00:00
|
|
|
and clear instructions for this process, the investigator did not immediately blame the distributor
|
|
|
|
for what may be an honest, correctable mistake, or an issue legitimately explained by
|
2014-11-09 18:57:14 +00:00
|
|
|
feasible alternative theories.
|
|
|
|
|
|
|
|
In this case, upon remembering the issues of wiring, the investigator wonder
|
|
|
|
if perhaps the power pin was accidentally connected for a moment to the RX
|
|
|
|
pin while live. Such action could easily fry the RX pin, and yield the
|
|
|
|
observed behavior. Since the investigator could not rule out the possibility
|
|
|
|
of accidental connection of power to the RX pin mentioned, the investigator
|
|
|
|
had to assume the instructions would work properly if he had not made that
|
|
|
|
error.
|
|
|
|
|
|
|
|
That conclusion, while correct, also left the investigator with only two
|
|
|
|
option to complete the final verification of the CCS:
|
2014-11-08 19:52:52 +00:00
|
|
|
|
|
|
|
\begin{itemize}
|
|
|
|
|
2014-11-09 18:57:14 +00:00
|
|
|
\item Purchase a new router and cable anew, and reattempt the installation
|
|
|
|
process while taking extra care not to miswire any cables.
|
|
|
|
|
|
|
|
\item Seek assistance from the libreCMC community to find an alternative
|
|
|
|
method of installation.
|
2014-11-08 19:52:52 +00:00
|
|
|
|
|
|
|
\end{itemize}
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
The investigator chose the latter and then contacted a libreCMC developer
|
2014-11-09 18:57:14 +00:00
|
|
|
familiar with the product. That developer, who agreed the the RX pin was
|
|
|
|
likely ruined, described an alternative method for console access using the
|
2014-11-09 22:21:19 +00:00
|
|
|
{\tt netcat}. The libreCMC developer described the process as follows:
|
2014-11-09 18:57:14 +00:00
|
|
|
|
|
|
|
\begin{quotation}
|
|
|
|
|
|
|
|
\begin{itemize}
|
|
|
|
|
|
|
|
\item Change the IP address of the router to 192.168.1.1.
|
|
|
|
|
|
|
|
\item Change the IP address of a desktop GNU/Linux system to 192.168.1.2.
|
|
|
|
|
|
|
|
\item Power on the router while holding the reset button for 7 seconds.
|
|
|
|
|
|
|
|
\item Use the {\tt netcat} command (as below) on the desktop, and press
|
|
|
|
enter to receive U-Boot's prompt:
|
|
|
|
|
|
|
|
\lstset{tabsize=2}
|
|
|
|
\begin{lstlisting}[language=bash]
|
2014-11-09 21:44:00 +00:00
|
|
|
$ nc -u -p 6666 192.168.1.1 6666
|
|
|
|
uboot>
|
2014-11-09 18:57:14 +00:00
|
|
|
\end{lstlisting}
|
|
|
|
\end{itemize}
|
|
|
|
\end{quotation}
|
|
|
|
|
|
|
|
Upon following this procedure, the investigator was able to confirm the
|
2014-11-09 22:21:19 +00:00
|
|
|
(original) shipped version of U-Boot was still installed:
|
2014-11-09 18:57:14 +00:00
|
|
|
\begin{lstlisting}[language=bash]
|
2014-11-09 21:44:00 +00:00
|
|
|
$ nc -u -p 6666 192.168.1.1 6666
|
|
|
|
uboot> version
|
|
|
|
U-Boot 1.1.4 (Jul 28 2014)
|
2014-11-09 18:57:14 +00:00
|
|
|
\end{lstlisting}
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
Thereafter, the investigator followed the instructions from
|
|
|
|
``u-boot\verb0_0reflash''. Specifically, the investigator configured a TFTP server
|
|
|
|
and placed the newly built firmware into \texttt{/srv/tftp}. The investigator
|
|
|
|
also followed the remaining instructions in ``u-boot\verb0_0reflash'', but
|
|
|
|
used the \texttt{netcat} console rather than the serial console, and
|
2014-11-09 18:57:14 +00:00
|
|
|
used U-Boot's \texttt{reset} command to reboot the router.
|
|
|
|
|
|
|
|
Upon reboot, the serial console (still connect with working output) showed
|
|
|
|
the message \texttt{U-Boot 1.1.4 (Oct 17 2014)}, and thus confirmed a
|
|
|
|
successful reflash of the U-Boot image built by the investigator.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{Firmware Comparison}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
Next, to ensure the CCS did indeed correspond to the firmware original
|
2014-11-07 14:56:54 +00:00
|
|
|
installed on the TPE-NWIFIROUTER, the investigator compared the built
|
|
|
|
firmware image with the filesystem originally found on the device itself.
|
2014-11-07 21:58:26 +00:00
|
|
|
The comparison steps were as follows:
|
2014-11-07 14:56:54 +00:00
|
|
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
|
|
|
\item Extract the filesystem from the image we built by running
|
|
|
|
\href{https://gitorious.org/copyleft-org/gpl-compliance-scripts/source/master:find-firmware.pl}{find-firmware.pl}
|
|
|
|
on ``bin/ar71xx/librecmc-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin''
|
2014-11-07 21:58:26 +00:00
|
|
|
and then running
|
2014-11-07 14:56:54 +00:00
|
|
|
\href{http://www.binaryanalysis.org/en/content/show/download}{bat-extratools}'
|
2014-11-07 21:58:26 +00:00
|
|
|
``squashfs4.2/squashfs-tools/bat-unsquashfs42'' on the resulting
|
|
|
|
morx0.squash, using the filesystem in the new squashfs-root directory for
|
2014-11-07 14:56:54 +00:00
|
|
|
comparison.
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
\item Login to the router's web interface (at \url{http://192.168.10.1/ }) from a computer
|
2014-11-07 12:07:19 +00:00
|
|
|
connected to the router.
|
2014-11-07 14:56:54 +00:00
|
|
|
|
|
|
|
\item Set a password using the provided link at the top (since the router's
|
|
|
|
UI warns that no password is set and asks the user to change it).
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
\item Logged into the router via SSH, using the root user with the
|
2014-11-07 14:56:54 +00:00
|
|
|
aforementioned password.
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
\item Compared representative directory listings and binaries to ensure the set of
|
|
|
|
included files (on the router) is similar to those found in the firmware
|
|
|
|
image that the investigator created (whose contents are now in the local squashfs-root directory). In
|
|
|
|
particular, the investigator did the following comparisons:
|
2014-11-07 14:56:54 +00:00
|
|
|
|
|
|
|
\begin{enumerate}
|
2014-11-09 22:21:19 +00:00
|
|
|
\item Listed the /bin folder (``ls -l /bin'') and confirm the list of files is the same
|
2014-11-07 14:56:54 +00:00
|
|
|
and that the file sizes are similar.
|
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
\item Checked the ``strings'' output of ``/bin/busybox'' to confirm it is similar in both
|
2014-11-07 14:56:54 +00:00
|
|
|
places (similar number of lines and content of lines). (One cannot directly
|
2014-11-07 12:07:19 +00:00
|
|
|
compare the binaries because the slight compilation variations will cause
|
2014-11-07 14:56:54 +00:00
|
|
|
some bits to be different.)
|
2014-11-09 22:21:19 +00:00
|
|
|
\item Repeated the above two steps for ``/lib/modules'', ``/usr/bin'', and other directories with
|
2014-11-07 12:07:19 +00:00
|
|
|
a significant number of binaries.
|
2014-11-07 14:56:54 +00:00
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
\item Checked that the kernel was sufficiently similar. The investigator
|
|
|
|
compared the ``dmesg'' output both before and after flashing the new
|
2014-11-07 14:56:54 +00:00
|
|
|
firmware. As the investigator expected, the kernel version string was
|
|
|
|
similar, but had a different build date and user@host indicator. (The
|
|
|
|
kernel binary itself is not easily accessible from an SSH login, but was
|
|
|
|
retrievable using the U-Boot console (the start address of the kernel in
|
2014-11-07 21:58:26 +00:00
|
|
|
flash appears to be 0x9F020000, based on the boot messages seen in the
|
|
|
|
serial console).
|
2014-11-07 14:56:54 +00:00
|
|
|
\end{enumerate}
|
|
|
|
\end{enumerate}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 15:06:21 +00:00
|
|
|
\section{Minor Annoyances}
|
|
|
|
|
|
|
|
As discussed in detail above, there were a few minor annoyances, none of
|
|
|
|
which were GPL violations. Rather, the annoyances briefly impeded the
|
|
|
|
build and installation. However, the investigator, as a reasonably skilled
|
|
|
|
build engineer for embedded devices, was able to complete the process with
|
|
|
|
the instructions provided.
|
|
|
|
|
|
|
|
To summarize, no GPL compliance issues were found, and the CCS release was
|
2014-11-09 19:05:26 +00:00
|
|
|
one of the best ever reviewed by any investigator at any community-oriented
|
|
|
|
enforcement organization. However, the following annoyances were discovered:
|
2014-11-07 15:06:21 +00:00
|
|
|
|
|
|
|
\begin{itemize}
|
|
|
|
\item Failure to explain how to extract the source tarball and then where to run the
|
|
|
|
``make'' command.
|
|
|
|
\item Failure to explain how to install the kernel and root filesystem on the
|
|
|
|
device; the user must assume the web UI must be used.
|
|
|
|
|
|
|
|
\item Including pre-built toolchain binaries that don't work on all systems,
|
2014-11-09 22:21:19 +00:00
|
|
|
and failure to copy and/or symlink built toolchain binaries in the right location.
|
2014-11-09 19:05:48 +00:00
|
|
|
|
|
|
|
\item Failure to include information in the U-Boot installation instructions for
|
|
|
|
wiring the serial cable.
|
|
|
|
|
|
|
|
\item Ideally, the U-Boot installation instructions would also include the
|
|
|
|
{\tt netcat} method of installation.
|
|
|
|
|
|
|
|
\item Finally, the instructions should note that the new U-Boot firmware
|
2014-11-09 20:40:34 +00:00
|
|
|
should be placed into \texttt{/srv/tftp} when using TFTP on most GNU/Linux
|
2014-11-09 19:05:48 +00:00
|
|
|
desktops.
|
2014-11-07 15:06:21 +00:00
|
|
|
\end{itemize}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-09 19:05:48 +00:00
|
|
|
Thus, no CCS is absolutely perfect, but GPL violation investigators always
|
|
|
|
give the distributors the benefit of any doubts and seek to work with the
|
|
|
|
vendors and improve their CCS for the betterment of their users, customers,
|
|
|
|
and the entire software freedom community.
|
|
|
|
|
2014-11-07 13:07:25 +00:00
|
|
|
\section{Lessons Learned}
|
|
|
|
|
2014-11-07 15:08:13 +00:00
|
|
|
Companies that seek to redistribute copylefted software can benefit greatly
|
|
|
|
from ThinkPenguin's example. Here are just a few of the many lessons that
|
|
|
|
can be learned here:
|
|
|
|
|
2014-11-07 13:07:25 +00:00
|
|
|
\begin{enumerate}
|
|
|
|
|
|
|
|
\item Even though copyleft licenses have them,
|
|
|
|
\hyperref[thinkpenguin-included-ccs]{\bf avoid the offer-for-source
|
2014-11-09 22:21:19 +00:00
|
|
|
provisions}. Not only does including the CCS alongside binary
|
2014-11-07 13:07:25 +00:00
|
|
|
distribution make violation investigation and compliance confirmation
|
2014-11-09 22:21:19 +00:00
|
|
|
substantially easier, but also (and more importantly) doing so
|
2014-11-07 13:07:25 +00:00
|
|
|
\hyperref[offer-for-source]{completes the distributor's CCS compliance
|
|
|
|
obligations at the time of distribution} (provided, of course, that the
|
2014-11-09 22:21:19 +00:00
|
|
|
distributor is otherwise in compliance with the relevant copyleft license).
|
2014-11-07 13:07:25 +00:00
|
|
|
|
2014-11-07 13:39:24 +00:00
|
|
|
\item {\bf Include top-level build instructions in a natural language (such
|
|
|
|
as English) in a \hyperref[thinkpenguin-toplevel-readme]{clear and
|
|
|
|
conspicuous place}.} Copyleft licenses require that someone reasonably
|
2014-11-09 22:21:19 +00:00
|
|
|
skilled in the art can reproduce the build and installation. Typically,
|
|
|
|
instructions written in English are necessary, and often easier than writing
|
|
|
|
programmed scripts. The ``script'' included can
|
2014-11-07 13:39:24 +00:00
|
|
|
certainly be more like the script of a play and less like a Bash script.
|
|
|
|
|
2014-11-07 13:51:07 +00:00
|
|
|
\item {\bf Write build/install instructions to the appropriate level of
|
|
|
|
specificity}. The upstream engineers
|
|
|
|
in this case study \hyperref[thinkpenguin-specific-host-system]{clearly did
|
|
|
|
additional work to ensure functionality on a wide variety of host build
|
|
|
|
systems}; this is quite rare. When in doubt, include the maximum level
|
2014-11-09 22:21:19 +00:00
|
|
|
of detail build engineers can provide with the CCS instructions, but also
|
|
|
|
double-check to investigate if a more generalized solution (such as other
|
|
|
|
host systems) work just as well for the build.
|
2014-11-07 14:13:14 +00:00
|
|
|
|
|
|
|
\item {\bf Seek to adhere to the spirit of copyleft, not just the letter of
|
2014-11-09 22:21:19 +00:00
|
|
|
the license}. Encouragement of users to improve and
|
|
|
|
make their devices better is one of ThinkPenguin's commercial differentiators. Copyleft advocates
|
|
|
|
that other companies have undervalued the large and lucrative
|
|
|
|
market of
|
|
|
|
users who seek hackable devices. By going beyond the
|
2014-11-07 14:13:14 +00:00
|
|
|
mere minimal requirements of GPL, companies can immediately reap the
|
|
|
|
benefits in that target market.
|
2014-11-09 19:06:44 +00:00
|
|
|
|
2014-11-09 22:21:19 +00:00
|
|
|
\item Community-oriented enforcement organizations do not play ``gotcha''\footnote{For lack of a better
|
|
|
|
phrase.} with distributors regarding GPL
|
2014-11-09 19:06:44 +00:00
|
|
|
violations. The goal in the GPL enforcement process is to achieve
|
|
|
|
compliance and correct mistakes and annoyances. Such organizations
|
2014-11-09 22:56:35 +00:00
|
|
|
therefore take an ``innocent until proven guilty $\rightarrow$ assume guilty
|
2014-11-09 22:21:19 +00:00
|
|
|
due to honest error rather than malicious action '' approach. The goal
|
|
|
|
is compliance (in direct contrast with
|
2014-11-09 20:41:03 +00:00
|
|
|
the \hyperref[Proprietary Relicensing]{discussion in \S~\ref*{Proprietary Relicensing} about the
|
2014-11-09 22:21:19 +00:00
|
|
|
proprietary relicensing} business model).
|
2014-11-09 19:06:44 +00:00
|
|
|
|
2014-11-07 13:07:25 +00:00
|
|
|
\end{enumerate}
|
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\chapter{Bortez: Modified GCC SDK}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
In our first case study, we will consider Bortez, a company that
|
|
|
|
produces software and hardware toolkits to assist OEM vendors, makers
|
|
|
|
of consumer electronic devices.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{Facts}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
One of Bortez's key products is a Software Development Kit (``SDK'')
|
|
|
|
designed to assist developers building software for a specific class of
|
|
|
|
consumer electronics devices.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF received a report that the SDK may be based on the GNU Compiler
|
|
|
|
Collection (which is an FSF-copyrighted collection of tools for software
|
|
|
|
development in C, C++ and other popular languages). FSF investigated the
|
|
|
|
claim, but was unable to confirm the violation. The violation reporter
|
|
|
|
was unresponsive to follow-up requests for more information.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Since FSF was unable to confirm the violation, we did not pursue it any
|
|
|
|
further. Bogus reports do happen, and we do not want to burden companies
|
|
|
|
with specious GPL violation complaints. FSF shelved the matter until
|
|
|
|
more evidence was discovered.
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF was later able to confirm the violation when two additional reports
|
|
|
|
surfaced from other violation reporters, both of whom had used the SDK
|
|
|
|
professionally and noticed clear similarities to FSF's GNU GCC\@. FSF's
|
|
|
|
Compliance Engineer asked the reporters to run standard tests to confirm
|
|
|
|
the violation, and it was confirmed that Bortez's SDK was indeed a
|
|
|
|
modified version of GCC\@. Bortez had ported to Windows and added a number
|
|
|
|
of features, including support for a specific consumer device chipset and
|
|
|
|
additional features to aid in the linking process (``LP'') for those
|
|
|
|
specific devices. FSF explained the rights that the GPL afforded these
|
|
|
|
customers and pointed out, for example, that Bortez only needed to provide
|
|
|
|
source to those in possession of the binaries, and that the users may need
|
|
|
|
to request that source (if \S 3(b) was exercised). The violators
|
|
|
|
confirmed that such requests were not answered.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF brought the matter to the attention of Bortez, who immediately
|
|
|
|
escalated the matter to their attorneys. After a long negotiation,
|
|
|
|
Bortez acknowledged that their SDK was indeed a modified version of
|
|
|
|
GCC\@. Bortez released most of the source, but some disagreement
|
|
|
|
occurred over whether LP was also derivative of GCC\@. After repeated
|
|
|
|
FSF inquiries, Bortez reaudited the source to discover that FSF's
|
|
|
|
analysis was correct. Bortez determined that LP included a number of
|
|
|
|
source files copied from the GCC code-base.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\label{davrik-build-problems}
|
|
|
|
Once the full software release was made available, FSF asked the violation
|
|
|
|
reporters if it addressed the problem. Reports came back that the source
|
|
|
|
did not properly build. FSF asked Bortez to provide better build
|
|
|
|
instructions with the software, and such build instructions were
|
|
|
|
incorporated into the next software release.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
At FSF's request as well, Bortez informed customers who had previously
|
|
|
|
purchased the product that the source was now available by announcing
|
|
|
|
the availability on its Web site and via a customer newsletter.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Bortez did have some concerns regarding patents. They wished to include a
|
|
|
|
statement with the software release that made sure they were not granting
|
|
|
|
any patent permission other than what was absolutely required by the GPL\@.
|
|
|
|
They understood that their patent assertions could not trump any rights
|
|
|
|
granted by the GPL\@. The following language was negotiated into the release:
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\begin{quotation}
|
|
|
|
Subject to the qualifications stated below, Bortez, on behalf of itself
|
|
|
|
and its Subsidiaries, agrees not to assert the Claims against you for your
|
|
|
|
making, use, offer for sale, sale, or importation of the Bortez's GNU
|
|
|
|
Utilities or derivative works of the Bortez's GNU Utilities
|
|
|
|
(``Derivatives''), but only to the extent that any such Derivatives are
|
|
|
|
licensed by you under the terms of the GNU General Public License. The
|
|
|
|
Claims are the claims of patents that Bortez or its Subsidiaries have
|
|
|
|
standing to enforce that are directly infringed by the making, use, or
|
|
|
|
sale of an Bortez Distributed GNU Utilities in the form it was distributed
|
|
|
|
by Bortez and that do not include any limitation that reads on hardware;
|
|
|
|
the Claims do not include any additional patent claims held by Bortez that
|
|
|
|
cover any modifications of, derivative works based on or combinations with
|
|
|
|
the Bortez's GNU Utilities, even if such a claim is disclosed in the same
|
|
|
|
patent as a Claim. Subsidiaries are entities that are wholly owned by
|
|
|
|
Bortez.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
This statement does not negate, limit or restrict any rights you already
|
|
|
|
have under the GNU General Public License version 2.
|
|
|
|
\end{quotation}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
This quelled Bortez's concerns about other patent licensing they sought to
|
|
|
|
do outside of the GPL'd software, and satisfied FSF's concerns that Bortez
|
|
|
|
give proper permissions to exercise teachings of patents that were
|
|
|
|
exercised in their GPL'd software release.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Finally, a GPL Compliance Officer inside Bortez was appointed to take
|
|
|
|
responsibility for all matters of GPL compliance inside the company.
|
|
|
|
Bortez is responsible for informing FSF if the position is given to
|
|
|
|
someone else inside the company, and making sure that FSF has direct
|
|
|
|
contact with Bortez's Compliance Officer.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{Lessons}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
This case introduces a number of concepts regarding GPL enforcement.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Enforcement should not begin until the evidence is confirmed.}
|
|
|
|
Most companies that distribute GPL'd software do so in compliance, and at
|
|
|
|
times, violation reports are mistaken. Even with extensive efforts in
|
|
|
|
GPL education, many users do not fully understand their rights and the
|
|
|
|
obligations that companies have. By working through the investigation
|
|
|
|
with reporters, the violation can be properly confirmed, and {\bf the
|
|
|
|
user of the software can be educated about what to expect with GPL'd
|
|
|
|
software}. When users and customers of GPL'd products know their
|
|
|
|
rights, what to expect, and how to properly exercise their rights
|
|
|
|
(particularly under \S 3(b)), it reduces the chances for user
|
|
|
|
frustration and inappropriate community outcry about an alleged GPL
|
|
|
|
violation.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf GPL compliance requires friendly negotiation and cooperation.}
|
|
|
|
Often, attorneys and managers are legitimately surprised to find out
|
|
|
|
GPL'd software is included in their company's products. Engineers
|
|
|
|
sometimes include GPL'd software without understanding the requirements.
|
|
|
|
This does not excuse companies from their obligations under the license,
|
|
|
|
but it does mean that care and patience are essential for reaching GPL
|
|
|
|
compliance. We want companies to understand that participating and
|
|
|
|
benefiting from a collaborative Free Software community is not a burden,
|
|
|
|
so we strive to make the process of coming into compliance as smooth as
|
|
|
|
possible.
|
2004-02-12 21:08:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Confirming compliance is a community effort.} The whole point
|
|
|
|
of making sure that software distributors respect the terms of the GPL is to
|
|
|
|
allow a thriving software sharing community to benefit and improve the
|
|
|
|
work. FSF is not the expert on how a compiler for consumer electronic
|
|
|
|
devices should work. We therefore inform the community who originally
|
|
|
|
brought the violation to our attention and ask them to assist in
|
|
|
|
evaluation and confirmation of the product's compliance. Of course, FSF
|
|
|
|
coordinates and oversees the process, but we do not want compliance for
|
|
|
|
compliance's sake; rather, we wish to foster a cooperating community of
|
|
|
|
development around the Free Software in question, and encourage the
|
|
|
|
once-violator to begin participating in that community.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Informing the harmed community is part of compliance.} FSF asks
|
|
|
|
violators to make some attempt --- such as via newsletters and the
|
|
|
|
company's Web site --- to inform those who already have the products as
|
|
|
|
to their rights under the GPL\@. One of the key thrusts of the GPL's \S 1 and
|
|
|
|
\S 3 is to {\em make sure the user knows she has these rights\/}. If a
|
|
|
|
product was received out of compliance by a customer, she may never
|
|
|
|
actually discover that she has such rights. Informing customers, in a
|
|
|
|
way that is not burdensome but has a high probability of successfully
|
|
|
|
reaching those who would seek to exercise their freedoms, is essential
|
|
|
|
to properly remedy the mistake.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Lines between various copyright, patent, and other legal
|
|
|
|
mechanisms must be precisely defined and considered.} The most
|
|
|
|
difficult negotiation point of the Bortez case was drafting language
|
|
|
|
that simultaneously protected Bortez's patent rights outside of the
|
|
|
|
GPL'd source, but was consistent with the implicit patent grant in
|
|
|
|
the GPL\@. As we discussed in the first course of this series, there is
|
|
|
|
indeed an implicit patent grant with the GPL, thanks to \S 6 and \S 7.
|
|
|
|
However, many companies become nervous and wish to make the grant
|
|
|
|
explicit to assure themselves that the grant is sufficiently narrow for
|
|
|
|
their needs. We understand that there is no reasonable way to determine
|
|
|
|
what patent claims read on a company's GPL holdings and which do not, so
|
|
|
|
we do not object to general language that explicitly narrows the patent
|
|
|
|
grant to only those patents that were, in fact, exercised by the GPL'd
|
|
|
|
software as released by the company.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
2004-01-14 19:47:10 +00:00
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
2014-11-07 12:07:19 +00:00
|
|
|
\chapter{Bracken: a Minor Violation in a GNU/Linux Distribution}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
In this case study, we consider a minor violation made by a company whose
|
|
|
|
knowledge of the Free Software community and its functions is deep.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{The Facts}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Bracken produces a GNU/Linux operating system product that is sold
|
|
|
|
primarily to OEM vendors to be placed in appliance devices used for a
|
|
|
|
single purpose, such as an Internet-browsing-only device. The product
|
|
|
|
is almost 100\% Free Software, mostly licensed under the GPL and related
|
|
|
|
Free Software licenses.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF found out about this violation through a report first posted on a
|
|
|
|
Slashdot\footnote{Slashdot is a popular news and discussion site for
|
|
|
|
technical readers.} comment, and then it was brought to our attention again
|
|
|
|
by another Free Software copyright holder who had discovered the
|
|
|
|
same violation.
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Bracken's GNU/Linux product is delivered directly from their Web site.
|
|
|
|
This allowed FSF engineers to directly download and confirm the
|
|
|
|
violation quickly. Two primary problems were discovered with the
|
|
|
|
online distribution:
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\begin{itemize}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item No source code nor offer for source code was provided for a number
|
|
|
|
of components for the distributed GNU/Linux system; only binaries were
|
|
|
|
available
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item An End User License Agreement (``EULA'') was included that
|
|
|
|
contradicted the permissions granted by the GPL\@
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\end{itemize}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF contacted Bracken and gave them the details of the violation. Bracken
|
|
|
|
immediately ceased distribution of the product temporarily and set forth
|
|
|
|
a plan to bring themselves back into compliance. This plan included the
|
|
|
|
following steps:
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\begin{itemize}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item Bracken attorneys would rewrite the EULA to comply with the GPL and
|
|
|
|
would vet the new EULA through FSF before use
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item Bracken engineers would provide source side-by-side with the
|
|
|
|
binaries for the GNU/Linux distribution on the site (and on CD's, if
|
|
|
|
ever they distributed that way)
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item Bracken attorneys would run an internal seminar for its engineers
|
|
|
|
regarding proper GPL compliance to help ensure that such oversights
|
|
|
|
regarding source releases would not occur in the future
|
2004-01-16 20:00:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item Bracken would resume distribution of the product only after FSF
|
|
|
|
formally restored Bracken's distribution rights
|
|
|
|
\end{itemize}
|
2004-02-12 21:08:33 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
This case was completed in about a month. FSF approved the new EULA
|
|
|
|
text. The key portion in the EULA relating to the GPL read as follows:
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\begin{quotation}
|
|
|
|
Many of the Software Programs included in Bracken Software are distributed
|
|
|
|
under the terms of agreements with Third Parties (``Third Party
|
|
|
|
Agreements'') which may expand or limit the Licensee's rights to use
|
|
|
|
certain Software Programs as set forth in [this EULA]. Certain Software
|
|
|
|
Programs may be licensed (or sublicensed) to Licensee under the GNU
|
|
|
|
General Public License and other similar license agreements listed in part
|
|
|
|
in this section which, among other rights, permit the Licensee to copy,
|
|
|
|
modify and redistribute certain Software Programs, or portions thereof,
|
|
|
|
and have access to the source code of certain Software Programs, or
|
|
|
|
portions thereof. In addition, certain Software Programs, or portions
|
|
|
|
thereof, may be licensed (or sublicensed) to Licensee under terms stricter
|
|
|
|
than those set forth in [this EULA]. The Licensee must review the
|
|
|
|
electronic documentation that accompanies certain Software Programs, or
|
|
|
|
portions thereof, for the applicable Third Party Agreements. To the
|
|
|
|
extent any Third Party Agreements require that Bracken provide rights to
|
|
|
|
use, copy or modify a Software Program that are broader than the rights
|
|
|
|
granted to the Licensee in [this EULA], then such rights shall take
|
|
|
|
precedence over the rights and restrictions granted in this Agreement
|
|
|
|
solely for such Software Programs.
|
|
|
|
\end{quotation}
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF restored Bracken's distribution rights shortly after the work was
|
|
|
|
completed as described.
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{Lessons Learned}
|
2014-10-25 06:56:11 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
This case was probably the most quickly and easily resolved of all GPL
|
|
|
|
violations in the history of FSF's Compliance Lab. The ease with which
|
|
|
|
the problem was resolved shows a number of cultural factors that play a
|
|
|
|
role in GPL compliance.
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\begin{enumerate}
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Companies that understand Free Software culture better have an
|
|
|
|
easier time with compliance.} Bracken's products were designed and
|
|
|
|
built around the GNU/Linux system and Free Software components. Their
|
|
|
|
engineers were deeply familiar with the Free Software ecosystem, and
|
|
|
|
their lawyers had seen and reviewed the GPL before. The violation was
|
|
|
|
completely an honest mistake. Since the culture inside the company had
|
|
|
|
already adapted to the cooperative style of resolution in the Free
|
|
|
|
Software world, there was very little work for either party to bring the
|
|
|
|
product into compliance.
|
2014-10-25 06:57:52 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf When people in key positions understand the Free Software
|
|
|
|
nature of their software products, compliance concerns are as
|
|
|
|
mundane as minor software bugs.} Even the most functional system or
|
|
|
|
structure has its problems, and successful business often depends on
|
|
|
|
agile response to the problems that do come up; avoiding problems
|
|
|
|
altogether is a pipe dream. Minor GPL violations can and do happen
|
|
|
|
even with well-informed redistributors. However, resolution is
|
|
|
|
reached quickly when the company --- and in particular, the lawyers,
|
|
|
|
managers, and engineers working on the Free Software product lines
|
|
|
|
--- have adapted to Free Software culture that the lower-level
|
|
|
|
engineer already understood
|
2014-10-25 23:45:56 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Legally, distribution must stop when a violation is
|
|
|
|
identified.} In our opinion, Bracken went above and beyond the call of
|
|
|
|
duty by ceasing distribution while the violation was being resolved.
|
|
|
|
Under GPL \S 4, the redistributor loses the right to distribute the
|
|
|
|
software, and thus they are in ongoing violation of copyright law if
|
|
|
|
they distribute before rights are restored. It is FSF's policy to
|
|
|
|
temporarily allow distribution while compliance negotiations are ongoing
|
|
|
|
and only in the most extreme cases (where the other party appears to be
|
|
|
|
negotiating in bad faith) does FSF even threaten an injunction on
|
|
|
|
copyright grounds. However, Bracken --- as a good Free Software citizen
|
|
|
|
--- chose to be on the safe side and do the legally correct thing while
|
|
|
|
the violation case was pending. From start to finish, it took less
|
|
|
|
than a month to resolve. This lapse in distribution did not, to FSF's
|
|
|
|
knowledge, impact Bracken's business in any way.
|
2014-10-25 23:45:56 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf EULAs are a common area for GPL problems.} Often, EULAs
|
|
|
|
are drafted from boilerplate text that a company uses for all its
|
|
|
|
products. Even the most diligent attorneys forget or simply do not
|
|
|
|
know that a product contains software licensed under the GPL and other
|
|
|
|
Free Software licenses. Drafting a EULA that accounts for such
|
|
|
|
licenses is straightforward; the text quoted above works just fine.
|
|
|
|
The EULA must be designed so that it does not trump rights and
|
|
|
|
permissions already granted by the GPL\@. The EULA must clearly state
|
|
|
|
that if there is a conflict between it and the GPL, with regard to GPL'd
|
|
|
|
code, the GPL is the overriding license.
|
2014-10-25 23:45:56 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Compliance Officers are rarely necessary when companies are
|
|
|
|
educated about GPL compliance.} As we saw in the Bortez case, FSF asks
|
|
|
|
that a formal ``GPL Compliance Officer'' be appointed inside a
|
|
|
|
previously violating organization to shepherd the organization to a
|
|
|
|
cooperative approach to GPL compliance. However, when FSF
|
|
|
|
sees that an organization already has such an approach, there is no
|
|
|
|
need to request that such an officer be appointed.
|
2014-10-25 23:45:56 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\end{enumerate}
|
2014-10-25 23:45:56 +00:00
|
|
|
|
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\chapter{Vigorien: Security, Export Controls, and GPL Compliance}
|
2014-10-25 23:45:56 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
This case study introduces how concerns of ``security through obscurity''
|
|
|
|
and regulatory problems can impact GPL compliance matters.
|
2014-10-25 23:45:56 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{The Facts}
|
2014-11-02 17:41:25 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Vigorien distributes a back-up solution product that allows system
|
|
|
|
administrators to create encrypted backups of file-systems on
|
|
|
|
Unix-like computers. The product is based on GNU tar, a backup utility
|
|
|
|
that replaces the standard Unix utility simply called tar, but has
|
|
|
|
additional features.
|
2014-10-25 07:02:26 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Vigorien's backup solution added cryptographic features to GNU tar, and
|
|
|
|
included a suite of utilities and graphical user interfaces surrounding
|
|
|
|
GNU tar to make backups convenient.
|
2014-10-25 07:02:26 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF discovered the violation from a user report, and determined that the
|
|
|
|
cryptographic features were the only part of the product that constituted
|
|
|
|
a derivative work of GNU tar; the extraneous utilities merely made
|
|
|
|
shell calls out to GNU tar. FSF requested that Vigorien come into
|
|
|
|
compliance with the GPL by releasing the source of GNU tar, with the
|
|
|
|
cryptographic modifications, to its customers.
|
2014-10-25 07:02:26 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Vigorien released the original GNU tar sources, but kept the cryptographic
|
|
|
|
modifications proprietary. They argued that the security of their system
|
|
|
|
depending on keeping the software proprietary and that regardless, USA
|
|
|
|
export restrictions on cryptographic software prohibited such a release.
|
|
|
|
FSF disputed the first claim, pointing out that Vigorien had only one
|
|
|
|
option if they did not want to release the source: they would have to
|
|
|
|
remove GNU tar from the software and not distribute it further. Vigorien
|
|
|
|
rejected this suggestion, since GNU tar was an integral part of the
|
|
|
|
product, and the security changes were useless without GNU tar.
|
2014-10-25 07:02:26 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Regarding the export control claims, FSF proposed a number of options,
|
|
|
|
including release of the source from one of Vigorien's divisions overseas
|
|
|
|
where no such restrictions occurred, but Vigorien argued that the problem
|
|
|
|
was insoluble because they operated primarily in the USA\@.
|
2014-11-02 21:49:23 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
The deadlock on the second issue was resolved when those cryptographic
|
|
|
|
export restrictions were lifted shortly thereafter, and FSF again raised
|
|
|
|
the matter with Vigorien. At that point, they dropped the first claim and
|
|
|
|
agreed to release the remaining source module to their customers. They
|
|
|
|
did so, and the violation was resolved.
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-02 21:49:23 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{Lessons Learned}
|
2014-11-02 21:49:23 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\begin{enumerate}
|
2014-11-02 21:49:23 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Removing the GPL'd portion of the product is always an
|
|
|
|
option.} Many violators' first response is to simply refuse to
|
|
|
|
release the source code as the GPL requires. FSF offers the option to
|
|
|
|
simply remove the GPL'd portions from the product and continue along
|
|
|
|
without them. Every case where this has been suggested has led to
|
|
|
|
the same conclusion. Like Vigorien, the violator argues that the
|
|
|
|
product cannot function without the GPL'd components, and they
|
|
|
|
cannot effectively replace them.
|
2014-11-02 21:49:23 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Such an outcome is simply further evidence that the combined work in
|
|
|
|
question is indeed a modified version of the original GPL'd component.
|
|
|
|
If the other components cannot stand on their own and be useful without
|
|
|
|
the GPL'd portions, then one cannot effectively argue that the work as a
|
|
|
|
whole is not a based on the GPL'd portions.
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf The whole product is not always covered.} In this case,
|
|
|
|
Vigorien had additional works aggregated. The backup system was a suite
|
|
|
|
of utilities, some of which were the GPL and some of which were not. While
|
|
|
|
the cryptographic routines were tightly coupled with GNU tar and clearly
|
|
|
|
made a whole new combined work of both components, the various GUI utilities were separate and
|
|
|
|
independent works merely aggregated with the distribution of the
|
|
|
|
GNU-tar-based product.
|
2014-10-18 22:49:39 +00:00
|
|
|
|
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf ``Security'' concerns do not exonerate a distributor from GPL
|
|
|
|
obligations, and ``security through obscurity'' does not work anyway.}
|
|
|
|
The argument that ``this is security software, so it cannot be released
|
|
|
|
in source form'' is not a valid defense for explaining why the terms of
|
|
|
|
the GPL are ignored. If companies do not want to release source code
|
|
|
|
for some reason, then they should not base the work on GPL'd software.
|
|
|
|
No external argument for noncompliance can hold weight if the work as
|
|
|
|
a whole is indeed a modified version of a GPL'd program.
|
2014-11-02 17:41:25 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
The ``security concerns'' argument is often floated as a reason to keep
|
|
|
|
software proprietary, but the computer security community has on
|
|
|
|
numerous occasions confirmed that such arguments are entirely specious.
|
|
|
|
Security experts have found --- since the beginnings of the field of
|
|
|
|
cryptography in the ancient world --- that sharing results about systems
|
|
|
|
and having such systems withstand peer review and scrutiny builds the
|
|
|
|
most secure systems. While full disclosure may help some who wish to
|
|
|
|
compromise security, it helps those who want to fix problems even more
|
|
|
|
by identifying them early.
|
2014-11-02 17:41:25 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf External regulatory problems can be difficult to resolve.}
|
|
|
|
The GPL, though grounded in copyright law, does not have the power to trump
|
|
|
|
regulations like export controls. While Vigorien's ``security
|
|
|
|
concerns'' were specious, their export control concerns were not. It is
|
|
|
|
indeed a difficult problem that FSF acknowledges. We want compliance
|
|
|
|
with the GPL and respect for users' freedoms, but we certainly do not expect
|
|
|
|
companies to commit criminal offenses for the sake of compliance. We
|
|
|
|
will see more about this issue in our next case study.
|
|
|
|
\end{enumerate}
|
2014-10-18 22:49:39 +00:00
|
|
|
|
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices}
|
2014-11-02 17:41:25 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
This case study considers an ongoing (at the time of writing) violation
|
|
|
|
that has occurred. By the end of the investigation period, three
|
|
|
|
companies were involved and many complex issues arose.
|
2014-11-02 17:41:25 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{The Facts}
|
2014-11-02 17:41:25 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Haxil produced a consumer electronics device which included a mini
|
|
|
|
GNU/Linux distribution to control the device. The device was of interest
|
|
|
|
to many technically-minded consumers, who purchased the device and very
|
|
|
|
quickly discovered that Free Software was included without source.
|
|
|
|
Mailing lists throughout the Free Software community erupted with
|
|
|
|
complaints about the problem, and FSF quickly investigated.
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF confirmed that FSF-copyrighted GPL'd software was included. In
|
|
|
|
addition, the whole distribution included GPL'd works from hundreds of
|
|
|
|
individual copyright holders, many of whom were, at this point, up in
|
|
|
|
arms about the violation.
|
2014-11-02 21:49:23 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Meanwhile, Haxil was in the midst of being acquired by Polgara. Polgara
|
|
|
|
was as surprised as everyone else to discover the product was based on
|
|
|
|
GPL'd software; this fact had not been part of the disclosures made during
|
|
|
|
acquisition. FSF contacted Haxil, Polgara, and the product managers
|
|
|
|
who had transitioned into the ``Haxil division'' of the newly-merged
|
|
|
|
Polgara company. Polgara's General Counsel's office worked with FSF on
|
|
|
|
the matter.
|
2014-11-02 21:49:23 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF formed a coalition with the other primary copyright holders
|
|
|
|
to pursue the enforcement effort on their behalf. FSF communicated
|
|
|
|
directly with Polgara's representatives to begin working through the
|
|
|
|
issues on behalf of itself and the Free Software community at large.
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Polgara pointed out that the software distribution they used was mostly
|
|
|
|
contributed by an upstream provider, Thesulac, and Haxil's changes to that
|
|
|
|
code base were minimal. Polgara negotiated with Thesulac to obtain the
|
|
|
|
source, although the issue moved very slowly in the channels between
|
|
|
|
Polgara and Thesulac.
|
2014-10-25 23:49:47 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
FSF encouraged a round-table meeting so that high bandwidth communication
|
|
|
|
could occur between FSF, Polgara and Thesulac. Polgara and Thesulac
|
|
|
|
agreed, and that discussion began. Thesulac provided nearly complete
|
|
|
|
sources to Polgara, and Polgara made a full software release on their
|
|
|
|
Web site. At the time of writing, that software still has some build
|
|
|
|
problems (similar to those that occurred with Bortez, as described in
|
|
|
|
Section~\ref{davrik-build-problems}). FSF continues to negotiate with
|
|
|
|
Polgara and Thesulac to resolve these problems, which have a clear path to
|
|
|
|
a solution and are expected to resolve.
|
2014-10-25 23:49:47 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
Similar to the Vigorien case, Thesulac has regulatory concerns. In this
|
|
|
|
case, it is not export controls --- an issue that has since been resolved
|
|
|
|
--- but radio spectrum regulation. Since this consumer electronic device
|
|
|
|
contains a software-programmable radio transmitter, regulations in (at
|
|
|
|
least) the USA and Japan prohibit release of those portions of the code
|
|
|
|
that operate the device. Since this is a low-level programming issue, the
|
|
|
|
changes to operate the device form a single combined work with the kernel named
|
|
|
|
Linux. A decade later, this situation remains largely unresolved.
|
2014-10-25 23:49:47 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\section{Lessons Learned}
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\begin{enumerate}
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
\item {\bf Community outrage, while justified, can often make negotiation
|
|
|
|
more difficult.} FSF has a strong policy never to publicize names of
|
|
|
|
GPL violators if they are negotiating in a friendly way and operating in
|
|
|
|
good faith toward compliance. Most violations are honest mistakes, and
|
|
|
|
FSF sees no reason to publicly admonish violators who genuinely want to
|
|
|
|
come into compliance with the GPL and to work hard staying in compliance.
|
2014-10-18 22:49:39 +00:00
|
|
|
|
2014-11-07 12:07:19 +00:00
|
|
|
This case was so public in the Free Software community that both Haxil's
|
|
|
|
and Polgara's representatives were nearly shell-shocked by the time FSF
|
|
|
|
began negotiations. There was much work required to diffuse the
|
|
|
|
situation. We empathize with our community and their outrage about GPL
|
|
|
|
violations, but we also want to follow a path that leads expediently
|
|
|
|
to compliance. In our experience, public outcry works best as a last
|
|
|
|
resort, not the first.
|
|
|
|
|
|
|
|
\item {\bf For software companies, GPL compliance belongs on a corporate
|
|
|
|
acquisition checklist. } Polgara was truly amazed that Haxil had used
|
|
|
|
GPL'd software in a major new product line but never informed Polgara
|
|
|
|
during the acquisition process. While GPL compliance is not a
|
|
|
|
particularly difficult matter, it is an additional obligation that comes
|
|
|
|
along with the product line. When planning mergers and joint ventures,
|
|
|
|
one should include lists of GPL'd components contained in the products
|
|
|
|
discussed.
|
|
|
|
|
|
|
|
\item {\bf Compliance problems of upstream providers do not excuse a
|
|
|
|
violation for the downstream distributor.} To paraphrase \S 6, upstream
|
|
|
|
providers are not responsible for enforcing compliance of their
|
|
|
|
downstream, nor are downstream distributors responsible for compliance
|
|
|
|
problems of upstream providers. However, engaging in distribution of
|
|
|
|
GPL'd works out of compliance is still just that: a compliance problem.
|
|
|
|
When FSF carries out enforcement, we are patient and sympathetic when
|
|
|
|
the problem appears to be upstream. In fact, we urge the violator to
|
|
|
|
point us to the upstream provider so we may talk to them directly. In
|
|
|
|
this case, we were happy to begin negotiations with Thesulac. However,
|
|
|
|
Polgara still has an obligation to bring their product into compliance,
|
|
|
|
regardless of Thesulac's response.
|
|
|
|
|
|
|
|
\item {\bf It behooves upstream providers to advise downstream
|
|
|
|
distributors about compliance matters.} FSF has encouraged Thesulac to
|
|
|
|
distribute a ``good practices for GPL compliance'' document with their
|
|
|
|
product. Polgara added various software components to Thesulac's
|
|
|
|
product, and it is conceivable that such additions can introduce
|
|
|
|
compliance. In FSF's opinion, Thesulac is in no way legally responsible
|
|
|
|
for such a violation introduced by their customer, but it behooves them
|
|
|
|
from a marketing standpoint to educate their customers about using the
|
|
|
|
product. We can argue whether or not it is your coffee vendor's fault
|
|
|
|
if you burn yourself with their product, but (likely) no one on either
|
|
|
|
side would dispute the prudence of placing a ``caution: hot'' label on
|
|
|
|
the cup.
|
|
|
|
|
|
|
|
\item {\bf FSF enforcement often avoids redundant enforcement cases from
|
|
|
|
many parties.} Most Free Software systems have hundreds of copyright
|
|
|
|
holders. Some have thousands. FSF is in a unique position as one of
|
|
|
|
the largest single copyright holders on GPL'd software and as a
|
|
|
|
respected umpire in the community, neutrally enforcing the rules of the
|
|
|
|
GPL road. FSF works hard in the community to convince copyright
|
|
|
|
holders that consolidating GPL claims through FSF is better for them,
|
|
|
|
and more likely to yield positive compliance results.
|
|
|
|
|
|
|
|
A few copyright holders engage in the ``proprietary relicensing''
|
|
|
|
business, so they use GPL enforcement as a sales channel for that
|
|
|
|
business. FSF, as a community-oriented, not-for-profit organization,
|
|
|
|
seeks only to preserve the freedom of Free Software in its enforcement
|
|
|
|
efforts. As it turns out, most of the community of copyright holders
|
|
|
|
of Free Software want the same thing. Share and share alike is a
|
|
|
|
simple rule to follow, and following that rule to FSF's satisfaction
|
|
|
|
usually means you are following it to the satisfaction of the entire
|
|
|
|
Free Software community.
|
|
|
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
2014-10-18 22:49:39 +00:00
|
|
|
|
|
|
|
|
2004-01-14 19:47:10 +00:00
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
2014-02-20 17:58:44 +00:00
|
|
|
% COMMENT OUT THIS CHAPTER.
|
|
|
|
% FIXME: is this material moot now that we include the compliance guide?
|
|
|
|
% Either way, it should be merged into compliance guide.
|
|
|
|
%\chapter{Good Practices for Compliance}
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
Generally, from the experience of GPL enforcement, we glean the following
|
|
|
|
general practices that can help in GPL compliance for organizations that
|
|
|
|
distribute products based on GPL'd software:
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
\begin{itemize}
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
\item Talk to your software engineers and ask them where they got the
|
2004-08-20 23:25:45 +00:00
|
|
|
components they use in the products they build. Find out if GPL'd
|
2004-01-16 20:00:33 +00:00
|
|
|
components are present.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
\item Teach your engineering staff to pay attention to license documents.
|
|
|
|
Give them easy-to-follow policies to get approval for using a Free
|
|
|
|
Software component.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
\item Build a ``Free Software Licensing'' committee that handles requests
|
2014-03-20 17:31:54 +00:00
|
|
|
and questions about the GPL and other Free Software licenses.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2014-03-20 17:31:54 +00:00
|
|
|
\item Add ``What parts of your products are under the GPL or other Free
|
2004-01-16 20:00:33 +00:00
|
|
|
Software licenses?'' to your checklist of questions to ask when you
|
|
|
|
consider mergers, acquisitions, or joint ventures.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
\item Encourage your engineers to participate collaboratively with GPL'd
|
2004-08-20 23:25:45 +00:00
|
|
|
software development. The more knowledge about the Free Software world
|
2004-01-16 20:00:33 +00:00
|
|
|
your organization has, the better equipped it is to deal with this
|
|
|
|
rapidly changing field.
|
2004-01-15 23:19:24 +00:00
|
|
|
|
2004-01-16 20:00:33 +00:00
|
|
|
\item When someone points out a potential GPL violation in one of your
|
2014-03-20 17:31:54 +00:00
|
|
|
products, do not assume the product line is doomed. The GPL is not a virus;
|
2004-01-16 20:00:33 +00:00
|
|
|
merely having GPL'd code in one part of a product does not necessarily
|
2004-08-20 23:25:45 +00:00
|
|
|
mean that every related product must also be GPL'd. And, even if some
|
2004-01-16 20:00:33 +00:00
|
|
|
software needs to be released that was not before, the product will
|
2004-08-20 23:25:45 +00:00
|
|
|
surely survive. In FSF's enforcement efforts, we have not yet
|
2004-01-16 20:00:33 +00:00
|
|
|
seen a product line die because source was released to customers in
|
2014-03-20 17:31:54 +00:00
|
|
|
compliance with the GPL.
|
2004-01-14 19:47:10 +00:00
|
|
|
|
2004-08-20 23:25:45 +00:00
|
|
|
\end{itemize}
|
2004-01-16 20:00:33 +00:00
|
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
2004-01-14 19:47:10 +00:00
|
|
|
% LocalWords: proprietarize redistributors sublicense yyyy Gnomovision EULAs
|
|
|
|
% LocalWords: Yoyodyne FrontPage improvers Berne copyrightable Stallman's GPLs
|
|
|
|
% LocalWords: Lessig Lessig's UCITA pre PDAs CDs reshifts GPL's Gentoo glibc
|
2004-08-20 23:25:45 +00:00
|
|
|
% LocalWords: TrollTech administrivia LGPL's MontaVista OpenTV Mitek Arce DVD
|
|
|
|
% LocalWords: unprotectable protectable Unfreedonia chipset CodeSourcery Iqtel
|
|
|
|
% LocalWords: impermissibly Bateman faire minimis Borland uncopyrightable Mgmt
|
2014-11-09 22:23:27 +00:00
|
|
|
% LocalWords: franca downloadable Bortez Bortez's Gingerich Michlmayr LGPL
|
|
|
|
% LocalWords: Slashdot sublicensed Vigorien Vigorien's Haxil Polgara GPL'd
|
|
|
|
% LocalWords: Thesulac Polgara's Haxil's Thesulac's SDK CD's tpb CCS RYF cd
|
|
|
|
%% LocalWords: ThinkPenguin TPE NWIFIROUTER Unboxing copylefted GPLv mkdir
|
|
|
|
%% LocalWords: Filesystem libreCMC README tabsize libCMC sudo reflash gcc
|
|
|
|
%% LocalWords: binutils bzip perl getopt libz dev libc menuconfig amd dpkg
|
|
|
|
%% LocalWords: toolchain filesystem thinkpenguin egrep posix jxpf ar UI ln
|
|
|
|
%% LocalWords: ThinkPenguin's versioned bootloader SRC mips librecmc linux
|
|
|
|
%% LocalWords: uclibc symlink tl wr squashfs sysupgrade preinstalled TFTP
|
|
|
|
%% LocalWords: busybox tftp hpa IP RJ UART PuTTY ipaddr serverip setenv nc
|
|
|
|
%% LocalWords: miswiring minicom startup miswire netcat uboot extratools
|
|
|
|
%% LocalWords: morx Login dmesg login ccs toplevel readme differentiators
|
|
|
|
%% LocalWords: hackable Relicensing relicensing toolkits OEM reaudited
|
|
|
|
%% LocalWords: redistributor cryptographic
|