1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
|
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
GPL compliance
in the
Embedded and Mobile Market
%center
%size 4
by
Harald Welte <laforge@gpl-violations.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Introduction
Who is speaking to you?
an independent Free Software developer
who earns his living by Free Software since 1997
who is one of the authors of the Linux kernel firewall system called netfilter/iptables
who has started gpl-violations.org to enforce license compliance
who IS NOT A LAWYER
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Disclaimer
Legal Disclaimer
All information presented here is provided on an as-is basis
There is no warranty for correctness of legal information
The author is not a lawyer
This does not comprise legal advice
The authors' experience is mostly limited to German copyright law
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Embedded Linux (traditionally)
The traditional embedded [Linux] industry
is selling high-quality products for markets like industrial automatization
is typically composed by SME with very high skill level
typically has relatively low quantities and thus high price
typically has a relatively good reputation of GPL compliance
thus not really a big problem maker
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Embedded Linux (mass market)
The mass-market embedded industry
has very long supply chains
very few entities in that chain understand the product
often unclear who truly originates a GPL violation
elements of the supply chain distributed over many jurisdictions
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Embedded Linux Industry
How does that industry work?
chipset maker develops a chipset for a given application
%pause
chipset maker develops Board Support Package (BSP)
%pause
some board-level maker produces a reference board
%pause
reference board + BSP are used by all other companies to build their products
%pause
some big OEM customers buy the products
not knowing or not asking what is in the product
%pause
the OEM sells its products through regular consumer electronics distributors
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Embedded Linux Industry
How does that industry work, further complications
the BSP might not be provided by the chipset maker itself
they might have partnered with some other entity whom they might [erroneously?] think has better Linux skills
it might be an alternative 3rd party BSP
or it might be an improvement over the original BSP
%pause
the OEM might deliver its products to a telco or ISP who [sometimes exclusively] distributes the product bundled with its DSL / cable data services
%pause
the OEM might need to partner with some other company in order to get such an ISP/telco deal
%pause
any entity in the supply chain will push their own requirements down the chain
%pause
the board maker might not be able to have the skill, so they hire some 3rd party developers to hack the BSP to fulfill those requirements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Embedded Linux Industry
Other important facts about that industry
even those companies which you perceive as key players are nothing more than brands
most well-known names like D-Link, Linksys, Netgear, Belkin, ... don't do their own R&D
they purchase/source on a per-device basis, i.e. every device might come from a different supplier, each with its own [software] architecture
%pause
business relationships are very ad-hoc
e.g. at the time the consumer buys the product, the board maker might no longer do business with the BSP provider
thus, limited economic pressure can be excerted onto them
%pause
many of the companies in that industry apparently don't even have basic engineering policies like use of a revision control system, so they might e.g. have lost the source code at the time somebody requests it as part of GPL compliance
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Embedded Linux Industry
Specific problems we're seeing
an incredible amount of technical incompetence
almost nobody in the supply chain understands the product and its software architecture / components
%pause
this leads to incomplete source code releases that
don't have "complete corresponding source code" (GPLv2)
scripts to control compilation and installation
%pause
thus are impossible to actually compile into object code
%pause
contain GPL violations in itself (derivative works with proprietary components)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Complete Source Code
%size 3
"... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
For standard C-language programs, this means:
Source Code
Makefiles
compile-time Configuration (such as kernel .config)
General Rule:
Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GPL Compliance in the Embedded Market
Control Scripts
The "Scripts"
(scripts to control compilation and installation, see earlier slide)
In case of embedded hardware, the "scripts" include:
Tools for generating the firmware binary from the source (even if they are technically no 'scripts')
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
How to (not) use GPL Software
Practical Source Code Offer
Completeness
The "complete corresponding source code" has to be made available
%pause
It has to be made available for each and every object-code version that was distributed
%pause
If you strip down the source code offer (e.g. remove proprietary source code), try to see whether the result actually compiles
%pause
I would argue that 75-90% of all "GPL source code" offers are incomplete and thus of limited practical usefullness
%pause
Many companies fail miserably at this
we end up in a cycle of source code updates, reviews, updates, reviews.
%pause
Supplying the complete source is a _condition_ for using the GPL'd code in the first place
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
How to (not) use GPL Software
The most common mistakes
The most common mistakes
%pause
not even once reading the GPL text and/or the FAQ from the FSF
%pause
not including the GPL license text with the product
%pause
not including a written offer with the product
%pause
not considering that the GPL also applies to software updates
%pause
only providing original source code (e.g. vanilla kernel.org kernel)
%pause
not including the "scripts to control installation"
%pause
only providing off-site hyperlinks to license and/ore source code
%pause
not responding to support requests for source code
%pause
charging rediculously high fees for physical shipping of source code
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The End
%size 4
Further reading:
%size 4
The http://gpl-violations.org/ project
%size 4
The Free Software Foundation http://www.fsf.org/, http://www.fsf-europe.org/
%size 4
The GNU Project http://www.gnu.org/
%size 4
The netfilter homepage http://www.netfilter.org/
%% http://management.itmanagersjournal.com/management/04/05/31/1733229.shtml?tid=85&tid=4
|
