Technicolor GPL Source Code Request

Hi!

First post :slight_smile:

I believe Technicolor's job of assembling the source code for their stuff is very large, for the simple reason that they not only have different versions and different hardware, but also different customers (ISPs) that have their own modifications.

There is a thread (in Swedish) on the Sweclockers forum discussing how "backdoors" (my words) are set up (via dropbear) for personnel from the ISP and possibly for Technicolor. This setup is clearly ISP specific. Interesting stuff with GDPR in full swing.

The most interesting posts:

Sorry if I mention something that is already common knowledge. The thread I mention is about TG799vacXTREAM, which is on Zen96's list of devices with unreleased source code.

2 Likes

@KAD First, I'm sorry, but I do not understand Swedish, but I think I got your reasoning anyway.
You are not completely wrong, however you must take into account that:

-An exploit that allows a user to get root access for several of these devices is known and has been published on the Internet

-At least in some Technicolor devices including the TG789vac v2, the TR-069 (remote control and update by ISPs) credentials and control server address can be easily found once you have a root shell. They are in a plain text file in the device's file system. The "remote control" functionality can be completely removed by deleting an executable file (cwmpd, IIRC) that starts the daemon/service that connects to the ISP, and deleting a few rows in a configuration file (that become useless anyway once cwmpd is deleted). I have done it myself even without the sources (I do not want to brag, and I am not the one who discovered this, but it is true).

-Some less security-concerned modem manufacturers even leave an SSH (or even freaking Telnet) shell open on the outside. Thousands of modems distributed by Wind (Italian ISP) were recently remotely bricked by an individual who discovered the password and wrote zeroes to the devices' flash memory and then rebooted them, leaving them in an unusable state. That is easy to disable too, just delete the user who can remotely access the device from the appropriate configuration file.

-As previously said, Technicolor shouldn't be having any difficulties in separating open source code from proprietary code, since they maintain detailed lists of which open source packages are used in each version of their software. These lists are published as PDFs on their website for anyone to see, so that is out of the question.

-Technicolor could have very well set up a build and version control system that is aware of the requirements of the GPL and allows them to quickly provide the required source code for any customized version of their software, even if they had hundreds of them.
In fact, the Software Freedom Law Center, that won several lawsuits for GPL violations, clearly highlights the importance of this point at https://www.softwarefreedom.org/resources/2008/compliance-guide.html

Some important quotes from that page:
"Knowing at all times what sources generated a given binary distribution is paramount"
and most importantly,
"Ensure that your developers are using revision control systems properly. Have them mark or tag the full source tree corresponding to builds distributed to customers. Finally, check that your developers store all parts of the software development in the revision control system, including readmes, build scripts, engineers’ notes, and documentation. Your developers will also benefit from a system that tracks the precise version of source that corresponds to any deployed binary."
This might require a little more effort on a company's part, but it's not rocket science. In fact, that page is from ten years ago.

-Technicolor is not a small software house. They sell millions of devices worldwide, and have at least hundreds of employees, so it's not like their only system administrator is on vacation and therefore my request cannot be satisfied until he's back.

@Ansuel also said that they sent him some source code, but it was missing several crucial GPLv2'd kernel modules (I verified it myself), and they completely cut contact after he told them they had made a mistake. This is not, on its own, proof that their actions are made in bad faith, but it surely doesn't make them look honest.

-Disorganization on their part is not an excuse. Imagine if the police sent you a fine to be paid in 30 days, or else they will impound your car. Let's say you do not pay in time and do not appeal it, on the 31st day the police tows your car away. You go to court and tell the judge that you didn't pay because you were busy and your house is a mess, even though you are very rich. The judge will laugh at you.

-Finally, taking two months to send the code would be unreasonable even if they were using Dropbox as their "version control system" and a guy on a bicycle as a means to deliver the code to me.

So, Technicolor could very well have complied quickly, and it is totally their fault for not doing so. What you said could justify a delay of two weeks, even a month if you're particularly generous.

@bluewavenet Technicolor indeed uses a modified version of OpenWrt. They declare that explicitly in the Open Source section in their website, where they list every open source/free software that is used in their modem/routers, where they also declare that such code is available for free upon request, so that is out of the question. Also, they must have modified it, as it currently doesn't run "unmodified" on their above mentioned device.

The use of proprietary code along with OpenWRT (or any GPL code) is permitted
only as long as such proprietary code is separate from OpenWRT code. For
example, a web interface that is not based on Luci could be proprietary and
used on top of OpenWrt (although, in this specific case, Technicolor's web GUI
is open source, according to themselves).

The GPL on the kernel does not affect anything running in userspace. If you have
proprietary code that uses standard system calls to interact with GPL code, you
don't need to release your code.

Linux kernel modules can be proprietary too (see for example xDSL drivers by
Broadcom), at least according to Linus Torvalds' interpretation of the GPL.

Actually, what Linus said is that if a chunk of code was written independently
from Linux (such as filesystems that existed before Linux existed, or video card
drivers that were written for Windows) it cannot be derived from the Linux kernel.

@dlang I was not, at least in this specific case, concerned with any userspace programs (although most of those used in Technicolor devices, such as Samba, are GPL'd anyway).
However, by "separate" I meant userspace programs, so I agree with you. Sorry if I was not clear enough, English is not my first language.

About the kernel module licensing, while Linus in fact said that, he also later said:

"Essentially, the kernel module interface is a "library" interface to the kernel, and kernel modules are considered to be under the GNU Library license. In fact, due to the way kernel modules work, you automatically do it according to the LGPL, so this isn't explicitly stated anywhere, but that's the way you should think about this.
Another way to look at this — using the legal rather than the moral viewpoint — is to just see module loading as "use" of the kernel, rather than as linking against it."

While I, too, think that's a questionable interpretation of the GPL, I am just a computer science student and I do not want to argue in any way that I know better than Linus.

Furthermore, if what you said was true, Broadcom, Ralink and others would have been in violation of the GPL for years, since their xDSL driver (that is a loadable kernel module) used in all modems that use their chipsets, is proprietary. Such driver was clearly written with Linux in mind and nobody seems to have questioned these companies about it.

However, even assuming that kernel modules code can be proprietary, that would still be irrelevant to my case, since Technicolor stated that the kernel modules I am looking for (for example, kmod-ripdrv) are under GPLv2.

It's not just their OpenWRT modems.

The Technicolor TC4350 is a basic DOCSIS 3 modem that my ISP (TekSavvy) sold me. It runs Linux 3.12.14, BusyBox, uClibc 0.9.33.2, U-Boot, net-snmp, OpenSSL 0.9.8ze, and a few other things, with various patches. It seems similar to the Netgear CM700, and it seems to use a similar toolchain to the Arris SB6150: it isn't OpenWRT, but rather something based on the Intel Puma6 toolchain, some Texas Instruments SDK, and some modifications by Arris (or Technicolor in the case of my modem).

The TC4350 came with no written notice; I only found out when I dumped the flash.

The filesystem image is dated Feb 2017, so their "valid for at least 3 years" obligations haven't expired, and I imagine they're also violating OpenSSL's license.

Frustratingly, of the 3 modem manufacturers I've mentioned, Arris is the only one whose source release actually builds. Even Netgear's "GPL source release" for the CM700 is particularly shoddy---several links just point to "GPL.rar", which doesn't contain any build scripts. (Didn't Netgear just settle a GPL enforcement action a few years ago? :angry:)

Could someone send me the contact info for Technicolor, ideally including that person in their legal department who's handling this? I'd like to put in a formal request and see what happens.

3 Likes

I understand you want them to honor the GPL license. But even if you manage. Then what? I assume the idea is to update/upgrade/modify their firmware to something you want/like. Will that in turn not violate their rights (or at least the warranty like discussed here: Get hardware warranty on device w/ LEDE f/w)?

@drbrains this will not violate "their rights". What rights, by the way? I can run any software on it, unless it's pirated or it's specifically meant to disrupt the telephone network (at least here, that would be a felony).

Of course, using a modified firmware voids the warranty, that is true, however the warranty period is about to end anyway, so I don't care.
Also, Technicolor can not be held liable if a device they made malfunctions, breaks down, catches fire or anything like that because it was using a custom-built firmware. I am aware of that, but that doesn't prevent me from using a custom firmware anyway.

Furthermore, I live in Italy and I am not aware of any laws that prevent me from writing whatever I want on the flash memory of any device I own.
This cannot be considered software piracy under any circumstances, as the modified firmware would only contain non-proprietary software.

2 Likes

Warranty is in most cases out. Only a few manufacturers (not only modems) out there really accept firmware modifications. Country of origin is important too. For a positive example: OnePlus.

About their rights: If he doesn't use the proprietary code from those kernel modules, he will be fine. The rest is under GPL and can be freely used.

2 Likes

Just an update: I received a link to download an archive that contained several source code files, however they were for the wrong modem/router model; they were meant for the TG799vac sold by Telia (Swedish ISP) instead of for the TG789vac v2 as I requested, so they are useless to me.
The build instructions were unhelpful, too. There seems to be no main Makefile, no INSTALL file, no build script or anything similar, and the only text file included just says what dependencies are needed and what toolchain to use.
I asked them to correct the mistake as soon as possible and I told them that this is not a proper way to comply with a user's GPL request.

If anyone wants to get this source code archive anyway (for example, I see that the TG799vac is sold in Australia as the "Telstra Gateway Max") please send me a private message.

2 Likes

@KAD You might want to get the code I received, as it seems to be meant for a Swedish ISP (Telia). Send me a message if you are interested.

I sent you a private message regarding this. I hope you have better luck than me.

Regarding the archive, some files have a license header that states:

Unless you and Broadcom execute a separate written software license
agreement governing use of this software, this software is licensed
to you under the terms of the GNU General Public License version 2
(the "GPL"), available at http://www.broadcom.com/licenses/GPLv2.php,
with the following added to such license:

As a special exception, the copyright holders of this software give
you permission to link this software with independent modules, and
to copy and distribute the resulting executable under terms of your
choice, provided that you also meet, for each linked independent
module, the terms and conditions of the license of that module.
An independent module is a module which is not derived from this
software. The special exception does not apply to any modifications
of the software.

Not withstanding the above, under no circumstances may you combine
this software in any way with any other Broadcom software provided
under a license other than the GPL, without Broadcom's express prior
written consent.

I did not sign any NDA or other written agreement to do anything, neither with Technicolor, nor with Broadcom. Does this, therefore, mean that those files are under the GPLv2 with the above "special exception"?

Also, some files appear to mistakenly have a "this is proprietary software" header despite the fact that they are a part of Linux kernel modules that are clearly licensed as GPLv2 as a whole (they contain the MODULE_LICENSE("GPL") statement, and PDFs available on Technicolor's website state that such modules are licensed under the GPLv2). Can I safely ignore that?

Regrettably, this is not a legal forum with specialty in copyright law.

You have stated "fact" in that you have not executed a "separate written software license" ("NDA" has nothing to do with that term of the agreement). You should be aware that linking GPL code to non-GPL code may violate the license of the non-GPL code. Distributing such an amalgam is even more challenging.

As I understand the language, and not as a licensed lawyer, "this proprietary software" means just that, unless described in the terms of a license agreement. From https://www.merriam-webster.com/dictionary/proprietary

proprietary -- something that is used, produced, or marketed under exclusive legal right of the inventor or maker; specifically : a drug (such as a patent medicine) that is protected by secrecy, patent, or copyright against free competition as to name, product, composition, or process of manufacture

In many legal agreements, it is important to identify what is considered proprietary. Doing so allows it to be referenced by other legal agreements, such as NDAs and licensing agreements. Even without a specific agreement applying to a specific bit of information, many companies make it standard practice to identify what information they consider to be "proprietary", "confidential", or the like.

Edit: Something can be considered "proprietary" and still be licensed under GPL. "It's ours, we own it, and grant you specific legal rights to it under the GPL."

1 Like

I agree with Jeff:

Nor am I actively licensed, and what I can speak authoritatively on, is not copyright law, especially relating to software.

I can say this...about this part:

...if your device is Broadcom, that's exactly why those chips are not fully-supported with Open Source firmware projects (with the exception of DD-WRT, who is thought to have signed an NDA to provide the "proprietary" module, i.e. a full driver with things like 40+ MHz bandwidth activated).

This literally even prevents you from copying the drivers from routers with comparable CPU/Architecture/Kernel and simply pasting them into the correct locations (unless it's for research, scholarship or some other excluded purpose, of course).

Thanks @lleachii and @jeff for your insights.

Licensing doubts aside, Technicolor has not yet complied with my original request.
I was told that they contribute to odhcpd, netifd and other projects linked to OpenWRT, but that still doesn't excuse their shameful behaviour.

1 Like

@zen96 If/when you decide to lodge a formal complaint with the organization that manages OpenWRT licensing, I would be very clear on what you have requested from Technicolor, how they have responded, and which specific sections of the GPL and other licenses that you believe they have violated, and why.

1 Like

@jeff I will surely include those details. I have already lodged a formal complaint, containing such details and even an nmap scan, with the Software Freedom Conservancy, that manages Samba and BusyBox licensing, since these two softwares are being used in these devices too.
I was told that they will try to contact Technicolor to discuss the issue, but they said they have a long backlog of GPL violations and don't know when they could actually do so.

I only recently discovered that OpenWRT licensing might be managed by "Software in the Public Interest, Inc.". I say "might" because the OpenWRT wiki is not very clear on what SPI's exact responsibilities are.

Except for the fact that the leaflet in the modem is vague (it doesn't even mention the GPL specifically) and contains wrong information on how to get the sources, the main violation is that Technicolor failed to provide the correct sources in a reasonable time (two months).

1 Like

Anyway, I checked the source code and again... they are providing half the code and violate the GPL license totally...

The code lacks crucial parts...

1 Like

Yeah, the build "instructions" are useless, they list the dependencies needed for compilation and the name of the toolchain used, but not a single line on how to actually build anything.
The build scripts seem to be missing altogether, as there is no main Makefile or shell script or anything like that, just some Makefiles for single apps/modules, that obviously are useless on their own. The web interface seems to be missing too, despite Technicolor itself stating that it is open source.

@Ansuel Is anything else missing? I only looked at it quickly, since it was obviously not what I asked for, and so I was not particularly interested in it.

There are some files that have includes (like otp.h) but the include file is not present at all...

They assembled the files wrong or they clearly omitted some of them, as this type of module is a bit critical and I think they are trying to hide something very very important...
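
The two gaps reported in the thread (a header such as otp.h that is included but not shipped, and a file carrying a "proprietary" header inside a module that declares MODULE_LICENSE("GPL")) can be checked mechanically on any source drop. The sketch below is an added example, not part of any post and not Technicolor's or OpenWrt's code; `audit_tree`, `build_sample_tree` and the sample files are hypothetical names and constructed data.

```python
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*#\s*include\s+"([^"]+)"', re.MULTILINE)
GPL_MODULE_RE = re.compile(r'MODULE_LICENSE\s*\(\s*"[^"]*GPL[^"]*"\s*\)')


def audit_tree(root):
    """Return (missing_includes, license_conflicts) for a source drop."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root)
             for f in fs if f.endswith(('.c', '.h'))]
    # Include search paths are unknown without the build scripts, so a header
    # counts as present if a file with that basename exists anywhere in the tree.
    present = {os.path.basename(p) for p in paths}
    missing, conflicts = [], []
    for path in paths:
        with open(path, encoding='utf-8', errors='replace') as fh:
            text = fh.read()
        rel = os.path.relpath(path, root).replace(os.sep, '/')
        for header in INCLUDE_RE.findall(text):
            if os.path.basename(header) not in present:
                missing.append((rel, header))
        # Treat the first 2 KiB as the license header of the file.
        if GPL_MODULE_RE.search(text) and 'proprietary' in text[:2048].lower():
            conflicts.append(rel)
    return sorted(missing), sorted(conflicts)


def build_sample_tree():
    """Constructed sample tree; not the archive discussed in the thread."""
    root = tempfile.mkdtemp(prefix='gpl_audit_')
    files = {
        'drv/main.c': '/* This is proprietary software of Example Corp. */\n'
                      '#include "otp.h"\n#include "regs.h"\n'
                      'MODULE_LICENSE("GPL");\n',
        'drv/regs.h': '/* GPLv2 */\n#define REG_BASE 0x1000\n',
        'drv/util.c': '/* GPLv2 */\n#include "regs.h"\n#include <linux/module.h>\n',
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    missing, conflicts = audit_tree(build_sample_tree())
    print('missing headers:', missing)
    print('license conflicts:', conflicts)
```

Angle-bracket includes are skipped on purpose, since kernel and toolchain headers are expected to come from outside the drop; the resulting list of unresolved quoted headers and conflicting files is the kind of specific evidence a compliance complaint can cite.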