Checking For GPL Compliance, When the Code Is Embedded

Excerpting from ComputerWorld UK, ChiefMonkeyGrinder writes with word of what sounds like a very cool tool: "Open source software is everywhere these days. In particular, Linux is being used increasingly to power embedded systems of all kinds. That's good, but it's also a challenge, because the free software used in such products may not always be compliant with all the licences it is released under, notably the GNU GPL. For companies that sell such embedded systems using open source, it can be hard even finding out what exactly is inside, let alone whether it is compliant. Enter the new Binary Analysis Tool."
  • False positives...? (Score:2, Interesting)

    by nlewis ( 1168711 ) on Saturday April 17, 2010 @09:39AM (#31881178)

    Are we to believe then that, unlike every single piece of virus-scanning software ever, this binary scanning utility will never encounter a false positive? What happens when it shows some product as containing OSS, but it doesn't?

    And with that in mind, even if you *do* identify a product as containing OSS, how do you prove it without access to the source code? The company could simply claim it was a false positive (regardless of whether or not that happened to be true), and you would be left with the burden of proving the tool wasn't flawed.

    Of course, there are also the false negatives...
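The false positive question raised in the comment above comes down to what a binary scanner treats as evidence. The following is an added illustration, not code from the Binary Analysis Tool or from any commenter: a toy signature scan over constructed firmware-style blobs, with weighted markers so that a single weak hit (a licence name quoted in an unrelated notice) does not by itself flag a product, and a "naive" variant shown beside it to reproduce the false positive the commenter worries about. All marker strings, weights and sample blobs are assumptions made for the example.

```python
"""
Toy signature scan of firmware-style binaries (illustration only; not the
Binary Analysis Tool's own method). Signatures, weights and sample blobs are
constructed for this example.
"""

# Constructed marker strings that commonly appear in GPL'd components.
# Strong markers are banners printed by the component itself; weak markers
# are licence names or URLs that can legitimately appear in unrelated text.
SIGNATURES = {
    b"BusyBox v": 3,                      # busybox multi-call banner (strong)
    b"GNU C Library": 3,                  # glibc version banner (strong)
    b"GNU General Public License": 1,     # licence name, weak on its own
    b"www.gnu.org": 1,                    # URL, weak on its own
}
THRESHOLD = 3  # assumed cut-off: at least one strong marker, or several weak ones


def scan(blob: bytes) -> dict:
    """Return {marker: occurrence count} for each signature found in blob."""
    return {sig.decode(): blob.count(sig) for sig in SIGNATURES if sig in blob}


def score(hits: dict) -> int:
    """Sum the weights of the markers that were hit."""
    return sum(SIGNATURES[marker.encode()] for marker in hits)


def verdict(blob: bytes) -> dict:
    """Weighted verdict: a product is only flagged when the score reaches THRESHOLD."""
    hits = scan(blob)
    total = score(hits)
    return {"hits": hits, "score": total, "likely_oss": total >= THRESHOLD}


def naive_flag(blob: bytes) -> bool:
    """Any single marker flags the blob; this is the behaviour that produces false positives."""
    return any(sig in blob for sig in SIGNATURES)


# --- constructed sample inputs ---------------------------------------------
# A firmware image that really does ship busybox (banner plus a GNU URL).
FIRMWARE_WITH_BUSYBOX = (
    b"\x7fELF\x01\x01\x01" + bytes(16)
    + b"BusyBox v1.15.3 (2010-02-03 14:00:00 UTC) multi-call binary\x00"
    + b"See http://www.gnu.org/licenses/gpl-2.0.html for the licence text\x00"
)

# A proprietary image whose only "hit" is a licence name inside a warning string.
PROPRIETARY_WITH_NOTICE = (
    b"\x7fELF\x01\x01\x01" + bytes(16)
    + b"Acme Router Firmware 2.1 (c) Acme Corp. All rights reserved.\x00"
    + b"Warning: this firmware is NOT distributed under the GNU General Public License.\x00"
)

# A stripped or obfuscated image with no recognisable strings at all:
# the scanner has nothing to match, which is the false negative case.
STRIPPED_IMAGE = b"\x7fELF" + bytes(range(256))


if __name__ == "__main__":
    for name, blob in [("firmware", FIRMWARE_WITH_BUSYBOX),
                       ("proprietary", PROPRIETARY_WITH_NOTICE),
                       ("stripped", STRIPPED_IMAGE)]:
        v = verdict(blob)
        print(f"{name:12s} naive={naive_flag(blob)!s:5s} "
              f"weighted={v['likely_oss']!s:5s} score={v['score']} hits={v['hits']}")
```

The weighted verdict flags the busybox image (score 4) and leaves the proprietary image alone (score 1), while the naive scanner flags both. The stripped image scores 0 under both schemes, which is the false negative the commenter also mentions: absence of a match is not evidence of absence. Either way the output is a lead for a request to the vendor, not proof on its own.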

  • by Sir_Lewk ( 967686 ) on Saturday April 17, 2010 @01:30PM (#31882526)

    This tool is to be used voluntarily by people wishing to perform an audit of software packages they have acquired. DRM is shipped with software that you receive, and is non-voluntarily run on the consumer's computer, to check for compliance.

    This would be like DRM if we were writing code into open source projects that would phone home if the company tried to violate the GPL. This is not what is happening at all. (nor would it even be feasibly possible, since open source DRM is a laughable concept)

    This is not ensuring compliance by technical means, this is detecting non-compliance by technical means. After it is established that non-compliance exists, the standard practice is to politely contact the company and seek to resolve the issue in a professional manner.

    (This happens a lot more than you might think; generally speaking, the only times you hear about non-compliant companies are when they are unwilling to resolve the issue, or when someone decides to take the opportunity to get some publicity for themselves.)

  • by RAMMS+EIN ( 578166 ) on Saturday April 17, 2010 @03:40PM (#31883208) Homepage Journal

    "What happens when it shows some product as containing OSS, but it doesn't?"

    That's a good question, and that's why we have things like "innocent until proven guilty" and rights for criminal suspects and people who have been put under arrest.

    In other words, as long as we all stay civilized, false positives needn't be a big problem. You inform the company that you believe their product may contain software whose license puts certain requirements on the company that it doesn't seem to be fulfilling, and then they get a chance to convince you that everything is in order and it's just a false positive.

    If you are not convinced, I suppose you can always bring the case to court and force disclosure and investigation. But experience up to now seems to indicate that companies who are violating the terms of the GPL usually change their ways before things get that far.
