| |||||||||||||
|
| |||||||||||||
BusyBox settles another lawsuitBusyBox settles another lawsuitPosted Mar 6, 2008 19:45 UTC (Thu) by macson_g (subscriber, #12717)Parent article: BusyBox settles another lawsuit
Please, correct me: I think that BusyBox requirements are draconian. Of course I understand that one have to publish it's code. But they require publishing of full source of every little bit of GPL'd software you have installed on your device - they are pointing at Linksys as reference. I'm currently building device which uses BusyBox, and I'm terrified, that instead of simply putting link to SVN repository on our website, I have to host source of each package used, which is 99% vanilla.
(Log in to post comments)
BusyBox settles another lawsuit Posted Mar 6, 2008 19:57 UTC (Thu) by martinfick (subscriber, #4455) [Link] A somewhat common GPL complaint, but hardly a BusyBox complaint.
You don't need to offer the software online. Posted Mar 6, 2008 21:23 UTC (Thu) by dmarti (subscriber, #11625) [Link] You could probably just print a blurb in the back of the manual citing the GPL software you use, and say "send $1 and a CD-ROM sized SASE for source". Just using GPL software on a device doesn't mean you have to be in the downloads business.
BusyBox settles another lawsuit Posted Mar 6, 2008 19:57 UTC (Thu) by nigelm (subscriber, #622) [Link] So you are building a business distributing devices based on GPL software, and you have not bothered to clarify your license requirements? I'm stunned!
BusyBox settles another lawsuit Posted Mar 6, 2008 19:57 UTC (Thu) by atai (subscriber, #10977) [Link] You have to provide the exact source code you use to build the Busybox software you distribute so people can rebuild them and verify that your binaries do come from this set of sources. On the other hand, BusyBox can only require you to provide sources to the software they write... they cannot force you to do this for other GPL'd software not written by them. But practically that does not matter because the other authors would demand the same.
BusyBox settles another lawsuit Posted Mar 8, 2008 22:10 UTC (Sat) by jengelh (subscriber, #33263) [Link] >You have to provide the exact source code you use to build the Busybox software you distribute so people can rebuild them and verify that your binaries do come from this set of sources. And that is where the problems begin, for example with code that puts the compilation date into the binary. That way you will never get the exact MD5 of the originally-shipped binary! :-(
BusyBox settles another lawsuit Posted Mar 9, 2008 7:59 UTC (Sun) by atai (subscriber, #10977) [Link] This should not be a problem... people can verify if your binaries are built this way from the sources, by modifying the sources to hard code the dates you have in your binaries...
BusyBox settles another lawsuit Posted Mar 6, 2008 19:59 UTC (Thu) by MathFox (guest, #6104) [Link] You knowingly use GPL software. How much would it cost you to buy equivalent software at a commercial supplier? Wouldn't it be fair that you in return make the source code available and provide proper attribution of the FOSS you use? Yes, you'll have to go that extra yard to comply with Open Source licenses. You don't need to host the source packages on your website, if you ensure that the recipients of your devices obtain the source code in some (computer readable) way, for example on a CD-ROM. Read the GPL about the details.
BusyBox settles another lawsuit Posted Mar 6, 2008 21:02 UTC (Thu) by flewellyn (subscriber, #5047) [Link] It's draconian to require people to abide by the terms of the software license? Especially when the license is so permissive otherwise? Really, now.
BusyBox settles another lawsuit Posted Mar 6, 2008 22:39 UTC (Thu) by landley (guest, #6789) [Link]
Compliance is actually pretty easy once you understand what your
responsibilities actually are. To comply with the license, you need to do
at least the following three things:
1) State the base version explicitly. (Yes I already have this code, but
I don't _know_ that this is the specific code you used unless you tell me.
For all I know you grabbed some random svn snapshot and did who knows what
with it. "I used busybox" covers 10 years of development at this point,
you need to be more specific.)
2) If you didn't modify it, SAY SO. ("This is vanilla 1.2.1, with no
changes" is a perfectly acceptable answer to me, as long as you're telling
the truth.)
3) If you modified it, post a patch (preferably diff -u) against the base
version you identified in step 1. (I actually _prefer_ this to you
posting a complete tarball I then have to extract my own patch from to see
what you changed, but I can work with a tarball. Obviously a full source
tarball is compliant, it's just overkill most of the time.)
The first problem companies get in is they don't _identify_ the source
they use sufficiently for others to reproduce their binaries. You have no
idea how many people don't realize that steps #1 and #2 above are actually
_requirements_, so they go into a "what do they want from us" panic when
approached about it. Sometimes we just want clarification. "We're
using busybox" isn't good enough, but "We're using busybox 1.0.0-pre3 with
this patch" usually is. Even if they're using plain vanilla with no
patches, they have to _say_ "This is vanilla version X with no patches".
I can't just assume you didn't make any changes, and it's a huge amount of
work to prove a negative (takes a lot of examination, you have to look at
_everything_ to make sure you recognize all of it).
The other problem some companies have (I can't comment on any specific
case) is that they loose track. After it's shipped and the development
team moved on, they can't reproduce it either. They don't know what the
base version was, they don't know what (if any) patches they applied, so
when we ask these questions, they can't answer them. We're generally
happy to work with 'em out of court to track down this info (which can be
a _lot_ of work after the fact, by the way), but if they panic and stop
talking to us in hopes we go away, the SFLC will sue.
Often the patch turns out to be small and uninteresting and it _is_ mostly
vanilla code with trivial tweaks that they can't _possibly_ be interested
in trying to extract some kind of proprietary advantage out of. But we
care about proving there _isn't_ something interesting. Please don't make
us do a lot of work to confirm this, the license says you owe us this info
up front. It's your responsibility to track this, not ours.
The "host a mirror or don't host a mirror" issue is a red herring, and one
I don't particularly care about. I don't need another copy of the bits I
already have, and OSL is already providing us a high bandwidth mirror for
all the historical versions. But I _do_ need you to tell me where to
_find_ the source you used if I want to reproduce your binaries. If you
can't tell us that, you're not complying with the license.
The real issue is third party reproducibility of the code. If you give me
a binary and don't explicitly say "this is version X and I did not patch
this" (or "this is version X with this patch"), then how do I know? I
have to do extensive forensic analysis to see what changes you may or may
not have made, and having to do that for 100 different product releases
gets old fast.
Rob
BusyBox settles another lawsuit Posted Mar 6, 2008 23:35 UTC (Thu) by sepreece (subscriber, #19270) [Link] One could hope that Rob's requirements would be a model for everyone - they're reasonable, simple, and should be straightforward for anyone to comply with (at essentially zero cost). They are much less stringent that the letter of the GPL, but nicely satisfy its spirit. scott
Rob, your directions are just wrong Posted Mar 7, 2008 0:03 UTC (Fri) by JoeBuck (subscriber, #2330) [Link] If you ship GPL'ed binaries, you have to be prepared to provide the source.It doesn't suffice to say what the version is (though that's nice), or to supply patches. You don't have to host the full source, but you do have to include a written offer, good for three years, to provide the full source. You can charge what it costs you for doing this. It can be done offline, you can mail CDs to people who request it. You can't stop them from posting that CD online. Don't tell people that they just need to supply patches; that is incorrect.
BusyBox settles another lawsuit Posted Mar 7, 2008 3:17 UTC (Fri) by njs (subscriber, #40338) [Link] Rob's note is thoughtful, and makes good points, but it should be noted that it is *not* actually describing the requirements of the GPL; it's describing how close you have to get to the GPL's requirements before Rob stops caring about suing you. Anyone in the position of distributing GPL software in a device would be smart to follow his advice, and the community will surely appreciate it... but they should *also* read the actual legal requirements set out by the GPL, and follow those too, to avoid liability from all the other authors of GPL software who aren't Rob.
BusyBox settles another lawsuit Posted Mar 7, 2008 13:08 UTC (Fri) by jeff@uclinux.org (guest, #8024) [Link]
"Compliance is actually pretty easy once you understand what your
responsibilities actually are. To comply with the license, you need to do
at least the following three things:
Post the sources. Or offer to deliver them, as per the license.
1) State the base version explicitly. (Yes I already have this code, but
I don't _know_ that this is the specific code you used unless you tell me.
For all I know you grabbed some random svn snapshot and did who knows what
with it. "I used busybox" covers 10 years of development at this point,
you need to be more specific.)
This is not a part of the license, at all. It's nice though!
2) If you didn't modify it, SAY SO. ("This is vanilla 1.2.1, with no
changes" is a perfectly acceptable answer to me, as long as you're telling
the truth.)
This is not a part of the license, at all. It's nice though!
3) If you modified it, post a patch (preferably diff -u) against the base
version you identified in step 1. (I actually _prefer_ this to you
posting a complete tarball I then have to extract my own patch from to see
what you changed, but I can work with a tarball. Obviously a full source
tarball is compliant, it's just overkill most of the time.)
No, that's incorrect. The full source & scrips... only way to be compliant. Posting
a patch is a way to create a misunderstanding and get sued by someone who
is on a crusade... and they are within their rights to do that even if they
contributed trivially to the project (no, I'm not saying you would).
"The first problem companies get in is they don't _identify_ the source
they use sufficiently for others to reproduce their binaries. You have no
idea how many people don't realize that steps #1 and #2 above are actually
_requirements_"
Right, because they aren't. That is not what the license says.
Rob, Erik, this is really really scary. You guys talk enforcement but seem intent on
shooting yourselves in the foot. When starting the uClinux project where a lot of
these things (uClibc etc) came from I did so so that people could benefit, not be
afraid of what they need to do because of license uncertainty! Threatening "SFLC
will sue [if you don't]" but posting misunderstandings like above is exactly the opposite
of what is needed here.
D. Jeff Dionne.
Jeff@uClinux.org
BusyBox settles another lawsuit Posted Mar 7, 2008 14:33 UTC (Fri) by sepreece (subscriber, #19270) [Link] What Rob posted were what he cares about as a rights holder. Anyone providing the information he asked for should be trivially able to satisfy the letter of the license if anyone actually asked them to do so. [I'd say that anyone capable of realistically doing anything useful with the source would also be able to satisfy her needs with that information.] The license terms are what they are. Most rights holders seem content with one or another thing equivalent to the license terms. Offering downloads, for instance, does not satisfy the license, but does satisfy most rights holders [and, I imagine, most people who want the sources.] However, you're right that anyone shipping GPLed code needs to be aware of the actual terms, needs to meet at least the notification requirements, and needs to be prepared to provide source if requested.
BusyBox settles another lawsuit Posted Mar 7, 2008 15:04 UTC (Fri) by jeff@uclinux.org (guest, #8024) [Link] While what Rob requests is nice to have (all of us prefer useful patches to a tarball of garbage from a vendor), this is NOT compliance with the license. Rob will take these reasonable things and be happy... that's fine. But those interested in having a legal framework for Valid, Global, Running Business (which is what embedded is about, make no mistake) cannot rely upon what Rob would like to get. Remember, we got into these discussions because the busybox project is interested in "enforcement" of the License and has sued people over it. That license is the GPL... only. Rob's post is suggesting people do things that don't amount to compliance when compared to the requirements of the license, and that's not good. There are others of us who are copyright holders, many many in fact, and who knows what some others will do in that situation. The license language is clear, if one wants to satisfy the legal requirements and get on with the real work, that's where to look. If one is interested in wondering about the legality of what one ships, posting some (perhaps perceived to be) random patches and version numbers seems to apply. J.
BusyBox settles another lawsuit Posted Mar 7, 2008 19:24 UTC (Fri) by landley (guest, #6789) [Link] > Rob, Erik, this is really really scary. I'm not speaking for Erik, nor for the SFLC either. Never said I was. I'm saying that a lot of people go into "deer caught in headlights" mode when the subject of GPLv2 compliance comes up because they think the source code being publicly available is sufficient, when they haven't identified it specifically enough for us to have a clue what they used (nor have they even _checked_ to see if their developers modified it). If you understand a developer's motivations for approaching you, it's easier to satisfy them. The core of GPLv2 is "show me the code". How you go about this is details. > You guys talk enforcement but seem intent on shooting yourselves in the > foot. *shrug* Once you actually wind up in court, the full requirements of GPLv2 get enforced, including little details like clause 3c only applying to non-commercial distribution. I'm talking about staying _out_ of court. My previous message is really about how far a small developer like the one who started this thread can usually stretch 3c before it breaks. Many people just assume "the source is already on the web, that means I'm covered", which isn't quite sufficient and there are _reasons_ it isn't sufficient, which I attempted to explain. > When starting the uClinux project where a lot of these things > (uClibc etc) came from I did so so that people could benefit, not be > afraid of what they need to do because of license uncertainty! Obviously a full reading of the GPLv2 can tell you more about how to comply with that license than I can, and thus you're free to ignore anything I have to say about it. Although who said "medium customarily used for software interchange" (a phrase from section 3a which predates the escape of web servers from CERN) does _not_ include "base tarball plus patch file"? Isn't that what you customarily find in source RPMs? Technically, GPLv2 probably still allows you to mail out a 9 track tape containing the source (since that's what was customarily used when the license was drafted in 1991, and what the FSF itself did for many years). Certainly you could charge people $5 to burn a CD and mail it to them under section 3b. Heck, materials plus postage plus amortized depreciation on your equipment plus 15 minutes at your hourly consulting rate, you can probably get away with charging $50 or more. Thus your written offer could include "mail a check to this address" as a precondition, and GPLv2 explicitly allows it. Do you see any text in the license that _requires_ you to put up a web mirror? Yes, I have actually thought about this before. There are ways to not play nice while complying with the letter of GPLv2, and there are ways to not play nice while trying to enforce GPLv2. I prefer to play nice. > Threatening "SFLC will sue [if you don't]" but posting misunderstandings > like above is exactly the opposite of what is needed here. I'm not threatening anything. (License complaints go straight to the SFLC these days via gpl@busybox.net. I don't even see 'em until after the SFLC has investigated the issue, contacted the company, and already decided they're unable to resolve it out of court. Thus I don't see most of 'em, which _are_ dealt with out of court, and if somebody does contact me directly I forward them to the laywers. The exception is when I volunteer to analyze the resulting code they get to confirm that it's complete and corresponding, of which I have a half dozen backlogged that I haven't had time to look at properly yet.) All I'm pointing out is that if you haven't identified a specific version, and identified your changes against that version (including explicitly stating "there were no changes" if that is indeed the case) sufficiently for us to reproduce what you did, then there's no way any GPLv2 project's developers can really be satisfied with your license compliance. Not even under section 3c. And that this is what motivates copyright holders (or their designated representatives) to take enforcement action in the first place. No, I didn't go into "what constitutes complete and corresponding source code" and whether that includes your config files (which is a case by case judgement call as far as I'm concerned). I'm also aware that the FSF browbeat Mepis (a tiny garage operation) into buying a high bandwidth web mirror for packages that were already in the Ubuntu repository, despite Mepis having partnered with Ubuntu (with a press release quoting Mark Shuttleworth and everything). How Mepis can delegate an ISP to mirror the packages for them when they couldn't delegate Ubuntu to do it, I have no idea. (What really seems to have happend is that Mepis didn't have the time/energy/expertise/money to defend itself in court when the FSF came trolling, but then I wasn't a party to any of that so I don't really know. And I'll concede that a real troll could probably do a sco-style lawsuit and keep things tied up in court for a while as long as they had money to pay lawyers, but that's not specific to any particular license, and the FSF itself doesn't seem to care about GPLv2 anymore now that v3 is out.) Is that what you wanted me to tell a developer who's already publishing a public SVN repository before we even _asked_? "Be afraid of frivolous lawsuits, despite your existing show of good faith?" Or maybe "beware the FSF trying to make an example of you?" "Here's every fiddly corner case of copyright law that you may ever have to worry about if you ever use anybody else's code?" Doesn't seem useful in this context. "Here's how you can avoid motivating most developers to take action against you." That seemed useful.
BusyBox settles another lawsuit Posted Mar 27, 2008 0:49 UTC (Thu) by samroberts (subscriber, #46749) [Link] Rob, do you work for the SFLC? Just wondering, because your statements don't seem to agree with those at http://www.fsf.org/licensing/licenses/gpl-faq.html My understanding of what the busybox lawsuits mean is that the 3 things you list above are NOT sufficient. In particular, not distributing the source because you didn't actually change it, and people can just go download it from where you got it is not good enough. I don't believe we can just say "hey, its foozit v3.2.1, unmodified, get it over there". http://www.fsf.org/licensing/licenses/gpl-faq.html#Unchan... And if you changed it I don't think you can provide just a patch, either. http://www.fsf.org/licensing/licenses/gpl-faq.html#Distri... Cheers.
BusyBox settles another lawsuit Posted Mar 6, 2008 22:53 UTC (Thu) by csawtell (guest, #986) [Link] I'd suggest you read section 3 of the GPL version 2. Section 3b would appear to apply to your situation.b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;Notes:
BusyBox settles another lawsuit Posted Mar 7, 2008 4:44 UTC (Fri) by djao (subscriber, #4263) [Link] Actually, if you read the text of Section 3b that you posted, it says explicitly that the offer of source code must be extended to "any third party." In other words, under Section 3b, you really must make the source code available to the general public, not just your own customers.If for some reason you desperately want to make source code available only to your customers, you can do this under the GPL, but you must choose Section 3a of the GPL instead of Section 3b.
It's not that hard Posted Mar 6, 2008 23:58 UTC (Thu) by JoeBuck (subscriber, #2330) [Link] No, you don't have to host any source code on your site. You can enclose an offer with your device to supply source on request, and you can charge your costs for supplying that source.It's only a pain if you don't set up your operations to handle it, and it's a small cost considering that you get all that software for free. For example, you could produce an ISO file for all the GPL/LGPL sources on your device, and tell people that if they want it, they can send a stamped, self-addressed envelope and a few dollars (or appropriate currency) to cover costs. You're not supposed to make a profit on that, but if it takes an employee 30 minutes to get the CD burned and put it in the mail, you can charge for that time. Or you could just have the sources CD in your catalog; figure out what the fair price is for selling it at cost (CD cost plus shipping and handling), and you comply. But many organizations find it simplest to just host the source code on their site. If this is all too scary to you, then I suppose that you can buy your OS from Microsoft or QNX or someone else. But then you've got to pay money.
It's not that hard Posted Mar 7, 2008 17:58 UTC (Fri) by vmole (guest, #111) [Link] FWIW, I used to work for a company that used some GPL and other free software in its product. We found the easiest way to comply was to simply build the tarballs from our CVS and include them on the product CD. The customer thus got the version we were using, including any mods. This, of course, assumes you're not trying to hide the fact that you're using free software.
It's not that hard Posted Mar 8, 2008 20:27 UTC (Sat) by pizza (subscriber, #46) [Link] > FWIW, I used to work for a company that used some GPL and other free software in its product. We found the easiest way to comply was to simply build the tarballs from our CVS and include them on the product CD. The customer thus got the version we were using, including any mods. This, of course, assumes you're not trying to hide the fact that you're using free software. My employer does something similar, though we aren't in the end-user business. Instead, we actually ship to our customers a full source tree. One of the targets of the build system takes all of the GPL'd components and emits a nice tarball of the exact source used to build a binary image.
BusyBox settles another lawsuit Posted Mar 7, 2008 5:52 UTC (Fri) by MattPerry (guest, #46341) [Link] > I think that BusyBox requirements are draconian. Then don't use redistribute it and you have nothing to worry about.
BusyBox settles another lawsuit Posted Mar 7, 2008 10:32 UTC (Fri) by endecotp (guest, #36428) [Link] > I'm terrified, that > ... > I have to host source of each package used, which is 99% vanilla. I'm curious to know why the idea of putting a few tarballs on your website _terrifies_ you. Can you explain?
BusyBox settles another lawsuit Posted Mar 8, 2008 22:34 UTC (Sat) by jengelh (subscriber, #33263) [Link]
Very well. It is because vendors sometimes think of "full source" as or even get it told in
the settlement to "provide the full toolchain", and that definitely is a bit redundant if it
is just the vanilla binutils and gcc sources used in mips crosscompiling mode!
I have checked out the downloads pages of some companies that are listed on gpl-violations.org
and almost universally they provide a ridiculously big 70+ megabyte something tar with all
the tools I mostly have already¹. No wonder everybody gets to think "think about the bandwidth
this will cost us...".
Of course it is a different thing if compiler/binutils was enhanced by, say, a new
architecture, but most of the times, the sold devices seem to be standard mips stuff.
They do not just need an Open Source Compliance Officer, they need someone with common sense
of release management, does not even need to be an officially approved "officer" if some
random employee has the needed sense.
¹And my recommendation is: split it up. Provide compiler, binutils and source packages plus
patches as separate entities if possible. Like, uh, the Debian repository, aka.
{gcc,binutils,busybox}{.tar,.diff}.bz2, making a mere 6 base files, providing all that Rob
Landley (and me too) would want whilst giving a way for saving bandwidth because now I can
just dl busybox instead of the fat uninteresting compiler package.
BusyBox settles another lawsuit Posted Mar 8, 2008 3:34 UTC (Sat) by gdt (subscriber, #6284) [Link] I think that BusyBox requirements are draconian. They're not in practice onerous if you add the requirement to make the source available into your binary build process. That build then emits the binary and related source and you push both to the CD or website. I'm currently building device which uses BusyBox, and I'm terrified, that instead of simply putting link to SVN repository on our website, I have to host source of each package used, which is 99% vanilla. If you are worried about bandwidth issues, then it's not difficult to find free hosting for GPLed software distribution, even for commercial for-profit vendors. You might want to carefully read the SVN Book. When you use third-party software in SVN the recommended structure does take a complete copy of the original source, and you then you pull that into your trunk. This makes it very easy to port your application to a later version of the third party software (eg, when it has security issues). If the Busybox requirements terrify you, then don't read the VxWorks license :-)
|
|
||||||||||||