I disagree completely - in fact it makes the process much easier for both developers and legal bodies to review.

In the case of projects based on the Linux kernel the cleanest work-flow is to use git as the DVCS, and in particular its submodule abilities, where the master repository is for the device, and the
submodules are for the components that make up the entire project - FL/OS and proprietary, e.g.:

mkdir our_device_01 && cd our_device_01
git init
mkdir legal
git add legal
git commit -s -S$MY_GPG_KEYID -m 'Keep all legal correspondence here'
git remote add public ssh://***@www.myco.com:~/git/our_device_01.git
git submodule add git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux
git submodule init linux
git submodule add git://busybox.net/busybox.git busybox
git submodule init busybox
...
git submodule foreach git remote add public ssh://***@www.myco.com:~/git/$name
...
cat >open_source_submodules.list <<EOT
linux
busybox
EOT

git add open_source_submodules.list
git commit -s -S$MY_GPG_KEYID -m 'list of Open Source submodules to be publicly released'
...
git submodule add file://path/to/internal/closed-source/project_1 proprietary_project_1
git submodule init proprietary_project_1
...
git branch -b new-feature-01
...
git add .
git commit -s -S$MY_GPG_KEYID -m 'Integrate new feature 01'
...
mailx -c ***@myco.com -s "Please review branch new-feature-01 of project our_device_01" ***@myco.com
...
# read email
mailx
O 1 legal@@myco.com Thu Nov 21 16:01 31/545 "Release Approved"
# approval received
type 1
save +legal
exit
git add legal/*
git commit -s -S$MY_GPG_KEYID -m 'Release Approved'
git checkout master
git merge new_feature_01
git tag -s -m "Add new feature 01"
...
for module in open_source_submodules.list; do
pushd $module
git push public master
popd
done

This allows per-commit traceability in the device project and all its constituent parts, with clean and obvious separation between the FL/OS and closed-source parts.

When the firmware is ready for release it is straight-forward to review the commits to the FL/OS parts before signing it off with a signed tag in the master repo which also binds the state of the
submodules. The FL/OS parts can then be pushed to a public repository or tar-balled.

That has nothing to do with F/OSS in particular, they need to perform
this diligance before incorporating *any* code in their product.
Frankly if that is the case, they have no business using F/OSS. They
know *in advance* they are required to release the corresponding source
code to the binaries. That's the price they pay for not having to write
everything from scratch.

Ten years ago they may have been able to plead ignorance, but today?
Come on.
....Then they can write their whole system from scratch, and not
freeload off of others' hard work.
The GPL's requirements are clear. If you don't grant downstream users
the same rights as you were given, then you're not allowed to
re-distribute that GPL software. It really is that simple.
I don't disagree, but I should point out that the time to do this is
*before* you start shipping product, not months afterwards!

- Solomon

Having a lawyer-filter on a git repo would kill productivity, but the
vetting process has to happen before a product ships. If you're on a
tight release schedule, you've got to budget the appropriate amount of
time for review, whether that's a little time each week or a big chunk
of time at the end of the project.
Indeed it can. But if you only take this step after shipping a
product, there's no way to revert code that can't legally be released.

Or to put it another way, if you clean your car each week, it will
stay relatively tidy. If you wait for only once a year, you might find
a stain on the carpet that has set and will never come out.

--R