Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
GNU is Not Unix Open Source Hardware Linux

Checking For GPL Compliance, When the Code Is Embedded 75

Posted by timothy
from the thank-you-bruce-perens-for-busybox dept.
Excerpting from ComputerWorld UK, ChiefMonkeyGrinder writes with word of what sounds like a very cool tool: "Open source software is everywhere these days. In particular, Linux is being used increasingly to power embedded systems of all kinds. That's good, but it's also a challenge, because the free software used in such products may not always be compliant with all the licences it is released under, notably the GNU GPL. For companies that sell such embedded systems using open source, it can be hard even finding out what exactly is inside, let alone whether it is compliant. Enter the new Binary Analysis Tool."
This discussion has been archived. No new comments can be posted.

Checking For GPL Compliance, When the Code Is Embedded

Comments Filter:
  • Frist post (Score:-1, Offtopic)

    by Anonymous Coward on Saturday April 17, 2010 @07:33AM (#31880502)
    It's back, yay! I was almost considering leaving the house.
  • by Anonymous Coward on Saturday April 17, 2010 @08:07AM (#31880620)

    are an example of a principle that could be adopted to meet the needs of software. Perhaps there could be a little-known or obscure function put inside the kernel (with the blessing of the higher-ups) which could show 100% that it is a Linux. I.e. there should be behaviour P which only exists in "Q" software package, so P -> Q.

    Of course, people would just remove this (i.e. Q not -> P), but then again if you are taking a "I don't care" attitude to software licensing, then chances are you do not care about the code and will neglect to remove the deliberate trap set.

    Or you could use the law, or the WTO or something.

  • So.. (Score:5, Funny)

    by qreeves (1363277) on Saturday April 17, 2010 @08:09AM (#31880628) Homepage
    We're going to take on big companies with a BAT?
    • by Anonymous Coward on Saturday April 17, 2010 @09:30AM (#31881126)

      We're going to take on big companies with a BAT?

      Go for the knees first.

    • by bonch (38532) on Saturday April 17, 2010 @03:11PM (#31883066)

      I thought Slashdot was opposed to copyright law? The GPL is a copyright license, so why would we care about compliance with a copyright?

      • by Obsi (912791) on Saturday April 17, 2010 @03:39PM (#31883198)

        The Slashdot groupthink is opposed to over-the-top copyright law and secretly-drafted legislation, not against reasonable (read: 14 years) copyright terms.

        For someone with such a low UID you should know this.

        • by Bing Tsher E (943915) on Saturday April 17, 2010 @04:39PM (#31883518) Journal

          Speaking as someone who has used the Linux kernel a long time, and who has several of the 1992 and 93 releases on published CD-ROM media, that is very interesting. Big chunks of the Free Software out there are up for grabs in a 14-year copyright world.

          Almost all of GNU Emacs falls into that category, and the 1996 Linux kernel is looking pretty useful for embedding purposes.

          • by tlhIngan (30335) <slashdot@[ ]f.net ['wor' in gap]> on Sunday April 18, 2010 @12:16AM (#31885280)

            Speaking as someone who has used the Linux kernel a long time, and who has several of the 1992 and 93 releases on published CD-ROM media, that is very interesting. Big chunks of the Free Software out there are up for grabs in a 14-year copyright world.

            Almost all of GNU Emacs falls into that category, and the 1996 Linux kernel is looking pretty useful for embedding purposes.

            The problem is, there is very few 14-year old software that still is relevant today unchanged. Embedded a 14-year old Linux kernel may work for some projects, but others tend to want more recent technology, like SATA, USB, better networking/firewall, etc. Heck, under a 14 year copyright, Windows 95 is free and clear and use - which makes it pretty useless since few software apps will run on it today. Heck, there probably aren't drivers for all but the most basic hardware supported today still working.

            14 years of technology progress is huge. So even if it was in public domain, no one really would want to use it. Lack of support is huge - no modern features, no drivers for modern hardware, post-1996 bug fixes are unavailable, etc. It'll be a huge undertaking just to use some public domain code.

            Hell, you might as well use Windows 95, that's free and clear as well. In another year, WIn95 OSR2 will be free as well.

            The only real software at risk are those packages that are so mature, that once they've been written, there really has been no reason to update it. But those are very few, and even the most slowly developed of all open-source apps have done a release in the past 14 years. Or everyone else has moved onto alternatives that are under more active development.

    • by Anonymous Coward on Sunday April 18, 2010 @12:17AM (#31885286)

      http://www.cse-semaphore.com/products/t-box/t-box-scada-alarm.php [cse-semaphore.com]

      They use busy box and linux. I've not seen where they release source code.

  • Irony (Score:-1, Flamebait)

    by Anonymous Coward on Saturday April 17, 2010 @08:24AM (#31880726)

    You fuckers whine about Microsoft and Apple being evil companies and here you fucks come with your 'compliance.'

  • by Anonymous Coward on Saturday April 17, 2010 @08:38AM (#31880808)

    TLD domain
    HIV virus
    LCD display
    and now:
    GNU GPL

  • Why? (Score:-1, Troll)

    by Anonymous Coward on Saturday April 17, 2010 @08:44AM (#31880844)

    Why would anyone agree to such a restrictive software license? What's next? Embedding some sort of software activation to ensure compliance to a draconian licensing scheme?

    • Re:Why? (Score:0, Flamebait)

      by pnewhook (788591) on Saturday April 17, 2010 @09:07AM (#31881006)

      Agreed. The very same people that justify stealing music or movies via download sites are the first people to get up in arms about companies taking open source and not complying to GPL. Bunch of hypocrites.

      • by selven (1556643) on Saturday April 17, 2010 @09:12AM (#31881040)

        Do you really not understand the difference between downloading something for personal enjoyment and commercial distribution?

        Also, I really would like some proof that the downloading crowd and the GPL enforcement crowd are made up of the same people.

      • by tsj5j (1159013) on Saturday April 17, 2010 @09:15AM (#31881054)
        Ridiculous argument. How can you generalize that the developers of these tools are pro-piracy too? Evidence please.
        • Re:Why? (Score:5, Insightful)

          by AusIV (950840) on Saturday April 17, 2010 @10:32AM (#31881556)

          I agree. Many people view open source software as a better alternative to pirated software. Also worth noting: pirating commercial software lets the business keep mindshare. Adobe doesn't pursue students who pirate Photoshop because they would rather hook kids on photoshop so they'll buy it later than see them get adapt to a cheaper (or open source) alternative and never become a customer. The same is true for Windows: Microsoft would rather see people pirate Windows than switch to Linux; at least that way they keep the mindshare.

          In general, I think piracy is as much an enemy of open source software as it is commercial software. There could be people who oppose software piracy but support movie and music piracy, but I think very often people take the same stance on piracy across the board.

          • by judeancodersfront (1760122) on Monday April 19, 2010 @02:54PM (#31900112)
            for a business that has an 80% piracy rate they could care less about any mindshare from pirates who take away potential sales. Companies would rather have less piracy and more sales with which they could spend on advertising. Most software companies are small and medium businesses that need every sale they can get.
            • by AusIV (950840) on Monday April 19, 2010 @11:46PM (#31906142)
              I'm not trying to rationalize piracy, I'm disputing with pnewhook's argument that open source developers are the same people who advocate piracy. Assuming open source developers are at all interested in market share, then their interests are served when people use their software instead of pirating commercial software. When I say that pirating commercial software lets businesses keep their mindshare I'm not saying it's always a good thing for those businesses, just that it's a bad thing for their open source competitors.
  • Way to go .. (Score:2, Informative)

    by roguegramma (982660) on Saturday April 17, 2010 @08:45AM (#31880854) Journal

    Technical requirements

            * A Fedora GNU/Linux installation
            * python (2.6 or higher preferred, but not 3)
            * python-magic
            * GNU binutils (for readelf and strings)
            * e2tools http://freshmeat.net/projects/e2tools/ [freshmeat.net] (optional)
            * squashfs tools (4.0 highly recommended)
            * module-init-tools (for modinfo)
            * gzip (for zcat)
            * xz (for lzma)
            * PyLucene (latest version possible)
            * OpenJDK, Apache Ant and dependencies to build PyLucene

  • by Anonymous Coward on Saturday April 17, 2010 @09:16AM (#31881062)

    With most embedded products, what makes them interesting is the software that drives the peripherals and presents it to the user. This stuff is almost always non-GPL, and the peripherals typically require an NDA just to get the specs.

    The GPL'd part is typically just stuff like the kernel, busybox and all that boring stuff. So yeah, you can eventually get a root prompt on your satellite receiver (or whatever), but after that good luck.

  • False positives...? (Score:2, Interesting)

    by nlewis (1168711) on Saturday April 17, 2010 @09:39AM (#31881178)

    Are we to believe then that, unlike every single piece of virus-scanning software ever, this binary scanning utility will never encounter a false positive? What happens when it shows some product as containing OSS, but it doesn't?

    And with that in mind, even if you *do* identify a product as containing OSS, how do you prove it without access to the source code? The company could simply claim it was a false positive (regardless of whether or not that happened to be true), and you would be left with the burden of proving the tool wasn't flawed.

    Of course, there are also the false negatives...

    • by publiclurker (952615) on Saturday April 17, 2010 @10:27AM (#31881526)
      Of course, there are also people who enjoy reading machine code dumps with their morning coffee. Tools like this simple help them to know where to concentrate there efforts.
    • see the trick is if you find GNUSort traces in Evil Incs file mangler then as the owner of GNUSort you can file a lawsuit and then get them to prove that the source is "clean".

      • by Bing Tsher E (943915) on Saturday April 17, 2010 @04:45PM (#31883536) Journal

        Isn't the burden of proof on the party filing the law suit? Otherwise, I can see where a pretty adventurous circus could ensue, resulting in the deepest pockets almost always winning.

        • by Anonymous Coward on Saturday April 17, 2010 @06:05PM (#31883938)

          Criminal Law: "Beyond a reasonable doubt."
          Civil Law: "A preponderance [wiktionary.org] of the evidence."

          If the only evidence is a binary matching tool that shows a lot of matches, then the bulk (ie: all) of the evidence shows they're guilty. Thus after having shown a match, the targeted company is on the hook to prove they're innocent.

        • by Grishnakh (216268) on Monday April 19, 2010 @02:11PM (#31899450)

          That's what "discovery" is for. In a case like this, if the defendant refuses to prove to the plaintiff that there's no violation (by showing the source code), to the plaintiff's satisfaction, then the plaintiff files a lawsuit, and part of the Discovery process is that the defendant MUST provide the source code to the plaintiff for examination. If the source code shows a violation, then the defendant can either get skewered in court, or settle out-of-court. If it shows no violation, then the plaintiff can drop the case (and the defendant can feel stupid for spending money on lawyers when they could have just showed the source code to begin with instead of letting it get to Court).

          Parties in a lawsuit aren't allowed to keep secrets from each other.

    • by RAMMS+EIN (578166) on Saturday April 17, 2010 @03:40PM (#31883208) Homepage Journal

      ``What happens when it shows some product as containing OSS, but it doesn't?''

      That's a good question, and that's why we have things like "innocent until proven guilty" and rights for criminal suspects and people who have been put under arrest.

      In other words, as long as we all stay civilized, false positives needn't be a big problem. You inform the company that you believe their product may contain software whose license puts certain requirements on the company that it doesn't seem to be fulfilling, and then they get a chance to convince you that everything is in order and it's just a false positive.

      If you are not convinced, I suppose you can always bring the case to court and force disclosure and investigation. But experience up to now seems to indicate that companies who are violating the terms of the GPL usually change their ways before things get that far.

      • by pclminion (145572) on Tuesday April 20, 2010 @06:48PM (#31916704)

        If you are not convinced, I suppose you can always bring the case to court and force disclosure and investigation. But experience up to now seems to indicate that companies who are violating the terms of the GPL usually change their ways before things get that far.

        So, with no evidence other than some abstract mathematical metric, you're going to make me invest tens of thousands of dollars to prove to you that I haven't violated the GPL in some way? Sounds an awful lot like "guilty until you can prove yourself innocent" to me. By the way, I'll be sending you a bill for wasting my time after proving myself to your silly satisfaction.

  • But Does It (Score:-1, Redundant)

    by Anonymous Coward on Saturday April 17, 2010 @10:35AM (#31881582)

    Enter the ultimate "but does it run Linux?" troll.

  • by jellomizer (103300) on Saturday April 17, 2010 @11:25AM (#31881850)

    Isn't this a lot like a DRM designed for open source... The only real difference is what we call Normal DRM makes sure the End User is following the rules. the Open Source is making sure the Companies are following the rules. But in general Closed Source puts restrictions on the Users and the GNU puts restrictions on the Company. So it really is just an other form of DRM.

    So it is Evil for a company to say illegal coping and sharing of our software that we put a lot of time, money and development into is given away for free while we still have all these expenses to pay for, and we should try to find a way to make sure we curve this behavior so we can get the money we earned.

    But it Haled when a tool is made to make sure Software companies are making software that uses Open Source Software and they are not following the rules of the license.

    Odly enough most companies are not as big and evil as you think... Most companies don't have teams of lawyers judging every action they do... No all software developers know the GNU and speak it every sunday at around 9:00 every morning. A lot of people think Open Source means public domain, or how much can they modify the code before it is there and they can license it any way they want...

    If you want to go all out and push Open Source GNU license and make sure people are compliant with technical means then you should back off on DRM. Or if you want to push DRM then you should support not having Open Source push the issue too... Otherwise you will be in overall hyporcracy of yourself and probably just be branded as an Anti-Caplistic Nut.

    • by DarkOx (621550) on Saturday April 17, 2010 @01:00PM (#31882418) Journal

      Its not hypocrisy at all but a cleaver response. The GPL was originally created because RMS felt that the way software was being produced, sold, and controlled with licensing, patents, and copyright was not good for people, the economy, and especially the general principle of freedom.

      He and others first lobbied to try and get the rules changed, many continue that effort. In the mean time he did the next best thing. He co-opted the rules and created a license that preserves things he felt were important that others were using the same rules to take away. He then put in lots of effort to ensure there would be a concentration of value protected by that license such that others would want to access it. The four freedoms would for the most part exist in the natural state; that is a world free of patents, and copyright. You might not always have the source to something you bought but it would be a pretty tough world to sell software in competitively without offering the code.
      So what the GPL is really designed to do is say, look we don't think the system should work this way and that there should be these rules but ok if you get to use them than so can we. If you don't like it than you have to adopt our position that the copyright and patent system at least where software is concerned is broken and throw out your rules.
      were using the same rules to take away. Most of the freedoms would probably exist

    • This tool is to be used voluntarily by people wishing to preform an audit of software packages they have acquired. DRM is shipped with software that you receive, and is non-voluntarily run on the consumers computer, to check for compliance.

      This would be like DRM if we were writing code into open source projects that would phone home if the company tried to violate the GPL. This is not what is happening at all. (nor would it even be feasibly possible, since open source DRM is a laughable concept)

      This is not ensuring compliance by technical means, this is detecting non-compliance by technical means. After it is established that non-compliance exists, the standard practice is to politely contact the company and seek to resolve the issue in a professional manner.

      (this happens a lot more than you might think, generally speaking the only times you hear about non-compliant companies is when they are unwilling to resolve the issue, or when someone decides to take the opportunity to get some publicity for themselves.)

    • by pseudonomous (1389971) on Saturday April 17, 2010 @01:37PM (#31882566)
      It's not at all like DRM, it's a forensics tool. DRM takes your file/software/whatever and asks "is this an authorized copy? should I let the user access/run this file?", this software looks at software that's already been compiled and is being used and determines if it likely came from known source code. Nor is this tool limited to use with open source software, it's just that tool itself is open-source.
    • by TubeSteak (669689) on Saturday April 17, 2010 @02:38PM (#31882838) Journal

      So it is Evil for a company to say illegal coping and sharing of our software that we put a lot of time, money and development into is given away for free while we still have all these expenses to pay for, and we should try to find a way to make sure we curve this behavior so we can get the money we earned.

      But it Haled when a tool is made to make sure Software companies are making software that uses Open Source Software and they are not following the rules of the license.

      1. Your comparison of the "Binary Analysis Tool" and DRM is shaky at best
      The "Binary Analysis Tool" is an auditing tool, not a license enforcement mechanism like the DRM in Assassin's Creed 2.

      2. Most individual copyright infringement is for non-commercial purposes.
      Most companies that are engaging in copyright infringement are doing so for commercial purposes.

      Do you see the difference?
      The law treats commercial and non-commercial infringement very differently.

    • by stefanPryor (863364) <pryorsc@gmaiTOKYOl.com minus city> on Sunday April 18, 2010 @03:28PM (#31889204)

      As I see it, a comparison of DRM and the GPL that basically equates the two, is pretty flawed.

      The purpose of DRM is more or less, to restrict and control what users of software can do with that software.

      Users of GPL software, on the other hand, are guaranteed certain rights by the GPL, such as the right to have access to the source code of the software they receive.

      The tool mentioned in the article will help users to ensure that their rights under the GPL are being protected.

      If a company distributes GPLed software, the users are entitled to the source code. This tool makes it easier for users to enforce their rights.

      Really, it seems to me that the GPL is basically incompatible with DRM.

  • by Anonymous Coward on Saturday April 17, 2010 @12:05PM (#31882118)

    simply don't believe in imaginary property?

  • Why bother (Score:1, Flamebait)

    by DaveV1.0 (203135) on Saturday April 17, 2010 @06:34PM (#31884080) Journal

    When we are going to abolish copyright? This is hypocrisy! This is using the same evil tactics that ??AA uses!

  • by viking80 (697716) on Saturday April 17, 2010 @08:11PM (#31884464) Journal

    Discovered that Cisco is using GPL software and not complying with neither disclosing it nor making it available. Good an clear documentation as well.

    I was not able to find anyone interested at all.

  • by Anonymous Coward on Saturday April 17, 2010 @09:48PM (#31884766)

    I know! You could convince the government to enforce software on everyone's computers which scans for GPL violations!

The world is no nursery. - Sigmund Freud

Working...