McAfee Worried Over "Ambiguous" Open Source Licenses
willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."
McAfee is just wrong (Score:4, Informative)
Security by obscurity (Score:3, Informative)
and
2) Only use code owned by others and covered by a strong copyleft in a product, if you are willing to release all the code for that product under a strong copyleft.
It is really not that complicated.
Re:Simple Solution: Avoid The Kooky And Viral GPL (Score:4, Informative)
Very very simple.
Re:just lazy companies. (Score:5, Informative)
When you link a GPL work against a non-GPL work, you create a derivative work. As long as you are authorised to possess both works, the derivative work you create is initially permitted by the Law of the Land, as Fair Dealing (Fair Use in some jurisdictions), and any apparent prohibition in the licence terms is unenforceable precisely because a promise not to do something the Law of the Land already says you can do is worthless.
However, the terms of both licences now apply to the derivative work as a whole. If the restrictive licence said "You must not distribute the Source Code to others", that would conflict with the GPL's requirement to distribute the Source Code. Therefore, the only way you can comply with both licences at once is not to distribute the software at all (aka "Liberty or Death").
The key point is, you don't need a licence to create that Derivative Work. You need one to distribute it. None of which would be an issue, by the way, if software vendors just distributed the frigging Source Code already.
Re:What's the problem? (Score:4, Informative)
Re:just lazy companies. (Score:3, Informative)
HEY MCAFEE! (Score:4, Informative)
Re:I don't get it (Score:5, Informative)
If you choose to use GPL code in your product, then you must agree to the terms under which you are permitted to do so. These companies cross license code between each other all the time with a plethora of different licensing requirements. For example Microsoft will license a lot of code to you, such as wma/wmv codecs and drm, under the condition that you pay them for each copy you distribute as part of one of your products.
The only difference with the GPL is the requirements which you must abide by in order to distribute. Don't like the terms? Then write your own, or license code from somewhere else under different terms, or merely change the way you use the GPL code so that compliance no longer bothers you.
All this garbage about "releasing the source makes our products less secure" is ridiculous... Open source software has a very good track record when it comes to security, just look at OpenBSD for instance, and then you have apps like qmail for which the source has been available for years without huge numbers of holes. And Solaris hasn't suddenly seen a rash of new vulnerabilities since being open sourced.
If code is well written, it doesn't matter who can see the source code. If it's poorly written you can understand why someone wouldn't want to be embarrassed by its release, but if it's full of holes people will still reverse engineer the binaries to find them.
Re:I don't get it (Score:3, Informative)
Re:I don't get it (Score:5, Informative)
Wrong
If you link against the Linux kernel (or part of it), then you have to use GPL. Very few programs do this. Even kernel modules do not have to do this, provided they use the correct API.
If you copy code from the Linux kernel, then you have to use the GPL. Incidentally, this applies even if you don't copy verbatim - if you copy the structure and then change variable and function names, you still have to use GPL.
But if you have a piece of code which you wrote in its entirety, and which is only linked against the Linux kernel when on Linux, then it only has to be GPL'd when actually linked to the Linux kernel. The version you ship on Windows or Mac OS X can be licensed any way you like.
Anyone who tells you different is just spreading FUD. Version Two [gnu.org] of the GPL is a very simple document and is easy to read. It means just what it says, there's nothing complex behind it. Version Three [gnu.org] is a little more prolix, but it still means just what it says. Go read it yourself; don't listen to people who are trying to mislead you.
Re:Kernel hooks (Score:3, Informative)
Re:They just need to free the interface & modu (Score:3, Informative)
Re:I don't get it (Score:4, Informative)
I'm of the belief that there are more people wanting to do good than bad. Of course, McAfee probably can only see the attacks they receive on their product by the nefarious trying to bypass their systems. From all that I can tell, McAfee is the Gateway (computers) of the AV world, it's useful if you aren't too worried about quality.
/sorry, early in the morning. thoughts may be incomplete and incoherent.
Re:I don't get it (Score:3, Informative)
The GPL must be attached to any "derived works" of the Linux kernel. I.e. if you write a module for the Linux kernel it must be GPLed. However, nVidia did not do this - they wrote their driver for Windows. They then took the Windows driver and wrote a GPLed interface library to make it work with Linux. So the interface library is derived from both the non-GPLed driver and the GPLed Linux kernel - the driver itself is not derived from any GPLed code so can remain under a different licence.
It is pretty similar to running your 802.11 drivers under ndiswrapper - the driver was written for Windows, not for Linux, so running it under ndiswrapper doesn't force the driver's code to be GPLed.
Probably more complicated than that (Score:3, Informative)
The major issue for the GPL v2 is that it is not 100% clear where the boundary relating to mere aggregation is. In general it is easy to read "a work based on the original work" as meaning derivative work (i.e. a transformation or adaptation of the original work in the same way that a movie may be based on a book, or a sequel may be based on another book), while aggregation seems to read as a collected or compiled work, but these simple interpretations are at odds with the FSF's interpretations. I.e. dynamic or even static linking would seem to create (possibly non-literal) compilations under copyright law, not derivations, even if the linker strips out unused portions (this is because that process would not be creative enough to create a *new* copyrighted work in the form of the new library code). Hence the simple reading of the GPL v2 would seem to allow one to link proprietary applications to, say, GNU Readline. This question has not been resolved in court yet.
The GPL v3 has the same issue, but adds a few more. For example, does section 7, paragraph 2 govern sections of BSD code included verbatim in a GPL v3 application? I.e. must one be allowed to change the license of a file to the GPL v3 in order to call it compatible? (Eben Moglen says "Yes" while Richard Fontana says "No"-- both are members of the SFLC and both were involved in the GPL v3 development process.)
There are also a few false ambiguities-- for example the question as to whether mere use of software inside an organization might ever one to license patents out (the relevant section of the GPL v3 only applies to explicit patent licenses), though clearly one would want to stop using software before filing patent suits due to patent retaliation clauses.
Re:I don't get it (Score:2, Informative)
It's a "fancy" way of saying "I screwed up, so I'll have to re-organize huge portions of the design, in order to somehow find my way out of this mess." in such a way, as to make the manager think you must be some sort of a genius for using such fancy words.
Whenever I hear a colleague software developer saying
"Some re-factoring might be necessary in order to get that functionality"
followed by an (expected)
"Well, then, go ahead, do it"
in a meeting where we must decide whether we will allow a last minute addition of a critical requirement or not, I feel the urge to jump over the table and ram my fucking foot down the idiot's throat. I KNOW he is talking about a complete re-design of an otherwise good working piece of the code, without actually saying it.
I would really like to know who coined that stupid and unnecessary term in the first place!
Re:I don't get it (Score:3, Informative)
What this is about (Score:3, Informative)
So as far as I can tell, here's what this story is actually about:
McAfee makes a virus scanner for Linux [mcafee.com]. Presumably the "on-demand" scanning uses a closed-source kernel module. Some kernel developers (i.e. copyright holders) assert that it violates the GPL to distribute closed-source kernel modules (although NVIDIA's and ATI's lawyers presumably disagree). This has never been tested in court. If one of the kernel copyright holders decided to litigate and won, then McAfee might have to stop selling their product, or significantly alter it. Since there is a risk of this happening, they are required to disclose it to investors.