Any legal risk to resell a device flashed with OpenWrt?

I bought a Meraki MR12 some time ago on a second-hand site.
My intention was to use it in a non-profit organisation.
I flashed it with OpenWrt.
We don't need it anymore.
Is there a legal risk to resell it (by analogy with a Windows PC refurbished with Linux I should assume it's OK, but ...)?

Any advice / (bad) experience in this domain?

Thanks for your advice

If it's a release build there is no issue because everyone can get the source code. Like a car though, many buyers may prefer the unit in stock condition so they can decide themselves if and how they want to modify it.

Perhaps safest is to re-flash with OEM firmware and direct the new owner to the Meraki site for information.

With GPL-licensed software there are specific terms around transfer to a new owner. The portions of software licensed under other terms have their own requirements. Without handing them a CD with the entirety of source code and build system on it (and perhaps more), you potentially run afoul of many of those licenses. Whether you consider that a "legal risk" is a personal decision.

Technically speaking you need to personally guarantee for 3 years access to the source code or distribute it with the device. I'd suggest you flash the latest release and just burn the source to a DVD and throw it into the box. You should be pretty much ok at that point.

Not actually sure how to get the source though :-\

There was a thread about this...and I'm not sure it would be required if the OP flashed a firmware from the downloads site...but they could use the build tools to make a firmware and provide a copy of their entire build directory.

This would result in more problems than it solves, as there's no way for any user to easily determine if the build system or source code has been tampered with. A better solution might be to simply include a link to the source code and a light-touch or zero-touch script that auto-compiles the build system.

  • I created a light-touch script for Ubuntu a while back, which could be used as a template or as is.

Additionally, IIRC, at least for the source code, all licenses would have to be made available in the root of the media containing the source code, which is another reason to only include a link.

  • Organizations usually have a person or team that deals specifically with ensuring all licenses are included where they're supposed to be when distributing code and software, and screwing that up could result in quite a few headaches for the person distributing the code.

If you read the GPL, a link to someone else's archive just doesn't qualify if you are selling the item.

@dlakelan What would be a good way to ensure the end user knows the source code they're being provided with by the seller hasn't been tampered with? Perhaps including the link to the source code on the same media containing the source code?

Your information is clearly incorrect and misleading. Reading the licenses themselves would be a good idea before you speak again on the subject.

While portions of OpenWRT are under GPL, there are many that are under other licenses. BSD two-clause is illustrative of other types of licenses.

https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html#SEC3

https://spdx.org/licenses/BSD-2-Clause.html

First, nothing in any of these licenses speaks to determining if the code has been "tampered" with. Nor does it speak to "root of the media" or any such construct.

Second, while linking to the source code might satisfy your mistaken belief as to what the licenses require, the licenses typically include a requirement to deliver assets with the work product, not just point people at it.

GPL includes "Accompany with" in its language in multiple places.

BSD style licenses typically include "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution."

Thanks for the snark, perhaps you should try a little less of it... respect goes a long way.

As to source code, I was referring to the device's source code, not OpenWrt's build system (which I referenced directly), and I did state IIRC [If I Recall Correctly], which one should infer as having read through the licenses at some point, so clearly I wasn't recalling what I had read correctly (clearly you've never done such a thing).

@macavlt this discussion has happened before here on the forums. There are a lot of forms of misinformation around. The GPL and the BSD licenses are widely available, and you can read them. There are other versions than the ones Jeff linked above (GPL v3 and so forth), but the main result is if you want to completely "wash your hands" of your obligation, it seems like the easiest way is to set up a build-system, build your own version of the OpenWRT firmware, install it on the device, and then burn your build directory to a DVD and throw it in the box. That would seem to discharge your duty most completely (I am not a lawyer, this is not formal legal advice).

https://openwrt.org/docs/guide-developer/build-system/start

It does also seem like openwrt would be required to provide their own archive of the sources used to build the downloadable releases. So, another simpler method would be to get a release build, install it, and then download the openwrt official source archive and burn that to a DVD. However, I think this is not as easy as it sounds. I don't think OpenWRT actually provides this. What they provide is a lot of git archives. The build-bot basically checks out the appropriate code, builds the binary, and then I don't think you can actually get that build-bot directory anywhere. The storage requirements for storing a complete copy of the source tree for each and every one of the thousands of router devices that are supported is just too burdensome. OpenWRT relies on the fact that it's enough to provide an offer to do this if needed, unless I'm wrong. But for example if you go to https://openwrt.org/downloads you won't see a place to download pre-created archives of the source, rather there's a system for you to check-out the source from git and build your own, that basically discharges their duty because you can check out the same thing the build bot checked out.

Not knowing all that is distributed, the Apache license has some requirements around notifications of "modified files", as well as any "NOTICE" file(s) in the original distribution or added by subsequent contributors, that are notably different than the GPL or BSD-style licenses. Especially the requirement for notifications of modifications (4.b) might not be met with a "snapshot" delivery of the as-compiled source code.

This Apache license also requires that (4.c) "You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work ..." (highlight mine).

I read this as saying that you can not remove any copyright, patent... notices from the Source...[you distribute] not that you must keep an archive of what you did.

But good point about the Apache license. Reading it, it seems that if you yourself did not make any alterations, you'd be unlikely to have to do anything beyond distributing what you received, but again, not a lawyer.

I think the discussion has gone far enough to ask @macavlt: What would you do now, after reading all this?

(check appropriate answer)
[ ] Sell the devices without caring about any licenses
[ ] Set up a build-system, build your own version of the OpenWrt firmware, install it on the devices, then burn your build directory to a DVD, throw it in the box and sell the devices.
[ ] Flash back to OEM stock fw and sell the devices

Just curious...

After reading all that expert advice, I will

1) keep the device and give it for free to another non-profit organisation
2) install it in my cave just for the fun
3) sell it without publishing an offer on the web

Would the most pragmatic approach be to flash a current release and just download the GitHub zip files and offer them to the buyer (keeping a copy for yourself for the relevant time period), so you don't need to be concerned with building and archiving source? Please don't burn a CD/DVD if no one asks for it; just be prepared in case they do.

You would have met your obligations, and you have done the buyer a favor by giving them an official release that will get support.

For example, for 18.06:

https://github.com/openwrt/openwrt/archive/openwrt-18.06.zip
https://github.com/openwrt/packages/archive/openwrt-18.06.zip
https://github.com/openwrt/luci/archive/openwrt-18.06.zip

Question: Have I missed any archives that are also required?

That approach leaves you missing at least all of the source code that is brought in by the build system including the kernel and packages. It also has other, significant gaps when looked at against GPL, BSD, Apache, and the other applicable licenses and their varied requirements. Even "tar up your build directory" has some gaps against the varied license requirements (and also then arguably invokes the licenses of all your build tools which you are now distributing as well).

So where are the archives for the kernel etc.?

It would be better for the whole community if they had a list of archives that they need to grab (for official releases) and offer them to buyers, rather than crippling the device with unmaintained OEM in most cases.

This is why I will likely never make an OpenWRT build of mine public. The infrastructure isn't in place and functional to properly meet the license requirements of all the components in an OpenWRT build in a reasonable way.

That makes sense.

But I am referring to OpenWrt official releases. OpenWrt as an organization has to comply and most likely does. So where are these other archives located, and how do we find them without making an official request to the organization to provide the source and being billed for reasonable cost of time and effort?