A new FUD angle: securities laws
Many companies using Linux for embedded applications may be unwittingly violating the Linux license and even breaking federal securities laws, according to a white paper released today by Wasabi Systems, a leading embedded operating systems provider. The white paper, When GPL Violations are Sarbanes-Oxley Violations, is the first in a series of legal studies analyzing the common misperceptions and risks associated with Linux and its license, the GNU General Public License (GPL)." (Thanks to Brock Frazier.)
Posted Jan 19, 2006 21:27 UTC (Thu)
by jwb (guest, #15467)
[Link] (8 responses)
Posted Jan 19, 2006 23:27 UTC (Thu)
by lordsutch (guest, #53)
[Link] (7 responses)
Posted Jan 20, 2006 1:18 UTC (Fri)
by mattdm (subscriber, #18)
[Link]
Posted Jan 20, 2006 2:06 UTC (Fri)
by tialaramex (subscriber, #21167)
[Link]
If you actually /can't/ provide the source to an embedded product from 3 years ago I think you have other engineering and legal problems without worrying about the GNU GPL.
Besides, if people making a $10 mouse can throw in a mini-CD full of documentation, it can't be hard to include a source code CD with your television, lawnmower or other Linux embedded device.
For non-embedded products, you can fulfill your distribution obligations in full by putting the source code with license text on the CD or FTP server next to the binary. If the user never looks at it, or (in the case of the FTP server) doesn't even download it, that's their problem, not yours according to the license.
Posted Jan 20, 2006 2:19 UTC (Fri)
by jwb (guest, #15467)
[Link] (2 responses)
Posted Jan 23, 2006 22:08 UTC (Mon)
by anonymous21 (guest, #30106)
[Link] (1 responses)
Clearly, you've never seen the BSD license you Linux Zealot Weenie.
My dog can comprehend the three simple BSD clauses.
Your argument seems to be that the BSD license is just as complex as the GPL, and it's just not. Not
Posted Jan 29, 2006 0:40 UTC (Sun)
by man_ls (guest, #15091)
[Link]
Posted Jan 20, 2006 12:47 UTC (Fri)
by smitty_one_each (subscriber, #28989)
[Link] (1 responses)
Really? I wouldn't think you'd be responsible for much beyond the current version of something.
Posted Jan 20, 2006 14:08 UTC (Fri)
by farnz (subscriber, #17727)
[Link]
If you took up option 3a, as most GNU projects do by providing source and binaries in the same location (same CD set, same FTP site etc), you're clear of obligation. If you took up option 3b, you must keep the sources around for 3 years after you last shipped a product with that code in it.
Posted Jan 19, 2006 21:44 UTC (Thu)
by proski (subscriber, #104)
[Link] (2 responses)
GPL v2: "You are not required to accept this License, since you have not
signed it".
Posted Jan 19, 2006 22:02 UTC (Thu)
by dcoutts (guest, #5387)
[Link]
In the GPL v3 they're going to make it slightly easier for accidental breaches of the GPL to be corrected without the distrbutor automatically loosing their rights to distribute the software.
Posted Jan 19, 2006 22:03 UTC (Thu)
by stevenj (guest, #421)
[Link]
Posted Jan 19, 2006 23:23 UTC (Thu)
by tzafrir (subscriber, #11501)
[Link] (1 responses)
How much of the code in Wasabi's system is covered by the original BSD system? Do distributers *really* comply with those licenses? Have those PHB and their lawyers verified that?
If not, they may be facing criminal charges, according to this white paper!
Posted Jan 20, 2006 8:33 UTC (Fri)
by tzafrir (subscriber, #11501)
[Link]
| This requirement [to provide the source code
In other words: the argument is that if you have already spent money on writing the driver you should make sure noone else can help you spend money on maintaining it. Cool. Nice of them to save work for Linus and the others.
BTW: they do get to keep the copyrights even if they publish it under the GPL.
Posted Jan 20, 2006 0:05 UTC (Fri)
by xoddam (guest, #2322)
[Link]
Posted Jan 20, 2006 8:21 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (2 responses)
In other words, they are useless attorneys or they are *deliberately* FUDding.
I would have thought it was blatantly obvious to any half-way competent attorney that in order to enforce a copyright licence, you need to own (or have rights to) the copyright you are trying to enforce.
HINT TO WASABI ATTORNEYS: the FSF does not have any copyright rights to the linux kernel! (Actually, that's not quite true, but unfortunately for the FSF, Linus has veto rights as far as this issue is concerned, and he has been pretty blatant (ie read the COPYING file) that he will use them.)
Cheers,
Posted Jan 22, 2006 21:21 UTC (Sun)
by dwmw2 (subscriber, #2063)
[Link] (1 responses)
Linus doesn't officially have veto rights. He didn't collect copyright assignments, and doesn't really have any more rights than any other significant contributor. However, I suppose he does effectively have veto rights in one way... if I was bringing a lawsuit against a distributor of binary-only modules I might be inclined to back down if Linus specifically asked me to. However, I suspect that it's unlikely that he'd do so. You are wrong about what it says in the COPYING file, if you think it gives an exception for kernel modules. Here's Linus' own response (LKML, 2003-12-03) to someone else who had the same mistaken impression, once before:
There's a clarification that user-space programs that use the standard
system call interfaces aren't considered derived works, but even that
isn't an "exception" - it's just a statement of a border of what is
clearly considered a "derived work". User programs are _clearly_ not
derived works of the kernel, and as such whatever the kernel license is
just doesn't matter.
And in fact, when it comes to modules, the GPL issue is exactly the same.
The kernel _is_ GPL. No ifs, buts and maybe's about it. As a result,
anything that is a derived work has to be GPL'd. It's that simple.
Now, the "derived work" issue in copyright law is the only thing that
leads to any gray areas. There are areas that are not gray at all: user
space is clearly not a derived work, while kernel patches clearly _are_
derived works.
But one gray area in particular is something like a driver that was
originally written for another operating system (ie clearly not a derived
work of Linux in origin). At exactly what point does it become a derived
work of the kernel (and thus fall under the GPL)?
THAT is a gray area, and _that_ is the area where I personally believe
that some modules may be considered to not be derived works simply because
they weren't designed for Linux and don't depend on any special Linux
behaviour.
Basically:
Historically, there's been things like the original Andrew filesystem
module: a standard filesystem that really wasn't written for Linux in the
first place, and just implements a UNIX filesystem. Is that derived just
because it got ported to Linux that had a reasonably similar VFS interface
to what other UNIXes did? Personally, I didn't feel that I could make that
judgment call. Maybe it was, maybe it wasn't, but it clearly is a gray
area.
Personally, I think that case wasn't a derived work, and I was willing to
tell the AFS guys so.
Does that mean that any kernel module is automatically not a derived work?
HELL NO! It has nothing to do with modules per se, except that non-modules
clearly are derived works (if they are so central to the kenrel that you
can't load them as a module, they are clearly derived works just by virtue
of being very intimate - and because the GPL expressly mentions linking).
But if you use those same sources (and _you_ wrote them) they do not
contain any Linux code, they are _clearly_ not derived from Linux, and you
can license and use your own code any way you want.
You just can't make a binary module for Linux, and claim that that module
isn't derived from the kernel. Because it generally is - the binary
module not only included header files, but more importantly it clearly is
_not_ a standalone work any more. So even if you made your own prototypes
and tried hard to avoid kernel headers, it would _still_ be connected and
dependent on the kernel.
And note that I'm very much talking about just the _binary_. Your source
code is still very much yours, and you have the right to distribute it
separately any which way you want. You wrote it, you own the copyrights to
it, and it is an independent work.
But when you distribute it in a way that is CLEARLY tied to the GPL'd
kernel (and a binary module is just one such clear tie - a "patch" to
build it or otherwise tie it to the kernel is also such a tie, even if you
distribute it as source under some other license), you're BY DEFINITION
not an independent work any more.
Posted Jan 27, 2006 11:50 UTC (Fri)
by ekj (guest, #1524)
[Link]
That's not what veto means. He is free to state his opinion. Yes, so is anyone, that's called free speech.
You are free to listen to him, if you want to listen to him. Yes, sure you are, but you are in no way obligated to listen to him.
It makes no sense whatsoever to say that Linus has defacto veto-rigths.
The only thing he does have is a lot of respect, making it more likely that many people will (voluntarily!) *choose* to listen to him on some issues.
Posted Jan 20, 2006 10:04 UTC (Fri)
by danieldk (subscriber, #27876)
[Link] (1 responses)
To quote their site: Wasabi provides a wide range of GNU toolchain optimization and customization services, with some of the leading experts in the industry.
Let's hope for them that they don't break any federal securities laws ;).
Posted Jan 20, 2006 16:02 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Is anyone left there who can educate their higherups?
Posted Jan 20, 2006 10:14 UTC (Fri)
by ivor (guest, #31998)
[Link]
Posted Jan 20, 2006 14:25 UTC (Fri)
by wookey (guest, #5501)
[Link]
Nearly every page says 'If you violate the GPL <bad things will happen>'. Which is all true, but of course if you don't, then bad things won't happen, and the world will in fact be rosy.
And by the time we get to "You mustn't let engineers make sure you are in compliance, because only lawyers can do so under Sarbanes-oxley", my FUD-detector starts to wail (really? - I bet the engineers are better-informed than the suits), and as many others have pointed out this applies just as much to your BSD and proprietary code.
Then we have "The simplest answer is not to cheat. However, there are [] problems with this simple response. First, most companies do cheat, because compliance is expensive". OK - now they are just talking bollocks: GPL-compliance overheads are small, if not tiny. I know - I do this stuff for a living. Just make the code you ship available, either on-line, or on a CD with the product - How expensive can that be? He's right that non-compliance has been rife, but I think that was actually largely ignorance, laziness and incompetence, and the GPL-compliance project seems to have reduced the incidence markedly.
And oddly enough I find myself capable of confirming GPL compliance (or the lack of it) without the aid of lawyers (well, except where I read what they write on-line).
Here's another fine quote: "Moglen's solution, in his response to Michaelson above, is simply to "share and share alike," i.e. make all code open source, including, presumably, code to modules which might be considered derivative works. This solution would indeed assure compliance with the GPL, but would render LKMs useless."
Of course - kernel modules are completely useless if they don't let you keep drivers proprietary - no other purpose could possibly exist :-) The persistent use of 'LKM's when he means 'Proprietary LKMs' does smack of FUD.
So, overall - a very informative paper, rather spoilt by bias.
Posted Jan 20, 2006 16:32 UTC (Fri)
by Spike (guest, #14160)
[Link] (2 responses)
Who logged in with what ID when.
Who updated what data in the ERP system.
Were changes properly authorized ....etc
All around proper accounting practices. One could easily comply with SOX and not the GPL or vise versa because one is a proper use license and the other is Corp. Financial Law. Possibly related in some ways but, certainly not directly. This is total bunk.
Posted Jan 20, 2006 17:17 UTC (Fri)
by Ross (guest, #4065)
[Link] (1 responses)
Posted Jan 20, 2006 22:14 UTC (Fri)
by gdt (subscriber, #6284)
[Link]
Even that's not safe. You could still be in trouble for misrepresenting the origin of the source code -- saying "we wrote it" when someone else did. The bottom line is that companies need to trust their programmers to do what they are paid for. This is hardly unique to programming and it why dishonest people are such a nightmare to employ. It is also why companies have audit procedures. We are seeing the beginning of audit procedures for source code -- simply reflecting the maturation of business use of computer programming. And just like in other audit fields, there are companies that are willing to mis-state or exagerate the risks to promote their products.
Posted Feb 1, 2006 0:24 UTC (Wed)
by filker0 (guest, #31278)
[Link]
If code written to work as a plug-in for the user-space program, even if it emulates a non-GPL'd program's published plug-in interface, is automatically GPL by law, we start to slide down into what I believe is the absurd. If a GPL image processing program accepts Adobe Photoshop plug-ins, and I use a non-GPL plug-in with it, have I violated the spirit of the GPL? If so, why even support that interface in the GPL'd product?
When you write loadable driver modules that make no modifications to the kernel data structures themselves, simply use published binary interfaces for the version of the kernel that they support, is the code itself, by association, a derived work? If I choose to distribute the source code under a BSD, Mozilla, or other Open Source license, have I violated the GPL? From what Linus says, no, I have not; From what some others are saying, yes, I have.
I am an open source advocate, and have been for many years, but it has been my reading of the GPLv2 that, to be a derived work, it must be based on that work and not simply patterned to work with it. I view loadable driver modules as a plug-in using a documented binary interface, thus not a work derived from the kernel, whether it's all-new or ported from another OS. If the driver module goes around the published interface and manipulates internal kernel data structures directly or requires kernel changes outside of the module itself to operate, that's another matter entirely.
I'm working on an embedded project where we have some proprietary hardware for which we are writing Linux drivers. In one case, the driver is completely new; none of its code is based on pre-existing drivers for the device, as no pre-existing device was around. In the other case, there was a similar device used in another project that used LynxOS for the platform, and the bulk of the internals of that driver are derived from that source. In a sense, that driver is being ported from LynxOS to Linux. By the definitions that are being offered, the first driver is definitely a derived work, whereas the second is questionable, even if the changes required to port the driver are extensive.
The embedded device has a very specific application. We have exactly one customer for the product. There will be few of these devices deployed, and they are unlikely ever to find their way onto the open market. We will give the customer the sources to our device drivers; they will likely never look at them, and they are even less likely to want to change them. We will *not* give the source code for the FPGAs that implement some of the hardware interfaces to anybody; they are not open source, and they're not being done by a group that is working with open source software. The people who are making the decisions may wish to use a different Open Source license (in fact, they do.) The decision has not been made yet, and won't be for some months. Management believes that the customer may have the right to the code, but for a device that will never exist outside of an integrated product (it's built onto the board) there is no real need to submit the source to the Kernel maintainers.
So, is the path we're taking leading us to a violation of the GPL?
Haha hilarious. Wasabi's FUD says that if you are violating the terms of the GPL, you may also be violating Sarbanes-Oxley, and therefore you may go to jail. But the same is true of _any_ intellectual property license: free software, open source, or proprietary. Even the BSD license that Wasabi Systems is trying to sell.Linux Users May Be Breaking U.S. Securities Laws
True, but it's pretty damn hard (actually, close to impossible unless you're being actively malicious) to violate the 3-clause BSD license. The GPL has some pretty byzantine requirements if you sit down and try to comply with them to the letter (i.e. you must provide the exact source of something you shipped three years ago on demand, you must provide a written offer to this effect, blah blah blah).Linux Users May Be Breaking U.S. Securities Laws
*shrug* The bit you cite is one of several options, and is easily avoided simply by shipping source with your binary code.Linux Users May Be Breaking U.S. Securities Laws
"It's pretty damn hard", yet such violations occur, and for the same reasons as with the GPL. Someone wants a competitive advantage they don't deserve. So they take BSD code and remove all the copyright statements, then brand it as a proprietary solution and sell it for $$$. Maybe if they remember they even change some of the code.Linux Users May Be Breaking U.S. Securities Laws
The degree of difficulty of violation is not relevant, because the Wasabi people insist the cost of the Linux Users May Be Breaking U.S. Securities Laws
GPL is that your engineers aren't qualified to evaluate the license, so you need expensive legal
vetting to discharge your obligations under Sarbanes-Oxley. But clearly the same is true of the BSD
license. If your engineers cannot gauge the risk of the GPL, they also cannot gauge the risk of
incorporating Berkeley-licensed code, or code under any other license, and the legal effort must be
undertaken regardless of the manner in which the 3rd-party software is acquired.
> the Wasabi people insist the cost of the GPL is that your engineers aren't qualified to evaluate the Linux Users May Be Breaking U.S. Securities Laws
> license, so you need expensive legal vetting to discharge your obligations under Sarbanes-Oxley.
> But clearly the same is true of the BSD license.
by a long shot.
The GPL is not that hard either. Time to make your dog attend one of Eben Moglen's seminars?
Not much complexity anyway
> you must provide the exact source of something you shipped three years ago on demandLinux Users May Be Breaking U.S. Securities Laws
For example, earlier versions of emacs are not necessarily obtainable.
I'm unsure your interpretation is correct, but this could be a worthwhile GPLv3 question.
Depends which option you took under section 3 of the GPL. As a commercial distributor, you can't take up option 3c, so your choices are option 3a or 3b.
Linux Users May Be Breaking U.S. Securities Laws
Jay Michaelson: "If companies are violating the GPL, they don't have the right to use that software".
License vs Contract again
Point taken, but in this case they're talking about companies using GPL software in embeded devices. Presumably these devices are being sold and so the GPL software on them is being distributed. So the company is bound by the GPL and must stop distributing if it breaks the license.License vs Contract again
By "use" I think they mean "use in a shipping device", i.e. distribute. Distributing the
software to third parties does require you to accept the GPL. Of course, similarly
for any other license.
License vs Contract again
Reverse FUD:A new FUD angle: securities laws
Not to mention the usual suspects:A new FUD angle: securities laws
| of the driver] is quite onerous for some
| software companies, since it means giving
| away code which they have spent a great deal
| of money to create, and which might otherwise
| represent valuable intellectual property
"... they don't mean it's free like the air, which you can breathe with "they don't mean it's free like the air"
no requirements."
Maybe breathing is an unencumbered use of air, but in most countries
there are severe restrictions and requirements when you start burning
things in it.
Neither air nor the Free Software commons is free for despoiling.
"Why the FSF doesn't enforce the GPL wrt LKMs"."As attorneys we don't understand"
Wol
No exception.
"(Actually, that's not quite true, but unfortunately for the FSF, Linus has veto rights as far as this issue is concerned, and he has been pretty blatant (ie read the COPYING file) that he will use them.)"
Nope. No such exception exists.
Note that Linus went on to be even clearer about the fact that kernel modules are a derived work unless there are very special circumstances (LKML, 2003-12-05):
- anything that was written with Linux in mind (whether it then _also_
works on other operating systems or not) is clearly partially a derived
work.
- anything that has knowledge of and plays with fundamental internal
Linux behaviour is clearly a derived work. If you need to muck around
with core code, you're derived, no question about it.
I claim that a "binary linux kernel module" is a derived work of the
kernel, and thus has to come with sources.
Linus doesn't officially have veto rights. He didn't collect copyright assignments, and doesn't really have any more rights than any other significant contributor. However, I suppose he does effectively have veto rights in one way... if I was bringing a lawsuit against a distributor of binary-only modules I might be inclined to back down if Linus specifically asked me to.No exception.
A new FUD angle: securities laws
Yeah. There are some noteworthy free software people who at one time or another have sent mail from @wasabisystems.com; Ben Elliston (who I think is now at IBM) and Ian Lance Taylor, among others.A new FUD angle: securities laws
..and if a company actually respects the GPL, uses GPL software, makes modifications/improvements to it and has a proper culture and development process in place that provides those changes back to the community they've got nothing to worry about have they? They don't need to worry whether they are keeping track of their secret changes correctly.surely, nothing to fear
So companies only need to worry if they're cheating, lying, stealing, trying to rip people off, are trying to simply follow the letter but not the spirit of the GPL, etc etc etc? So what. Big deal. Cry me a river.
The White paper is actually quite a useful summary of OSS licences, the difference between GPL and BSD, what happens if you don't comply, the legal status of Linux Kernel Modules (and that they are clearly against the sprit of the GPL), and (presumably - I know very little about it) a summary of the extra requirments of Sarbanes-Oxley. It starts off each section very well, clearly explaining a number of things that many people are no doubt still unsure about, but it is does appear to be written with a bias, pushing their BSD-licensed stuff and scaring people off the GPL, and starts to go downhill when we get into details.A new FUD angle: securities laws
This is such a joke.
"Even if an executive thinks the company is complying, s/he may still be breaking the law if adequate control measures are not in place. What that means is unclear - but, at a minimum, it requires a lawyer."
This alone says We're spreading FUD cause we have no real idea what SOX is about.
I work in corp. IT and we are working on SOX compliance. The key to SOX compliance as we have been told is providing "control Practices" that make changes to Accounting/Financial data have an audit trail.
Some Examples are.
SOX is about Financial Controls Not IP and copyright law.
I also work in IT security. The other major flaw in this paper is that most of the supposed "GPL" problems are actually issues which would happen any time license violations occur. If that's their primary worry, they should only use and write software in the public domain.SOX is about Financial Controls Not IP and copyright law.
SOX is about Financial Controls Not IP and copyright law.
What is the status of plug-ins to user-space programs written under the GPLv2? Are they derivitive works of that program? What if the program in question actually implements a plug-in interface that is compatible with a pre-existing commercial (read proprietary) products plug-in interface, such as for Photoshop? Is the plug-in still a derivitive work of the GPL'd program? Of Photoshop? If the plug-in was intended for the proprietary program, clearly that plug-in can't be expected to inherit a GPL status by association.Plug-ins as derivitive works?