GPL Violations: Is Cisco the Big One?
Many sceptics were convinced that as free software spread out beyond hackers into the general computing sector the rigorous GNU GPL licence would gradually be replaced by more accommodating – meaning weaker – forms, since it was “obvious” that its unbending rules were too strict for widespread use. In fact, the GPL has grown in importance, until today it is probably fair to say that it underpins most of the free software world, including enterprise applications. This makes any violation of its terms particularly worrying, because if left unchallenged, it threatens to undermine the entire ecosystem.
And yet, surprisingly, the Free Software Foundation has been very reluctant to take those who violate the licence's terms to court, preferring, instead, to adopt a softly-softly approach. As Eben Moglen, the main architect of the FSF's legal policy, told me back in 2000, when I interviewed him for Rebel Code:
“About a dozen times a year,” Moglen says, “somebody does something [that] violates the GPL. Most of the time, they're doing so inadvertently, they haven't thought through what the requirements are. And I call them and I say, 'Look, you're violating the GPL. What you need to do is this. Would you help us?'” The answer is invariably yes, he says.
“What is true,” Moglen admits, “is that no large American software company has engaged in a public controversy with us over the enforcement of the GPL.” And although some might conclude “that means...there's something about the GPL [that] is not enforceable, I would turn that proposition around,” Moglen says. “There have been no such controversies because nobody thinks they're going to win them.”
But Moglen was well aware that a time would come when a “large American software company” *would* engage in just such a public controversy:
“I think that sometime it's probably going to become necessary, in order to dispel a little FUD on these subjects, for us to choose to take the judicial enforcement route with a case [that] we would otherwise feel comfortable working out in our traditional way.”
That time, it seems, has just arrived:
The Free Software Foundation (FSF) today announced that it has filed a copyright infringement lawsuit against Cisco. The FSF's complaint alleges that in the course of distributing various products under the Linksys brand Cisco has violated the licenses of many programs on which the FSF holds copyright, including GCC, binutils, and the GNU C Library. In doing so, Cisco has denied its users their right to share and modify the software.
Most of these programs are licensed under the GNU General Public License (GPL), and the rest are under the GNU Lesser General Public License (LGPL). Both these licenses encourage everyone, including companies like Cisco, to modify the software as they see fit and then share it with others, under certain conditions. One of those conditions says that anyone who redistributes the software must also provide their recipients with the source code to that program. The FSF has documented many instances where Cisco has distributed licensed software but failed to provide its customers with the corresponding source code.
Harald Welte, who has done so much good work on GNU GPL violations with his gpl-violations.org project, provides some interesting background:
At gpl-violations.org, we had our fair share of dealing with Cisco (and particularly Linksys, a Cisco division). Never we have received any entirely satisfactory response. Sure, when you notify them of some GPL infringement, they will take some steps here and there. But in all those years, I have not seen a case where there was a thorough response. Whatever was disclosed as 'GPL source' was incomplete, didn't compile, and with the next firmware release there was again no source code for that new release. And then came the next product, sourced-in from a different OEM, and the entire process had to re-start from scratch.
Yes, they have gone and hired some engineer[s] to explicitly deal with the GPL related issues, like they have taken other steps in the right direction. But it was always superficial. Never addressing the problem at the root, i.e. have a proper in-house business process and supply chain license management to ensure the next product is not yet again a copyright infringement on GPL licensed software. It is so easy to resolve at the source, and so hard to fix later.
This consistent sloppiness suggests something close to contempt for the licence terms. That's curious given the fact that Cisco has recently made some positive moves to boost its GNU/Linux-based Application eXtension Platform (AXP):
Cisco is asking developers to instead think "inside the box" to create applications that will run on the Linux based Cisco AXP module. It's tossing in $100,000 in prize money just to keep it interesting.
This might be a case of the right hand not knowing what the left hand is doing, but that seems unlikely, since licensing is a fundamental issue that proprietary software companies certainly think about. It's significant that the competition mentioned above isn't about open source as such, just apps that run on GNU/Linux:
Though open source applications are welcomed by the Cisco contest, Kiran noted that it doesn't matter for the contest. "Cisco doesn't want to own the IP (intellectual property). As long as people can come up with an original idea, open source or otherwise we're OK with that."
This suggests that it sees open source as a handy and cheap source of materials that it can use, but not something that it explicitly wants to support, or indeed cares much about. That's a view that has already been voiced well before the current FSF action.
Against that background, I don't think the current alleged violations are an intentional attack on the GNU GPL – the “Big One” that everyone is waiting for to settle definitively its legal validity – but spring rather from a fundamental misunderstanding of what free software is about. Since it doesn't understand why people really care about being able to see the up-to-date source code, Cisco probably didn't think it would matter if it didn't comply fully with the GNU GPL licence. Once it realises that its ignorance and indifference are seriously damaging its reputation among a key constituency – that of developers – I predict it will soon comply with the licence, not least because it will cost a trivial amount of money and effort to do so.
The issue is not whether it will change its mind about fulfilling the terms of the licence to the letter in this case, but whether it will change its entire attitude to free software, and start giving it the respect it deserves. The best result from the current FSF action would not be a victory in the courts – welcome though that would be – but for Cisco to become a permanent and serious contributor to the free software world. That would be not just a win for the FSF, but a win-win for everyone.
Glyn Moody writes about free software at opendotdotdot.