Request for sources legit?

There is a commercial corp, also offering the service to manage hotspots based on custom OpenWrt firmware images, to be downloaded from the corporation's web site.
Of course, this image will also contain custom shell scripts, maybe even custom C code.
Is it legit to request the source code for such an image?

All the details are here in the license.

There are lots of commercial products that are based on OpenWrt. It is legit for them to use and/or customize the code, provided that they adhere to the terms of the license.

2 Likes

If I understand correctly, they don't need to provide the source until you get the binary.
But any client with the binary is eligible to request the source and make it public.

1 Like

They only have to provide the sources for code "derived" from open source code: they can develop some program from scratch, distribute the binary on the image, and have no legal obligation to release the sources.

1 Like

"derived from open source code" still is too vague for me. Let's have an example:
In case I do a "standard" custom build, i.e. for the WE826 from ZBT, using the default "make menuconfig" with the following mods: I drop the openwrt-firewall (unselect Base system - firewall), provide my own, basic files/etc/iptables.sh and edit files/etc/rc.local to call iptables.sh, which contains standard iptables rules.
Now I do the build, and distribute the final image.
Question: Upon request, which files to provide?
(.config, files/etc/iptables.sh, files/etc/rc.local) or complete build environment, or what?

The only answer to this would be reading the (individual!) licenses and then asking a lawyer specialized in intellectual property legislation in your jurisdiction.

If you look at Oracle vs Google about Java usage in Android, determining what is a derived work and what are public APIs isn't trivial.

1 Like

The manufacturer might ignore your requests, like Huawei do....

1 Like

Yes, it's vague, it's so vague companies have spent (literally) millions on disputes that have lasted for ages:

A derivative of open source code is when you take a program, make modifications to the source code, and make a different or at least modified program.

You are not modifying any source code, you are adding your own stuff. The only "source" you are changing is the rc.local configuration file in the build system default (if you change the default in the build system; if you include external files through the /files folder, for example, then you are not modifying the build system source).

So you are not legally obligated to disclose your custom iptables.sh, although it's a plaintext script so it's technically not hard to just look and see what you did in it, then do the same. You can't copyright or make a "closed source" list of iptables commands anyway, because that's just command-line commands to another program.

A more interesting example is let's say you do like GL.iNet and replace the web interface with your own (better/cooler/whatever) one. That's a separate package and can have its own license. In case someone is asking for a disclosure you can just point to a repo where you have the base OpenWrt firmware (where you modified the OpenWrt source code to actually support your device, since you must modify source code and build system to do this), while your proprietary web interface packages are not disclosed and in a private repo. Which is afaik what GL.iNet does.

1 Like

It's not THAT vague. SCO has been trolling and got slammed multiple times, they just refuse to back down.

On OpenWrt each package or component has its own license, and also the build system as a whole has a license (which is GPLv2 as stated in the Readme).

So if you modify a package's source code you must follow that software's original license (the package makefiles usually state what license they have), and if you modify the build system you must follow the build system's license.

Changing configuration is not a modification and does not change the license.

Adding custom packages is "derivative" work only as far as the package makefile is concerned. The actual software that is packaged can be proprietary as well and it's safe from forced disclosure.

This is a dispute about program API names, which has nothing to do with open source. That is a copyright case, and Oracle is being its usual evil greedy trash bag self.

1 Like

While I agree with both points, what I wanted to explain is that these questions should be answered by a lawyer, not by random users from an internet forum.

1 Like

The fact that the "final word" must be said by a lawyer does not mean that nobody else can tell him how it is in theory by just looking at the license and how the project is made. FOSS licenses aren't hard to understand, and regardless of what the license says, lawyers always come up with random bs in court while trying to win a case in front of a judge that is probably not well-educated about software development.

You all already told him multiple times to get a lawyer so I figured it was enough disclaimers and I could give my answer.

Bonus fact: ignorance cuts both ways, it's entirely possible that if you are strong or persistent enough (and look official enough, there are enough organizations that can help you enforce or at least make your FOSS source code requests look "official") you can get them to cave in and give you access to sources anyway, like what happened for the Quectel modem OEM when people started requesting the source (from page 15 onwards in these slides).

(from the wiki of this FOSS/reverse-engineering modem firmware project https://projects.osmocom.org/projects/quectel-modems/wiki )

1 Like