Symantec May Violate Linux GPL in Norton Core Router (zdnet.com)
An anonymous reader writes: For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device's source code, which Linux's GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party. This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it's regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec's magic security sauce.
What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system. For Symantec's purposes, QSDK and OpenWrt are an excellent choice. Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features. But -- and it's a big but -- if it's indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router's code with the world.
not share with "the world" just "customers" (Score:1)
The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers. They may choose to do this by releasing it to anyone who wants to download it, but that's their choice.
Re: (Score:3)
Re: (Score:2)
The difference is that Symantec doesn't have to care about anyone who isn't a paying customer. They just can't demand an NDA for the customer to see the code.
Re: (Score:1)
The difference is that Symantec doesn't have to care about anyone who isn't a paying customer.
Yes they do - the GPLv2 is perfectly clear on this.
Re: (Score:3)
Re: (Score:3)
There is no requirement to put up a download link, but there is a requirement to provide the source code to any third party that asks for it.
Re: (Score:2)
Re: (Score:2)
They didn't provide the source code with the router.
Re: (Score:2)
Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code
Re: (Score:2)
No, they don't.
All they have to do is offer the source to people who own the router and be done with it.
Just repeatedly posting this nonsense isn't going to make it true. Read the GPLv2 (and the relevant section has already been posted in this discussion) and realize that you are wrong.
(Interestingly - if they shipped the source code with the router that would fulfil the licence requirements, but just offering it to people who already have the router wouldn't.)
Re: (Score:3, Informative)
I've no idea if this opinion is common or if it's the same AC who appears to peddle it every time, but it's wrong. GPL V2 gives 3 options for distributing binaries, one of which must be met.
Re: (Score:2)
Just wondering...
Re: (Score:2)
Well, your question isn't all that clear. If you mean should the QSDK and OpenWRT people be paid, technically they could demand monetary damages, but the community principles that most of them adhere to say they prioritize compliance over damages. A developer support organization like SFLC may ask for some damages for the purpose of supporting its own activities.
If you are asking if their own employees and consultants should be paid, they usually are. But the cost, even with the source code distribution nec
Re: (Score:2)
Thanks Bruce, keep up the great work.
Re: not share with "the world" just "customers" (Score:2)
Re: (Score:2)
Sorry to have been unclear.
Thanks
Re: (Score:3)
The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers.
Not true - whilst it doesn't require public release (in the sense of publishing it on a web site or similar) the licence does require that they make the source code available to anyone who asks for it - there is no restriction to just customers or anything like that.
Re: (Score:1)
That applies if the binaries are distributed, not otherwise. It's perfectly legal to keep modified GPLed code to yourself, and RMS is fine with it. It is true that, if you distribute the binaries, you have a responsibility to give copies of the source to people not your customers.
Re: (Score:2)
It's perfectly legal to keep modified GPLed code to yourself,...
True enough, but that's not the case under discussion.
The assertion made was that if you distribute binaries you need only offer the source to people to whom you have given the binaries. This is just plain wrong, as I explained.
Re: (Score:2)
The binaries have been distributed on a memory device, buried in a fancy case that says "Symantec Core Router" (or something - whatever this device is).
The non-distributed case is for products that are not sold as such, but kept entirely in-house. If you build your own Widget and only use it on your own sites, then you're not distributing it (Google's millions of servers probably fall in this category). If you build a Widget which is used as a tool only by your
Minor correction (Score:1, Informative)
Ahem. They have been illegally copying Linux. You're allowed to use Linux without any terms. Copying is the activity that Congress passed laws to restrict.
It's a minor detail, as long as everyone reading your words understands what you really meant. But imagine the various conclusions that a Trump-level intellect might make, and the misinformation they would spread. That's why you should really say what you mean, rather than having fai
dipshit (Score:1)
Copying is the activity that Congress passed laws to restrict.
copying is what you do when you install the firmware onto the devices you're manufacturing.
Re: (Score:2)
It's not a semantic thing, is it?
But "Trump-level intellect," that's rich; mind if I use it?
Re: (Score:2, Insightful)
imagine what a Hillary-level intellect might do with this: you'd be droned before breakfast....
Re: (Score:2)
Trump-level intellect
You sound like Trump when you say that.
How about you rise above Trump level insults, mkay?
Re: (Score:2)
You forgot to mention Russians and Porn Stars.
Re: (Score:1)
Re: (Score:2)
But imagine the various conclusions that a Trump-level intellect might make
Yes, you might end up as President or something. Be careful!
Re: (Score:3)
GNU-Linux (Score:2)
They have been illegally copying GNU-Linux? Or are they just breaking the law with the Linux kernel and not using any of the GNU utilities?
Re:Minor correction (Score:5, Informative)
Sorry, Martin, it really is unlicensed copying that is the violation. The way it works is when you violate the license, the copyright holder (plaintiff) goes to court and says "the defendant is infringing my copyright by making unlicensed copies". The defendant answers with their defense: "I am not violating copyright because I have a license". The plaintiff then shows all of the ways that the defendant is not honoring the license terms, and thus demonstrates that the act of copying was unlicensed and that for the defendant, all rights were reserved and are thus being infringed. The tort is making unlicensed copies.
This could have been avoided (Score:5, Interesting)
If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.
But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.
Re: (Score:3, Informative)
I came to the comments to say just this. The BSDs are the way to go if you're going to make closed commercial software. We don't mind, and we welcome any donations or patches as a way of saying thanks!~
Re: (Score:2)
Re: (Score:2)
If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.
So far more effort required on their part vs ... just uploading the source code on the web? Yeah I can see why QSDK.
Re: (Score:2)
I've worked for companies that struggle with uploading source (I mainly work as a Linux system software developer for embedded products).
Cisco has trouble with this, because they are incompetent. NVIDIA, because they are paranoid about trade secrets.
Amazon was good about sharing source when I worked there, but they've gone downhill as that team got bigger and more paranoid.
Re: (Score:2)
It's interesting that you haven't mentioned any that are ignorant. Not sure if this is a good or bad thing.
Re: (Score:3)
But most companies would rather try to save some money and effort doing things the wrong way....
It probably would have cost Symantec a lot of money, not just some, to get BSD running on their router hardware. OpenWRT was written to run on hardware found in routers.
In the long run that strategy is most costly.
Evidence? What is "most costly" about releasing the source code for their hardware? Will people stop buying their routers just because the source code is available? Historically I have found this to be the contrary. Routers that support 3rd party firmware tend to sell for more money than the ones that do not.
Re: (Score:3)
Releasing the source isn't costly. NOT honoring the license by releasing the source is what can get costly.
Re: (Score:2)
Re: (Score:2)
Giant lock on your single CPU router SoC is not a big deal.
The removal of the BKL is even recent in the Linux kernel (2010?), and it isn't making our typical 1-10 core environments faster or better. I think engineering for a purpose is more important than an expansive feature list.
If you wanted to make a massive parallel cluster then you really should run Linux, like many super computers do. (sorry FreeBSD!)
Re: (Score:2)
Point is though that there is a right way, and that way isn't the FreeBSD way.
Point noted, but dismissed as not applicable in this context. Thank you for your contribution.
Re: (Score:2)
Releasing source code is a NO effort thing.
I spend such a tremendous quantity of time on this in my current job that I'm a little offended.
Re: (Score:3)
There isn't really a BSD distribution comparable to OpenWRT. I suspect the BSD license is one reason for that. A lot of people don't want to spend their free time producing corporate welfare. If a corporation wants to participate, they expect the corporation to return value to the Free Software community.
Re: (Score:2)
Most corporations do not want to join your religion, or don't understand it.
They are free to develop in-house. But yeah, to leverage community-driven projects like OpenWRT means that a community of open source advocates and the needs of a corporation would have to align. Or one or two crackpot BSD fanatics do it just to prove a point.
Now there are consultants that have their own BSD distros for embedded systems. You can hire them to get access to it. That's not the same model that Free Software advocates a
Re: This could have been avoided (Score:2)
Re: (Score:2)
Consultant - private BSD is not a model used extensively,
I never said it was common. Popularity doesn't alter the point.
most companies are still using Linux and other GPL software regardless of what they feel about the terms
The ones that use it but don't comply with the terms pay a price. A price that is likely higher than the costs of porting the kernel to their board/SoC.
with a larger development community.
Really businesses don't care too much about that. The value of a large community is debatable. Especially if you can't share secret unreleased products on a public forum. I run into this one frequently at my current job. In some cases we reached out and hired people in those large communities
Re: (Score:2)
I learned how fruitless going your own way was when I worked for HP. Around 2000, they budgeted a billion dollars to add IPV6 to HP-UX. This was of course completely insane.
Then I had Symbian for a consulting customer. And they were really adamant that the Symbian OS was their strong point and really all of the value in their company, and they had just spent a similarly astronomical amount to put IPV6 in it. I suggested they port their GUI to Linux, but it turned out their GUI came from SONY or they had mor
Re: (Score:2)
I can't really blame Symbian for thinking they can succeed when RIM and Apple succeeded even if Palm failed.
Systems programming makes the system work and meet its requirements. It is the bare minimum necessary to have a product. And it isn't at all about selling the hardware. My contributions don't sell more Kindles or SHIELDs or Switches. My team makes sure devices can be manufactured and run without a flood of support calls. And to the original point, that it meets requirements like not disclosing IP the compa
Re: (Score:2)
The problem is, most SoCs run Linux. The problem is SoC vendors really only support Linux. Getting one to support BSD is quite iffy - if they've even he
Re: (Score:2)
And unfortunately, it's impossible to port it yourself
That's my old job from Cisco.
Even getting register lists from some of them is like pulling teeth.
Sorry about that. That's my current job at NVIDIA. It's not as straight forward as zipping up our documents and handing them over.
Re: (Score:1)
Freebsd is a great OS, if the year is 1990. By 1995 there were arguments over this. By 2000 a few arguments over this. By 2010, nobody that knows what they're talking about would say - hey let's develop under BSD. Now I wish it would just die and go away along with debian. We should all get unified instead of having so many different versions out there.
Re: (Score:2)
Different systems for different people is better than a unified computing platform. Not that there is much difference between FreeBSD and Linux architecturally. They are both POSIX and try to emulate the user experience of a decades old OS. It's rare to find software that will only run on one of them.
If you want a monoculture of operating systems you could switch to Windows. That one has the most weight behind it in terms of numbers and is standardized by a central authority (Microsoft). If everyone used W
Re: (Score:2)
true, now you try to do the same with their software!
Re: (Score:2)
How difficult is it to show source? (Score:2)
Re: (Score:2)
This approach is absolutely counterproductive (Score:1)
Re: (Score:2)
Not counterproductive at all, there is a purpose that is for the customer's benefit to the GPL. How do you know the drivers they chose to use aren't GPL?
Re: (Score:2)
How do you know the drivers they chose to use aren't GPL?
WAG based on how other products of this type usually work.
Re: (Score:2)
See, if they complied with the GPL2 we'd know the answer to that. Very useful thing for the customer.
For what many of these vendors want to do, the BSD license is more useful.
Re:This approach is absolutely counterproductive (Score:4, Insightful)
Tell you what, start pirating Symantec's software, and see if they come after you for copyright infringement.
If you don't wish to comply with the GPL for Linux, you are entirely free to fuck off and not use Linux. If you use Linux, you have to accept the license, just like with every other piece of software.
If a company like Symantec is just going to steal other people's work and pass it off as their own, why should we refrain from stealing their work? Symantec doesn't get to take the stance that pirating their software is bad, but it's OK if they pirate someone else's. And I assure you, they would not accept you pirating their software.
As has been pointed out, the *BSD licenses basically say "hey, you want to take this and do something with it and turn it into closed source, be our guests". Linux, however, has said that you don't get to do that.
This isn't dogmatic, this is copyright law and software licenses. And the assholes who run corporations don't get to decide to take Linux and not abide by the terms and conditions.
It really is as simple as the fact that if you're not willing to follow the license agreement, don't use the software.
There is no software company on the planet who can make the argument they didn't know this, because this has been well known for 20+ years. It's hardly a secret.
Which means Symantec are assholes who feel they can just ignore that, and profit off other people's work by stealing it. Allowing corporations to get away with that isn't dogmatic. It's holding them to the exact same fucking standards they use to protect their own work, which means they have no valid excuse for ripping off stuff from other people.
Corporate greed doesn't give them the right to software piracy. They don't have some inherent right to use that software any more than you have a right to theirs.
Their own website [symantec.com] says:
and
Sorry, but there is no way in hell you can accept a company like Symantec ignoring the terms of the GPL and pretending it's not a big fucking deal. Because they can't possibly not know they're breaking the law.
Fuck that, stop making excuses for them. This isn't 'counterproductive', this is the entire point of the fucking GPL.
Re: (Score:2)
Actually, they are obligated to provide the drivers. Some people (never me) used to think that dynamically linking device drivers protected them from the GPL. But besides the other arguments that dynamic linking is not protective, we've just had the Oracle v. Google case declare that APIs are copyrightable, overturning what we thought we knew for 20 years from CAI v. Altai. One effect of this n
Read-only firmware is good - most of the time (Score:4, Insightful)
Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management.
For devices like this, firmware should have a hardware-enforced read-only setting that is on by default. Signed binaries are only as "secure" as the master signing keys, and if I can't install my own firmware I don't really "own" it, now do I?
If I want to flash my firmware, I should have to toggle a switch.
Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.
Re: (Score:3)
If I want to flash my firmware, I should have to toggle a switch.
Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware should prevent a bad actor from installing a new binary, signed (with a stolen key) or not.
I think your risk assessment needs re-assessing.
What do you think is more likely: that a) a vulnerability will be found in the router's firmware which requires patching, or b) that the encryption keys will be lost, the update domain hi-jacked or intercepted, and the bad actor will manage to deliver an update package complete with malware, signed with stolen keys?
I'd bet a goodly sum that option a) is vastly more likely to occur than b), simply based on history. And yet you want to disable automatic updates
Not... really (Score:5, Informative)
If Symantec are distributing Linux, then they need to make the source code for Linux available to their customers. If their system is based on OpenWRT, then they need to make the source code for OpenWRT available. Saying "Symantec needs to share the Norton Core Router's code with the world" is essentially saying that every piece of software written for Linux has to be open source - and it just ain't so. The GPL may be viral, but it's not that viral.
Re: (Score:2)
A lot of people get this wrong. If you redistribute GPL code, you are responsible to redistribute the source code too. Directly, and even if you never modified anything. You can't point to anyone else's web site because those people aren't obligated to keep their web sites going to satisfy your license obligation.
Re: (Score:2)
Re: (Score:2)
They don't have to distribute copies of Linux code unless they modified it. They just have to make sure users can get the code if they want, and if it's unmodified then users can get it from the usual places.
Re: (Score:3)
Do these people ever use Open BSD? Just Wonderin (Score:1)
My understanding is that Open BSD is the most secure of the OS's and uses the BSD license which is 'looser' as in, it lets you get away with more.
My speculation is laziness, so many hands have developed so much software around Linux, OpenWRT being a good example, that the programmers hired by these companies can just drop the stuff in.
But maybe there's more to it than that, which is why I'm posting the question.
This is why I'm against the soft-shoe approach (Score:3)
This is why I'm against the soft-shoe approach to GPL violations in every case. Symantec is a large enough company and the people working there absolutely know what their responsibilities are. We need people who'll go after them for statutory damages to make an example.
Re: (Score:2)
Get a commit to the kernel tree accepted and when your copyright is violated go after them how you will.
Then again, wasn't there a recent thing here about someone doing just that and not getting support for his/her/its efforts?
Re: (Score:2)
My understanding of that story was that the guy was going after companies that were not the size of Symantec and possibly weren't aware of their obligations.
Wouldn't That Be True (Score:2)
Re: (Score:2)
In which case it costs them approximately nothing to distribute the source, and it won't reveal any secrets. They're required to make the source available, and they're responsible for keeping it available. If they want to have a third party do that, they need to make sure the third party continues to do that.
Yes and no! (Score:2)
NO, they do not need to release the source code of their proprietary software components as long as they are stand-alone programs (just like Oracle doesn't need to release the source code of their expensive database). A mix of open-source components and proprietary software is perfectly fine.
YES, they also should add the correct license statement additions into their EULA.
In Europe, we http://www.linuxbe.com/ [linuxbe.com] ca
Big Overstatement (Score:2)
"Symantec needs to share the Norton Core Router's code with the world."
1. Not the world, but with customers, though practically speaking, might as well be the world.
2. Not all of the code, but all of the GPL and LGPL code and anything linked to the GPL code and strictly speaking, if they statically linked LGPL code, then at a minimum the object files needed to recreate the executables.
Re: (Score:1)
Wrong, even if they just use an off the shelf openWRT firmware image, they have to provide a way for you to have the source code. Additionally the declaration that it is licensed under the GPL.
Re:No they are not. (Score:4, Informative)
A simple statement that the source is freely available elsewhere is sufficient to fulfill this requirement.
Again - not true. This option is available only in the case of non-commercial distribution. If you want a copy of Linux and I fling you one of my old CDs then I don't need to make you an offer of the source as well.
If OTOH, I sell CDs of Linux as a business, I do need to make provision for you to be able to ask for the source as well.
The text of the GPLv2 is freely available and very comprehensible - why don't people read it?
Re: (Score:2)
Re: (Score:2)
The GPLv2 license is simple: if you have used anything that is released under the license, then you need to make that available to your customers as well. This includes any modifications you may have made to the original software. The accepted line for this has been that as long as you are not linking anything with the GPL software, you do not have to make your software open as well. This gets even more interesting as the apps that have been written that are dynamically linked with standard libraries are also not subject to being released under the same license. This last part is sometimes debated by a lot of folks, and GPLv3 makes this use even more complex, as it puts restrictions on how the software can be used.
So what does Symantec need to do here? Simple, own up that they are using the QSDK and as long as they have not made any changes to this, they just need to point folks to the release tarball. If all that they have done is add some new binaries in the filesystem then that is not a violation of the GPL. However, if they have made changes to the packages that openwrt builds, then they need to publish that.
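As an added illustration of the inventory step the comment above describes (this is example code written for this page, not from the thread, OpenWrt, QSDK or Symantec): the script parses opkg control records in the Debian-control style that OpenWrt package builds emit and sorts each package by what its license implies for a source offer, then flags non-copyleft packages that depend on GPL/LGPL ones, which is where the linking question in the thread arises. The sample records, the package names and the presence of a `License:` field are constructed assumptions; a real image would be checked by reading its `/usr/lib/opkg/info/*.control` files.

```python
from typing import Dict, List

# Constructed sample: three opkg control records in Debian-control format.
# Names, versions and licenses are invented for illustration only.
SAMPLE_CONTROL_RECORDS = """\
Package: kernel
Version: 4.4.60-1-abcdef
Depends: libc
License: GPL-2.0
Architecture: arm_cortex-a7
Description: Linux kernel
 Built from an OpenWrt-style tree with local patches.

Package: libuci
Version: 2018-01-01-1
Depends: libc, libubox
License: LGPL-2.1
Architecture: arm_cortex-a7
Description: Unified Configuration Interface library

Package: vendor-agent
Version: 1.0.0-1
Depends: libc, libuci
License: Proprietary
Architecture: arm_cortex-a7
Description: Hypothetical closed-source component that links libuci
"""


def parse_control(text: str) -> List[Dict[str, str]]:
    """Parse 'Field: value' records; continuation lines start with whitespace,
    records are separated by blank lines (the opkg/dpkg control layout)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        records.append(current)
    return records


def obligation(license_id: str) -> str:
    """Map a license identifier to the source-offer duty discussed in the thread."""
    lic = license_id.upper()
    if lic.startswith("LGPL"):
        return "offer library source; if statically linked, also the objects needed to relink"
    if lic.startswith("GPL"):
        return "offer complete corresponding source, including local modifications"
    if "BSD" in lic or lic.startswith("MIT"):
        return "no source offer required; keep the copyright notice"
    return "no copyleft obligation found (check what it links against)"


def inventory(text: str) -> Dict[str, str]:
    """Package name -> obligation string, for every record in the control text."""
    return {r["Package"]: obligation(r.get("License", "")) for r in parse_control(text)}


def copyleft_dependencies(text: str) -> Dict[str, List[str]]:
    """For each non-copyleft package, list the GPL/LGPL packages it depends on."""
    records = parse_control(text)
    copyleft = {r["Package"] for r in records
                if r.get("License", "").upper().startswith(("GPL", "LGPL"))}
    flagged: Dict[str, List[str]] = {}
    for r in records:
        if r["Package"] in copyleft:
            continue
        deps = [d.strip() for d in r.get("Depends", "").split(",") if d.strip()]
        hits = [d for d in deps if d in copyleft]
        if hits:
            flagged[r["Package"]] = hits
    return flagged


if __name__ == "__main__":
    for pkg, duty in inventory(SAMPLE_CONTROL_RECORDS).items():
        print(f"{pkg}: {duty}")
    print("review linking for:", copyleft_dependencies(SAMPLE_CONTROL_RECORDS))
```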
This might be what you feel is the meaning of the GPL, but that isn't what the GPL states.
When a customer asks for the source code of the GPL licensed software, Symantec is legally obligated to provide it.
Also, they are (legally) required to add the GPL (and other licenses) additions to their EULA. Including where to write to, to obtain the source code.
They are not required to 'publish' anything. Merely provide the source code when asked for it (including possible changes to openwrt builds). They might
Re: Nice Headline, but not much substance to it (Score:2)