License compliance?

As a commercial product you would almost certainly be in violation of most of the licenses, not just GPL. I would urge you to obtain formal legal counsel as well as appropriate liability insurance before you undertake anything even close to the path you’ve outlined.

3 Likes

Agreed and I'm not sticking my neck out on "internet lawyer" advice.

You likely need to provide your source code, as GPL requires. Just like the big boys do. (They do not do that just because they are so nice :wink: )

Quite many of the major OEMs like Netgear, Linksys etc. use firmwares that are based on the old OpenWrt versions, although that is hidden from the end-user GUI. And they all (or at least most of them) provide sources (at least in theory), like in https://www.linksys.com/us/support-article?articleNum=114663

2 Likes

Yeah, that's what I figured and this isn't actually about me wanting to follow the path I've outlined - I might have found something out of compliance.

1 Like

I suspected as much. That's a nice example, thanks.

https://www.gnu.org/licenses/gpl-violation.en.html

1 Like

Short answer:
You will get a legal beating.

Even shorter answer:
I will give you a beating.

Even shorter answer:
You will be hated.

Maybe off-topic but you could be talking about the Chinese "custom" firmwares based on OpenWrt or Ubiquiti. They also use their own gui but leave the standard one accessible. Not Ubiquiti though, their gui sucks. It gets worse, less mobile browser-compatible and more bloated with each new version release.

It's common to see the Chinese manufacturers and some community firmware promoters hide "easter eggs" like anti-features and binary blobs in order to do fun things like open backdoors or let their binary blobs traverse firewalls and send interesting data to "government-sponsored" corporations in Beijing.
One nice example is the software used on all the spy cameras from China and the apps to control them.
Things like that and the whole IoT world need to be isolated as guest devices on a segregated subnet or VLAN.

There needs to be a neutral open-source way to scrutinize firmware that is based on open source and then pinpoint malicious firmware "authors" in order to expose them as serious network vulnerabilities (ratz) to the community of users, especially users who run production networks, like myself.

1 Like

@jeff
As far as BSD goes it pretty much says as long as you credit X you're fine.
https://youtu.be/cofKxtIO3Is?t=590
A quick overview and discussion about it....

Pretty close, as I interpret the common clause in BSD-style licenses:

Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

This is often handled by including a copy of licenses in a compressed tar file for products that don't include source code. For example, the Android build system does just that for each ROM built.

LOL -- "I met Stallman. [...] If that's genius, I don't want to be that smart." Funny, I had exactly the same reaction when I was there myself.

@betelgeux, there are some pretty ridiculous mentalities here.

what you need is just to fork LUCI with a more simple web front end that is your brand as OEM.

you don't need to worry about crediting anything from those screens. you don't need to give ssh access. you don't need to give away your modified firmware. you don't need to make your code contributions available.

i could use something similar if you haven't solved this, i would be willing to help. nobody will hate you, this is the same thing as Open-Mesh, probably Ubiquiti, etc.

1 Like

For anyone else reading this, the above post is, at best, uninformed.

For GPL 2 alone the following statements are trivially provable violations of terms of license and, as such, amount to theft of intellectual property:

  • you don't need to worry about crediting anything from those screens
  • you don't need to give away your modified firmware
  • you don't need to make your code contributions available.

https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html

Note also that https://forum.openwrt.org/guidelines clearly states

You may not post descriptions of, links to, or methods for stealing someone’s intellectual property (software, video, audio, images), or for breaking any other law.

9 Likes

You crybabies censored my post for telling this guy the truth. You go onto an airplane and watch a video, and when it boots you see X come up and it is running Linux. You aren't displaying the GPL notice and crediting Linus Torvalds with a copyleft notice when the video player runs. You run Android and the first thing that pops on the screen is not a Penguin and a copyright notice going to GNU.org.

If you are creating a service or a product, the whole point of the GPL is that it is your right to use it. The user doesn't need to see all the gory details to run your application. Jeff, you are at best an alarmist.

This guy wants to give people a clean interface to control basic router functions. He can damn well fork GPL LUCI and put his simple interface to control basic router functionality without giving users all the gory details about each OpenWRT copyright component. He can distribute his product all he wants! He does not need your permission, just because you want to call him a thief.

Nobody is talking about removing the embedded copyright notices. Nobody has to give ssh access to his firmware for his product. He can distribute it as much as he wants. If he is distributing proprietary mods to his firmware, he does not have to share them. Do you see Ubiquiti and Google distributing their mods for UNMS or 802.11s for public scrutiny? They are probably using OpenWRT in there anyway to a substantial degree in their products. It is their right. That is what the GPL is.

You are trying to violate my human rights for expressing my opinion about this guy's question. The United Nations 1948 Universal Declaration of Human Rights states: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference, and to seek, receive, and impart information and ideas through any media regardless of frontiers"

Just because you are accusing me of advocating theft does not mean that what I am saying is theft in any recognizable way, shape or form. You are an extremely poor judge and jury of basic concepts related to the production of products related to underlying GPL components.

1 Like

[this will be my first and final involvement in this thread, as I don't feel qualified to provide legal advice]

strusty, IANAL and I don't have the slightest motivation to start armchair lawyering here, but your interpretation of the primary licenses involved here differs quite a bit from more common interpretations[0], [1], including those of many of the companies you quote or precedent set in several jurisdictions. So if you're advocating to disregard the more common interpretations, it would be a good idea to ask a copyright lawyer within your own jurisdiction[2] first, to back up your statements. Given that you seem to be quite keen on international conventions and treaties, I might suggest to read up on the Berne Convention from 1886 as well.

Dragging human rights into this isn't really helping your case either, as it's a display of gross misinterpretation again. Yes, if you go to Hyde Park's corner, town hall place, your own blog[3] or your own lawn, no one would be allowed to silence you[4], but that doesn't imply that anyone would be forced to tolerate you reciting your opinions on their own lawn. Owners and administrators, or whoever they delegate this responsibility to via community flagging, of this forum instance have every right to execute their prerogative which content to publish -or not[5]. You can ask them to reconsider or override potential community flagging, but the decision is up to them, not you.

--
[0] regardless of correct or incorrect, that would be something for a court of law to decide. A blank free pass to "ignore the license terms" would be a rather bold expectation, while granting the same amount of source access you've been given for your derived works might be considered a relatively 'safe' option (and jurisdictions might even disagree here).
[1] e.g. interpretations may differ in the distinction between "mere aggregation" and "derived works", respectively "independent works based on common interfaces" or what "distribution" means in the first place. This would be something to ask an intellectual property lawyer, but at least at first glance, the OP's question doesn't even get as far as these potential corner cases.
[2] it would also make sense to reconsider to which extent your legislation and the hypothetical advice of your lawyer considering the given situation put before them applies to others, under different circumstances and/ or different legislations.
[3] depending on the actual contractual obligations between the parties involved, your hoster isn't necessarily forced to keep hosting your blog though, if they disagree.
[4] and even that isn't universal or absolute, as local legislation might come with additional restrictions, such as -among others- content, volume, timing or form.
[5] https://forum.openwrt.org/tos#3

3 Likes

Without the GPL we would not be here. As stated, not all code is under the GPL. Proprietary code is subjective, without transparency. The fundamental purpose of the GPL is mutual benefit which leads back to the OP's question.

If your use for the product is NOT of a distributed nature ... then IMHO, this is a one hand clapping situation.

When you distribute you need to attribute. Simple.

4 Likes

@slh, that is a really cool response, if this was Facebook I would add you as friend.

We are talking about, as far as I can tell, distributing a Product, not source code. Or, it may be a Service.

There is no requirement to distribute the source code to your product- if there was we would all have Google and Ubiquiti's source code to their wifi products.

There is no requirement to display copyrights and logos when the user is using your product. There is no requirement to distribute source code to a user that is using your product. There is no requirement to put copyright notices on a control panel to help a user use your product.

What exactly are you saying I am missing here? That is all this user really wants to do. He is not even clear what he is asking, I am clarifying for him. You cannot tell me that giving a user access solely to a very reduced modified LUCI web interface with simplified items requires extensive representations of attribution for the underlying system components.

For that matter, forget LUCI, you can write your own HTML-based form for modifying the contents of /etc/config/network et al. That is all the user ever needs to see. You can give him OpenWRT underneath, you can shut off sshd, you can not give him the source code because god knows how many even have the source themselves who are freely using it.

This satisfies all this user's wishes with no violation of any license.

Tell me this is not true.

I believe you are confusing providing the recipient of your product with notice/licence and vandalizing your product with notice/licence etc.
Your notice can be in many forms and the open source code can be made available in many valid forms.

You really should try and understand first.

For example, in your earlier posts you mentioned Android doesn't plaster your screen with license notices. Of course it doesn't. However it does provide a notice.
You just need to look in the
Settings -> About Device -> Legal Information -> Open Source Licenses

https://source.android.com/setup/start/licenses

4 Likes

This very much is in contention, if you distribute code under a license like the GPL you are bound to follow the conditions of the GPL for those parts, and that includes the requirement to share any modifications to GPLd code, so if you distribute an OpenWrt based mod without at least a written offering to share the source, you are very much setting yourself up to lose in court. Even a cursory reading of the GPL will allow you to confirm this, how about you start with research before you give potentially costly advice on the internets? (Not that anybody should expect reliable legal advice from strangers on the internet, including me).

I believe this is a question you should discuss with a lawyer.

No you can not, for at least the kernel and lots of the applications are licensed under various GPL versions, like the kernel is licensed under GPL 2 (https://www.gnu.org/licenses/old-licenses/gpl-2.0.html) and that reads:
" 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code."

Which pretty much rules out your recommended course of action. You are right that if your own modification is not a derivative work of any GPLd code you might not need to share your own code, but that does not relieve you from the requirement to distribute all GPL code, otherwise you lose the license to use that code in the first place.

As by your request: This, as stated by you above, is untrue.

6 Likes

You are mixing two different concepts: providing a service using GPL software, and distributing a product based on GPL software.

Please, read both GPL 2 and GPL 3 thoroughly.

5 Likes

Let me put this another way.

In the case of a user who wants to distribute his own whitebox router product- we agree the underlying code is OpenWRT and GPL. There is no issue with distributing it nor any valid reason to not want to. Most of us don't even want the source. There are many many companies producing versions of OpenWRT, using things like QCA developer kit. You can get the code to QCA SDK, but it will cost you and it is under NDA. Therefore your work product is not GPL and you can't distribute this derivative code especially regarding any binary blobs. You can't even use the OpenWRT router on something like IPQ-4019 without one of kvalo binary blobs from QCA. You Do Not get the source. Period. So all this talk about GPL is irrelevant in this kind of case.

Nobody cares about whether the OpenWRT code is underneath the hood, in fact, it is assumed that the OpenWRT code is underneath the hood in almost all cases. There is no reason to conceal that the router is driven by OpenWRT. You log into a Ubiquiti device, it looks and smells like OpenWRT or some version of LEDE. You log into an Open-Mesh / Datto device, it is LEDE. I doubt very seriously that Google Wifi is more than OpenWRT with some custom 802.11s handiwork. The idea that this user needs to conceal the licenses is for his branding. I am trying to show how the industry openly handles this, and it can be done by some legal means, there is no need to put legalese roadblocks in front of his wishes.

Now, we can establish that his product is OpenWRT and that, as a compromise, he can make the OpenWRT distribution available, not that he needs to since it is all online. This request from the user is a misconception on his road to produce a whitebox product like OpenMesh. They have their own replacement for LUCI, something very nice that runs in their CloudTrax portal. They are not attributing LEDE anywhere that the eye can see. They have been in business since the very start of this. They are not distributing the source. Cisco is not giving out the source to the Meraki product, which I believe also ran on an early version of LEDE.

So, the user can produce his own binary blob or his own patches or anything he wants- they can run at boot and install before the system runs- it really doesn't matter what he does to get his product looking like he wants. The gory details of the GPL and attribution are completely irrelevant in practical terms so that this user can get what he wants. How?

Like OpenMesh, he does not need to give ssh access to the routers, especially if doing so allowed the users to change the firmware in a situation where the router was approved in some legal jurisdiction with that particular set of firmware. Who cares if the user gets the firmware or the source if it is illegal to install it?

He can also make his hardware such that new firmware cannot be installed, rendering all of this point moot, simply by having production solder a resistor to the TX pin of the USB Debug UART.

I am watching what the industry is doing, these are the facts. Nobody is suing QCA, nobody is suing Datto, and nobody is suing Google. They are inserting their own binary blobs, by whatever means and controlling the underlying GPL code with either proprietary web interface or openly using LUCI with QCA SDK code under NDA.

I doubt these big companies are leaving the barn door of legal exposure open to accomplish exactly what the user wants. This is supposed to be a forum to help people, why don't we help him get what he needs instead of blowing smoke that what he wants to do isn't possible?

2 Likes