Discussion:
Mikrotik source
André Machado
2008-02-17 01:29:07 UTC
Permalink
Hi everybody.
I am trying to find the source code of RouterOS (Mikrotik) but can't get any information about it... does somebody know?
mr
2008-02-17 10:13:45 UTC
Permalink
No, not without further information. What makes you think it's running
Linux? What router is it? (please give a link to the product page). If
it's running Linux, have you asked them for the source code?

Regards,

Alan
Post by André Machado
Hi everybody.
I am trying to find the source code of RouterOS (Mikrotik) but can't get any
information about it... does somebody know?
Florian Fainelli
2008-02-17 15:17:55 UTC
Permalink
Hi,

Mikrotik RouterOS uses a Linux kernel modified to run on their hardware, and
runs a CLI as the user-space binary you are invited to use.

Source code of the RB500/RB100/RB300 can be found here:
http://www.routerboard.com/files/linux-2.4.31.zip

Support for the other boards is also available, but I cannot find the
source code right now.
Post by André Machado
Hi everybody.
I am trying to find the source code of RouterOS (Mikrotik) but can't get any
information about it... does somebody know?
--
Regards, Florian Fainelli
------------------------------
Sebastian Gottschall
2008-02-18 11:42:04 UTC
Permalink
Post by Florian Fainelli
Hi,
Mikrotik RouterOS uses a Linux kernel modified to run on their hardware, and
runs a CLI as the user-space binary you are invited to use.
http://www.routerboard.com/files/linux-2.4.31.zip
Support for the other boards is also available, but I cannot find the
source code right now.
I don't think that the support for the other boards is available.
Post by Florian Fainelli
Post by André Machado
Hi everybody.
I am trying to find the source code of RouterOS (Mikrotik) but can't get any
information about it... does somebody know?
Bradley M. Kuhn
2014-03-05 22:17:58 UTC
Permalink
..I disagree, once you have the _complete_ recipe, with correct compiler
versions, settings, time stamps etc thrown in, you will be able to prove
all your correct checksums etc in GPL compliance cases. _No_ need to back
off here.
I just don't think "scripts used to control compilation and installation of
the executable" requires that you get a byte-for-byte identical binary.

I don't have any objection to asking for byte-by-byte perfection, but I
don't think GPL demands it. Generally speaking, GPL instead demands that
a reasonably knowledgeable developer/build-engineer can follow the
instructions from the distributor to generate a binary from source
that will build, install and run in the same manner that the distributed
GPL binary installs and runs.
..but we should suggest a proper way to do this, so people like Mikrotik
can properly document their checksums and the proper way to verify their
checksums and GPL etc compliance.
There have been some ideas floated, most notably by Ed Warnicke, of
how we might be able to encode checksums of the source in binaries without
taking up too much space. I think these mechanisms should be studied, built,
and encouraged. I've even urged groups like SPDX to focus on this sort
of thing, as it would be much more useful than the current projects
they're doing.
Leave these long tall sweaty tSCOG-like stories on why-it-failed to the
offenders.
I'm not sure this attitude helps our problems with failed compliance. We
have a world filled with hundreds of GPL violators who are refusing to give
us adequate CCS for their GPL'd binaries. While I sympathize more than you
can probably imagine with your sentiment, I'm not sure how mere posturing and
demanding something that we'd "like to have" will get them to comply with the
GPL.

-- bkuhn
Kern Sibbald
2014-03-06 12:03:04 UTC
Permalink
Hello,

I am the project manager for the open source Bacula project, and I have
been a bit surprised by recent emails talking about checksumming
binaries. My experience is that you cannot simply apply a checksum to a
binary and compare it to another binary to determine if the code is the
same. Having long ago written a linker, this seems to me obvious since
the compiling and linking process can write out bytes that come from
uninitialized memory, which means there are certain areas of binaries
that will be random, unless you have compilers and linkers that
methodically clear all static memory that is not initialized. In
addition, although the binary is likely to be constructed of the various
object files in the same order each time, this is not 100% guaranteed
especially if a linker uses multiple threads to find and pull together
the object files needed to build the binary.

As a test this morning, I produced 16 Windows binaries as released by the
Bacula project. They are built on a Linux machine (Ubuntu 12.04) using
cross-compiling primarily with GNU g++. After producing the binaries, I
took the "md5sum" of each of the files. I then re-ran the exact same
build script with no changes made in anything since the first binaries
and produced a second set of binaries. Not surprisingly, the md5sums of
the second set of binaries do not match those of the first set.

My conclusion is that any attempt to checksum binaries for determining
if they come from the same source code will be very difficult to get right.

Best regards,
Kern Sibbald
Bacula Project Manager
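Added example, not part of the original message: when two builds of the same source hash differently, as in the test above, listing the byte ranges that differ shows whether the variation stays inside fields expected to vary or reaches the code. The image layout, the volatile windows and all three builds are constructed for this example and do not come from Bacula's binaries.

```python
import hashlib
import struct

# Constructed layout (an assumption, not a real executable format):
# 8-byte magic | 4-byte build timestamp | 40 bytes of code | 12 bytes of padding
VOLATILE = [(8, 12), (52, 64)]   # windows expected to vary from build to build
CODE = b"\x55\x89\xe5\x5d\xc3" * 8


def make_image(timestamp, padding, code=CODE):
    """Assemble one constructed 64-byte 'binary' in the layout above."""
    return b"DEMOIMG\x00" + struct.pack("<I", timestamp) + code + padding


def diff_ranges(a, b, gap=4):
    """Byte ranges [start, end) where two equal-length images differ.

    Differences separated by at most `gap` identical bytes are merged so a
    single varying field is reported once.
    """
    if len(a) != len(b):
        raise ValueError("images differ in length; compare them section by section")
    ranges = []
    for i in range(len(a)):
        if a[i] != b[i]:
            if ranges and i - ranges[-1][1] <= gap:
                ranges[-1][1] = i + 1
            else:
                ranges.append([i, i + 1])
    return [(start, end) for start, end in ranges]


def outside(ranges, allowed):
    """Differing ranges that are not fully inside an allowed window."""
    return [(s, e) for s, e in ranges
            if not any(lo <= s and e <= hi for lo, hi in allowed)]


def masked_sha256(image, windows):
    """SHA-256 of the image with the given windows zeroed out."""
    buf = bytearray(image)
    for start, end in windows:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()


def compare_builds(a, b, volatile=VOLATILE):
    """Whole-file result plus where the builds differ and whether it matters."""
    ranges = diff_ranges(a, b)
    return {
        "whole_file_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "ranges": ranges,
        "unexpected": outside(ranges, volatile),
        "stable_equal": masked_sha256(a, volatile) == masked_sha256(b, volatile),
    }


# Constructed builds: BUILD_2 is a rebuild an hour later with different padding
# bytes; PATCHED additionally has two code bytes changed.
BUILD_1 = make_image(1394100000, bytes(12))
BUILD_2 = make_image(1394103600, bytes.fromhex("a713009c410000ee027f0051"))
PATCHED = make_image(1394103600, bytes(12), CODE[:20] + b"\x90\x90" + CODE[22:])

if __name__ == "__main__":
    for label, other in (("rebuild", BUILD_2), ("patched", PATCHED)):
        print(label, compare_builds(BUILD_1, other))
```

A masked comparison only shows that the builds agree outside the masked windows, so the list of windows has to be justified field by field.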
Arnt Karlsen
2014-03-07 00:32:07 UTC
Permalink
On Thu, 06 Mar 2014 13:03:04 +0100, Kern wrote in message
Post by Kern Sibbald
Hello,
I am the project manager for the open source Bacula project, and I
have been a bit surprised by recent emails talking about checksumming
binaries. My experience is that you cannot simply apply a checksum
to a binary and compare it to another binary to determine if the code
is the same. Having long ago written a linker, this seems to me
obvious since the compiling and linking process can write out bytes
that come from uninitialized memory, which means there are certain
areas of binaries that will be random, unless you have compilers and
linkers that methodically clear all static memory that is not
initialized. In addition, although the binary is likely to be
constructed of the various object files in the same order each time,
this is not 100% guaranteed especially if a linker uses multiple
threads to find and pull together the object files needed to build
the binary.
..we agree checksumming requires more work to come up with a standard
way to prove GPL etc compliance, and we agree "it can not be done
easily right now", and we disagree "on whether it can be done at all."

..and my guess is such a standard way to prove GPL etc compliance in
front of jurors in courts, makes it easier to convince said jurors
that "such and such binaries match that source because the checksums
match the list in the source", than longwinded stories on "how very
difficult and complex it is to checksum 16 Windows binaries right"
in these modern times where computers are supposed to make hard tasks
easy, even for jurors. ;o)
Post by Kern Sibbald
As a test this morning, I produced 16 Windows binaries as released by
the Bacula project. They are built on a Linux machine (Ubuntu 12.04)
using cross-compiling primarily with GNU g++. After producing the
binaries, I took the "md5sum" of each of the files. I then re-ran the
exact same build script with no changes made in anything since the
first binaries and produced a second set of binaries. Not
surprisingly, the md5sums of the second set of binaries do not match
those of the first set.
My conclusion is that any attempt to checksum binaries for determining
if they come from the same source code will be very difficult to get right.
Best regards,
Kern Sibbald
Bacula Project Manager
..pity, you could have used this in your (secret?) lawsuit on Bareos.
Maybe Bareos can use this in their defense and countersuit? ;o)
http://www.baculasystems.com/blog/bacula-systems-sa-files-lawsuit-against-bareos-gmbh-co-kg
http://www.bareos.org/en/news/items/lawsuite-between-bacula-systems-sa-and-bareos-gmbh-co-kg-copy.html
--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
Kern Sibbald
2014-03-07 10:41:25 UTC
Permalink
Post by Arnt Karlsen
On Thu, 06 Mar 2014 13:03:04 +0100, Kern wrote in message
Post by Kern Sibbald
Hello,
I am the project manager for the open source Bacula project, and I
have been a bit surprised by recent emails talking about checksumming
binaries. My experience is that you cannot simply apply a checksum
to a binary and compare it to another binary to determine if the code
is the same. Having long ago written a linker, this seems to me
obvious since the compiling and linking process can write out bytes
that come from uninitialized memory, which means there are certain
areas of binaries that will be random, unless you have compilers and
linkers that methodically clear all static memory that is not
initialized. In addition, although the binary is likely to be
constructed of the various object files in the same order each time,
this is not 100% guaranteed especially if a linker uses multiple
threads to find and pull together the object files needed to build
the binary.
..we agree checksumming requires more work to come up with a standard
way to prove GPL etc compliance, and we agree "it can not be done
easily right now", and we disagree "on whether it can be done at all."
Sorry, I didn't mean to imply that checksums cannot be done, but
it will likely be difficult.
Post by Arnt Karlsen
..and my guess is such a standard way to prove GPL etc compliance in
front of jurors in courts, makes it easier to convince said jurors
that "such and such binaries match that source because the checksums
match the list in the source", than longwinded stories on "how very
difficult and complex it is to checksum 16 Windows binaries right"
in these modern times where computers are supposed to make hard tasks
easy, even for jurors. ;o)
I don't recall having said that taking checksums is difficult, since
I did it with one script command. Getting meaningfully comparable
checksums will probably not be easy.

Yes, I do tend to be longwinded, and to avoid being so
again, I will spare you the explanation :-)

Perhaps all this was obvious to you, but my main point is that from
the standpoint of an open source developer, what I am hearing on
this list about checksumming worries me that you are going in a
direction that could put more burden on developers not
just those who violate the GPL.
Post by Arnt Karlsen
Post by Kern Sibbald
As a test this morning, I produced 16 Windows binaries as released by
the Bacula project. They are built on a Linux machine (Ubuntu 12.04)
using cross-compiling primarily with GNU g++. After producing the
binaries, I took the "md5sum" of each of the files. I then re-ran the
exact same build script with no changes made in anything since the
first binaries and produced a second set of binaries. Not
surprisingly, the md5sums of the second set of binaries do not match
those of the first set.
My conclusion is that any attempt to checksum binaries for determining
if they come from the same source code will be very difficult to get right.
Best regards,
Kern Sibbald
Bacula Project Manager
My email was not meant to discuss my own problems, but since you
brought it up, here is my (shortened as much as I can)
response.
Post by Arnt Karlsen
..pity, you could have used this in your (secret?) lawsuit on Bareos.
Now, that is a very curious comment "secret?". I didn't know there
was anything secret about this lawsuit. It is documented on the
Bareos website, the bacula.org website, and the Bacula Systems
website.

The lawsuit is about alleged theft of proprietary code and unfair
competition. Bareos also violated the Bacula copyright license, held
by the FSFE and after working with the FSFE corrected the most
flagrant violations. However, it is my belief that they are still
violating the copyright in two senses, one the commercial
(not putting the copyright where it should be), two violating
basic author's rights. Since I am no longer the copyright owner,
I can only act concerning part two: author's rights. My own
personal view as an open source project manager is presented at:

http://blog.bacula.org

Warning, it is longwinded. (this comment not made with any
negative intention).

Checksums would not be of any use in this case.

Best regards,
Kern
Post by Arnt Karlsen
Maybe Bareos can use this in their defense and countersuit? ;o)
http://www.baculasystems.com/blog/bacula-systems-sa-files-lawsuit-against-bareos-gmbh-co-kg
http://www.bareos.org/en/news/items/lawsuite-between-bacula-systems-sa-and-bareos-gmbh-co-kg-copy.html
Arnt Karlsen
2014-03-07 12:13:24 UTC
Permalink
On Fri, 07 Mar 2014 11:41:25 +0100, Kern wrote in message
Post by Kern Sibbald
Post by Arnt Karlsen
On Thu, 06 Mar 2014 13:03:04 +0100, Kern wrote in message
Perhaps all this was obvious to you, but my main point is that from
the standpoint of an open source developer, what I am hearing on
this list about checksumming worries me that you are going in a
direction that could put more burden on developers not
just those who violate the GPL.
..having taken part in 11 years of Groklaw.net, I feel a wee bit of
short term agony on our part right now, will prevent another few
decades of frivolous litigation, once we have checksumming etc
frivolous lawsuit swatter tools in place in the courts.

..but we must make those tools available first.
Post by Kern Sibbald
Post by Arnt Karlsen
..pity, you could have used this in your (secret?) lawsuit on Bareos.
Now, that is a very curious comment "secret?". I didn't know there
was anything secret about this lawsuit. It is documented on the
Bareos website
...where they mention how they were not properly served... ;o)
Post by Kern Sibbald
The lawsuit is about alleged theft of proprietary code and unfair
competition. Bareos also violated the Bacula copyright license, held
by the FSFE and after working with the FSFE corrected the most
flagrant violations. However, it is my belief that they are still
violating the copyright in two senses, one the commercial
(not putting the copyright where it should be), two violating
basic author's rights. Since I am no longer the copyright owner,
I can only act concerning part two: author's rights. My own
http://blog.bacula.org
Warning, it is longwinded. (this comment not made with any
negative intention).
..indeed ;o), but messing around with copyright notices is
a "Big Mistake", even without that thick Austrian accent.

..the expensive part is in your allegations of "unfair competition",
this will be hard to prove cheaply either way, "The SCO Group" also
tried that, and failed, but your alleged facts look better founded,
and those are offtopic here, except as a litigation tactic.
Post by Kern Sibbald
Checksums would not be of any use in this case.
..read "checksums" as "tests the jurors can easily do themselves",
such easy tests would be useful if we had them now.
Post by Kern Sibbald
Best regards,
Kern
Post by Arnt Karlsen
Maybe Bareos can use this in their defense and countersuit? ;o)
http://www.baculasystems.com/blog/bacula-systems-sa-files-lawsuit-against-bareos-gmbh-co-kg
http://www.bareos.org/en/news/items/lawsuite-between-bacula-systems-sa-and-bareos-gmbh-co-kg-copy.html
--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
Kern Sibbald
2014-03-07 13:45:01 UTC
Permalink
Post by Arnt Karlsen
On Fri, 07 Mar 2014 11:41:25 +0100, Kern wrote in message
Post by Kern Sibbald
Post by Arnt Karlsen
On Thu, 06 Mar 2014 13:03:04 +0100, Kern wrote in message
Perhaps all this was obvious to you, but my main point is that from
the standpoint of an open source developer, what I am hearing on
this list about checksumming worries me that you are going in a
direction that could put more burden on developers not
just those who violate the GPL.
..having taken part in 11 years of Groklaw.net, I feel a wee bit of
short term agony on our part right now, will prevent another few
decades of frivolous litigation, once we have checksumming etc
frivolous lawsuit swatter tools in place in the courts.
..but we must make those tools available first.
Post by Kern Sibbald
Post by Arnt Karlsen
..pity, you could have used this in your (secret?) lawsuit on Bareos.
Now, that is a very curious comment "secret?". I didn't know there
was anything secret about this lawsuit. It is documented on the
Bareos website
...where they mention how they were not properly served... ;o)
OK, now I understand your comment.
Yes, Bareos posted this comment on their website shortly after
Bacula Systems announced the lawsuit. The facts are:
1. Bacula Systems doesn't do the formal notification,
it is the court, and that takes time. So Bareos
really should complain about the international judicial procedure.
2. Within a day or two Bareos hired a Swiss lawyer.
3. Within an hour of Bareos' contacting the Bacula Systems lawyer, he
received a courtesy copy directly from the Bacula Systems'
lawyer.
4. Bareos' lawyer with the case in hand then officially requested
a formal notification.
5. Based on the fact that the Bareos Swiss lawyer has *everything*,
the judge ruled that the notification was complete.
6. Bareos retains their comment on their website.
Post by Arnt Karlsen
Post by Kern Sibbald
The lawsuit is about alleged theft of proprietary code and unfair
competition. Bareos also violated the Bacula copyright license, held
by the FSFE and after working with the FSFE corrected the most
flagrant violations. However, it is my belief that they are still
violating the copyright in two senses, one the commercial
(not putting the copyright where it should be), two violating
basic author's rights. Since I am no longer the copyright owner,
I can only act concerning part two: author's rights. My own
http://blog.bacula.org
Warning, it is longwinded. (this comment not made with any
negative intention).
..indeed ;o), but messing around with copyright notices is
a "Big Mistake", even without that thick Austrian accent.
..the expensive part is in your allegations of "unfair competition",
this will be hard to prove cheaply either way, "The SCO Group" also
tried that, and failed, but your alleged facts look better founded,
and those are offtopic here, except as a litigation tactic.
Post by Kern Sibbald
Checksums would not be of any use in this case.
..read "checksums" as "tests the jurors can easily do themselves",
such easy tests would be useful if we had them now.
Yes, I agree that would be useful, and I will not complain if
you succeed in doing it.

However, permit me to suggest an alternative strategy that
might prove useful.

First my assumptions that may not be valid or may be hard to do:
1. Your goal is to make sure the "vendor" doesn't have any
additional functionality in his binary that is not present in the
distributed source code.
2. You can require the "vendor" to release the binaries with
debug symbols turned on or if they are stripped they must
be done in a way that they can be re-integrated as with rpm debug
packages.
3. You can require the *exact* build scripts that they used
to produce the binaries (i.e. which compiler, optimization options, ...).
4. Now at that point, one could (as a fairly big project) write a
program that
breaks the binary up into subroutines and puts them into some human
readable form (assembly language, or perhaps reconstructed C, C++).
Call it the "reconstructed source".

Now you can do a fairly high level comparison of the two programs on a
subroutine by subroutine basis (object file by object file or whatever) to
search and find any code that is included in the distributed binary that
is not in the distributed source. Comparing the "reconstructed source"
from the vendor's binary and a binary that you build, could also then
show up any major discrepancies or "code that was left out of the
distributed source".

Best regards,
Kern
Post by Arnt Karlsen
Post by Kern Sibbald
Best regards,
Kern
Post by Arnt Karlsen
Maybe Bareos can use this in their defense and countersuit? ;o)
http://www.baculasystems.com/blog/bacula-systems-sa-files-lawsuit-against-bareos-gmbh-co-kg
http://www.bareos.org/en/news/items/lawsuite-between-bacula-systems-sa-and-bareos-gmbh-co-kg-copy.html
Arnt Karlsen
2014-03-07 23:20:36 UTC
Permalink
On Fri, 07 Mar 2014 14:45:01 +0100, Kern wrote in message
Post by Kern Sibbald
Post by Arnt Karlsen
On Fri, 07 Mar 2014 11:41:25 +0100, Kern wrote in message
Post by Kern Sibbald
Post by Arnt Karlsen
On Thu, 06 Mar 2014 13:03:04 +0100, Kern wrote in message
5. Based on the fact that the Bareos Swiss lawyer has *everything*,
the judge ruled that the notification was complete.
6. Bareos retains their comment on their website.
..right, and you're both playing Crimean Standoff there. ;o)
Post by Kern Sibbald
Post by Arnt Karlsen
Post by Kern Sibbald
Checksums would not be of any use in this case.
..read "checksums" as "tests the jurors can easily do themselves",
such easy tests would be useful if we had them now.
Yes, I agree that would be useful, and I will not complain if
you succeed in doing it.
However, permit me to suggest an alternative strategy that
might prove useful.
1. Your goal is to make sure the "vendor" doesn't have any
additional functionality in his binary that is not present in the
distributed source code.
..or bugs, both functionality and bugs are features.
Post by Kern Sibbald
2. You can require the "vendor" to release the binaries with
debug symbols turned on or if they are stripped they must
be done in a way that they can be re-integrated as with rpm debug
packages.
..a better approach is have the gcc etc compiler folks solve this in
a way that keeps software vendors happy, and makes jurors etc happy.
E.g. by making checksum lists, settings etc, and compile logs, part
of the standard compilers default release settings.

..this would set up a nice trap on violators, "I found a binary
and checksummed it, do you have the source and the build recipe
(and the checksum list)?", where you the decent vendor responds
"Here: $url", and where the bad guys need to respond as promptly
with a slick story that starts with "Here: $url" and where said
url needs to have the source, checksums, build scripts etc etc
right (or "right") to produce "OK"s all the way down whenever
some dumb juror tries to check the stories he is being told.
Post by Kern Sibbald
3. You can require the *exact* build scripts that they used
to produce the binaries (i.e. which compiler, optimization
options, ...).
..yup.
Post by Kern Sibbald
4. Now at that point, one could (as a fairly big project) write a
program that breaks the binary up into subroutines and puts them into
some human readable form (assembly language, or perhaps reconstructed
C, C++). Call it the "reconstructed source".
..this I feel is moving towards forensics and investigations, useful,
but not what I feel jurors should be doing.

..jurors often struggle to understand whether or not and how "tech"
babble laced evidence matches the story each law shark tries to push
him or her to believe, and will want any easy test tool set to make
sure the stories they are told make good common sense to them.
Post by Kern Sibbald
Now you can do a fairly high level comparison of the two programs on a
subroutine by subroutine basis (object file by object file or
whatever) to search and find any code that is included in the
distributed binary that is not in the distributed source. Comparing
the "reconstructed source" from the vendor's binary and a binary that
you build, could also then show up any major discrepancies or "code
that was left out of the distributed source".
..yes, this is useful, but the teeth in the GPL come from copyright
law, which is decided upon by jurors and judges, if their tool sets
remain blunt, so will GPL's teeth.
Post by Kern Sibbald
Best regards,
Kern
--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
Armijn Hemel
2014-03-07 10:37:46 UTC
Permalink
Post by Arnt Karlsen
..we agree checksumming requires more work to come up with a standard
way to prove GPL etc compliance, and we agree "it can not be done
easily right now", and we disagree "on whether it can be done at all."
Getting checksums right every time is, as said, hard. But even if it is
possible there are some very valid use cases where this is not desirable
to have. There are compilers out there that vary the generated byte code
slightly with each compile to make it harder for attackers to compromise
programs and the binaries will have different checksums because of that.

There are other good ways to identify binaries and map them to source
code, at least in a way that it will be good enough for law suits (if
needed).

armijn
--
------------------------------------------------------------------------
***@gpl-violations.org || http://www.gpl-violations.org/
------------------------------------------------------------------------
Armijn Hemel
2014-03-08 12:20:04 UTC
Permalink
Post by Kern Sibbald
If you look carefully at my proposal, you will see that it facilitates
knowing where to make checksums without any compiler changes, which
means that it will work with any compiler and can be applied to the
binaries.
Finding out what *exactly* went into a binary is a complex problem. No
solution I have seen in the last 10 years gives perfect results and
depend on the build system behaving properly. I can tell you that this
is very often *not* the case. In consumer electronics binaries are
copied around after being built (and without source code so you cannot
verify). Libraries built with one system are used as binary components
in other build systems where the constraints of the first build system
might not apply (at the same time causing some pretty funky side effects
with the dynamic linker because dependencies no longer necessarily
match). Checksumming will only give you partial results and not 100%
accuracy that people on this list are talking about. This is why other
methods are, in my opinion, much more useful.

But, if you really want to work on it I suggest looking at Nix (
http://www.nixos.org/ ) first, since it already does a ton of
checksumming and where even small changes in the build environment are
taken into account. Good luck.

armijn
--
------------------------------------------------------------------------
***@gpl-violations.org || http://www.gpl-violations.org/
------------------------------------------------------------------------
Kern Sibbald
2014-03-08 11:46:16 UTC
Permalink
If you look carefully at my proposal, you will see that it facilitates
knowing where to make checksums without any compiler changes, which
means that it will work with any compiler and can be applied to the
binaries.

Kern
Post by Armijn Hemel
Post by Arnt Karlsen
..we agree checksumming requires more work to come up with a standard
way to prove GPL etc compliance, and we agree "it can not be done
easily right now", and we disagree "on whether it can be done at all."
Getting checksums right every time is, as said, hard. But even if it
is possible there are some very valid use cases where this is not
desirable to have. There are compilers out there that vary the
generated byte code slightly with each compile to make it harder for
attackers to compromise programs and the binaries will have different
checksums because of that.
There are other good ways to identify binaries and map them to source
code, at least in a way that it will be good enough for law suits (if
needed).
armijn
Jonathan Wilson
2014-03-06 12:18:37 UTC
Permalink
Post by Bradley M. Kuhn
There have been some ideas floated, most notably by Ed Warnicke, of
how we might be able to encode checksums of the source in binaries without
taking up too much space. I think these mechanisms should be studied, built,
and encouraged. I've even urged groups like SPDX to focus on this sort
of thing, as it would be much more useful than the current projects
they're doing.
Why not simply have the makefiles for the program in question do a shasum
of the source, put that checksum into some source file and have the file
linked into the binaries in a way that can easily be found. (e.g. you make
it so the binary contains some easy-to-find fixed string of bytes followed
by the shasum value)

Now some GPL violators will simply strip the feature out before shipping
but for those who don't, it will help in verifying that the source they
distribute matches the binaries.

Although I guess the question then becomes "what goes into the shasum"
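A sketch of the scheme proposed above, added here as an example and not code from the thread or from any project: the source checksum covers a sorted manifest of relative paths and file contents, which is one answer to "what goes into the shasum", and the generated stamp file is excluded from its own checksum. The marker string `SRC-SHA256:`, the file names and the stand-in binary bytes are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

MARKER = b"SRC-SHA256:"   # hypothetical marker string, chosen for this example
HEX = b"0123456789abcdef"


def source_digest(root, exclude=()):
    """SHA-256 over a sorted manifest of '<file sha256>  <relative path>' lines.

    Only paths and contents go in: no mtimes, owners or traversal order,
    so two checkouts of the same source give the same value.
    """
    manifest = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in exclude:
                continue
            with open(full, "rb") as fh:
                manifest.append((rel, hashlib.sha256(fh.read()).hexdigest()))
    outer = hashlib.sha256()
    for rel, digest in sorted(manifest):
        outer.update(f"{digest}  {rel}\n".encode("utf-8"))
    return outer.hexdigest()


def stamp_c_source(digest):
    """Text of the generated C file that a makefile rule would compile and link in."""
    return f'const char source_stamp[] = "{MARKER.decode()}{digest}";\n'


def extract_stamps(binary):
    """Return every well-formed digest that follows MARKER in the binary image."""
    stamps, pos = [], binary.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        candidate = binary[start:start + 64]
        if len(candidate) == 64 and all(c in HEX for c in candidate):
            stamps.append(candidate.decode("ascii"))
        pos = binary.find(MARKER, pos + 1)
    return stamps


def verify(binary, root, exclude=()):
    """'match', 'mismatch' or 'no-stamp' for a binary against a source tree."""
    stamps = extract_stamps(binary)
    if not stamps:
        return "no-stamp"
    expected = source_digest(root, exclude)
    return "match" if all(s == expected for s in stamps) else "mismatch"


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Run the scheme on a constructed three-file tree and constructed 'binaries'."""
    skip = {"src/stamp.c"}   # the generated file cannot be part of its own checksum
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Makefile", "all:\n\tcc -o demo src/*.c\n")
        _write(root, "src/main.c", "int main(void) { return 0; }\n")
        _write(root, "src/util.c", "int twice(int x) { return 2 * x; }\n")
        digest = source_digest(root, skip)
        _write(root, "src/stamp.c", stamp_c_source(digest))
        # Constructed stand-ins for a linked binary: header bytes, the stamp
        # string as it would sit in read-only data, then more bytes.
        stamped = b"\x7fELF" + bytes(12) + MARKER + digest.encode() + b"\x00" + b"\xc3" * 8
        stripped = b"\x7fELF" + bytes(12) + b"\xc3" * 8
        results = {
            "stable_after_stamp": source_digest(root, skip) == digest,
            "shipped": verify(stamped, root, skip),
            "stripped": verify(stripped, root, skip),
        }
        # Change one source file after the binary was "built".
        _write(root, "src/util.c", "int twice(int x) { return 3 * x; }\n")
        results["source_changed"] = verify(stamped, root, skip)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

As the post says, a distributor can strip the stamp, so `no-stamp` proves nothing either way. `match` shows only that the embedded string agrees with the published source, not that the binary was compiled from it.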
lkcl .
2014-03-06 21:37:41 UTC
Permalink
---------- Forwarded message ----------
From: Luke Kenneth Casson Leighton <***@lkcl.net>
To: "Bradley M. Kuhn" <***@ebb.org>
Cc: "***@lists.gpl-violations.org" <***@lists.gpl-violations.org>
Date: Thu, 6 Mar 2014 15:26:27 +0000
Subject: Re: Use of GNU GPL 2.0 code in Mikrotik RBXXX series and others
Thus, what concerns me here most is that there are accusations going
back to 2008 on this mailing list that Mikrotik's source code is not
complete,
it's slightly more complex than it first seems. mikrotik's success
comes from their "remote management" system which is similar in a way
to cisco router management system.

to achieve this, mikrotik *heavily modified* the underlying commands.
by that i mean that when you ssh or telnet into a mikrotik router,
instead of the "/bin/route" command having parameters that you would
type on the command-line, they MODIFIED /BIN/ROUTE so that it takes
parameters in BINARY FORM ON STDIN. something to that effect,
anyway. and they've done this across the *ENTIRE* command-set [*1]

so in other words they have a complete binary command-protocol on top
of a heavily-modified normal and standard GNU/Linux command set,
covering ifconfig, iwconfig, route, management of files in /etc and so
on.

PART of that is PROPRIETARY.

PART of that is obviously GPL'd and other free software licensed software.

the last time i checked (which admittedly was back in 2005 when i was
investigating reverse-engineering their binary command protocol as a
way to easily manage thousands of mikrotik routers) they were
reasonably GPL-compliant. i found the source code. it was great...

.... but of course it was completely useless, because without the
proprietary applications (none of which they were required to release
to anybody) the entire GPL'd codebase that they'd modified was
completely irrelevant.

just fyi.

l.

[1] openwrt does this in a much more sane manner!
Marco Maske
2014-03-08 17:54:01 UTC
Permalink
Post by lkcl .
Thus, what concerns me here most is that there are accusations going
back to 2008 on this mailing list that Mikrotik's source code is not
complete,
I read that too late after I have bought a Mikrotik-Router. My mistake! I
bought a Mikrotik-Router for the GNU / Linux firmware.
When you first start, the license is displayed with the paragraph regarding
the Software Sources. ... € 45,- each CD !...
Router-OS Firmware has an upgrade every few weeks! Then I read, in this regard
the arrogant responses of employees in the Mikrotik forum.
I wanted to smash the Mikrotik-Router!

I am not a lawyer and English is not my native language. Licenses and rights
are difficult to understand. However, this is against my perception of free
software! Use it and do it on ftp, damn! That was my first&last unit of
Mikrotik!


Then I discovered Ubiquiti. The Ubiquiti people get it right. The GPL source
code of the new firmware can be downloaded directly from the ftp servers.
They've a very good user-community and friendly employees. Sometimes an SDK is
available for their firmware.

Have some wireless router of those and wait for the Vyatta / Debian-based
EdgeRouter ER-8. I can on the device: apt-get install 'all-the GNU stuff I
want'
Post by lkcl .
it's slightly more complex than it first seems. mikrotik's success
comes from their "remote management" system which is similar in a way
to cisco router management system.
...and from the very good user-community and their excellent hardware.
Post by lkcl .
to achieve this, mikrotik *heavily modified* the underlying commands.
by that i mean that when you ssh or telnet into a mikrotik router,
instead of the "/bin/route" command having parameters that you would
type on the command-line, they MODIFIED /BIN/ROUTE so that it takes
parameters in BINARY FORM ON STDIN. something to that effect,
anyway. and they've done this across the *ENTIRE* command-set [*1]
so in other words they have a complete binary command-protocol on top
of a heavily-modified normal and standard GNU/Linux command set,
covering ifconfig, iwconfig, route, management of files in /etc and so
on.
PART of that is PROPRIETARY.
PART of that is obviously GPL'd and other free software licensed software.
Thank you for this good explanation.
Post by lkcl .
the last time i checked (which admittedly was back in 2005 when i was
investigating reverse-engineering their binary command protocol as a
way to easily manage thousands of mikrotik routers) they were
reasonably GPL-compliant. i found the source code. it was great...
As far as I know, this old code is all there is to download on the internet
today.
Post by lkcl .
[1] openwrt does this in a much more sane manner!
Yeah, and runs on my Ubiquiti WiFi devices.

Ciao Marco!
--
Debian Hint #35: The package 'devscripts' contains some useful scripts for
users who want to help to improve Debian, e.g. wnpp-alert, rc-alert and bts.
Bradley M. Kuhn
2014-03-07 21:29:16 UTC
Permalink
Post by Jonathan Wilson
Why not simply have the makefiles for the program in question do a
shasum of the source, put that checksum into some source file and have
the file linked into the binaries in a way that can easily be found.
This is the basis of Ed's idea, but the problem becomes wasting a lot of
space. A shasum of the entire source in aggregate, plus "scripts used
to control compilation and installation of the executable", won't be
that helpful.
Post by Jonathan Wilson
Although I guess the question then becomes "what goes into the shasum"
Exactly right!

What if there's a one-byte change somewhere in a build script, or a
space added to a source file?

What you want is a more fine-grained set of shasums for each component,
possibly with pathnames somehow encoded, etc.


The idea would be not just to be able to tell "does this source match" (the
answer to that is almost always "no", anyway) but "what source is
missing when it doesn't match", or "how can I quickly check that the
change to the sources since this was built is surely benign"?
Post by Jonathan Wilson
Now some GPL violators will simply strip the feature out before
shipping but for those who don't, it will help in verifying that the
source they distribute matches the binaries.
Right, this idea is purely to make testing compliance of good actors
easy.
--
-- bkuhn
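The finer-grained, per-pathname checksum idea from the message above, as an added example (not code from any poster or project in this thread). The function names, the sample trees and the whitespace-insensitive second digest used to flag likely-benign edits are all assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def digests(data):
    """(exact, whitespace-insensitive) SHA-256 digests of one file's bytes."""
    squeezed = b"".join(data.split())  # drops every run of whitespace
    return hashlib.sha256(data).hexdigest(), hashlib.sha256(squeezed).hexdigest()

def build_manifest(root):
    """Map each relative pathname under root to its pair of digests."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digests(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}

def compare(built, offered):
    """Classify every path recorded at build time against the offered source."""
    report = {"missing": [], "whitespace_only": [], "changed": [], "extra": []}
    for rel, (exact, squeezed) in sorted(built.items()):
        if rel not in offered:
            report["missing"].append(rel)
        elif offered[rel][0] != exact:
            # Triage hint only: whitespace matters in Makefiles and string literals.
            kind = "whitespace_only" if offered[rel][1] == squeezed else "changed"
            report[kind].append(rel)
    report["extra"] = sorted(set(offered) - set(built))
    return report

def write_tree(root, files):
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(text.encode())

def demo():
    """Constructed sample: the tree a binary was built from vs. the tree offered."""
    built = {"Makefile": "route:\n\tcc -o route src/route.c\n",
             "src/route.c": "int main(void){return 0;}\n", "src/cli.c": "int cli;\n",
             "scripts/install.sh": "cp route /bin/route\n"}
    offered = {"Makefile": built["Makefile"], "README": "source release\n",
               "src/route.c": "int main(void) { return 0; }\n",
               "scripts/install.sh": "cp route /usr/bin/route\n"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, built)
        write_tree(b, offered)
        return compare(build_manifest(a), build_manifest(b))

if __name__ == "__main__":
    print(demo())
```

A manifest like this answers "what source is missing" by pathname, where a single aggregate checksum over the whole tree would only report a mismatch.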
Arnt Karlsen
2014-03-06 12:35:10 UTC
Permalink
On Wed, 5 Mar 2014 17:17:58 -0500, Bradley wrote in message
Post by Bradley M. Kuhn
..I disagree, once you have the _complete_ recipe, with correct
compiler versions, settings, time stamps etc thrown in, you will be
able to prove all your correct checksums etc in GPL compliance
cases. _No_ need to back off here.
I just don't think "scripts used to control compilation and
installation of the executable" requires that you get a byte-for-byte
identical binary.
I don't have any objection to asking for byte-by-byte perfection, but
I don't think GPL demands it. Generally speaking, GPL instead
demands that a reasonably knowledgeable developer/build-engineer can
follow the instructions from the distributor to generate a binary
from source that will build, install and run in the same manner that
the distributed GPL binary installs and runs.
..11 years back, people were "happy to rip out _any_ SCO code
in Linux, and start over from scratch, just name it."
Da Darl's Dark side didn't want that kinda standard make it
into case law. ;o)
Post by Bradley M. Kuhn
..but we should suggest a proper way to do this, so people like
Mikrotik can properly document their checksums and the proper way
to verify their checksums and GPL etc compliance.
There have been some ideas floated, most notably by Ed Warnicke, of
how we might be able to encode checksums of the source in binaries
without taking up too much space. I think these mechanisms should be
studied, built, and encouraged. I've even urged groups like SPDX to
focus on this sort of thing, as it would be much more useful than the
current projects they're doing.
..I agree.
Post by Bradley M. Kuhn
Leave these long tall sweaty tSCOG-like stories on why-it-failed to
the offenders.
I'm not sure this attitude helps our problems with failed
compliance.
We have a world filled with hundreds of GPL violators
who are refusing to give us adequate CCS for their GPL'd binaries.
While I sympathize more than you can probably imagine with your
sentiment, I'm not sure how mere posturing and demanding something
that we'd "like to have" will get them to comply with the GPL.
..it's not going to, until _after_ we have those easy simple
test standards in place for the courts and their jurors.
Only once that happens, we can start demand it in e.g.
GPLv2.2+ and GPLv3.1+.
--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
Bradley M. Kuhn
2014-03-06 21:46:03 UTC
Permalink
..it's not going to, until _after_ we have those easy simple test standards
in place for the courts and their jurors. Only once that happens, we can
start demand it in e.g. GPLv2.2+ and GPLv3.1+.
Your response indicates to me that you've probably never been involved
heavily in a GPL violation lawsuit, at least in a jurisdiction that centers
its legal system around an adversarial process. But I'm telling you based on
extensive in-court experience that forcing the issue in this direction
(perfect production of binaries) is not going to help us in the short or
medium term. As a very long term solution, something like Ed's idea of
requiring some way to verify what sources made what binary is useful, but a
"rote perfect checksum" won't get us there because it's too technically
difficult to get perfect such that it makes a viable compliance litmus test.

Frankly, even if a litmus test that we *thought* worked in all cases
existed, I'd be loath to advocate for its inclusion officially in GPL.
The moment a litmus test was written into GPL, violators, who are
typically very wealthy companies, would seek and likely find a way
to meet the litmus test but fail on all other areas of compliance.

I really do encourage you to study the Conservancy v. Best Buy et al case.
Seeing how the process actually works in practice will probably make
it clear that this avenue isn't useful.


However, as I said, I really appreciate your zeal about this and you clearly care
deeply like I do about this. I'd love your help as a volunteer on doing CCS
checks with violators if you have the time. Get in touch with me if you're
interested. That's where we could use the help today to stop violations
of the GPL.


-- bkuhn
Neil Brown
2014-03-07 09:49:42 UTC
Permalink
On 6 Mar 2014, at 21:46, Bradley M. Kuhn <***@ebb.org> wrote:

Morning, Bradley
Post by Bradley M. Kuhn
violators, who are
typically very wealthy companies,
This is an interesting comment.

Is it your perception that the majority of GPL violations arise from "wealthy companies", or just that those which are most often brought to light, or perhaps those which are considered worth pursuing, are by wealthy companies?


Best wishes

Neil

__________

Neil Brown
***@neilzone.co.uk | http://neilzone.co.uk
Sebastian Gottschall
2008-02-18 11:41:19 UTC
Permalink
Post by mr
no, not without further information. What makes you think it's running
linux? What router is it? (please give a link to the product page). If
it's running linux, have you asked them for the source code?
Mikrotik OS is fully based on linux. some kernel sources were provided in
the past for the RB532. but everything else
(which is a lot) is missing.

Sebastian
Post by mr
Regards,
Alan
Post by André Machado
Hi every body.
I try to find the source code of RouterOS (Mikrotik) but can't get any
notice about... some body knows?