%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
GPL License Enforcement
LiSoG Stammtisch Juli 2009
%center
%size 4
by
Harald Welte <laforge@gpl-violations.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Introduction
Who is speaking to you?
an independent Free Software developer, consultant and security analyst
who earns his living off Free Software since 1997
who is one of the authors of the Linux kernel firewall system called netfilter/iptables
who has been involved with many Free Software and Open Hardware projects, such as OpenPCD, OpenPICC, OpenBSC, OpenEZX, OpenMoko, ...
who has started gpl-violations.org
who has been spending a lot of time recently explaining the FOSS development model to management of semiconductor companies
who IS NOT A LAWYER
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Disclaimer
Legal Disclaimer
All information presented here is provided on an as-is basis
There is no warranty for correctness of legal information
The author is not a lawyer
This does not comprise legal advice
The author's experience is limited to German copyright law
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Ideas and Goals of the GNU GPL
Free Software
Software that has fundamental freedoms:
to use it for any purpose
to "help your neighbour" (i.e. make copies)
to study its functionality (reading source code)
to fix it myself (make modifications and run them)
Copyleft
Is the legal idea to
exercise copyright to grant the above freedoms
assure that nobody can take away the freedom
The GNU General Public License
Is a legal instrument to apply the copyleft idea to software
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The GNU GPL revisited
Revisiting the GNU General Public License
Regulates distribution, not usage
Allows distribution of source code and modified source code
The license itself is mentioned
A copy of the license accompanies every copy
Allows distribution of binaries or modified binaries, if
The license itself is mentioned
A copy of the license accompanies every copy
The complete source code is either included with the copy (alternatively a written offer to send the source code on request to any 3rd party)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Complete Source Code
%size 3
"... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
For standard C-language programs, this means:
Source Code
Makefiles
compile-time Configuration (such as kernel .config)
General Rule:
Intent of License is to enable user to run modified versions of the program.
Provide whatever is needed for that, and you will make them happy!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Derivative Works
What is a derivative work?
Not dependent on any particular kind of technology (static/dynamic linking, dlopen, whatever)
Even while the modification can itself be a copyrightable work, the combination with GPL-licensed code is subject to GPL.
As soon as code is written for a specific non-standard API (such as the iptables plugin API), there is significant indication for a derivative work
This position has been successfully enforced out-of-court with two Vendors so far (iptables modules/plugins).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Derivative Works
Binary-only kernel modules
In-kernel proprietary code (binary kernel modules) is hard to claim as GPL compliant
Case-by-case analysis required, as the level of integration into the GPL licensed kernel code depends on the particular case
There is no general acceptance or tolerance of binary-only kernel modules in the Linux (development) community. Not even Linus himself has ever granted an exception for such modules!
Create all kinds of technical problems, too - kernel APIs and ABIs change all the time...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Derivative Works
Glue Code
Acts as glue layer between GPL licensed code and proprietary code
Some Vendors think they can avoid the GPL by doing so
Is definitely not a bullet-proof legal solution, especially when it is clearly visible that the only purpose of this glue code is to "get rid" of the GPL.
So please, don't try it.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Derivative Works
Moral Issues
Apart from what is legally possible, there are moral issues
Even if in a particular case there is no legal way to claim a binary-only kernel module is a derivative work, you might still be acting against the authors' wishes
By shipping binary-only kernel modules, you violate the "moral code of conduct" of the Free Software community
But it is the work of this very community that enables you to build your product based on Free Software
Such action might have long-term detrimental effects on the motivation of FOSS developers (dissatisfaction, demotivation, ...)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
GPL And Embedded Systems
Historical background:
The GPL was written for userspace programs running on existing operating systems
Covering a whole OS (and even userspace programs) is not an ideal match, but if you read it carefully it still makes sense
Toolchain:
%size 3
"... the source code distributed need not include anything that is normally
distributed (in either source or binary form) with the major components
(compiler, kernel, and so on) of the operating system on which the executable
runs, unless that component itself accompanies the executable."
Practical case:
You've modified gcc for a specific embedded platform
Therefore, this gcc is not "normally distributed with the operating system" and you have to distribute it together with the source code
gcc itself is covered under GPL, so you need to provide binaries and source code(!)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
GPL And Embedded Systems
The "Scripts"
(scripts to control compilation and installation, see earlier slide)
In case of embedded hardware, the "scripts" include:
Tools for generating the firmware binary from the source (even if they are technically no 'scripts')
Embedded DRM
Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so.
Result: Signing binaries and only accepting signed versions from the bootloader (without providing the signature key or a possibility to set a new key in the bootloader) is not acceptable!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Practical Source Code Offer
Some Rules
The "complete corresponding source code" has to be made available
It has to be made available for each and every object-code version that was distributed
If you strip down the source code offer (e.g. remove proprietary source code), try to see whether the result actually compiles
If the product is mixed free / proprietary software, consider including the proprietary parts (as object code) in the "source code package", so the full firmware image can be rebuilt without having to tear apart an existing image and ripping out those proprietary programs from there.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The biggest myths about the GPL
The biggest myths about the GPL
The GPL is not enforceable
Software licensed under GPL has no copyright
Unmodified distribution does not require source code availability
The vendor can wait for a source code request (without offering it)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The most common mistakes
The most common mistakes
not even once reading the GPL text and/or the FAQ from the FSF
not including the GPL license text with the product
not including a written offer with the product
not considering that the GPL also applies to software updates
only providing original source code (e.g. vanilla kernel.org kernel)
not including the "scripts to control installation"
only providing off-site hyperlinks to license and/or source code
not responding to support requests for source code
charging ridiculously high fees for physical shipping of source code
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
License Compatibility
There's lots of Free Software available
Different Software uses different Licenses:
Linux: GPL
glibc: LGPL
apache: Apache Software License
Perl: Artistic
ucd-snmp: BSD
If you combine (i.e. link) differently-licensed software,
check license compatibility
in case of doubt, ask legal person and/or contact software authors
authors might give you an exception or consider making licenses compatible
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Dual Licensing
The copyright holder (often the original author) can provide alternative licensing
Some projects do this as a business model (reiserfs, MySQL)
In some projects it's impossible due to the extremely distributed copyright (e.g. Linux kernel)
However, in smaller projects it never hurts to ask whether there would be interest in providing an alternative (non-copyleft) licensing
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
GPL Violations
When do I violate the license
when one or more of the obligations are not fulfilled
What risk do I take if I violate the license?
the GPL automatically revokes any usage right
any copyright holder can obtain a preliminary injunction banning distribution of the infringing product
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Past GPL enforcement
Early GPL enforcement
GPL violations are nothing new, as GPL licensed software is nothing new.
However, the recent GNU/Linux hype has led to GPL licensed software being used more often
The FSF enforces GPL violations of code on which they hold the copyright
silently, without public notice
in lengthy negotiations
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The Linksys case
During 2003 the "Linksys" case drew a lot of attention
Linksys was selling 802.11 WLAN Access Points / Routers
Lots of GPL licensed software embedded in the device (including Linux, uClibc, busybox, iptables, ...)
FSF led alliance took the usual "quiet" approach
Linksys bought itself a lot of time
Some source code was released two months later
About four months later, full GPL compliance was achieved
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The Linksys case
Some developers didn't agree with this approach
not enough publicity
violators don't lose anything by first not complying and waiting for the FSF
four months' delay is too much for the short product lifecycles in the WLAN world
The netfilter/iptables project started to do their own enforcement in more cases that were coming up
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Enforcement case timeline
In chronological order
some user sends us a note he found our code somewhere
reverse engineering of firmware images
test purchase to verify device ships gpl-incompliant
sending the infringing organization a warning notice
wait for them to sign a statement to cease and desist
if no statement is signed
contract technical expert to do a study
apply for a preliminary injunction
if statement was signed
try to work out the details
grace period for boxes in stock possible
try to indicate that a donation would be good PR
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Success so far
Success so far
amicable agreements in a number (100+) of cases
some of which made significant donations to charitable organizations of the free software community
preliminary injunction against Sitecom, Sitecom also lost appeals case
court decision of Munich district court in Sitecom appeals case
more preliminary injunctions (Siemens, Skype, Fortinet, D-Link)
more settled cases (most of which not published)
negotiating in more cases
public awareness
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Cases so far (1/4)
Allnet GmbH
Siemens AG
Fujitsu-Siemens Computers GmbH
Axis A.B.
Securepoint GmbH
U.S.Robotics Germany GmbH
Netgear GmbH
Belkin Components GmbH
ASUS GmbH
Gateprotect GmbH
Sitecom GmbH / B.V.
TomTom B.V.
Gigabyte Technologies GmbH
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Cases so far (2/4)
Sun Deutschland GmbH
Open-E GmbH
Siemens AG (second case)
Deutsche Telekom AG
Hitachi Inc.
Tecom Inc.
ARP Datacon GmbH
Conceptronic B.V.
D-Link GmbH
Adaptec Deutschland GmbH
Belkin Components GmbH (second case)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Cases so far (3/4)
Siemens AG (third case)
TARGA GmbH
Medion AG
naviflash GmbH
Maxtor Inc.
Cisco Deutschland GmbH
Fortinet
naviflash GmbH
iRiver Europe GmbH
Cisco Deutschland GmbH (second case)
Acer Deutschland GmbH
SMC Networks GmbH
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
Cases so far (4/4)
Samsung, Thecus, Western Digital, Avocent, Canyon, Digital Data, Cowon, DGStation, Smartlink, Sphairon, DeviceVM, Kenwood, Telegent, Barracuda Networks, Ovislink, Assman, Gamepark Holdings, Hermstedt, Longshine, Motorola, Skype, Agfeo,...
in total > 100 cases
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
What we've learned
Copyleft-style licenses can be enforced!
A lot of companies don't take Free Software licenses seriously
Even corporations with large legal departments who should know
Reasons unclear, probably the financial risk of infringement was considered less than the expected gains
The FUD spread about "GPL not holding up in court" has disappeared
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
What can companies do
What companies can do
Education and training for engineers + managers
Think before copying/using/combining software
Use proper R&D process and revision control
Make sure you always have the complete source tree for every software release
Have the source code package ready when you ship a software release
Participate in the FSFE FTF Legal Network
If you embrace the community and use an open source development process, your source code is released publicly before you even ship the product to the customer
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The supply chain issue
In today's industry, supply chains are often very long
Silicon (SoC) maker designs the actual chip
BSP (Board Support Package) is developed in-house or by contracted 3rd party
This BSP is what typically contains Linux, u-boot and/or other GPL licensed software
Development board with chip + BSP sold to board makers (ODM)
Often even full "turn-key solutions" either by chip maker or 3rd party
An OEM with recognized brand name buys the product from the ODM
Maybe one or two other companies between OEM and ODM
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The supply chain issue
The long supply chains cause problems since
the original developers who wrote the code are hard to access
typically, nobody in the supply chain knows what the products contain
even if the upstream supplier provides [some] source code, typically, the OEM type customers don't even have any staff skilled enough to confirm it is complete
many jurisdictions are involved, especially those with lack of respect for copyrights in general
most consumer electronics today are manufactured in China, Taiwan, Korea or Vietnam
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The supply chain issue
The long supply chain forces us to
take legal action against the OEM or distributor in Germany or the EU
rely on them transforming legal threat into economic threat on their upstream suppliers
this only works if distributor is important customer of upstream supplier
However
enforcing the GPL in the CE market has proven reliable this way
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GNU GPL - Copyright helps Copyleft
The End
%size 4
Further reading:
%size 4
The http://gpl-violations.org/ project
%size 4
The Free Software Foundation http://www.fsf.org/, http://www.fsf-europe.org/
%size 4
The GNU Project http://www.gnu.org/
%size 4
The netfilter homepage http://www.netfilter.org/
%% http://management.itmanagersjournal.com/management/04/05/31/1733229.shtml?tid=85&tid=4