Discussion:
BT Homehub 3B - GPL Violation
Darren Anderson
2014-03-08 15:42:03 UTC
Permalink
Hello,

I own a BT Homehub 3B, and I would like to modify it to provide telnet
access.

As it runs on Linux, and makes use of many other pieces of GPL licensed
software, I would have expected the full source code to be available so
that I could build my own modified binaries.

Unfortunately, on the BT GPL code page, there is no source code available
for the Homehub 3B

http://bt.custhelp.com/app/answers/detail/a_id/35298/~/bt-home-hub,-bt-voyager-and-connected-devices-gpl-code

I'm not sure, but does this constitute a GPL licence violation?

Kind Regards,
Darren A
Thomas Charron
2014-03-11 15:34:53 UTC
Permalink
Post by Darren Anderson
Hello,
I own a BT Homehub 3B, and I would like to modify it to provide telnet
access.
As it runs on Linux, and makes use of many other pieces of GPL licensed
software, I would have expected the full source code to be available so
that I could build my own modified binaries.
Unfortunately, on the BT GPL code page, there is no source code available
for the Homehub 3B
http://bt.custhelp.com/app/answers/detail/a_id/35298/~/bt-home-hub,-bt-voyager-and-connected-devices-gpl-code
I'm not sure, but does this constitute a GPL licence violation?
Kind Regards,
Darren A
After a little research, I found this:

"If any open source software is provided hereunder in
object code, and its accompanying license requires that it be provided in
source code as well, you may receive such source code by sending Jungo,
via
registered mail, a certified check for US$15.00 to cover our production
and
shipping costs. Please send the check to the following address, and a CD
with
the appropriate source code will be mailed to you: Jungo Ltd., 1
Hamachshev
St., Poleg Industrial Center, Netanya 42504, Israel."
--
-- Thomas
TJ
2014-03-11 17:50:23 UTC
Permalink
Post by Darren Anderson
Hello,
I own a BT Homehub 3B, and I would like to modify it to provide telnet access.
As it runs on Linux, and makes use of many other pieces of GPL licensed software, I would have expected the full source code to be available so that I could build my own modified binaries.
Unfortunately, on the BT GPL code page, there is no source code available for the Homehub 3B
http://bt.custhelp.com/app/answers/detail/a_id/35298/~/bt-home-hub,-bt-voyager-and-connected-devices-gpl-code
Looking at some of the archives linked on that page - which are suspiciously small - they only contain packages lists and hashes.

I'd suggest writing directly to British Telecommunications Acting Head of Open Source Innovation [1], "Colm Britton" <***@bt.com> [2], who should be able to link up with the appropriate
legal and technical people internally to resolve the issue.

[1] http://osmosoft.com/
[2] http://uk.linkedin.com/in/colmjude
Thomas Charron
2014-03-11 15:31:18 UTC
Permalink
Post by Darren Anderson
Hello,
I own a BT Homehub 3B, and I would like to modify it to provide telnet
access.
As it runs on Linux, and makes use of many other pieces of GPL licensed
software, I would have expected the full source code to be available so
that I could build my own modified binaries.
Unfortunately, on the BT GPL code page, there is no source code available
for the Homehub 3B
http://bt.custhelp.com/app/answers/detail/a_id/35298/~/bt-home-hub,-bt-voyager-and-connected-devices-gpl-code
I'm not sure, but does this constitute a GPL licence violation?
Kind Regards,
Darren A
No. Refer to their offer which was present with the product. I may very
well contain an offer which allows you to request it via some other
manner. Chances are this is an oversight, which happens many times, but
contact them via whatever their offer states.

Please bear in mind, that running Linux does not mean that you will be
able to modify what the device is running, unfortunately. It only provides
for you to access and build. Many times entities will restrict the 'load
and run' part, and this is not against the GPL v2 which Linux is published
under.
--
-- Thomas
Ralph Corderoy
2014-03-13 00:15:59 UTC
Permalink
Hi Thomas,
Post by Thomas Charron
Post by Darren Anderson
I own a BT Homehub 3B, and I would like to modify it to provide
telnet access.
...
Post by Thomas Charron
Please bear in mind, that running Linux does not mean that you will be
able to modify what the device is running, unfortunately. It only
provides for you to access and build. Many times entities will
restrict the 'load and run' part, and this is not against the GPL v2
which Linux is published under.
Is there a common reference for why Linux doesn't have to comply with
GPLv2's "installation of the executable".

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as
a special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

I'd take that to mean the scripts must include any code-signing stage,
etc.

Cheers, Ralph.
Bruce Perens
2014-03-13 00:22:50 UTC
Permalink
Post by Ralph Corderoy
I'd take that to mean the scripts must include any code-signing stage,
etc. Cheers, Ralph.
FSF's read on this, when last I checked, was that it was true for GPL3
but not for GPL2.
Bradley M. Kuhn
2014-03-13 21:41:20 UTC
Permalink
Post by Bruce Perens
Post by Ralph Corderoy
I'd take that to mean the scripts must include any code-signing stage,
etc.
FSF's read on this, when last I checked, was that it was true for GPL3
but not for GPL2.
Be careful there, Bruce. AFAICT, your statements above is much more
expansive than FSF's position on this, to my knowledge and belief.
Specifically, GPLv2 requires *all* "scripts used to control compilation
and installation of the executable". I believe that includes any
scripts that do code-signing, too!

I wrote a blog post about this nearly four years ago:
http://ebb.org/bkuhn/blog/2010/07/15/motorola-admits.html

The portion of that post most relevant to this conversation is:

[M]erely because GPLv3 expanded installation information
requirements does not lessen GPLv2's requirement of such. In fact,
in my reading of GPLv2 in comparison to GPLv3, the only effective
difference between the two on this point relates to cryptographic
device lock-down. I do admit that under GPLv2, if you give all the
required installation scripts, you could still use cryptography to
prevent those scripts from functioning without an authorization
key. Some vendors do this, and that's precisely why GPLv3 is written
the way that it is: we'd observed such lock-down occurring in the
field, and identified that behavior as a bug in GPLv2 that is now
closed with GPLv3.

However, because of all that hype about GPLv3's new "Installation
Information" definition, many simply forgot that the GPLv2 isn't
silent on the issue. In other words, GPLv3's verbosity on the
subject led people to minimize the important existing requirements
of GPLv2 regarding installation information.
--
-- bkuhn
Bruce Perens
2014-03-13 23:38:06 UTC
Permalink
OK, so under GPL2 the scripts must include the cryptographic program
itself but not the cryptographic key.
Robinson Tryon
2014-03-13 23:54:03 UTC
Permalink
Post by Bradley M. Kuhn
[M]erely because GPLv3 expanded installation information
requirements does not lessen GPLv2's requirement of such. In fact,
in my reading of GPLv2 in comparison to GPLv3, the only effective
difference between the two on this point relates to cryptographic
device lock-down. I do admit that under GPLv2, if you give all the
required installation scripts, you could still use cryptography to
prevent those scripts from functioning without an authorization
key.
Assuming your reading of GPLv2, how would one verify compliance with
the license without having a built binary B + signature(B) that can
actually run on a piece of hardware H? Obvious omissions, such as no
compilation or installation scripts at all, could be trivially
identified, but assuming the crypto system is anything but a no-op,
just B + H will get you nowhere.

I guess one could request 3rd party verification of compliance, but
that could be rather pricey. I wonder if such a cost would rest on the
distributor, or upon the party seeking to verify compliance (e.g. a
copyright holder).

Cheers,
--R
Bradley M. Kuhn
2014-03-14 16:15:29 UTC
Permalink
Post by Robinson Tryon
Assuming your reading of GPLv2, how would one verify compliance with
the license without having a built binary B + signature(B) that can
actually run on a piece of hardware H?
...
Post by Robinson Tryon
I guess one could request 3rd party verification of compliance, but
that could be rather pricey. I wonder if such a cost would rest on the
distributor, or upon the party seeking to verify compliance (e.g. a
copyright holder).
As I said in an post on another thread yesterday, compliance is an
affirmative defense that the violator much show, in their effort to
prove their claim that they didn't infringe copyright.

So, if we (as copyright holders or their representatives) can't be sure
that something is compliant based on what's been given, that's the
violators' problem, not ours.

In practice, though, I work really hard to give detailed reports to
violators about why their CCS is inadequate because, like always, I
*want* them to comply and keep using and incorporating Free Software
into their products (provided they do so in compliance with all relevant
Open Source and Free Software licenses ;).
--
-- bkuhn
Thomas Charron
2014-03-13 00:33:44 UTC
Permalink
Post by Ralph Corderoy
Is there a common reference for why Linux doesn't have to comply with
GPLv2's "installation of the executable".
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as
a special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
The scripts to do it, and the ability to actually get it stored into a
hardware devices flash are two different beasts.
Post by Ralph Corderoy
I'd take that to mean the scripts must include any code-signing stage,
etc.
Cheers, Ralph.
And you'd be wrong. I don't believe this has ever been challenged, but
it is accepted that it was a limitation to the GPL v2.
--
-- Thomas
Loading...