Is Linksys Violating The GPL?

jap writes "According to this post on LKML, Linksys is shipping firmware for (at least their) 802.11g access-points based on Linux - without any sourcecode available or mentioning of it on their site. This could be interesting: it might provide the possibility of building an ueber-cool accesspoint firmware with IPsec and native ipv6 support etc etc, using this information!"

Does it matter ?

[DumbMarketingGuy]

The GPL has no real valid legal meaning until it has been tested in a court of law. I think the fact that no GPL violation case has ever made it into a courtroom speaks volumes!

Better drivers?

[CodeMaster]

They have been using Linux for a long time on their routers/AP's.
Anyone who have one must have noticed it.

The one thing to say to their defence is that they are usually "driver friendly" with their PCMCIA WiFi cards.

I just hope that now they will wake up, straighten up the mess, and start helping the community with supporting 802.11g in Linux for their NIC's.

More From the Kernel List

[OctaneZ]

A couple follow ups on the kernel mailing list:

A very interesting bit from the busybox maintainer, who has evidently already sent linksys two letters [lkml.org]

A post outlinging the possibility that Belkin is also shipping GPL'd code [lkml.org]

A few other people are throwing their two cents in, but those were the most interesting, code be an interesting test of corporate policey, and the ability of the GPL to withstand a court battle.

Obligatory "not a GPL violation" post.

[mindstrm]

Two points. I always have two points.

First, as someone else already said, just becuase it uses a linux kernel doesn't mean they modified anything, it could be a stock kernel. If they wrote userspace drivers and/or kernel modules using existing interfaces for their custom hardware, they are not obligated to release anything.

Secondly, if they weren't abiding by terms they had to according to the GPL, it would be COPYRIGHT violation, not license violation, as if you don't comply with the license, copyright law says they can't redistribute it. I know it seems like a silly point, but it's not.

People talk about the GPL being "tested in court" and whatnot.. but the fact is: If you don't accept the GPL as valid, then copyright law still stands, and says you can't redistribute, or make derivitive works. A judge can rule the GPL as invalid, but that would mean that nobody had any rights to redistribute anything.

It's not a license you had to accept and agree to in order to use the product.. so you can't "violate" it.

Linus, or any other kernel developer could go to linksys, and say "I have not granted you permission to use my copyrighted work, please demonstrate why you think you are allowed to do this". They can then either cite how the GPL allows them to do what they do, or concede that they have no right to distribute.

So as unclear as I can be.. it's not a GPL violation... and people are not forced to release code because of a nonexistant GPL violation... although that might be an acceptable remedy to all parties in most cases. They could also be forced to simply stop doing it.

Re:Cisco IOS ?

[Anonymous Coward]

No, it'll run some BSD, as the BSD license allows this kind of usage.
Eg. OpenBSD would be ideal for an access point, with all the advanced networking&security features.

Re:Only if they changed something...

[runderwo]

No need to release anything if you don't change anything, to comply with the GPL.

Erm, take a look at Section 3 of the GPL [gnu.org] -- it quite clearly states that if the program is redistributed in binary form, it must be accompanied by the source code or a written offer for the source code.

You may be thinking of the LGPL [gnu.org] instead, which relaxes redistribution requirements.

Re:D-Link, too?

[PhoenixK7]

Hmm, denied access for me, but when I nmap it and try and fingerprint my DI-614+:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.1):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
Remote operating system guess: LinkSys WAP11 wireless AP firmware ver. 2.2

Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds

hmm..

Re:Only if they changed something...

[BJH]

I call bullshit.

Even if they made no changes, they still have to provide a copy of the GPL itself, and tell the user where they can obtain the source.

As for "legal ways of circumventing the GPL", I've seen plenty of people spout this line, but never seen any of them produce an actual legal loophole in the GPL. I'd bet that you're no different.

Re:Does it matter ?

[Courageous]

...the stuff had effectively been placed in the public domain.

IIRC, that can't really happen accidentally. About the only way something of significance can enter the public domain, sans copyright expiration, is an explicit statement of the legal copyright holder to that effect. i.e., "this work is entered into the public domain."

C//

Re:Cisco IOS ?

[Anonymous Coward]

Interestingly enough, Cisco's Content Engine module (it's a web cache) for the 2600/3600 routers, run linux. So, is Cisco violating the GPL? Maybe, by not providing source. But, it doesn't mean they modified the source at all, much of the functions in it appear to be handled by external programs that they have written.

The module itself is just a PIII 500 mobile processor with a laptop drive and some memory. Basically, just a PC on a tiny card. It's neat.

Re:Cisco IOS ?

[prizog]

Hi. I work for the FSF investigating GPL violations (and yes, we are also working on this Linksys thing). Can you tell me more about this Cisco issue? Is there any software FSF holds copyright on (the gnu c library, bash, gnu tar, gzip ...)? Does the unit come with an offer to provide source code?

Looks like they're using zebra, too

[Saint Aardvark]

which is also GPL'd [zebra.org]. If you do strings /mnt/usr/sbin/zebra, you see:

Usage : %s [OPTION...]
Daemon which manages kernel routing table management and redistribution between
different routing protocols.
-b, --batch Runs in batch mode
-d, --daemon Runs in daemon mode
-f, --config_file Set configuration file name
-k, --keep_kernel Don't delete old routes which installed by zebra.
-l, --log_mode Set verbose log mode flag
-P, --vty_port Set vty's port number
-r, --retain When program terminates, retain added route by zebra.
-v, --version Print program version
-h, --help Display this help and exit
Report bugs to %s
bug-zebra@gnu.org

ObGPLQuote:

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

* a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

* b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

* c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

Re:Cisco IOS ?

[prizog]

Er, you can mail me at novalis atsign fsf.org if you have any information.

Re:Is Checkpoint violating the GPL?

[Anonymous Coward]

They *do* mention it if you buy their products, and they include a written offer for source code ... but they didn't always.

Re:Cisco IOS ?

[Sheetrock]

I'm a bit curious... how does the FSF avoid issues with EULA agreements when performing an investigation? They seem to forbid the types of operations I would think necessary to determine if code is being misappropriated, as some degree of disassembly or analysis of EULA'd software would seem to be necessary for a comparison.

Not that such an argument would matter much if they were indeed found to be misusing GPLed code, of course.

Re:It might be available

[Fluffy the Cat]

Doesn't matter. The firmware is downloadable regardless of whether you own the product or not - and the firmware includes a CRAMFS filesystem containing the kernel and busybox, so it's binary distribution of GPLed code. The offer of source has to be available to anyone who could obtain it from them. Read section 3 of the GPL.

Re:In case gets /.ed

[MickLinux]

I see your point. However, if I had to guess, the silent treatment is while management tries to figure out what to do.

I could imagine quite possibly that they've signed some NDAs that won't allow them to release all their source code. Then this GPL stuff means that they have to release all their source code -- or so it seems.

So now they've got to figure out what to do, and while they're figuring, it's legally safer to say nothing to anyone.

Probably their best way out is either get the NDAs released [unlikely], or find out the individual authors of their modules, and work out individual licensing agreements [difficult, but possible] that keep it outside the GPL. At that point, though, you won't have your information.

That said, I have to think about SCO, and think that one shouldn't take a "All your codebase are belong to us" approach. My feeling is that trying to knock others out to get what you want, is kindof evil. And that goes in both directions.

So I think persistance is key, here, but if they made a mistake, (1) don't gloat -- rather, be meek (2) still be persistent, and try to get FSF's help pursuing this (3) hopefully get the FSF to offer them help in finding for themselves a legally sound position.

P.S. Good hacking job [and yes, that's hacking not cracking, though I hope that they don't just decide 'hit him with the DMCA -- he's too small to fight it.' Ugh. This DMCA gives all the power to big criminals, it seems to me, and takes power away from little law abiders.

GPL not always as powerful as people think.

[RunzWithScissors]

Unfortunatly there are many, many misconceptions when it comes to the GPL. One of the previous comments stated that Tivo used Linux but had not released their source code. The reason is that they don't have to! I would be surprised if Linksys would be required to release their source code under the GPL.

The misconception that I see the most is that because a product runs on top of Linux, or uses the Linux kernel then the product is also GPL'd, not so. If the product has changed the sourcecode for Linux, those changes are covered under the GPL. This is why companies like Tivo are not required to release their source. The Tivo software was written without using any existing GPL'd code as it's base, therefore it can be covered under any licensing agreement the author sees fit.

As for Linksys, I'm willing to wager that they implemented all of their code as kernel modules. So if ask for the source code under the name of the GPL, all they are obligated to give you is the source code for the Linux kernel, sin any kernel modules they've written themselves. Kernel modules can be licensed any way the author sees fit.

-Runz

BusyBox GPL violation

[andersen]

<BusyBox maintainer hat on>

This is what I did to verify that the Linksys firmware was violating the GPL....

#!/bin/sh
wget ftp://ftp.linksys.com/pub/network/WRT54G_1.02.1_US _code.bin
# I noticed a GZIP signature for a file name "piggy" at offset
# 60 bytes from the start, suggesting we have a compressed Linux
# kernel
dd if=WRT54G_1.02.1_US_code.bin bs=60 skip=1 | zcat > kernel

# Noticed there was a cramfs magic signature at offset 786464
dd if=WRT54G_1.02.1_US_code.bin of=cramfs.image bs=786464 skip=1
file cramfs.image

sudo mount -o loop,ro -t cramfs ./cramfs.image /mnt
ls -la /mnt/bin
file /mnt/bin/busybox
strings /mnt/bin/busybox | grep BusyBox
/usr/i386-linux-uclibc/bin/i386-uclibc-ld d /mnt/bin/busybox

Re:Cisco IOS ?

[fm6]

Even though you got modded "Funny" I think you're serious. Consider the cost of licensing a proprietary OS and porting all your code to it. Weigh that against the cost of putting all the source code on the web.

My guess is that nobody at Linksys thought about their obligation to provide source code, or if they did, the process fell through the usual corporate cracks.

GPL uses...

[MrWa]

Does just using GPL software really mean you have to distribute the source? Could Linksys claim that they are not, in fact, distributing GPL code in any form, but are actually just using GPL software in their hardware?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:In case gets /.ed

[73939133]

Probably their best way out is either get the NDAs released [unlikely], or find out the individual authors of their modules, and work out individual licensing agreements [difficult, but possible] that keep it outside the GPL.

It's too late for that: whether they do or do not release the source code at this point, they have already lost their right to release the binary. And their GPL violation is not that they haven't put up the source code for FTP somewhere, the GPL violation is that they didn't identify the product as using GPL'ed code in the first place, accompanied by an offer to make the source code available.

That said, I have to think about SCO, and think that one shouldn't take a "All your codebase are belong to us" approach. My feeling is that trying to knock others out to get what you want, is kindof evil. And that goes in both directions.

If someone has violated SCO's copyright in the way they claim, they should be punished severely: copyright violations like those claimed by SCO threaten not only companies, they threaten the very existence of open source software. (However, I believe that SCO's claims are bogus, so I don't see much danger of that happening.)

Likewise, if Linksys has violated the terms of the GPL, they should be punished severely. Linksys's behavior, shipping GPL'ed code without identifying it as such, is a fundamental violation of the GPL, and if the only consequence is that companies have their wrists slapped when found out (and it has taken years to find this out about Linksys), it undermines the whole idea of the GPL.

Re:I'm sorry--I completely miss your point

[Anonymous Coward]

The only source code they are required to make available is that for the binaries being distributed.

Bzzz. Wrong. Section 3 of the GPL:

The source code for a work means the

preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

(emphasis mine)

If they've distributed executables which would require compiler modifications, those compiler mods would also have to be distributed. The exception above about not distributing the compiler doesn't apply, as the GCC with Broadcom modifications isn't "normally distributed" with the Linux kernel.

Re:Slowing it down?

[doogles]

One of my switches runs IOS on a PowerPC 403GA, running at either 25 or 33 MHz.

The linksys AP has a MIPS processor, which is probably running at 125 MHz.

It could run IOS without breaking a sweat.

Apples and oranges. On your switch, IOS just manages the system; the heavy lifting (frame forwarding) is actually done by ASICs for that very purpose.

On another note though, I'm not sure why the original posted is calling IOS "bloated" -- perhaps today there are a number of features that are not necessary for the core purpose of the box, but they don't typically add "overhead" to the box itself.

Most Cisco boxes are "underpowered" in terms of CPU, but they still manage to do the job.

The new(er) Cisco Aironet access points migrated away from the old VxWorks-based OS to IOS (see: Aironet 1100 are shipped as such, Aironet 1200 have a conversion kit)

Re:Cisco IOS ?

[dglaude]

This is not enough. I want the source code of all the GPL code (modified or not) by Cisco. If they do only provide a patch to a well-known source code, this is not respecting the GPL. Of course since I do not have such a module, I can not complain... but aquiring one just to remind Cisco that they do not understand the GPL and are not respecting the rules would be fun... Cisco and the FSF already discussed some issue in other cards like NAM, IDS, ... At least they have less problem using Windows for running IP telephony solution, Microsoft is less regarding since they don't care about freedom much.

Re:Belkin 54g WAP/Router

[Anonymous Coward]

The microsoft wireless broadband router also identified itself as runing linux to both NMap and a GFI languard scan, so did a Netgear RT314. Anyone care to run strings on their firmware?

Re:How they get away with it on the average

[Kynde]

Even if Linksys complies after some cajoling, this demonstrates the practical "loophole" we have been witnessing for the past 2 years:
companies use GPL'ed stuff, and if they get caught, they (often) comply. For each violation that gets caught, there might be several that get away.

So what? I mean, I'm all pro GPL and also a GPL sw coder. I work for a company that manufactures slot machines that run linux and loads of other GPL'd software aswell as our own apps. Technically we don't distribute the slotmachines so we're not bound by GPL, and if we were, we'd just put a simple ftp server that would have the .tar.gz's because I do everything possible to be able to use the stock products. Why? These are long term products, life spans of about 10 years. Living with a set of patches for every damn tool we need... I have better things to do. If there's a way to avoid changing the origian sources, we'll go ahead with that one.

And what's the real beauty is that when we discover bugs or make future enhancements or such changes, we try real hard to get them into the actual sw package, again just to avoid having to maintain a large set of patches.

And for example Linksys failing to offer a stock kernel tar ball in their site doesn't sound that serious to me. A proprietary sw mogul using gpl'd code in their product, now that would be a serious violation.

Re:The GPL: Open Source or Intellectual Theft?

[iainl]

Yes, I know the guy is almost certainly a troll, but this won't take long.

"Part of this license states that any changes to the kernel are to be made freely available.
Unfortunately for us, this meant that the great deal of time and money we spent "touching up" Linux to work for this investment firm would now be available at no cost to our competitors."

Sorry, thanks for playing. It merely states that you have to make the source available to those you give binaries. You can make all the changes you want to the kernel for a client, as long as you give that client the source as well. No-one else need have it.

In the instance of kernel changes, it makes a hell of a lot of sense, too. Lets assume for a moment that you weren't a troll. This company would have a custom kernel, but without the new modified kernel source they couldn't install anything else that would also patch the kernel, or even rebuild when bugfixes are released.