McAfee Worried Over "Ambiguous" Open Source Licenses

willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."

  • well... (Score:1, Insightful)

    by mAIsE ( 548 ) on Saturday January 05, 2008 @05:39AM (#21920724) Homepage
    If your business doesn't agree with the license DON'T use it.

    You can't have your cake and sell it too!!
  • by zebslash ( 1107957 ) on Saturday January 05, 2008 @05:40AM (#21920732)
    Don't want to be bound to the terms of the GPL? Don't use GPL code!
    Just another piece of FUD.
  • Fine. (Score:4, Insightful)

    by palegray.net ( 1195047 ) <philip...paradis@@@palegray...net> on Saturday January 05, 2008 @05:44AM (#21920752) Homepage Journal
    If you're worried about "uncertainties" with respect to any software license, don't include code in your application that might cause those licensing terms to apply to it. End of story.

  • by bark ( 582535 ) on Saturday January 05, 2008 @05:47AM (#21920770)
    There is no free lunch. These manufacturers are seeing the "gold mine" of open source software as a way to do less work. Well, you've got to comply with the terms of the license if you distribute it. No two ways about it.
  • Re:I don't get it (Score:5, Insightful)

    by Broken Toys ( 1198853 ) on Saturday January 05, 2008 @05:47AM (#21920772)
    "McAfee's warning may have been prompted by the fact the Software Freedom Law Center, an open source advocacy group, recently filed a series of lawsuits against alleged GPL violators."

    The article isn't very clear on this point but it sounds like McAfee is almost admitting they violated the GPL and are about to end up in court.
  • Missing the point (Score:3, Insightful)

    by nurhussein ( 864532 ) on Saturday January 05, 2008 @05:53AM (#21920808) Homepage
    "Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering"

    Uh, that's the very idea of the GPL. It lets people who bought the product use it in any way they see fit, which includes "tampering" with it. It even allows you to redistribute it. The only thing it prevents is redistribution under a different license without permission. Didn't anyone give McAfee the memo?
  • Re:I don't get it (Score:5, Insightful)

    by unlametheweak ( 1102159 ) on Saturday January 05, 2008 @06:03AM (#21920854)
    The article talks more about lawsuits regarding GPL license violations than it does about security issues.

    Much security software is already open-source: encryption, firewall, virus scan, etc. The fact is that there is no inherent security problem with GPL software. McAfee just appears to have a problem with the licensing.

    Yes it seems like they would like to have their open source cake and eat it too.
  • Re:I don't get it (Score:5, Insightful)

    by unlametheweak ( 1102159 ) on Saturday January 05, 2008 @06:18AM (#21920916)

    Yes. And to correct the article, they aren't really worried about having to release code that may "leave ... products open to tampering", but rather, that people might find blatantly obvious bugs or omissions in how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.
    I would suspect that it would be easier to run automated programs for finding buffer over-runs, etc., rather than fishing through thousands of lines of code looking for a non-obvious vulnerability (anybody who has ever coded knows that ALL coding mistakes are non-obvious... as soon as they press the compile button :P).

    By their logic it would be trivial to hack into a Linux computer because it is open-source, and next to impossible to hack into a Microsoft computer.
  • by AHumbleOpinion ( 546848 ) on Saturday January 05, 2008 @06:49AM (#21921016) Homepage
    Do you guys have a clue as to what goes into the risks section of an SEC filing? Pretty much anything conceivable. That way, if it happens, it is harder to get sued by an ambulance-chasing lawyer who found *one* unhappy shareholder and filed a class action suit. So if you are a publicly traded company you probably should have a risk enumerated that a programmer will violate policy and inappropriately incorporate GPL'd code.
  • by Yokaze ( 70883 ) on Saturday January 05, 2008 @06:53AM (#21921030)
    > [...] that any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.

    No. The conditions are still subject to
    a) common law
            Extreme example: you can't demand the firstborn for the use or distribution of the work.
    b) interpretation by court
            The legal meaning is finally determined by judges.

  • by Anonymous Coward on Saturday January 05, 2008 @07:16AM (#21921120)

    You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own.
    Then when that's identified, they have to remove the code, if necessary pulling the product. Or comply with whatever license the copyright holder is prepared to grant them. This is EXACTLY the same position as if the lazy programmer had infringed on a previous employer's code, or on leaked Microsoft code or... any other copyright infringement at all.

    Their best bet is to tighten up on their recruitment and code review processes. That would certainly beat complaining that it MAY turn out that some of their employees may be breaking various laws and that if they are then the victims may be gosh darned unreasonable about it.
  • by DrSkwid ( 118965 ) on Saturday January 05, 2008 @07:35AM (#21921226) Journal
    > When all software out there is Open Source, leaks will be found and closed.

    When all software is open source, there will be so much of it that the scope for virus infection is wider, and products that monitor system calls and do intrusion detection will have more of a market.

    McAfee's real problem is that Windows gets more and more locked down and fine-grained capability permissions are being applied. The days of the blanket anti-virus product are numbered in the business world, balanced against the rise of the dedicated software administrator.
  • Re:I don't get it (Score:4, Insightful)

    by Simon Brooke ( 45012 ) <stillyet@googlemail.com> on Saturday January 05, 2008 @07:43AM (#21921262) Homepage Journal

    Yes. And to correct the article, they aren't really worried about having to release code that may "leave ... products open to tampering", but rather, that people might find blatantly obvious bugs or omissions in how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.

    They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community.

  • You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own. Hell, it could be a relatively honest mistake like confusing a GPL'd lib for a LGPL'd lib. A GPL related lawsuit would be an appropriate item in the risks section of an SEC filing.

    If you don't have sufficient code review processes in place, and you don't know where your employees are copying code from, that's very much your problem. McAfee may be that unprofessional, but if they are they deserve everything that's coming to them.

  • Re:I don't get it (Score:4, Insightful)

    by Peaker ( 72084 ) <gnupeaker@NosPAM.yahoo.com> on Saturday January 05, 2008 @09:24AM (#21921948) Homepage

    anybody who has ever coded knows that ALL coding mistakes are non-obvious... as soon as they press the compile button :P

    Quite a few bugs are obvious to the experienced programmer.

    Many are not obviously bugs, but are obviously "bad practice" which will often lead to bugs.

    Once a proficient programmer re-factors "ugly" (full of "bad practice") code, most flaws also become obvious.
  • Re:I don't get it (Score:5, Insightful)

    by HangingChad ( 677530 ) on Saturday January 05, 2008 @10:15AM (#21922278) Homepage

    Do their own graft, write their own damn software, and stop freeloading off the community.

    What kind of leftie, tree-hugging nonsense is that? Expecting corporations to accept responsibility when there is shareholder value to consider, quarterly numbers to make and fat bonuses to earn.

    Accountability...I can't believe such a radical concept will ever fly. The American corporate way is to have our cake, eat it too and expense the bill as entertainment.

  • Re:I don't get it (Score:3, Insightful)

    by Svartalf ( 2997 ) on Saturday January 05, 2008 @02:39PM (#21924932) Homepage
    Considering that the GPL only comes into play when you DISTRIBUTE the code in question, the NVidia driver's been pretty much something of a non-issue.

    You can't legally distribute to someone an install done this way, or provide an installation that ships directly with the NVidia drivers, but you can ship a Linux install that can make it easy for someone, and you can always turn it off/remove the offending binary blob when you hand someone a machine you've been using the driver on. Since usage is not controlled by the GPL grant, and there's no directly infringing pieces involved, everyone just grouses about the blob NVidia provides, asks if they'll ever do like AMD and Intel are in the process of doing, and goes on.
  • by SwashbucklingCowboy ( 727629 ) on Saturday January 05, 2008 @02:47PM (#21924998)
    And there's good reason for this. You don't necessarily know the provenance of the source code.

    Here's an example: I was doing evaluations of the two open source identification products available today (from Black Duck and Palamida), and I found an instance where it appeared that code that was originally released under the GPL had found its way into code that was released under the Apache license. I did some due diligence on this, looking back in the repositories to see when the initial check-ins had been done to determine which project had the code first. Admittedly, that's not foolproof, but it was the best I could do under the circumstances.

    So, now imagine if someone in good faith takes the code from the Apache licensed project and uses it in their proprietary product. They comply with the Apache license. Then someone from the GPL project comes along and says "Hey! You're using OUR code that was made available under the GPL, you have to release the source code for your product." Legally speaking, that could be the result. And some people don't want to take that chance.
  • Nope (Score:3, Insightful)

    by Peaker ( 72084 ) <gnupeaker@NosPAM.yahoo.com> on Sunday January 06, 2008 @10:27AM (#21931930) Homepage
    Refactoring isn't just "any random change of the code".

    Refactoring means modifications of the code that are not supposed to alter its functionality. Things like renaming variables or moving code or data from one place to another.

    I re-factor a lot of code, much of it I did not write (but sometimes it's my old code where I didn't get it perfect or account for future developments).
    Semantic transformations of code that do not alter functionality allow you to remain relatively sure that you are not breaking anything (especially if there's good test coverage) while fixing a bad design, or after having found a novel way to reduce code duplication or such. Once code duplication and tight coupling are removed or reduced, adding new functionality and finding and fixing bugs become much easier.
