Licensing Violations

I've noted that there are binary builds being distributed either through this site, or through links associated with the site. In some cases the GPL Corresponding Source is not being provided, nor are the plethora of licenses associated with the packages included in the image included. While I understand the desire to share, "open source" software is not "free" and GPL is one of the most encumbered of the licenses. Even the more permissive licenses generally require at least that the copyright notice, list of conditions and disclaimer of liability be included.

  • So...how are we all able to install the OpenWRT SDK and compile the software ourselves then?
  • If there is no code, how does the buildbot compile it?
  • Have you ever looked where the SDK and buildbot pull the code from?

I beg you to be careful about making such claims.

1 Like

I did not say that the LEDE/OpenWRT project itself was in violation. My apologies if it was interpreted that way.

There are a lot of enthusiastic individuals here that may not be aware of the restrictions of GPL and the other licenses in the images that they build and distribute.

I didn't find a clear statement about forum policy on this. Perhaps one like that on the XDA might be a good reminder for individuals.

As an example, this is the present content of a Github project that neither provides the Corresponding Source, nor the licenses for the IP in the binaries it almost certainly contains.

image

1 Like

Shouldn't this command executed in the build root download all sources?

make download

https://wiki.openwrt.org/doc/howto/build#download_sources_and_multi_core_compile

Not if the individual has patched or otherwise altered any of the sources.

You've still got the obligation to the licenses.

It is something of amusement that so many in the community highlight how vendors fail to supply complete and buildable source, yet others in the same community make the same errors.

1 Like

Can you give an example where that's the case with binaries distributed on download.openwrt.org?

As I stated, this is not about the OpenWRT/LEDE project itself, but of this forum and some of its members.

That looks like my GitHub, jeff, what's the issue? You wanna go to court or what? You a lawyer? In fact, since you made a topic about this, I'm going to make this a huge issue now.

Might be anybody's Github that's built OpenWRT. I don't see any names there or anywhere else in my postings on this thread.

No, I'm not a lawyer, but I do try to respect the copyrights and licenses of others.

I think the XDA statement sums up the kernel end of things pretty well.

The Android build system, in the case of the OS and applications, goes through and captures the copyrights and/or licenses of the constituent parts and includes them. Consideration of the copyrights and licenses of the packages should be a part of any distribution. Thankfully, there are licenses other than the GPL series, yet most of them require that the copyright statement, the license, and the limitation on liability be distributed in some manner with the source and/or object form.

It's not rocket science to be reasonably compliant.

2 Likes

After the LEDE split they had the build system generate a file that states the config used in that current compilation, in your example you see a "config.seed" file which contains that. Just take it and place it in a fresh OpenWrt buildsystem as .config and you will build an identical firmware image.

If someone added patches to the OpenWrt codebase, then this stuff has to be available too, (easiest way is to have them in their github fork).

Everything else is taken as-is from release tarballs and can be traced back easily if you look at each package's makefile where this is stated.

I'd be OK with requiring that projects posted within the forums must either provide this config.seed if just using different options, or link to a github repo (or other source repo) if they have custom patches not merged with OpenWrt.

1 Like
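Added example (not part of any post in this thread, and not OpenWrt project tooling): a shell function that archives the pieces the post above names, plus the exact commit and the `dl/` tarballs fetched by `make download`. It assumes the buildroot is a git checkout; `snapshot_sources` and the archive layout are hypothetical names.

```shell
#!/bin/sh
# Added example: archive what is needed to rebuild a distributed OpenWrt image.
# Assumptions: the buildroot is a git checkout holding .config, feeds.conf(.default)
# and dl/. snapshot_sources and the archive layout are hypothetical names.

snapshot_sources() {
    buildroot=$1
    out=$2
    [ -f "$buildroot/.config" ] || { echo "no .config in $buildroot" >&2; return 1; }
    # Exact commit the tree is based on; fails if this is not a git checkout.
    commit=$(git -C "$buildroot" rev-parse HEAD 2>/dev/null) ||
        { echo "cannot resolve HEAD in $buildroot" >&2; return 1; }
    stage=$(mktemp -d) || return 1
    printf '%s\n' "$commit" > "$stage/COMMIT"

    # Local edits to tracked files, as a patch against that commit.
    git -C "$buildroot" diff --binary HEAD > "$stage/local-changes.patch"

    # New files (added patches, custom packages) never show up in the diff,
    # so copy every untracked, non-ignored file. Names with newlines unsupported.
    git -C "$buildroot" ls-files --others --exclude-standard |
    while IFS= read -r f; do
        mkdir -p "$stage/untracked/$(dirname "$f")"
        cp "$buildroot/$f" "$stage/untracked/$f"
    done

    # Build configuration and feed definitions.
    cp "$buildroot/.config" "$stage/config"
    for f in feeds.conf feeds.conf.default; do
        if [ -f "$buildroot/$f" ]; then cp "$buildroot/$f" "$stage/$f"; fi
    done

    # Upstream source tarballs already fetched by `make download`.
    if [ -d "$buildroot/dl" ]; then cp -R "$buildroot/dl" "$stage/dl"; fi

    tar -czf "$out" -C "$stage" . && rm -rf "$stage"
}
```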

jeff is technically right, GPL isn't applied only when it is convenient to you (i.e. only when you want to get code off OEMs)

1 Like

I am not a lawyer, but as far as I know, the person distributing the binaries is under the obligation to provide the source code only when somebody who received such binaries asks for them.

Did you try asking for the sources?

A quick examination of the licenses involved will show that there are several proactive steps that need to be taken, including, but not limited to, the method of release of source and toolchain under GPL-style licensing.

Some examples are linked below

https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html

https://www.gnu.org/licenses/gpl.html

https://opensource.org/licenses/BSD-2-Clause

https://www.apache.org/licenses/LICENSE-2.0

1 Like

From GPL v2:

 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, 
    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, 
    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) 

So 3c doesn't apply unless you're distributing object code noncommercially. If you're distributing something else, you have to personally ensure that you can provide the actual code you used for 3 years. It's not sufficient to say "gee I guess I could always go get another copy of the code from OpenWRT some day if I needed to" because: they might not have that version any more, and they might not even exist anymore.

Safest thing is tar up all your code and stick it in an archive somewhere.

2 Likes

Now, if that is your GitHub site (and thus you are distributing LEDE / OpenWrt binaries), do these builds carry any modifications from the official LEDE / OpenWrt releases? Is the source code for those modifications available anywhere? I think that would put an end to the issue being discussed here.

2 Likes

Who forced anyone to download/use this person's OpenWRT binaries???

Also recall you said:

Please explain how making a link or posting a binary online puts him in violation???

One could reasonably assume he posted the link for his own use...not yours (or anyone else's). Also...I understand we do the following to make an OpenWRT binary:

  • We install the OpenWRT SDK
  • Configure the SDK
  • The SDK DOWNLOADS SOURCE CODE FROM openwrt.org and elsewhere
  • It parses the packages directory for any custom software not available in OpenWRT's repositories (WWW and local)
  • It is compiled...

Please recall, in most cases, we are merely compiling unaltered source code from the OpenWRT site.

I surmise, at this point, it would be safest to TAR the full build directory...but I honestly think only his final SDK config/feeds/etc. files are all that's truly needed.

Posting anyone's Github as an "example" (whether the person is identified or not) was a mistake on your part.

As @dlakelan has already highlighted, GPLv2 requires you to

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

clause (c) only applies "only if you received the program in object code or executable form with such an offer, in accord with Subsection b above."

Further, let's look at the licensing of a BSD component, that is very likely present, hostapd and wpa_supplicant

From README of that source distribution:

License
-------

This software may be distributed, used, and modified under the terms of
BSD license:

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

3. Neither the name(s) of the above-listed copyright holder(s) nor the
   names of its contributors may be used to endorse or promote products
   derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Section (2) there clearly calls out that the license be provided in conjunction with the binary distribution. This is common with the non-GPL-style licenses, under which many of the packages are contributed.

While many package-based OSes include the license in the packages and install it with the package, this is not the case in OpenWRT. Android handles this by collecting all the licenses and installing them on the ROM, typically as system/etc/NOTICE.html.gz. GPL isn't the only license that should be complied with.

There are more "challenges" such as the kernel config not being included in config.seed, the OpenWRT version string not always being reversible to a specific commit, the feeds changing with time (though the manifest does help with this), but these are above and beyond the failure to comply with the most basic requirements of the GPL licenses and the non-GPL licenses.

The Github reference was provided as a specific example, not a specific request. Thankfully the LEDE Project and, by inclusion, the OpenWRT Project already have https://forum.openwrt.org/tos#2 in place, which specifically speaks to either making available directly, or by linking, or any other means that

you have fully complied with any third-party licenses relating to the Content, and have done all things necessary to successfully pass through to end users any required terms;

Posting a link to a "bare" binary does not accomplish that.

What might this entail?

Again, I cannot provide legal advice, only a personal opinion of how I would address my reading of the licenses involved.

If you're building it for yourself and not transferring the object code to others, either by itself, or in a "flashed" device, as I read it for the licenses I have seen, you're using source code and not subject to the restrictions on the transfer of the code. You can "build" it any way you want for your personal use.

As soon as you offer to transfer the code or an image built from it, or a device flashed with it, there are additional restrictions.

TL;DR

At a high level, for all components in the distribution:

GPL-style

  • The license and copyright notices themselves
  • Complete source, including the "toolchain" and any "tainted" by the GPL, either directly or by explicit reference
  • A "prominent", dated notification of any modifications to the source, which includes the toolchain

BSD Style

  • The license and copyright notices themselves
  • For some licenses there are additional restrictions; "cause any modified files to carry prominent notices stating that You changed the files" and include the "NOTICE" file (Apache License, for example)

Other Styles

  • (Read the license)

In More Detail

The kernel itself, as I understand it, is under GPLv2. As I read that license, if I offer an object based on GPLv2 code (as defined by that license), I need to provide:

  • A copy of the License itself
  • "[...] the modified files to carry prominent notices stating that you changed the files and the date of any change."
  • The complete source code, including "all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable"

The GPLv2 talks about "offering access to copy from a designated place" which I take to mean designating that place sufficiently to allow a verbatim copy of the "source code" to be obtained, such as the specific git commit from which the code was taken. It also includes all config files for the component, such as the kernel config.

There are also clauses around if the program "normally reads commands interactively when run", which I interpret not to include a router under "normal" operation.


Past the kernel, there are all the other components in the distribution, many of which are "packages" in OpenWRT.

Those that are GPLv2 licensed fall under the discussion above.

One class of licenses is reasonably unencumbered. These include, for example, the BSD and Apache licenses. While each license is different, they generally require a copy of the license to be delivered with the object.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

It is an open question of legal interpretation if supplying a reference to the original license is sufficient, or if the license, itself, needs to somehow accompany the distribution.

GPLv3 is something of a mess, but likely covers components in a binary distribution of OpenWRT. It is similar to GPLv2 but defines

The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities.

Just ban jeff already, jesus! Let's see if he takes it to court and uses my GitHub to single me out, unlike everyone else that's been posting their own builds on GitHub for years and this has never been an issue lol. I'm pretty sure he's probably downloaded and used them as well at some point.