%include "default.mgp" %default 1 bgrad %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page %nodefault %back "blue" %center %size 7 GPL compliance in the Embedded and Mobile Market %center %size 4 by Harald Welte %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Introduction Who is speaking to you? an independent Free Software developer who earns his living by Free Software since 1997 who is one of the authors of the Linux kernel firewall system called netfilter/iptables who has started gpl-violations.org to enforce license compliance who IS NOT A LAWYER %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Disclaimer Legal Disclaimer All information presented here is provided on an as-is basis There is no warranty for correctness of legal information The author is not a lawyer This does not comprise legal advice The authors' experience is mostly limited to German copyright law %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Embedded Linux (traditionally) The traditional embedded [Linux] industry is selling high-quality products for markets like industrial automatization is typically composed by SME with very high skill level typically has relatively low quantities and thus high price typically has a relatively good reputation of GPL compliance thus not really a big problem maker %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Embedded Linux (mass market) The mass-market embedded industry has very long supply chains very few entities in that chain understand the product often unclear who truly originates a GPL violation elements of the supply chain distributed over many jurisdictions %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Embedded Linux Industry How does that industry work? chipset maker develops a chipset for a given application %pause chipset maker develops Board Support Package (BSP) %pause some board-level maker produces a reference board %pause reference board + BSP are used by all other companies to build their products %pause some big OEM customers buy the products not knowing or not asking what is in the product %pause the OEM sells its products through regular consumer electronics distributors %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Embedded Linux Industry How does that industry work, further complications the BSP might not be provided by the chipset maker itself they might have partnered with some other entity whom they might [erroneously?] think has better Linux skills it might be an alternative 3rd party BSP or it might be an improvement over the original BSP %pause the OEM might deliver its products to a telco or ISP who [sometimes exclusively] distributes the product bundled with its DSL / cable data services %pause the OEM might need to partner with some other company in order to get such an ISP/telco deal %pause any entity in the supply chain will push their own requirements down the chain %pause the board maker might not be able to have the skill, so they hire some 3rd party developers to hack the BSP to fulfill those requirements %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Embedded Linux Industry Other important facts about that industry even those companies which you perceive as key players are nothing more than brands most well-known names like D-Link, Linksys, Netgear, Belkin, ... don't do their own R&D they purchase/source on a per-device basis, i.e. every device might come from a different supplier, each with its own [software] architecture %pause business relationships are very ad-hoc e.g. at the time the consumer buys the product, the board maker might no longer do business with the BSP provider thus, limited economic pressure can be excerted onto them %pause many of the companies in that industry apparently don't even have basic engineering policies like use of a revision control system, so they might e.g. have lost the source code at the time somebody requests it as part of GPL compliance %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Embedded Linux Industry Specific problems we're seeing an incredible amount of technical incompetence almost nobody in the supply chain understands the product and its software architecture / components %pause this leads to incomplete source code releases that don't have "complete corresponding source code" (GPLv2) scripts to control compilation and installation %pause thus are impossible to actually compile into object code %pause contain GPL violations in itself (derivative works with proprietary components) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Complete Source Code %size 3 "... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable." For standard C-language programs, this means: Source Code Makefiles compile-time Configuration (such as kernel .config) General Rule: Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GPL Compliance in the Embedded Market Control Scripts The "Scripts" (scripts to control compilation and installation, see earlier slide) In case of embedded hardware, the "scripts" include: Tools for generating the firmware binary from the source (even if they are technically no 'scripts') %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page How to (not) use GPL Software Practical Source Code Offer Completeness The "complete corresponding source code" has to be made available %pause It has to be made available for each and every object-code version that was distributed %pause If you strip down the source code offer (e.g. remove proprietary source code), try to see whether the result actually compiles %pause I would argue that 75-90% of all "GPL source code" offers are incomplete and thus of limited practical usefullness %pause Many companies fail miserably at this we end up in a cycle of source code updates, reviews, updates, reviews. %pause Supplying the complete source is a _condition_ for using the GPL'd code in the first place %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page How to (not) use GPL Software The most common mistakes The most common mistakes %pause not even once reading the GPL text and/or the FAQ from the FSF %pause not including the GPL license text with the product %pause not including a written offer with the product %pause not considering that the GPL also applies to software updates %pause only providing original source code (e.g. vanilla kernel.org kernel) %pause not including the "scripts to control installation" %pause only providing off-site hyperlinks to license and/ore source code %pause not responding to support requests for source code %pause charging rediculously high fees for physical shipping of source code %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page GNU GPL - Copyright helps Copyleft The End %size 4 Further reading: %size 4 The http://gpl-violations.org/ project %size 4 The Free Software Foundation http://www.fsf.org/, http://www.fsf-europe.org/ %size 4 The GNU Project http://www.gnu.org/ %size 4 The netfilter homepage http://www.netfilter.org/ %% http://management.itmanagersjournal.com/management/04/05/31/1733229.shtml?tid=85&tid=4