
Symantec May Violate Linux GPL in Norton Core Router (zdnet.com) 144

An anonymous reader writes: For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device's source code, which Linux's GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party. This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it's regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec's magic security sauce.

What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system. For Symantec's purposes, QSDK and OpenWrt are an excellent choice. Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features. But -- and it's a big but -- if it's indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router's code with the world.

  • The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers. They may choose to do this by releasing it to anyone who wants to download it but that's their choice.

    • Yes, but the customer has the right to release it to the public as well. So in this case there is no real difference.
      • The difference is that Symantec doesn't have to care about anyone who isn't a paying customer. They just can't demand an NDA for the customer to see the code.

        • by johnw ( 3725 )

          The difference is that Symantec doesn't have to care about anyone who isn't a paying customer.

          Yes they do - the GPLv2 is perfectly clear on this.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      I've no idea if this opinion is common or if it's the same AC who appears to peddle it every time but it's wrong. GPL V2 gives 3 options to distributing binaries, one of which must be met.

      1. Accompany the binaries with the complete source code.
      2. Accompany the binaries with a written offer, valid for 3 years, to give any third party the complete source for no more than your cost.
      3. Pass on a written offer you received under the second option but ONLY for noncommercial distribution where you received such
      • Seeing that the software was "based on QSDK and OpenWrt", would "cost" include wages paid to anyone that helped customize, configure, test, etc. for each product?
        Just wondering...
        • Well, your question isn't all that clear. If you mean should the QSDK and OpenWRT people be paid, technically they could demand monetary damages but the community principles that most of them adhere to say they prioritize compliance over damages. A developer support organization like SFLC may ask for some damages for the purpose of supporting its own activities.

          If you are asking if their own employees and consultants should be paid, they usually are. But the cost, even with the source code distribution nec

    • by johnw ( 3725 )

      The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers.

      Not true - whilst it doesn't require public release (in the sense of publishing it on a web site or similar) the licence does require that they make the source code available to anyone who asks for it - there is no restriction to just customers or anything like that.

      b) Accompany it with a written offer, valid for at least three
      years, to give any third party, for a charge no more than your
      cost of physically performing source distribution, a comple

      • That applies if the binaries are distributed, not otherwise. It's perfectly legal to keep modified GPLed code to yourself, and RMS is fine with it. It is true that, if you distribute the binaries, you have a responsibility to give copies of the source to people not your customers.

        • by johnw ( 3725 )

          It's perfectly legal to keep modified GPLed code to yourself,...

          True enough, but that's not the case under discussion.

          The assertion made was that if you distribute binaries you need only offer the source to people to whom you have given the binaries. This is just plain wrong, as I explained.

        • That applies if the binaries are distributed,

          The binaries have been distributed on a memory device, buried in a fancy case that says "Symantec Core Router" (or something - whatever this device is).

          The non-distributed case is for products that are not sold as such, but kept entirely in-house. If you build your own Widget and only use it on your own sites, then you're not distributing it (Google's millions of servers probably fall in this category). If you build a Widget which is used as a tool only by your

  • Minor correction (Score:1, Informative)

    by Anonymous Coward

    For years, embedded device manufacturers have been illegally using Linux.

    Ahem. They have been illegally copying Linux. You're allowed to use Linux without any terms. Copying is the activity that Congress passed laws to restrict.

    It's a minor detail, as long as everyone reading your words understands what you really meant. But imagine the various conclusions that a Trump-level intellect might make, and the misinformation they would spread. That's why you should really say what you mean, rather than having fai

    • by Anonymous Coward

      Copying is the activity that Congress passed laws to restrict.

      copying is what you do when you install the firmware onto the devices you're manufacturing.

    • It's not a semantic thing, is it?

      But "Trump-level intellect," that's rich; mind if I use it?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      imagine what a Hillary-level intellect might do with this: you'd be droned before breakfast....

    • Trump-level intellect

      You sound like Trump when you say that.

      How about you rise above Trump level insults, mkay?

    • But imagine the various conclusions that a Trump-level intellect might make

      Yes, you might end up as President or something. Be careful!

    • If you violate the GPL, what you are charged with is making unlicensed copies. The thing everyone gets wrong about that is that the license then becomes your defense and you have to prove that you were complying with the license, in order to defend yourself. And of course if you've been brought to court over this, you probably can't.
    • They have been illegally copying GNU-Linux? Or are they just breaking the law with the Linux kernel and not using any of the GNU utilities?

  • by OrangeTide ( 124937 ) on Friday April 06, 2018 @12:55PM (#56393261) Homepage Journal

    If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.

    But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      I came to the comments to say just this. The BSDs are the way to go if you're going to make closed commercial software. We don't mind, and we welcome any donations or patches as a way of saying thanks!~

    • by nnull ( 1148259 )
      They don't care. The product is out and then discontinued in a year or two. Rinse and repeat.
    • If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.

      So far more effort required on their part vs ... just uploading the source code on the web? Yeah I can see why QSDK.

      • I've worked for companies that struggle with uploading source (I mainly work as a Linux system software developer for embedded products).
        Cisco has trouble with this, because they are incompetent. NVIDIA, because they are paranoid about trade secrets.
        Amazon was good about sharing source when I worked there, but they've gone downhill as that team got bigger and more paranoid.

        • It's interesting that you haven't mentioned any that are ignorant. Not sure if this is a good or bad thing.

    • by Kludge ( 13653 )

      But most companies would rather try to save some money and effort doing things the wrong way.... .

      It probably would have cost Symantec a lot of money, not just some, to get BSD running on their router hardware. OpenWRT was written to run on hardware found in routers.

      In the long run that strategy is most costly.

      Evidence? What is "most costly" about releasing the source code for their hardware? Will people stop buying their routers just because the source code is available? Historically I have found this to the contrary. Routers that support 3rd party firmware tend to sell for more money than the ones that do not.

      • by sjames ( 1099 )

        Releasing the source isn't costly. NOT honoring the license by releasing the source is what can get costly.

    • There isn't really a BSD distribution comparable to OpenWRT. I suspect the BSD license is one reason for that. A lot of people don't want to spend their free time producing corporate welfare. If a corporation wants to participate, they expect the corporation to return value to the Free Software community.

      • Most corporations do not want to join your religion, or don't understand it.

        They are free to develop in-house. But yeah, to leverage community-driven projects like OpenWRT means that a community of open source advocates and the needs of a corporation would have to align. Or one or two crackpot BSD fanatics do it just to prove a point.

        Now there are consultants that have their own BSD distros for embedded systems. You can hire them to get access to it. That's not the same model that Free Software advocates a

        • Consultant - private BSD is not a model used extensively, most companies are still using Linux and other GPL software regardless of what they feel about the terms, simply because it has what they need and it's more mature with a larger development community. And by the way, this has nothing to do with religion and it's offensive for you to imply that it does.
          • Consultant - private BSD is not a model used extensively,

            I never said it was common. Popularity doesn't alter the point.

            most companies are still using Linux and other GPL software regardless of what they feel about the terms

            The ones that use it but don't comply with the terms pay a price. A price that is likely higher than the costs of porting the kernel to their board/SoC.

            with a larger development community.

            Really businesses don't care too much about that. The value of a large community is debatable. Especially if you can't share secret unreleased products on a public forum. I run into this one frequently at my current job. In some cases we reached out and hired people in those large communities

            • I learned how fruitless going your own way was when I worked for HP. Around 2000, they budgeted a Billion dollars to add IPV6 to HP-UX. This was of course completely insane.

              Then I had Symbian for a consulting customer. And they were really adamant that the Symbian OS was their strong point and really all of the value in their company, and they had just spent a similarly astronomical amount to put IPV6 in it. I suggested they port their GUI to Linux, but it turned out their GUI came from SONY or they had mor

              • I can't really blame Symbian for thinking they can succeed when RIM and Apple succeeded even if Palm failed.

                Systems programming makes the system work and meet its requirement. It is the bare minimum necessary to have a product. And isn't at all about selling the hardware. My contributions don't sell more Kindles or SHIELDs or Switches. My team makes sure devices can be manufactured and run without a flood of support calls. And to the original point, that it meets requirements like not disclosing IP the compa

    • by tlhIngan ( 30335 )

      If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions.Plus it has great networking and packet filtering.

      But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.

      The problem is, most SoCs run Linux. The problem is SoC vendors really only support Linux. Getting one to support BSD is quite iffy - if they've even he

      • And unfortunately, it's impossible to port it yourself

        That's my old job from Cisco.

        Even getting register lists from some of them is like pulling teeth.

        Sorry about that. That's my current job at NVIDIA. It's not as straightforward as zipping up our documents and handing them over.

    • by ebvwfbw ( 864834 )

      FreeBSD is a great OS, if the year is 1990. By 1995 there were arguments over this. By 2000 a few arguments over this. By 2010, nobody that knows what they're talking about would say - hey let's develop under BSD. Now I wish it would just die and go away along with Debian. We should all get unified instead of having so many different versions out there.

      • Different systems for different people is better than a unified computing platform. Not that there is much difference between FreeBSD and Linux architecturally. They are both POSIX and try to emulate the user experience of a decades old OS. It's rare to find software that will only run on one of them.

        If you want a monoculture of operating systems you could switch to Windows. That one has the most weight behind it in terms of numbers and is standardized by a central authority (Microsoft). If everyone used W

    • by sad_ ( 7868 )

      true, now you try to do the same with their software!

  • Geesh, even my TV's manufacturer makes the source code available... http://oss.sony.net/Products/L... [sony.net]
  • This dogmatic approach to OS is absolutely counterproductive. So what if they used Linux? Even if they publish the source, it won't include drivers, so it isn't like you will be able to compile and use it.
    • Not counterproductive at all, there is a purpose that is for the customer's benefit to the GPL. How do you know the drivers they chose to use aren't GPL?

      • by sinij ( 911942 )

        How do you know the drivers they chose to use aren't GPL?

        WAG based on how other products of this type usually work.

        • See, if they complied with the GPL2 we'd know the answer to that. Very useful thing for the customer.

          For what many of these vendors want to do, the BSD license is more useful.

    • by Anonymous Coward on Friday April 06, 2018 @02:01PM (#56393627)

      This dogmatic approach to OS is absolutely counterproductive. So what if they used Linux?

      Tell you what, start pirating Symantec's software, and see if they come after you for copyright infringement.

      If you don't wish to comply with the GPL for Linux, you are entirely free to fuck off and not use Linux. If you use Linux, you have to accept the license, just like with every other piece of software.

      If a company like Symantec is just going to steal other people's work and pass it off as their own, why should we refrain from stealing their work? Symantec doesn't get to take the stance that pirating their software is bad, but it's OK if they pirate someone else's. And I assure you, they would not accept you pirating their software.

      As has been pointed out, the *BSD licenses basically say "hey, you want to take this and do something with it and turn it into closed source, be our guests". Linux, however, has said that you don't get to do that.

      This isn't dogmatic, this is copyright law and software licenses. And the assholes who run corporations don't get to decide to take Linux and not abide by the terms and conditions.

      It really is as simple as the fact that if you're not willing to follow the license agreement, don't use the software.

      There is no software company on the planet who can make the argument they didn't know this, because this has been well known for 20+ years. It's hardly a secret.

      Which means Symantec are assholes who feel they can just ignore that, and profit off other people's work by stealing it. Allowing corporations to get away with that isn't dogmatic. It's holding them to the exact same fucking standards they use to protect their own work, which means they have no valid excuse for ripping off stuff from other people.

      Corporate greed doesn't give them the right to software piracy. They don't have some inherent right to use that software any more than you have a right to theirs.

      Their own website [symantec.com] says:

      Symantec respects the intellectual property rights of others and responds to notices of alleged infringement.

      and

      Report software piracy and other suspicious activity. Learn about types of piracy, fraud and other abuse (including Tech Support Scams), what are their consequences and how to avoid becoming a victim.

      Sorry, but there is no way in hell you can accept a company like Symantec ignoring the terms of the GPL and pretending it's not a big fucking deal. Because they can't possibly not know they're breaking the law.

      Fuck that, stop making excuses for them. This isn't 'counterproductive', this is the entire point of the fucking GPL.

    • Even if they publish the source, it won't include drivers, so it isn't like you will be able to compile and use it.

      Actually, they are obligated to provide the drivers. Some people (never me) used to think that dynamically linking device drivers protected them from the GPL. But besides the other arguments that dynamic linking is not protective, we've just had the Oracle v. Google case declare that APIs are copyrightable, overturning what we thought we knew for 20 years from CAI v. Altai. One effect of this n

  • by davidwr ( 791652 ) on Friday April 06, 2018 @01:13PM (#56393367) Homepage Journal

    Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management.

    For devices like this, firmware should have a hardware-enforced read-only setting that is on by default. Signed binaries are only as "secure" as the master signing keys, and if I can't install my own firmware I don't really "own" it, now do I?

    If I want to flash my firmware, I should have to toggle a switch.

    Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

    • If I want to flash my firmware, I should have to toggle a switch.

      Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.

      I think your risk assessment needs re-assessing.

      What do you think is more likely: that a) a vulnerability will be found in the router's firmware which requires patching, or b) that the encryption keys will be lost, the update domain hi-jacked or intercepted, and the bad actor will manage to deliver an update package complete with malware, signed with stolen keys?

      I'd bet a goodly sum that option a) is vastly more likely to occur than b), simply based on history. And yet you want to disable automatic updates

  • Not... really (Score:5, Informative)

    by DeathToBill ( 601486 ) on Friday April 06, 2018 @01:14PM (#56393375) Journal

    If Symantec are distributing Linux, then they need to make the source code for Linux available to their customers. If their system is based on OpenWRT, then they need to make the source code for OpenWRT available. Saying "Symantec needs to share the Norton Core Router's code with the world" is essentially saying that every piece of software written for Linux has to be open source - and it just ain't so. The GPL may be viral, but it's not that viral.

    • They don't have to distribute copies of Linux code unless they modified it. They just have to make sure users can get the code if they want, and if it's unmodified then users can get it from the usual places.

      • No. They are required by the license to distribute the source code themselves, whether or not they modified it. They can't satisfy the license obligation by pointing to a public web site, because the public web site is not itself obligated to stay running for the purpose of satisfying Symantec's license obligation.
  • My understanding is that OpenBSD is the most secure of the OS's and uses the BSD license which is 'looser' as in, it lets you get away with more.

    My speculation is laziness, so many hands have developed so much software around Linux, OpenWRT being a good example, that the programmers hired by these companies can just drop the stuff in.

    But maybe there's more to it than that, which is why I'm posting the question.

  • This is why I'm against the soft-shoe approach to GPL violations in every case. Symantec is a large enough company and the people working there absolutely know what their responsibilities are. We need people who'll go after them for statutory damages to make an example.

    • Get a commit to the kernel tree accepted and when your copyright is violated go after them how you will.

      Then again, wasn't there a recent thing here about someone doing just that and not getting support for his/her/its efforts?

      • My understanding of that story was that the guy was going after companies that were not the size of Symantec and possibly weren't aware of their obligations.

  • Wouldn't that be true only if they actually modified any of the original source? If they've made no modifications to any of the packages, then all the source for the thing is still freely available. Just not from them.
    • In which case it costs them approximately nothing to distribute the source, and it won't reveal any secrets. They're required to make the source available, and they're responsible for keeping it available. If they want to have a third party do that, they need to make sure the third party continues to do that.

  • YES, they need to distribute the source code of the GPL components to customers who ask for it.
    NO, they do not need to release the source code of their proprietary software components as long as they are stand-alone programs (just like Oracle doesn't need to release the source code of their expensive database). A mix of OpenSource components and proprietary software is perfectly fine.
    YES, they also should add the correct license statement additions into their EULA.
    In Europe, we http://www.linuxbe.com/ [linuxbe.com] ca
  • "Symantec needs to share the Norton Core Router's code with the world."

    1. Not the world, but with customers, though practically speaking, might as well be the world.

    2. Not all of the code, but all of the GPL and LGPL code and anything linked to the GPL code and strictly speaking, if they statically linked LGPL code, then at a minimum the object files needed to recreate the executables.
