FOSS Licenses | Linux and the Embedded Market | GPL Violations and License Enforcement
GPL License Compliance in the embedded devices market
Harald Welte
gpl-violations.org
gnumonks.org
hmw-consulting.de
November 4, 2012 / Sofia / Bulgaria
1 / 33 Harald Welte GPL License Compliance
Outline
1 FOSS Licenses
  - Free Software and Copyleft
  - The GNU GPL
  - GPL - Compatible source code offer
  - GPL - Derivative Works
2 Linux and the Embedded Market
  - Linux-based systems everywhere
  - Embedded Linux supply chain
  - GPL - Embedded Systems
3 GPL Violations and License Enforcement
  - GPL Violations and Business Risks
  - GPL Enforcement
  - gpl-violations.org
About the speaker
- Using + playing with Linux since 1994
- Kernel development since 1999
- IT security expert, focus on network protocol security
- Board-level Electrical Engineering
- System-level Software for PPC, ARM, x86
- IANAL, but companies not complying with the license forced me to spend lots of time with legal issues
Free Software: Definition by the FSF
Free Software has to ensure the following key freedoms:
- Freedom to use the software for any purpose
- Freedom to make copies "to help your neighbor"
- Freedom to study its functionality (source code)
- Freedom to fix it yourself (make modifications)
Copyleft: A concept to ensure Freedom
Copyleft is an idea to use copyright to ensure Software Freedoms
- Use/claim copyright on the software
- Create a license that is permissive enough for the 4 Freedoms
- However, put some conditions/obligations in the license
  - ensure the source code will always be available
  - ensure nobody is able to remove the 4 Freedoms from the software
- Use that license for the software.
The GNU GPL: An implementation of Copyleft
The GNU General Public License (GPL)
- is a Copyleft Free Software License
- assures the original author that his work will always have the freedoms
- establishes a level of fairness: You can use my code, if you share your additions back with us.
- is a big motivation factor for many community members
Revisiting the GPLv2 License Terms
The GNU GPLv2
- Regulates distribution, not use (running the program)
- Allows distribution of source code and modified source code, if
  - The license is mentioned
  - A copy of the license text accompanies each copy
- Allows distribution of binaries or modified binaries, if
  - The license is mentioned
  - A copy of the license text accompanies each copy
  - The source code is either included with the copy, or a written offer is made on how the source can be obtained.
Complete Corresponding Source Code: As required by GPLv2
"... complete source code means all the source code for all modules it (the software) contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
For a C language program, this means
- Source Code
- Makefiles
- compile-time configuration (e.g. kernel .config)
General rule
- Intent of the license is to enable the user to run modified versions of the program
- If you provide everything needed for that, there will be no discussion
Modifications of GPL'd source code: The details that matter
- In the GPL, it does not matter if you have modified the GPL'd program or if you ship it unmodified.
- You always have to provide the source code!
- If you modify the source code, your changes have to be visible/identifiable
- For practical reasons, I suggest shipping original upstream tarball + a diff/patch with your changes
Complete + Corresponding Source: For every Release you make
- Whenever you distribute GPL licensed software, the license applies. This includes
  - Actual sale of a physical embedded device with the software in flash
  - Download of a firmware update as a file from a website
  - Shipping of firmware updates on physical storage
  - Distribution of firmware updates e.g. by over-the-air mechanisms in DVB-S or other networks
- Every time, the conditions of the license have to be fulfilled (mention there's software under GPL, include full license text, include or offer complete corresponding source code)
- For every release you ever ship (even a beta release that is only ever shipped to one customer), you need the complete corresponding source code.
Derivative Works: Keeping it clean
Derivative works are a question of copyright law, not the GPL
- whenever you couple a GPL and a non-GPL program tightly (e.g. static/dynamic linking), you're entering a legal grey area
- there is little or no precedent on derivative works of software
- you're violating the intention of the author. If he wanted you to link from proprietary programs, he would have used LGPL
- try to work with the community, rather than against it
Intermission
- Take a break, go one step back
- The License is not an end in itself
- Intent of the license is to make sure people can modify + enhance the product
- The more open your product is, the less you have to worry
- Using Linux + FOSS without enabling the community to modify + enhance is cheating!
- Try to make friends of the developer community, not enemies!
License compliance is not an afterthought
Complying with the license terms is relatively easy if you consider the license terms before starting R&D
- you can integrate building source releases in your build process
- you can decide which software can be combined given the license terms
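One way to build the source release as a step of the firmware build, following the talk's suggestion of upstream tarball + diff plus the compile-time configuration and license text. This is an added example, not code from the slides or from gpl-violations.org; the function names, argument order and output file names are assumptions.

```shell
#!/bin/sh
# Added example. Function names, argument order and output file names are
# assumptions for illustration, not taken from the slides.

# make_source_release UPSTREAM_TARBALL MODIFIED_TREE CONFIG LICENSE OUT_DIR
# MODIFIED_TREE must be a clean source tree (no build products).
make_source_release() {
    upstream=$1 tree=$2 config=$3 license=$4 out=$5

    # Refuse to produce a release with a piece missing.
    for f in "$upstream" "$config" "$license"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    [ -d "$tree" ] || { echo "missing tree: $tree" >&2; return 1; }

    work=$(mktemp -d) || return 1
    mkdir -p "$out" "$work/a" || return 1

    # Diff against the exact upstream tarball that is shipped.
    tar -xf "$upstream" -C "$work/a" --strip-components=1 || return 1
    cp -R "$tree" "$work/b" || return 1
    rc=0
    (cd "$work" && diff -ruN a b) > "$out/changes.patch" || rc=$?
    # diff exits 0 (unmodified) or 1 (changes found); anything else is an error.
    [ "$rc" -le 1 ] || { echo "diff failed" >&2; return 1; }

    cp "$upstream" "$out/" &&
        cp "$config" "$out/build.config" &&
        cp "$license" "$out/COPYING" || return 1

    # Checksums tie this source bundle to one firmware release.
    rm -f "$out/SHA256SUMS"
    (cd "$out" && sha256sum -- * > "$work/SHA256SUMS") || return 1
    mv "$work/SHA256SUMS" "$out/SHA256SUMS" && rm -rf "$work"
}

# check_source_release OUT_DIR: build gate, non-zero if incomplete or altered.
check_source_release() {
    out=$1
    for f in changes.patch build.config COPYING SHA256SUMS; do
        [ -f "$out/$f" ] || { echo "release incomplete: $f" >&2; return 1; }
    done
    (cd "$out" && sha256sum -c SHA256SUMS >/dev/null 2>&1)
}
```

Running both functions for every firmware image that leaves the build server, including beta images, keeps one archived source bundle per shipped release.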
License compliance is not an afterthought
Achieving license compliance after shipping the product is very hard
- lack of good engineering practice could mean old source code is gone
- engineers working on the product might have left the company
- you and your customers are under a lot of time pressure (legal threat)
- you might have already shipped a derivative work of GPL'd software and now have to release parts that you originally wanted to keep proprietary
Linux and Free Software (FOSS) everywhere
Areas of Embedded Linux
- Embedded Network Devices (DSL-Modem, Router, WiFi-AP, NAS)
- Telecommunications equipment (Switch, DSLAM, ...)
- In-flight / In-vehicle entertainment
- Personal Navigation Devices (Tomtom GO)
- Mobile Phones (EZX, MAGX, Android, LiMo, WebOS)
- PoS terminals, ATMs, Payphones
- Digital Media Players, Set-Top-Boxes, Video Recorder
- Exercycles + Fitness Gear
- Building automation + control
- VoIP telephones, VoIP switches, PBX
- e-Ink readers, Tablet computers, MIDs
Embedded Linux Supply Chain
In a typical case, the supply chain consists at a minimum of
- The silicon maker of the SoC containing the core that runs Linux
- The supplier of the reference design / board for that SoC
- The ODM building an actual circuit board using that SoC
- The OEM selling the product under his brand in the target market
Embedded Linux Supply Chain
Situation can be further complicated by
- A 3rd party supplier of the BSP / SDK for the SoC or reference board
- Multiple companies involved on the ODM or OEM side (building parts of a product, later integration into the real product e.g. IVE for a car)
- 3rd party suppliers of application programs (which might use FOSS)
Embedded Linux Supply Chain
Problems in the supply chain:
- OEM has no clue what kind of software ODM put into the product
- ODM has limited technical skill and has no clue what BSP provider did
- End user buys a product with license/copyright violations and has no clue
  - who the entities in the supply chain are
  - who actually caused the license/copyright violation
GPL and Embedded Systems: Interpreting the meaning
- The GNU GPLv2 was written for the GNU project, at the time this project was working on replacing individual application programs on top of a proprietary UNIX operating system kernel.
- "scripts used to control compilation and installation"
  - Intent: To enable the user to modify + run modified versions
  - In case of embedded systems, the "scripts used to control installation" include the software required for installing the program onto the target device
GPL and Embedded DRM: Sometimes called Tivo-ization
- Some companies want to lock down their Linux-based system, by
  - Cryptographic verification of bootloader by ROM loader
  - Cryptographic verification of kernel image by bootloader
  - ...
- This is problematic from a GPL point of view, since
  - You are depriving the user of the practical ability to exercise his right to run modified versions of the program
  - Thus, violation not of the GPLv2 wording, but likely of the GPL's intention
  - Legal outcome unclear, different scholars have different opinions, also depends on jurisdiction
- GPLv3 makes this intent explicit in the license text
GPL Violations
- GPL violations are not new, just like GPL licensed software is not new
- However, the increased popularity of GNU/Linux based systems increases GPL violations
- Today, many more people and companies unfamiliar with the history and values of Free Software start using and (re)distributing FOSS
Business Risk of GPL Violations, or: How to convince your managers
- If you ship a product that is not compliant with the GNU GPL, you are committing a copyright infringement no different from shipping a product with unlicensed copies of MS Windows
- you can face civil and criminal charges in court
- civil charges include (German jurisdiction)
  - immediate cease + desist (halt of product sales)
  - information of which quantity of the product has been sold to whom
  - damages for lost revenue (see dual licensing)
- civil charges can also be filed against every distributor/store/importer
Early GPL Enforcement
- The Free Software Foundation (FSF) has always been doing GPL enforcement on software of which they are the copyright holder
  - They do so quietly, without much public notice
  - The quiet route sometimes leads to lengthy negotiations
  - The FSF only holds copyright on some Free Software programs
The Linksys WRT54G case
During 2003, the Linksys WRT54G case drew a lot of attention
- Linksys was selling 802.11 WLAN Access Points and Routers
- Lots of GPL licensed software embedded into the device, including Linux, uClibc, busybox, iptables
- FSF-led alliance took their usual quiet approach
- Linksys bought itself a lot of time
  - Some sources were released two months later
  - Full GPL compliance only achieved four months later
Aftermath of the Linksys case
- Some developers were not happy with the Linksys case
  - Linksys didn't lose anything by not complying from the beginning
  - Four months delay is a long time given short product lifetimes
- More embedded devices started to use Linux and other FOSS
- The netfilter/iptables project started to do their own enforcement
  - Using German copyright law against German subsidiary of vendor
  - Using direct legal / copyright based approach
- The gpl-violations.org project was later established
GPL Enforcement by the Community
- The GPL is a Copyright License
- GPL enforcement is thus Copyright enforcement
- Copyright enforcement can normally only be done by copyright holders!
- Alternative (less tested) legal approaches
  - Competition / Anti-Trust law (by a GPL-abiding competitor)
  - Consumer protection (The product without source code is incomplete)
GPL Enforcement Requirements
- Clean copyright situation
  - Who wrote which (part of a) software
  - Was the copyright transferred to an employer?
- Evidence for the violation
  - Test purchase of the software on storage medium
  - Detailed screenshots of download site, downloaded software images
  - Evidence shows no notice of GPL or source code availability/offer
- Copyright holders who want to do enforcement
GPL Enforcement by the Community
- Authors/Developers of a project need to care about entities that violate their license
- Legal options in case of a violation
  - One or multiple copyright holders do their own enforcement
  - Copyright transfer to an entity that does enforcement
    - Free Software Foundation
    - http://conservancy.softwarefreedom.org/
    - Fiduciary License Agreement with the FSF Europe
The gpl-violations.org work
- Use all legal means necessary to bring infringing products into compliance
- We only act where we hold copyright (Linux kernel)
- We typically only act within Europe, mostly in Germany
- Success so far
  - More than 100 amicable agreements as results of settlements
  - More than 5 preliminary injunctions halting sales of products until compliance
  - Multiple actual court cases with court verdict
The gpl-violations.org work: Typical enforcement timeline
- Customer of product sends a report about GPL violation
  - There is no GPL license text and/or no source code or written offer
- We do reverse engineering and make test purchase
- After confirming the violation, send legal warning notice to vendor
  - Tight deadline for complying with the GPL and signing a declaration to cease and desist
- If no declaration is signed, we
  - contract technical expert to do a study
  - apply for a preliminary injunction
- If cease-desist is signed and license compliance reached:
  - Resolve how the vendor can ensure already manufactured products are compliant
The gpl-violations.org legal cases
Commonly-known cases that actually went to court
- April 2004: Preliminary injunction against Sitecom
- May 2004: Sitecom appeal case turned down by court
- April 2005: Preliminary injunction against Fortinet
- September 2006: Court case against D-Link
... all of those cases have been won
Outlook
- Blatant GPL violations in embedded devices are declining, but are likely to continue due to lack of skill or negligence.
- We'll see more derivative works types of GPL violations, and we'll see actual legal enforcement and precedent in this area over the next years.
- Stronger copyright protection demanded by content industry will also mean stronger protection for FOSS licenses. Imagine GPL enforcement with three strikes law in France ?!?