
Checking For GPL Compliance, When the Code Is Embedded 75

Posted by timothy
from the thank-you-bruce-perens-for-busybox dept.
Excerpting from ComputerWorld UK, ChiefMonkeyGrinder writes with word of what sounds like a very cool tool: "Open source software is everywhere these days. In particular, Linux is being used increasingly to power embedded systems of all kinds. That's good, but it's also a challenge, because the free software used in such products may not always be compliant with all the licences it is released under, notably the GNU GPL. For companies that sell such embedded systems using open source, it can be hard even finding out what exactly is inside, let alone whether it is compliant. Enter the new Binary Analysis Tool."

  • So.. (Score:5, Funny)

    by qreeves (1363277) on Saturday April 17, 2010 @07:09AM (#31880628) Homepage
    We're going to take on big companies with a BAT?
    • by bonch (38532)

      I thought Slashdot was opposed to copyright law? The GPL is a copyright license, so why would we care about compliance with a copyright?

      • by Obsi (912791)

        The Slashdot groupthink is opposed to over-the-top copyright law and secretly-drafted legislation, not against reasonable (read: 14 years) copyright terms.

        For someone with such a low UID you should know this.

        • Speaking as someone who has used the Linux kernel a long time, and who has several of the 1992 and 93 releases on published CD-ROM media, that is very interesting. Big chunks of the Free Software out there are up for grabs in a 14-year copyright world.

          Almost all of GNU Emacs falls into that category, and the 1996 Linux kernel is looking pretty useful for embedding purposes.

          • by tlhIngan (30335)

            Speaking as someone who has used the Linux kernel a long time, and who has several of the 1992 and 93 releases on published CD-ROM media, that is very interesting. Big chunks of the Free Software out there are up for grabs in a 14-year copyright world.

            Almost all of GNU Emacs falls into that category, and the 1996 Linux kernel is looking pretty useful for embedding purposes.

            The problem is, there is very little 14-year-old software that is still relevant today unchanged. Embedding a 14-year-old Linux kernel may w

  • Way to go .. (Score:2, Informative)

    by roguegramma (982660)

    Technical requirements

    * A Fedora GNU/Linux installation
    * python (2.6 or higher preferred, but not 3)
    * python-magic
    * GNU binutils (for readelf and strings)
    * e2tools http://freshmeat.net/projects/e2tools/ (optional)
    * squashfs tools (4.0 highly recommended)
    * module-init-tools (for modinfo)

    • by selven (1556643)

      Ok, so the software has some dependencies. Isn't the Linux package management system designed to take care of all that with one command?

      • by hduff (570443)

        Not all package managers handle dependencies as well as others. An app like this should include a script to check for them and provide some useful, non-cryptic error messages if necessary.

        But it's sad that a specific Linux distro is a dependency. That means that the developers took some shortcuts and didn't write distro-agnostic scripts. Lazy.

        • by Sir_Lewk (967686)

          Not all package managers handle dependencies as well as others. An app like this should include a script to check for them and provide some useful, non-cryptic error messages if necessary.

          Nonsense, this is a very standard, and non-exotic list of dependencies (aside from the apparent Fedora dependency, I agree that is lazy). Packagers for different distros need only package this software for their distro as they package any other piece of software, and the user will never have to care what dependencies it r

          • by Sir_Lewk (967686)

            Followup:

            From the README file:

            "The binary analysis tool is fairly self contained and can run without too many dependencies. The tools have been written and tested on Fedora 11 and 12, but should run without (m)any modifications on other Linux distributions."

            It seems the Fedora dependency is listed somewhat in error, probably the result of someone being a tad too conservative.

      • Yeah, but if you're using Debian or Ubuntu, I'm pretty sure APT won't be able to install Fedora!

    • If you think that is bad, you should take a look at all the dependencies Firefox has....

      Hell, if you already have a standard GNU/Linux installation, then half that list is already installed!

  • False positives...? (Score:2, Interesting)

    by nlewis (1168711)

    Are we to believe then that, unlike every single piece of virus-scanning software ever, this binary scanning utility will never encounter a false positive? What happens when it shows some product as containing OSS, but it doesn't?

    And with that in mind, even if you *do* identify a product as containing OSS, how do you prove it without access to the source code? The company could simply claim it was a false positive (regardless of whether or not that happened to be true), and you would be left with the burd

    • Re: (Score:3, Insightful)

      by publiclurker (952615)
      Of course, there are also people who enjoy reading machine code dumps with their morning coffee. Tools like this simply help them to know where to concentrate their efforts.
      • by nlewis (1168711)

        Which just brings us right back to my second point - how do you *prove* it without access to the source?

        • by DAldredge (2353)
          You sue them. Just like the MPAA/RIAA.
        • Unless they are tweaking the binaries after they are compiled, you won't really need the source code. Just compare what they have with the compiled results of whatever open source project you think is being stolen.
    • See, the trick is if you find GNUSort traces in Evil Inc's file mangler then as the owner of GNUSort you can file a lawsuit and then get them to prove that the source is "clean".

      • Isn't the burden of proof on the party filing the lawsuit? Otherwise, I can see where a pretty adventurous circus could ensue, resulting in the deepest pockets almost always winning.

        • by Grishnakh (216268)

          That's what "discovery" is for. In a case like this, if the defendant refuses to prove to the plaintiff that there's no violation (by showing the source code), to the plaintiff's satisfaction, then the plaintiff files a lawsuit, and part of the Discovery process is that the defendant MUST provide the source code to the plaintiff for examination. If the source code shows a violation, then the defendant can either get skewered in court, or settle out-of-court. If it shows no violation, then the plaintiff c

    • Re: (Score:3, Interesting)

      by RAMMS+EIN (578166)

      ``What happens when it shows some product as containing OSS, but it doesn't?''

      That's a good question, and that's why we have things like "innocent until proven guilty" and rights for criminal suspects and people who have been put under arrest.

      In other words, as long as we all stay civilized, false positives needn't be a big problem. You inform the company that you believe their product may contain software whose license puts certain requirements on the company that it doesn't seem to be fulfilling, and then

      • by pclminion (145572)

        If you are not convinced, I suppose you can always bring the case to court and force disclosure and investigation. But experience up to now seems to indicate that companies who are violating the terms of the GPL usually change their ways before things get that far.

        So, with no evidence other than some abstract mathematical metric, you're going to make me invest tens of thousands of dollars to prove to you that I haven't violated the GPL in some way? Sounds an awful lot like "guilty until you can prove your

  • Why bother (Score:1, Flamebait)

    by DaveV1.0 (203135)

    When we are going to abolish copyright? This is hypocrisy! This is using the same evil tactics that ??AA uses!

  • Discovered that Cisco is using GPL software and not complying, neither disclosing it nor making it available. Good and clear documentation as well.

    I was not able to find anyone interested at all.
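
The comparison suggested in the "False positives...?" thread (matching a shipped binary against a build of the suspected project), sketched as an added example that is not part of the original discussion and is not the Binary Analysis Tool's own code. The package names, strings and firmware blob are constructed, and the scoring rule is an assumption chosen to show why strings shared by unrelated builds have to be filtered out before a match means anything.

```python
import re
from collections import Counter

def extract_strings(blob: bytes, min_len: int = 6) -> set:
    """Printable-ASCII runs of at least min_len bytes, like binutils `strings`."""
    return {m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)}

def score(target: bytes, references: dict, filter_common: bool = True) -> dict:
    """Per reference build: (fraction of its strings found in target, the hits).

    With filter_common, strings present in more than one reference build are
    dropped first, since generic messages match unrelated code by chance.
    """
    ref = {name: extract_strings(blob) for name, blob in references.items()}
    if filter_common:
        seen = Counter(s for strs in ref.values() for s in strs)
        ref = {name: {s for s in strs if seen[s] == 1} for name, strs in ref.items()}
    found = extract_strings(target)
    out = {}
    for name, strs in ref.items():
        hits = strs & found
        out[name] = (len(hits) / len(strs) if strs else 0.0, sorted(hits))
    return out

# Constructed sample data: NUL-separated string tables standing in for real builds.
GENERIC = [b"out of memory", b"Usage: %s [OPTION]..."]
REFERENCES = {
    "pkg_alpha": b"\x00".join([b"alpha: cannot open applet table",
                               b"alpha v1.2 build string"] + GENERIC),
    "pkg_beta": b"\x00".join([b"beta: bad inflate window",
                              b"beta stream checksum mismatch"] + GENERIC),
}
# Constructed "firmware": vendor code plus the alpha strings and the generic ones.
FIRMWARE = b"\x7fELF\x01\x01" + b"\x00".join(
    [b"vendor_httpd starting"] + GENERIC
    + [b"alpha: cannot open applet table", b"alpha v1.2 build string"]) + b"\x00"

if __name__ == "__main__":
    for label, flt in (("naive", False), ("filtered", True)):
        for name, (ratio, hits) in score(FIRMWARE, REFERENCES, flt).items():
            print(f"{label:8} {name}: {ratio:.2f} {hits}")
```

A high filtered score is a lead for manual review of the binary, not proof of shared code.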
