Free Software Foundation lawsuit against Cisco
As covered at lwn and other sites,
the Free Software Foundation (FSF) has filed a lawsuit against Cisco. This came
as a big surprise to me, but a very welcome one.
At gpl-violations.org, we had our fair share of dealing with Cisco (and
particularly Linksys, a Cisco division). We have never received any entirely
satisfactory response. Sure, when you notify them of some GPL infringement, they
will take some steps here and there. But in all those years, I have not seen
a case where there was a thorough response. Whatever was disclosed as 'GPL
source' was incomplete, didn't compile, and with the next firmware release there
was again no source code for that new release. And then came the next product,
sourced-in from a different OEM, and the entire process had to re-start from
scratch.
Yes, they have gone and hired some engineer[s] to explicitly deal with the GPL
related issues, like they have taken other steps in the right direction. But it
was always superficial. Never addressing the problem at the root, i.e. having a
proper in-house business process and supply chain license management to ensure
the next product is not yet again a copyright infringement on GPL licensed
software. It is so easy to resolve at the source, and so hard to fix later.
So the FSF's decision to take this problem to court is the most appropriate
response that one can think of. A company of the size of Linksys clearly has
the manpower, skill and resources - as well as the economic power on their
suppliers - to once and for all resolve any GPL licensing issues they might have.
Not only to the bare minimum that they might think, but all the way to leave
any legal grey area whatsoever. Only if there is a demonstration of a
_factual_ legal risk rather than a virtual legal risk, will they get the
motivation necessary to just 'stay clean' and not try to bend the license to
its extremes.
So you might think "why did you (i.e. gpl-violations.org) not take it to
court?" For one, I only hold copyright on certain parts of the Linux kernel,
and not for large amounts of code they use. Also, a number of the particularly
problematic products were not shipped into the German jurisdiction, and thus
a case could not be made over here. Furthermore, many of the violations are not
as clear black or white as most of the other cases that we take on. So the
amount of work and resources required in such a case would probably draw away
too much attention from all the other cases that we have.
But once again, I really welcome the FSF's action. It's funny how the historic
cycle closes. Originally I started gpl-violations.org because I thought the
FSF strategy was not aggressive/efficient enough in making Linksys/Cisco GPL
compliant in the infamous WRT54G case five years ago. Now, it seems that even
the tolerance and patience of the FSF has found an end.
Oh, and don't get me wrong: I never wanted to criticize the FSF for what they
did back then. They had and have their own strategy of what they think about
their own copyright. It's just that my strategy was different. It's up to
every author or rights holder to decide which legal strategy fits best.
[ /linux/gpl-violations |
permanent link ]
gpl-violations.org report in Financial Times Deutschland
The German business newspaper Financial Times Deutschland has published
an
article about my GPL enforcement work. To the best of my knowledge, it is
the first such article in a general newspaper. All previous coverage was in
publications or magazines tailored to the IT industry.
However, the content is of very low quality, and the actual facts are wrong in
a number of cases. First of all, why go to a personal level and describe myself
as having a 'Harry Potter hairstyle', and then calling me "a mixture between
Bill Gates and a heavy-metal fan". I hereby deny any similarity with Bill
Gates. I had my hair style like this even in the nineties (before growing it
long around 1997-2000 and then cutting it again in 2001). And I listen to a
lot of weird music, though heavy metal is generally not on my playlist.
Anyway, what is the point of all of that? How does this help people to
evaluate the risk of GPL violations?
Further down, the article has claims like "the driver software of the router
also contained some lines of code that were originally written by Welte".
First of all, it is the firmware, not the driver. Secondly, it is more than a
couple of lines (since a couple of lines would probably not constitute a
copyrightable work).
The article also explicitly states that I am not fighting for money, but "out
of principle". Despite that, it also claims "The first couple of companies are
shivering expecting the destruction of their book value". That's illogical.
Furthermore, there are claims that I have focused on
companies that only used a small amount of open source. To the contrary: The
majority of the products that I've enforced so far contain 75% or more open
source software. Only small portions were added by the respective vendors.
To the contrary, there was a recent article in the Berliner Morgenpost paper one of the CCC Leaders which was really well-researched and of high quality. Even that one gets some minor facts wrong, but still portrays a realistic picture.
Receiving the 2008 Open Source Award
According to reports here
and here
I had the honor of being the recipient of one of the 2008 Google+O'Reilly Open Source Awards entitled "Defender of Rights", presented by Google and O'Reilly.
I'm obviously very happy to see that my work has been recognized this way.
Following the FSF Award in March, this is definitely a big honor. Did anyone
else receive both awards in the same year so far? ;)
Thanks to the committee for the trust they put in my work. I'd also like to
use this opportunity to thank again my lawyer Dr. Till Jaeger and his law firm
JBB, as well as Armijn Hemel, who has been
running the day-to-day gpl-violations.org operations for quite some time now.
Victory: Skype withdraws appeals case, judgement from lower court accepted
The court hearing in the "Welte vs. Skype Technologies SA" case went pretty
well. Initially the court again suggested that the two parties might reach
some form of amicable agreement. We indicated that this has been discussed
before and we're not interested in settling for anything less than full GPL
compliance.
The various arguments by Skype supporting their claim that the GPL is violating
German anti-trust legislation as well as further claims aiming at the GPL being
invalid or incompatible with German legislation were not further analyzed by the
court. The court stated that there were not enough arguments and material
brought forward by Skype to support such a claim. And even if there was some
truth to that, then Skype would not be able to still claim usage rights under
that very same license.
The lawyer representing Skype still continued to argue for a bit into that
direction, which resulted in one of the judges making up an interesting analogy
of something like: "If a publisher wants to publish a book of an author that
wants his book only to be published in a green envelope, then that might seem
odd to you, but still you will have to do it as long as you want to publish the
book and have no other agreement in place".
In the end, the court hinted twice that if it was to judge about the case,
Skype would not have very high chances. After a short break, Skype decided to
revoke their appeals case and accept the previous judgement of the lower court
(Landgericht Muenchen I, the decision was in my favor) as the final judgement.
This means that the previous court decision is legally binding to Skype, and we
have successfully won what has probably been the most lengthy and time
consuming case so far.
Tomorrow: Court hearing in Welte vs. Skype GPL case
Tomorrow at 10:30am at the Oberlandesgericht Muenchen
(higher regional court of Munich) there will be an oral hearing in the "Welte
vs. Skype Technologies SA" case. The hearing is to be held in room E.06.
This case is about a GPL violation of Skype, related to their sales of Wifi
Skype phones based on the Linux operating system kernel.
I'm fighting as part of the gpl-violations.org project in enforcing the GPL
against Skype since February 2007. Initially Skype didn't respond, we then
applied for a preliminary injunction. That injunction was granted by the
court in June 2007, but Skype chose to file an appeals case against it.
The court hearing tomorrow is exactly to debate about this appeal.
Interestingly, Skype is arguing against the validity of the GPL as a whole,
asserting that it is violating anti-trust regulation and similarly strange
claims.
Report from FSFE FTF Licensing and Legal workshop
I'm on a seven-hour train ride back from Amsterdam, where I've been attending the
first Licensing and Legal workshop of the Freedom Task Force (FTF) of the Free Software Foundation Europe (FSFE).
While having a somewhat lengthy name, the FTF has been doing great work on
bringing together a large group of legal and technical experts in the field
of Free Software licensing. So far this was all 'virtual', happening on
mailing lists. The meeting in Amsterdam was the first of its kind, and was a huge success.
By the nature of the FSFE, most of the people were from Europe, though there
were attendees from the US and even Australia, too.
There were many interesting and surprisingly interactive workshops. It was
also a good opportunity to meet Armijn (the second half of gpl-violations.org)
and Shane (full-time manager of the FSFE FTF), as well as many lawyers, both
corporate legal counsel and from law firms.
Armijn's presentation about gpl-violations.org and Till Jaeger's
overview of the legal cases we've handled over the years in Germany were
very well received, and there was more interest and questions than the short
time permitted.
What was really good for me to see is that large consumer electronics companies
in Europe and the US are now implementing internal business processes to ensure
GPL and other FOSS license compliance. They're also increasingly using very
clear contractual language throughout their supply chain to minimize the potential
risk of any "hidden" GPL surprises in products they source from OEM/ODM
companies.
Meeting between gpl-violations.org and FSFE FTF
The last two days, I enjoyed a meeting between gpl-violations.org and the FSF Europe Freedom Task Force.
Participating were Armijn Hemel (whom I have to thank for assuring
gpl-violations.org didn't die while I was in Taiwan for OpenMoko), Shane
Coughlan (who is doing an excellent job coordinating the FTF) and myself.
For a couple of hours we've also been joined by Till Jaeger, who has handled
all the legal cases of gpl-violations.org so far.
This meeting has been over-due, mostly because I basically dropped off the
planet for way too long a time. We've discussed all the current matters
regarding strategies for license enforcement, current cases, progress of the
FTF legal and technical networks, as well as future plans for incorporating the
gpl-violations.org project.
Yes, you have read correctly. I've been planning to do this for quite some
time, and I'm confident that 2008 will finally be the year in which this
happens. It's too early to talk about any details, but this is the logical
step to assure both financial and legal independence of the project from my
person, as well as scalability. As you might know, we have a couple of hundred
reported violations and can only cherry-pick those we consider particularly
important.
In any case, it was a very productive meeting. I seriously believe it has
helped to make all of us work together in a coherent manner, i.e. increased
productivity and effectiveness for a long-term strategy to increase the amount
of free software license compliance in the industry.
HTC TyTN II / Kaiser doesn't look like a GPL violation!
There have been numerous rumors floating around the net that the HTC TyTN II
(aka Kaiser) might be a GPL violation due to a number of strings in the firmware image referring to Linux and vmlinux.
I've done some analysis on this subject, and posted my preliminary results in this posting to lkml earlier today.
So as indicated, I do not see any reason to believe there is a GPL violation
with regard to the Linux kernel in the MSM7200 modem side as used in the
abovementioned device.
So please stop those rumors now. I'm obviously not opposed to people being
watchful and reporting/investigating potential GPL violations. But before you call
it an actual violation, please rather make sure that you have some evidence!
Slowly getting back to work on gpl-violations.org
Today I've finally started to pro-actively work on gpl-violations.org again. I
haven't been able to do any work on it for almost 1.5 years due to my intense involvement with OpenMoko.
Among my first tasks was to update the SSL certificate for our internal
Request Tracker, which apparently expired quite some time ago. After that, I
went through all RT tickets and deleted tons of spam from it. Now it finally
looks like I can start working with it again :)
I'm also trying to catch up with all the gpl-violations.org related email, but
please give me a couple of weeks, there's just way too much of it :(
Some more thoughts on the results of GPL enforcement
Just a small personal note: Yes, this blog is currently seeing close to no
updates. This is because I'm literally working every minute that I'm awake,
with no time for anything else.
But to get to the main point of this entry: The results we see from GPL
enforcement. I don't want to write about the legal results, since they have
always been successful, in 100+ violations that I've been dealing with so far.
I'd rather want to talk about other results. They mainly fall into two
categories:
Structural results, how I like to call them, show that the vendors
/ "the industry" now understand the GPL [better] and thus adopt policies and
business practises that are more likely to be GPL compliant from now on. This
is good, since it has the potential to prevent further GPL violations down the
road, presuming license compliance is something that we value and strive for.
But how does Free Software actually benefit from GPL enforcement? I'm talking
about the actual software, and not the movement, the community, the advocates,
etc.
How many times have you seen some code coming out of a "GPL code release" from
one of the many (mostly embedded) vendors that was actually useful to be
contributed back to an existing Free Software project, or even that spawned a
new Free Software project? I for my part am certain to say: Zero. The actual
number might be close to zero, but very small anyways.
The next logical question is to ask ourselves, why it is like that. First of
all, the code quality is usually extremely bad. Looking at kernel patches from
the various vendors, I'd say the code quality is _by far_ off any scale that
would ever even remotely be considered to be suitable for upstream inclusion.
Not only do those vendors not care about any CodingStyle (which could be easily
fixed), but they ignore any existing standard APIs (why use them if we can
reinvent our own?), don't ever spend a single second on portability issues such
as SMP, DMA safe allocations, endian issues, 32/64bit, etc. This code is
"throw-away software". Fire and forget. The complete opposite of the
long-term maintainability goals of about any FOSS project I know.
I would be the most embarrassed man if I ever was involved with any such
software. Having your name associated with such poor quality would be like a
stigma. Any technical person would laugh. And yet, the managers of those
respective companies proudly announce the availability of their so-called "GPL
code releases". If they only understood how ridiculous they make themselves in
the technical community. It's like if they were proudly presenting a drawing
from a three-year-old kid as the new Picasso. They just don't notice because
the number of people with a taste of art is apparently larger than the number
of people with a taste of source code quality and aesthetics.
The next big problem is the perpetual preference of vendors, even in a market
with only six month product life-cycles, to use ages old software to base their
code on. Of what use is e.g. an obscure netfilter patch that was developed
against kernel 2.4.18, something that is many years old and of no relevance to
current stable kernels or even current development?
Now you might argue "What about projects like OpenWRT?". While they are no
doubt very useful, it is quite simple. Those projects mainly benefit only the
customers of the (probably formerly GPL infringing) embedded devices.
Therefore, they benefit specific customers, and not Free Software Users in
general. Even if OpenWRT or others invest huge amounts of work and manage to
clean up / re-implement some of the awkward sources released by embedded
manufacturer X, and push it into the upstream project (e.g. Linux kernel), it
is most often only a very specific user base that benefits from
it. All the really interesting bits, if there are any at all, are kept
proprietary by the respective manufacturers, using legally extremely
questionable practises such as binary-only kernel modules.
If one thinks a bit more, this whole sad process could have been envisioned before.
It's a myth to believe that Linux and other FOSS is so popular in the embedded
market because vendors think it is more reliable, or secure, or even because of
the maintainability, audit-ability, or even the benefits that users and
developers get from being able to run modified versions of the software. If
they were, we would see clean code and regular security updates. In reality
almost every product is one gaping security nightmare. None of those potential benefits are of any interest to embedded vendors.
The response to the 'why' question is quite simple: They use GNU/Linux because
this way they can avoid per-unit royalties that are very popular with
alternative (proprietary) embedded OS's. It's a cheap commodity. Thus, it's
not surprising how they treat GPL compliance. Disgruntled, not understanding
the issues behind, releasing only the most incomplete non-building source code
snippets that make any reasonable developer vomit at first sight. And since
they themselves lack the skilled developers internally (they're not cheap!),
their management goes ahead and releases something that is embarrassing. If I
wanted to evaluate the technical skill-set of a company before making
large-scale business with them, I'd [have somebody] look at their source code
releases. It can tell a lot about technical expertise and corporate style :)
Please don't get me wrong. I'm not complaining that there is any legal
shortcoming in those "GPL Code Releases" (though there often is, but that is not
the point of this article). But if somebody asks me, how much the actual Free
Software source code benefits from the code that was released by the vendors,
my honest reply would be simple and sad: None.
While this whole post might sound bitter and resigned, and like I wanted to
give up GPL enforcement since it's not worth it: This is not the message that
I want to put out. GPL enforcement remains important. I never assumed that
there would be a lot of actual mainline-mergeable source code coming out of it,
so I'm not disappointed with the enforcement. I just have the constant feeling
that many people are driven by misconceptions, and nobody outside the hacker
community really knows what's going on on a technical level.
gpl-violations.org prevails in court case against D-Link on the GPL
A couple of weeks ago, I mentioned
in this blog that there was a legal victory in a ground-breaking court case
on the validity and enforceability of the GPL.
Today, I have released this press release stating some more details on the case, including the name of the defendant: D-Link.
I'm quite happy to see that our arguments have convinced the court outright,
and that we didn't have to go through a lengthy procedure of calling several
prominent kernel developers as witnesses, and getting statements from technical
experts or the like.
If you're interested in the (German) judgement of 16 pages, you can find it at my lawyers'
website. An English translation is in the works, but will take another
week or so.
We've already received some press coverage, mainly in Germany so far.
Interestingly, in a statement of D-Link quoted
by heise.de, D-Link seems determined to not take this to a higher court...
which means that this judgement will soon be considered legally binding,
and be one more tiny step in the clarification of legal questions on the GPL.
I'd like to thank my fellow developers Werner Almesberger and David Woodhouse,
as well as my lawyer Dr. Till Jaeger and his colleagues for all their support
and work. A lot of time and effort was spent in preparation of this case, and
as it turned out, exactly that preparation brought the case to a quick ending.
Victory!
Today I have received news that we've won the first regular civil court case on
the GPL in Germany. This is really good news, since so far we've only had a
handful of preliminary injunctions granted (and an appeal case against
an injunction), but not a regular civil trial.
The judge has ruled, but the details of the court order have not been publicised yet.
I'll publicise the full details as soon as those details are available in the
next couple of weeks.
[p.s.: If you're from the press: Don't bother asking me about further details
on who the defendant was, or whatever else. Patience. All shall be revealed
soon]
10 common misunderstandings about the GPL
I'd just like to point out the excellent article on
10 common misunderstandings about the GPL by Bruce Byfield.
Meanwhile I'm still working in India, just returned back from Mumbai to
Bangalore. Two more days and I'll be back to Germany. For one week, at least.
GPLv3 conference in Bangalore
It's already four days ago, but I just couldn't find some time to write about
it in this blog. The 4th international conference on GPLv3, held in Bangalore/India.
I've been to three of those four conferences now, and I guess that makes me the
only one apart from the FSF to judge how it actually went, compared to other events.
And I'm sorry that I have to say that it was by far the worst of these events :(
- They closed down registration at some fixed limit (270?) because the auditorium couldn't
hold more people. However, since the registration was free, only 50% of the people who
registered were actually present. And this at the expense of people who apparently have been
turned away after the quota was filled. Now we had a half-empty auditorium, and people
who wanted to come but were rejected.
- The programme. Basically RMS and Eben did not only give their usual (every time updated)
great presentations on the spirit and the wording of the current license draft. But then
they were kept alone on the stage to reply to questions for about the same time. Nobody
else but them was giving any presentations on something that is really GPLv3 related.
- The panels. What is the point of a "business panel" if all(most) you have
represented there is some small three-men-in-a-garage companies that are run by
free software enthusiasts? Where have been the Infosys, Wipro, ... companies?
Don't they have something to say about the GPLv3?
- The audience. How can you come to a conference on the GPLv3 and then ask questions
that
  - everybody knows will upset rms because they use Linux with no GNU/ in front
  - are totally unrelated (how can I make Autocad work on Linux)
  - reveal that you haven't even bothered reading the GPLv3 draft

Where were the GPL-savvy lawyers, free software developers and industry representatives
that had made their way to the Barcelona and Porto Alegre event?
- The [non-existing] moderation. Why was there nobody stopping all that
off-topic crap like endless discussions on why gnucash isn't conforming to the
Indian accounting standards. I'm sure those are important problems to be
addressed (and somebody should just hack that code into gnucash if he has a need
for it). But who the hell cares about this on a conference specialized to
license questions?
Travelling to a gpl-violations.org related court hearing tomorrow
Tomorrow morning I'll have the pleasure of travelling to Frankfurt,
where the first court hearing in a particular gpl-violations.org case will
happen.
Those of you who follow my actions closely (closer than the practically
non-existing PR work of gpl-violations.org allows) will notice that this is
actually the first 'regular court case'. So far we settled everything either
out-of-court, or sooner or later after a preliminary injunction, or an appeals
case thereof.
In this particular case the defendant claims that the GPL is not applicable to
them for a number of reasons, but at the same time argues that he still has the
right to use the software, despite not having obtained any kind of license.
I don't want to disclose the identity of the defendant yet, but I'll
certainly post some more information on this pretty soon. You will all know
the company, though. A very popular vendor of embedded networking gear.
Interview on gpl-violations.org with groklaw.net
There seems to be "interview season", since just after the lwn.net
interview, groklaw.net has now
published this
interview with me on gpl-violations.org.
The interview was taken by Sean Daly, who has also been taking care of the
audio and video recordings at the 3rd
international GPLv3 Conference in Barcelona last week.
Let's hope that those interviews will raise some more awareness and prevent more
violations from ever ending up in our request tracker.
Meeting up with Armijn Hemel
During my short trip to Amsterdam, I had a chance to meet with Armijn for a
couple of hours. It's always good to meet people face-to-face when you're working
with them a lot, especially on delicate issues such as GPL enforcement.
We've decided on how to optimize our work-flow and how to improve internal
documentation of the individual cases. The usual thing when you're used to working
on something alone (i.e. knowing everything off your head) as opposed to other
people getting involved, etc.
Anyway, I'm extremely pleased that somebody is helping me out. There's also
another friend of mine who's starting to get involved in the project, mainly on
technical issues such as verification of the source code offered by the various
(formerly?) infringing entities.
OpenWRT terminates GPL License to SveaSoft
It might not be something new to you at all, but it was new to me, since it
happened during my holidays: OpenWRT has
sent SveaSoft a note of termination of rights under the GPL.
I've had SveaSoft on my radar several times, but the whole situation seems to
be so messy, and there seems to be a history of different violations with each
and every release they made. Also, there seems to be quite some confusion on
the whereabouts of the developer[s?], which makes it difficult to find an
applicable jurisdiction.
How to boot your own kernel on the Thecus N2100 - and prove it violates the GPL
My latest candidate for gpl-violations.org (and hopefully the last before
finally leaving for holidays): The Thecus
N2100 and N4100 NAS devices.
The Thecus boxes seem nice, at first sight. Apparently somebody recognized the
need for a bit more performance, so there's an Intel IOP 80219 with 64bit PCI-X
support, DDR400 memory (actually in a socket), an empty miniPCI slot (great!),
USB2.0 ports, and SATA (yay). This should definitely be more promising than the
usual 33MHz 32bit PCI / IDE / MIPS / SDRAM based smaller NAS boxes. The only
thing really lacking with those Intel I/O processors is a hardware crypto unit.
Who wants to have unencrypted storage these days?
Looking at the software, the problems start. First, there is no NFS support.
iTunes, SMB/CIFS, HTTP, FTP - but no NFS :( Secondly, the web configuration
frontend requires flash. Duh! How can you use something as ugly and
proprietary as flash for something as simple as a web configuration frontend
for an embedded box. God knows.
Anyway, let's get back to the GPL issue. As usual, I cannot make such a claim
without verifying it. First of all, the devices (and their firmware updates)
ship without a copy of the GPL, any indication that GPL licensed software was
used, no written offer and no source code.
But well, how the heck do I know (and can prove) that they actually run
Linux? I won't disclose the reason for my initial hints, since I don't want
future vendors of future products to know how they can avoid me ;)
But anyway, let's assume I was surprised to see an nmap fingerprint that
indicates Linux on the box and now want to go further.
Looking at the firmware update images, they appear to be scrambled / encrypted
somehow. At least there is no gzip/bzip2/LZMA/ext3/cramfs/romfs/... signature
to be found in them. And even if the firmware updates contain Linux, this
doesn't actually prove anything about the software pre-installed on the device.
The running device also doesn't offer any ports apart from the SMB-related ones
and http(s). So we're stuck.
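The signature check described above can be sketched as follows. This is an added example, not code from the original post: the sample images, the XOR "scrambling" and the 7.5 bits/byte threshold are constructed assumptions and say nothing about the actual Thecus update format.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter


def _gzip_ok(d, o):
    # Reserved flag bits clear, XFL in {0, 2, 4}, OS code 0-13 or 255.
    return (len(d) >= o + 10 and d[o + 3] & 0xE0 == 0
            and d[o + 8] in (0, 2, 4) and (d[o + 9] <= 13 or d[o + 9] == 255))


def _bzip2_ok(d, o):
    # "BZh" + level digit 1-9 + first block magic 0x314159265359.
    return len(d) >= o + 10 and 0x31 <= d[o + 3] <= 0x39 and d[o + 4:o + 10] == b"1AY&SY"


def _lzma_ok(d, o):
    # LZMA "alone" header: props 0x5d, then le32 dictionary size (a power of two).
    if len(d) < o + 13:
        return False
    size = struct.unpack_from("<I", d, o + 1)[0]
    return size >= 4096 and size & (size - 1) == 0


def _cramfs_ok(d, o):
    # The 16-byte signature string follows the four 32-bit header words.
    return d[o + 16:o + 32] == b"Compressed ROMFS"


def _ext_ok(d, o):
    # o points at s_magic (superblock offset 56); the superblock sits 1024 bytes
    # into the filesystem, and s_log_block_size (offset 24) must be small.
    sb = o - 56
    if sb < 1024 or len(d) < sb + 60:
        return False
    return struct.unpack_from("<I", d, sb + 24)[0] <= 6


# (name, magic bytes, validator, distance from start of structure to the magic)
SIGNATURES = [
    ("gzip", b"\x1f\x8b\x08", _gzip_ok, 0),
    ("bzip2", b"BZh", _bzip2_ok, 0),
    ("lzma", b"\x5d\x00\x00", _lzma_ok, 0),
    ("cramfs", b"\x45\x3d\xcd\x28", _cramfs_ok, 0),  # little-endian image
    ("cramfs", b"\x28\xcd\x3d\x45", _cramfs_ok, 0),  # big-endian image
    ("romfs", b"-rom1fs-", lambda d, o: True, 0),
    ("ext2/3", b"\x53\xef", _ext_ok, 1080),
]


def scan(data):
    """Return sorted (offset, name) pairs for every validated signature hit."""
    hits = []
    for name, magic, ok, delta in SIGNATURES:
        pos = data.find(magic)
        while pos != -1:
            if ok(data, pos):
                hits.append((pos - delta, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def entropy(data):
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(data, threshold=7.5):
    """High entropy alone cannot tell compressed from encrypted; signatures can."""
    hits, h = scan(data), entropy(data)
    verdict = "recognisable" if hits else (
        "scrambled-or-encrypted" if h > threshold else "unknown")
    return {"hits": hits, "entropy": h, "verdict": verdict}


def build_clear_image():
    """Constructed sample: vendor header + gzip stream + cramfs superblock."""
    payload = b"".join(hashlib.sha256(struct.pack(">I", i)).digest() for i in range(512))
    comp = zlib.compressobj(9, zlib.DEFLATED, 31)  # wbits=31 selects gzip framing
    gz = comp.compress(payload) + comp.flush()
    cramfs = struct.pack("<IIII", 0x28CD3D45, 4096, 0, 0) + b"Compressed ROMFS"
    return b"FWHDR" + b"\x00" * 59 + gz + cramfs


def scramble(data, key=b"\xa7\x3c\x91\x5e\xd2"):
    """Constructed stand-in for vendor scrambling: XOR with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    clear = build_clear_image()
    for label, img in (("clear", clear), ("scrambled", scramble(clear))):
        print(label, assess(img))
```

Both constructed images have close to 8 bits of entropy per byte; only the unscrambled one yields signature hits, which is the distinction the paragraph above relies on.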
This is where I usually take the device apart, carefully analyze its hardware and
go looking for a serial port with my Oscilloscope probe. Unfortunately the PCB
of the N2100 didn't seem to have one. It took me some time to figure out that the
serial port connector (there's actually a standard 9pin header) is on the SATA
backplane rather than on the CPU board ;)
Hooking up a serial console, you can see RedBoot wait for one second and then execute
a boot script that loads initrd and kernel, and finally executes it. Yay! Too bad that
the actual kernel seems to lack support for a serial console. So all you get
is the 'Uncompressing Linux......................................................................................... done, booting the kernel.' line.
Together with the firmware scrambling/crypto,
this is definitely an attempt to hide the use of GPL licensed software and/or otherwise
lock the user out of the device.
Unfortunately hex-dumping the whole memory contents from RedBoot via the serial port,
and parsing it on the host side seemed like a rather clumsy - and otherwise
unproductive approach to finding proof of GPL licensed software in the device.
Luckily, you can interrupt RedBoot and configure the network device, set up
TFTP, cross-compile a kernel for the IOP 80219, and boot that. After some twisting
of the .config, I got it to boot without any crashes, and even the RedBoot partition
table is correctly recognized and parsed.
So now I'm running Linux on the device, great. But still I can't prove that the
device actually ships GPL licensed software in a non-compliant way. So all that
is missing is an NFS-root capable installation of Debian-arm that we can boot into,
and which we can use to read out the mtd partitions.
Oh, and yes. While I appreciate their love for the netfilter project and its software:
There's absolutely no place in a NAS box for having ip_conntrack linked statically into
the kernel - unless you voluntarily want to lose performance. At least to my knowledge,
performance of NAS devices counts. So, Thecus, in your own interest: disable ip_conntrack
in the kernels you ship.
[ /linux/gpl-violations |
permanent link ]
Buried alive in GPL violations
It's not funny anymore. The current rate at which new GPL violations get
reported and/or discovered, especially from the appliance/embedded market
is really alarming.
For example, I haven't yet seen a single Linux-based NAS product that was
even remotely license compliant when first analyzing it. And I'm not only
talking about the SoHo NAS boxes with one or two hard disk drives, but even
about enterprise storage systems.
On the enterprise end, we're now also seeing carrier grade network equipment such
as SONET/SDH switches, metropolitan area Ethernet, DSLAMs and the like.
Also, in some areas of business, competing companies seem to make the same
mistake again, rather than learning from their competitor. Some time ago I had
to resolve GPL issues with Maxtor Shared Storage drives, when they were first
released. Now I found out that Western Digital has similar systems called
NetCenter. Ordered one, and it came without GPL license text, written offer
or source code.
Finally, there is one good example though. For a very long time, a product
that I analyzed was actually GPL compliant. It's good to see that there are a
few who get it right, from the beginning: The APC NetBotz family of products.
The manual contains a reference to the source code, which can be obtained from
ftp://ftp.netbotz.com/gpl/.
Anyway, I need a break (see my holiday related post). Hopefully I'll get back
from that trip rested, with lots of energy and an extra portion of patience.
This has become more of a burden than I ever thought.
The second and third quarter of this year definitely are the right time to
think of a way to incorporate gpl-violations.org as an NGO/non-for-profit.
One that can actually pay somebody hunting down those cases, doing the
day-by-day work. I have a dream that at some point in the future I can once
again concentrate on cool and interesting development, like most other hackers
do.
[ /linux/gpl-violations |
permanent link ]
Another unproductive day of GPL enforcement.
I'm feeling terrible. The second day in a row where I didn't find time to
write a single line of code, merge any contributed patches, squash any bugzilla
entry. Not even to speak of paid-for work.
While I used to spend about 30% of my time with GPL enforcement related work,
it now peaks at about 70% for the last two weeks. This is not a good sign.
So apart from talking to lawyers, proof reading legal paperwork, negotiating
with allegedly infringing companies and the like, I now also start having
trouble doing test purchases. Not only do some retailers refuse to take orders
from me, but if I actually place an order, it also raises new problems.
The last web store I ordered a test purchase from now asked me for a complete,
readable copy of both sides of my ID card. WTF ?!? This is totally against any
data protection laws. There is absolutely no requirement for them to know my
passport photograph, id card number, size or eye colour. So as a follow-up I
had to write an official complaint with the Berlin data protection agency - as
if I didn't have any other work to do.
Also, for the last months, I find myself giving about EUR 10k in 0% interest
loans to GPL infringing companies. That's the amount of money spent for test
purchases that I had to do to confirm GPL violations but which hasn't yet been
reimbursed.
About the only positive thing in the course of my work day was producing the Chaosradio Express issue on
gpl-violations, which Tim and I did earlier this evening.
Oh, and the best thing that happened today in general, is that the German
Federal Constitutional Court has invalidated a recent law that allowed the government
to order the military to shoot a passenger plane which was abducted by terrorists.
At least some people still have a sane view on human rights.
[ /linux/gpl-violations |
permanent link ]
More TI AR7 related GPL violations
Out of all the embedded network devices that had GPL issues, the Texas
Instruments AR7 based devices probably have the worst GPL compliance history
I've ever seen. The time has come to properly rant about this.
It's yet unclear whether this is TI's own fault, or just the fault of their
OEM/ODM manufacturers. But I'm more than determined to find out.
Anyway, the list of problems with TI AR7 based devices is so incredibly long,
that I don't even know where to start.
First of all, re-engineering their devices (for GPL compliance audits and legal
action following up to such an audit) is incredibly difficult because they've
added LZMA compression to both the kernel image (vmlinux) and squashfs.
Now what's so difficult about this? You might argue that the LZMA algorithm is
(L)GPL licensed and publicly available. As is the original kernel source code,
and the squashfs code. Also, you might know that numerous individuals have already released
patches to add LZMA to kernel boot, initrd and squashfs.
However, there are various methods (with/without LZMA header, with/without
p7zip header, etc.), and there simply is no standard on how to build a system from the algorithm.
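To make the header variants concrete, the following added example (not from the original post and not any vendor's code) classifies a compressed blob as a 7z container, a classic .lzma stream with its 13-byte header, or a headerless LZMA1 stream whose lc/lp/pb parameters have to be guessed. The function names, the constructed sample payload and the reading of "p7zip header" as the 7z archive signature are assumptions.

```python
import itertools
import lzma
import struct

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"      # signature of a 7z (p7zip) archive


def parse_alone_header(buf):
    """Parse the 13-byte header of a classic .lzma stream, or return None."""
    if len(buf) < 13:
        return None
    props, dict_size, unpacked = struct.unpack_from("<BIQ", buf)
    if props >= 9 * 5 * 5:                 # props = (pb * 5 + lp) * 9 + lc
        return None
    # Heuristic: power-of-two dictionary between 4 KiB and 256 MiB.
    if not (1 << 12) <= dict_size <= (1 << 28) or dict_size & (dict_size - 1):
        return None
    # Size field is either "unknown" (all ones) or a sane byte count.
    if unpacked != 0xFFFFFFFFFFFFFFFF and unpacked > (1 << 30):
        return None
    lc, rest = props % 9, props // 9
    return lc, rest % 5, rest // 5, dict_size


def try_raw(buf, lc, lp, pb, dict_size=1 << 23):
    """Decode a headerless LZMA1 stream; None unless it ends cleanly."""
    filt = [{"id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb,
             "dict_size": dict_size}]
    dec = lzma.LZMADecompressor(lzma.FORMAT_RAW, filters=filt)
    try:
        out = dec.decompress(buf, max_length=1 << 20)
    except lzma.LZMAError:
        return None
    return out if dec.eof else None        # require the end-of-stream marker


def guess_raw_params(buf, marker):
    """Return the first (lc, lp, pb) whose clean output contains marker."""
    for lc, lp, pb in itertools.product(range(5), repeat=3):
        if lc + lp > 4:                    # combination liblzma rejects
            continue
        out = try_raw(buf, lc, lp, pb)
        if out is not None and marker in out:
            return lc, lp, pb
    return None


def classify(buf, marker):
    """Name the packaging variant of a compressed blob and its parameters."""
    if buf.startswith(SEVENZ_MAGIC):
        return "7z container", None
    hdr = parse_alone_header(buf)
    if hdr is not None:
        return "lzma-alone header", hdr[:3]
    params = guess_raw_params(buf, marker)
    if params is not None:
        return "headerless raw lzma", params
    return "unknown", None


# Constructed sample input: the same payload packed in two different ways.
MARKER = b"Linux version"
PAYLOAD = b"Linux version 0.0.0 (constructed sample banner)\n" * 8
WITH_HEADER = lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE)
HEADERLESS = lzma.compress(PAYLOAD, format=lzma.FORMAT_RAW, filters=[
    {"id": lzma.FILTER_LZMA1, "lc": 0, "lp": 2, "pb": 0, "dict_size": 1 << 23}])

if __name__ == "__main__":
    print(classify(WITH_HEADER, MARKER))
    print(classify(HEADERLESS, MARKER))
```

The guessed parameters are only the first set that decodes cleanly; for some inputs several sets are equivalent, so the result identifies a working decoder configuration rather than the encoder's exact settings.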
Getting to the actual infringements. So far I've seen devices that
- remove the "(C) Netfilter Core Team" message that is usually printed during boot-up
- modify existing netfilter/iptables code, like add HTTP reply support to ipt_REJECT
- add binary-only new netfilter/iptables targets, like ipt_PNAT
- add new binary kernel modules that have "MODULE_LICENSE(GPL)" without providing source code
There are many other potential issues, on whose GPL compatibility (or lack thereof) I do not want to
comment at this time, such as their binary only drivers for the DSL chipset, the WLAN driver.
Interestingly, all of the Vendors of TI AR7 based devices with whom I had
contact on the GPL issues showed equally little interest in bringing their
products into compliance. Now this could all just be a coincidence. But my
personal guess is that they just forward whatever questionable policy they get
from their upstream chipset and reference software development kit provider:
TI.
You might wonder about the device manufacturers in question? I'm still a bit
hesitant in disclosing names. One of the first companies running into GPL
trouble with TI AR7 was D-Link. Another company with anything but the cleanest
GPL history on TI AR7 based devices is AVM, who produce the overly popular and
widely branded FritzBox devices.
There is another brand that is sold in significant quantities, at least in the
German market. We're on the brink of applying for the next gpl-violations.org
preliminary injunction, so I won't be able to say any names.
[and now, after some five hours of gpl-violations related device re-engineering
before getting up, I'll finally try to find some time to get some breakfast.]
[ /linux/gpl-violations |
permanent link ]
Austrian Health Card System now GPL compliant
It already happened at some point at the end of 2005, but now I finally got
around to writing a press release on this subject:
gpl-violations.org has enforced yet another high-profile (at least in the
German speaking continental European world) case of a GPL violation. Instead of repeating myself, you might want to read this release or the German version.
My real problem is a lack of time, and it's more than a pity that
gpl-violations.org didn't have a press release for nine months - even though
those were full of successful enforcement work. I hereby promise to improve my
public relations work.
[ /linux/gpl-violations |
permanent link ]
First GPLv3 draft
As almost every reader of this journal will know, the first GPLv3 draft has been published, and
everyone is invited to comment on it.
I obviously already left some comments, though I still want to write up a
somewhat larger article on my thoughts on it. This journal entry is not that article ;)
In general, I'm quite relieved. I had somewhat mixed expectations - but
almost everything looks quite fine, and there are hardly any issues. I obviously
like the DRM countermeasures.
From a gpl enforcement point of view, it is very good to see that the "complete
corresponding source code" has been specified in more detail. This should save
us from the hassle of ever again starting the discussion (nit-picking) on
whether "scripts to control compilation and installation" (GPLv2) really only
means scripts, or whether it also covers other methods controlling compilation and
installation.
What is a real problem, and I hope this can still be resolved, is the new "60
days" grace period that was introduced. With GPLv2, the right to distribute
the software was automatically revoked in the case non-conformant distribution
has happened. In the v3 draft, there is a grace period where the rights _may_
be terminated, and only 60 days after being notified by one of the copyright
holders.
The intention of it is to take care of "inadvertent violation". As harmless
and reasonable as this sounds, this change has the potential to render most of
the current enforcement success of gpl-violations.org impossible in the future.
From all the 60+ cases that we've enforced, I cannot tell you one case where
the defendant would not claim that the violation was inadvertent. So in
reality, inadvertent basically means "we didn't care". However, the whole
point of the gpl enforcement exercise is to raise awareness and make them care
before it is too late.
The 60 days grace period is not acceptable. On the one hand, we (in Germany)
basically lose the ability to apply for preliminary injunctions. PI's are
only granted in case of urgency, which translates (depending on the court) to
something like 30 days. So if I know for more than 30 days that somebody is
infringing on my copyright (and don't get the matter resolved with him in that
period of time), then I can't consider this matter as urgent.
The 60 days grace period is also not acceptable, because it would basically
reduce the motivation to comply with the license in the first place. So for
EvilCorp Inc. it is perfectly possible to design a product using GPL licensed
software, not comply with the license, ship the product, wait for a copyright
holder to send a notice, make sure that I ship all the remaining in-stock
products that do not contain a written offer, GPL text and/or source code in
the 60 remaining days, and then start behaving GPL compliant. If such behaviour has
no consequences at all, why would anyone behave differently in the first place?
[ /linux/gpl-violations |
permanent link ]
Today marks the first discovery of a ulogd GPL violation
It's actually not really all that important, but today I found the first
product that distributes my ulogd program in a GPL incompliant way.
To my biggest surprise, it's not a Firewall/Router/WLAN device, but rather a
NAS. Still have to figure out where, how and why they use ulogd on it, but it's there (and no source code [offer]).
[ /linux/gpl-violations |
permanent link ]
Have to turn down invitation on GPLv3 conference
As you might know, the GNU GPL is currently under review and version 3 is
underway. With regard to the GPLv3 process, the FSF will be holding a
conference later this January to which I had the honour to be invited.
Since many people have already been wondering why I will not participate:
It is not because of the conference or because of the FSF. My previous
contacts with the FSF have been very forthcoming and productive, and I would
very much like to share my GPL enforcement experience at the GPLv3 conference.
Unfortunately though, the conference will be held in the USA, a country to
which I'm not going to travel anymore because I don't want to hand over (and
leave) my biometric information (aka fingerprints) in a country that basically
has non-existing data protection rights, esp. when it comes to government
agencies and foreigners.
In addition to the biometrics issue, there are numerous dangers from the
software patent and the DMCA front for people like me who indulge in quite a
bit of reverse engineering. In the end, the US just don't sound like a place
where I would feel comfortable and/or safe and/or secure in any way.
My best wishes to the GPLv3 conference, I hope they'll have a productive meeting
for the future of free software.
[ /linux/gpl-violations |
permanent link ]
Increasing number of GPL violations
As the frequent reader of this blog will know: In order to keep track of all
the alleged/confirmed gpl violations, and the progress in their resolution, we're now using RT (request tracker).
Since the request tracker was introduced about one month ago, we've received an
incredible amount of reports. Today I opened ticket number 64 (!).
I don't really have that kind of automatic statistics on the number of
reported violations before, but it was certainly less than that number...
[ /linux/gpl-violations |
permanent link ]
More cases seem to be coming up, test purchases dropping in
Sometimes I really think that I'm insane. In the last week alone, I've spent
some 7000 EUR in test purchases to prove GPL violations. Yes, I'll get
reimbursed once those cases are over, but somehow I feel like giving loans to
those companies who don't obey the license. If I'd put that money into a
bank, I'd at least get some (crappy) interest rate.
There are so many cases that I would like to write/talk about, but cannot
because they're still not over yet. *sigh*. Let's hope I can publish some
news before I leave for my 11 day trip to Bangalore for FOSS.in.
When I'm back, I can be sure that there's a stockpile of devices to analyze.
Wish I could spend that time with something more productive, though.
[ /linux/gpl-violations |
permanent link ]
Four more gpl enforcement cases
Today I've finalized my preparations (paperwork, etc) for passing four more gpl
violation cases off to my lawyer. As usual, I don't state the names of the
vendors/products at this time.
There has been quite some amount of backlog piling up, as I've been busy with
other (more interesting, to be honest) stuff in the netfilter, openmrtd and
OpenEZX world. Luckily we're now using RequestTracker and hopefully don't
lose any reports of violating products.
[ /linux/gpl-violations |
permanent link ]
Sony Root-kit allegedly is an LGPL license violation
Some of you might have already read it: Sony distributes a 'root kit' with their
DRM-encumbered 'copy protected' CDs. This basically allows Sony to control your computer, once you've installed the software contained on one of their audio CDs.
While this in itself is already a security nightmare (especially since they don't inform and/or warn the user about this), it gets even worse: According to a number of sources, this software even contains a statically linked version of the LGPL licensed liblame.
I guess this gives a really strong measure: In order to protect our valuable
copyright on proprietary music, we don't give anything about the copyright of
others, such as authors of free software.
[ /linux/gpl-violations |
permanent link ]
Insurance against GPL violations
According to this
zdnet.com article, there is now an insurance against legal risks from
violating Free Software Licenses.
Strangely, that article claims the insurance is about "the risk of using open
source software". This is misleading, since there is no risk involved in
_using_ the software. There is, like with any other software, a risk when you
violate the license.
One wonders when we'll get such an insurance for "the risks of using proprietary software [without obtaining a license]".
[ /linux/gpl-violations |
permanent link ]
Brian about a possible GPL violation
In his blog,
Brian points out that the Barracuda Spam Firewall 300 seems to be violating
the GPL.
It's not yet clear what kind of software they actually include, but if a
customer (who has received a binary copy of the GPL licensed Linux kernel)
calls them up and explicitly asks for the source and then gets fishy answers
like those pointed out in Brian's blog, then there's certainly something wrong.
[ /linux/gpl-violations |
permanent link ]
Installing a Request-Tracker for gpl-violations.org
Since a number of issues were already lost on the legal@lists.gpl-violations.org list, and there's
now actually more people getting involved in the project (mainly Armijn), I've installed Request Tracker for the project.
Anyone who has new gpl violations to report, please contact
license-violation@gpl-violations.org instead of the new mailing list.
Please do not report any old cases (that have been posted to the list) to the
request tracker, I've already added all those old cases as tickets to the new
system.
[ /linux/gpl-violations |
permanent link ]
Bringing ftp.gpl-devices.org live
ftp.gpl-devices.org has been up and
running for a number of months now. As usual, I never really had the time to
take care of it (i.e. feed it with all the vendor-released and 3rd party source
code for embedded devices running GPL licensed software).
Luckily, Imre Kaloz was interested in helping me out. He's now in charge of at least putting all the TI AR7 related source tar-balls on the ftp site.
I've already dedicated a 300GB hard disk for the source code, which should be fairly sufficient for some time. At this point, I have no more than 40GB of vendor-supplied source code images at home. ftp.gpl-devices.org has only some 3GB as of now.
Thanks go to noris.net, the internet provider where, like for almost all of my projects, the server ftp.gpl-devices.org is colocated.
[ /linux/gpl-violations |
permanent link ]
Donating 7000 EUR from GPL enforcement to FoeBud e.V.
Sometimes as part of my GPL enforcement work, vendors will make donations
in order to settle things like a grace period, i.e. a time where they can still
sell their stock of already-produced gpl incompliant devices.
Recently, as part of such a settlement, I was able to get EUR 7000 which have
been donated to FoeBud e.V., a registered
German charity fighting against privacy-invading technology use such as RFID,
and video surveillance. They hold the annual "Big Brother Awards" which give a
"prize" to those individuals and organizations that hurt privacy and data
protection most in that year.
[ /linux/gpl-violations |
permanent link ]
iRiver hands over source code CD-ROM
Some time ago, I ran into GPL issues with the iRiver PMP-1xx series. For some
reason, the Korean company chose to cease distributing their products in
Germany, rather than making them GPL compliant.
Despite that, they've now sent me a CD-R with the source code. I've made it
available to interested parties at ftp.gpl-devices.org.
I did not yet have the time to do a full-scale analysis whether it is complete
(as per gpl definition of "complete corresponding source code"). However, at least from a first quick look it seems fine (and even documented!).
[ /linux/gpl-violations |
permanent link ]
RMS visits ASUS: Free Software beyond their notice ?!?
In his blog,
Richard Stallman writes that he had a very unpleasant experience visiting ASUS
in Taiwan.
This is outrageous, considering they are using Linux and other free software
programs in their products and making business from it.
Their WL500g routers are using Linux, and did not comply with the GPL. So in
2004, I used my copyright to enforce the license. I have obtained a declaration
to cease and desist from ASUS Headquarters in Taiwan, and they modified their
product promptly to bring it into GPL compliance. See this news item on the netfilter.org project homepage.
Even today, ASUS seems to be using Free Software in a number of their latest devices, as I indicated in this blog entry.
[ /linux/gpl-violations |
permanent link ]
Almost all vendors of console servers GPL incompliant
According to this
German article (by Dr. Dirk Wetter), out of seven tested console servers
(all Linux-based) of various vendors, only two even mentioned that GPL licensed
software was used in the product. The majority of the devices neither
mentioned the GPL nor made any source code offer.
The vendors have been contacted by the author of the article, and almost all
promised to make their devices GPL compliant in the future. It has yet to be
seen whether they actually fulfill that promise. I will ask each of them for a copy of the full corresponding source code, since the offer implicitly has to exist [the devices didn't ship with the source code, so 3a GPL is no longer possible].
It's really disappointing to see this happen again and again. Everybody seems
to not care at all about the copyright of the code involved.
[ /linux/gpl-violations |
permanent link ]