Symantec May Violate Linux GPL in Norton Core Router (zdnet.com)
Date: 2018-04-06
An anonymous reader writes: For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device's source code, which Linux's GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party. This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it's regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec's magic security sauce.
What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system. For Symantec's purposes, QSDK and OpenWrt are an excellent choice. Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features. But -- and it's a big but -- if it's indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router's code with the world.
not share with "the world" just "customers" (Score:1)
The GPL doesn't require public release, only honouring requests from people who have been legitimately given the binary, i.e. customers. They may choose to do this by releasing it to anyone who wants to download it but that's their choice.
Minor correction (Score:1)
Ahem. They have been illegally copying Linux. You're allowed to use Linux without any terms. Copying is the activity that Congress passed laws to restrict.
It's a minor detail, as long as everyone reading your words understands what you really meant. But imagine the various conclusions that a Trump-level intellect might make, and the misinformation they would spread. That's why you should really say what you mean, rather than having fai
Re: (Score:2)
It's not a semantic thing, is it?
But "Trump-level intellect," that's rich; mind if I use it?
This could have been avoided (Score:3)
If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.
But most companies would rather try to save some money and effort doing things the wrong way. Violating software licenses along the way, hoping they won't get caught. In the long run that strategy is most costly.
Re: (Score:1)
I came to the comments to say just this. The BSDs are the way to go if you're going to make closed commercial software. We don't mind, and we welcome any donations or patches as a way of saying thanks!~
Re: (Score:2)
If they would have used FreeBSD or NetBSD, it has no such requirements to share modified versions. Plus it has great networking and packet filtering.
So far more effort required on their part vs ... just uploading the source code on the web? Yeah I can see why QSDK.
Re: (Score:2)
But most companies would rather try to save some money and effort doing things the wrong way....
It probably would have cost Symantec a lot of money, not just some, to get BSD running on their router hardware. OpenWRT was written to run on hardware found in routers.
In the long run that strategy is most costly.
Evidence? What is "most costly" about releasing the source code for their hardware? Will people stop buying their routers just because the source code is available? Historically I have found this to the contrary. Routers that support 3rd party firmware tend to sell for more money than the ones that do not.
How difficult is it to show source? (Score:2)
This approach is absolutely counterproductive (Score:2)
Re: (Score:2)
Not counterproductive at all, there is a purpose that is for the customer's benefit to the GPL. How do you know the drivers they chose to use aren't GPL?
Read-only firmware is good - most of the time (Score:1)
Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management.
For devices like this, firmware should have a hardware-enforced read-only setting that is on by default. Signed binaries are only as "secure" as the master signing keys, and if I can't install my own firmware I don't really "own" it, now do I?
If I want to flash my firmware, I should have to toggle a switch.
Granted, if the router is going to be in an out-of-the-way place, then I might need to leave that switch enabled all the time, leaving me vulnerable to fake updates. But for everyone else, hardware shou
Not... really (Score:3)
If Symantec are distributing Linux, then they need to make the source code for Linux available to their customers. If their system is based on OpenWRT, then they need to make the source code for OpenWRT available. Saying "Symantec needs to share the Norton Core Router's code with the world" is essentially saying that every piece of software written for Linux has to be open source - and it just ain't so. The GPL may be viral, but it's not that viral.