Software Your Rights Online

McAfee Worried Over "Ambiguous" Open Source Licenses 315

willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."
This discussion has been archived. No new comments can be posted.

  • I don't get it (Score:5, Interesting)

    by noz ( 253073 ) on Saturday January 05, 2008 @05:38AM (#21920720)
    Are they worried because they've used GPL licensed code in their products?
  • Re:I don't get it (Score:1, Interesting)

    by Anonymous Coward on Saturday January 05, 2008 @05:42AM (#21920740)

    Are they worried because they've used GPL licensed code in their products?
    It's FUD. For all I know, they are saying this as part of a side deal over tech info for something else.
  • Re:I don't get it (Score:5, Interesting)

    by davester666 ( 731373 ) on Saturday January 05, 2008 @05:45AM (#21920758) Journal
    Yes. And to correct the article, they aren't really worried that having to release code may "leave ... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.
  • by JonathanR ( 852748 ) on Saturday January 05, 2008 @05:49AM (#21920780)
    ...require testing in court?

    I would have thought that Copyright law was pretty unambiguous, and that any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.

    This would apply to any distribution license.

    No need to test anything in court, unless you wish to discuss the finer details of Copyright Law itself.
  • by sinthetek ( 678498 ) on Saturday January 05, 2008 @06:01AM (#21920848) Homepage
    Sounds to me like that is just an excuse; I think it is fairly likely they are just trying to stir up trouble for FOSS community with SEC. They have a lot at stake if you think about it. AV companies' prime source of revenue is MS and its adoption is declining while *nix-based systems' are increasing. They have little experience with *nix software probably and know most people won't see much need for a *nix AV solution and there are several to compete with already.

    I could be wrong but seems like this and similar complaints about FOSS are from entities with self-serving interests rather than interests of society/world at large. A lot of it is just FUD hoping to encourage paranoia in businesses and slow FOSS adoption.
  • Re:I don't get it (Score:5, Interesting)

    by Anonymous Coward on Saturday January 05, 2008 @06:16AM (#21920910)
    No, they are worried that if governments begin using "infected"[*] open source products, they [McAfee] might be forced to support those open source products. And they are afraid that their code will be contaminated by the GPL *license* (note: not code).

    Let me put it another way..
    1. You create a program for counting beans, it's written for Microsoft Windows
    2. 40% of your important customers (government) switch to Linux
    3. Because you want to keep your clients, you port your application to Linux. In order to get access to the proper low-level interfaces (that you imagine you need for your bean counter), you start writing some kernel support functions.
    4. You deliver your application to your government. You are happy, the government is happy.
    5. One day, someone posts a "Company X are in violation of the GPL!" to Slashdot -- and all hell breaks loose. Your lawyers tell you that "Yes, we have to open source all our products, because they have all been contaminated by the GPL, because we touched the linux kernel source (which is GPL)!".
    6. You shut down your business, and live on welfare for the rest of your life.

    The only thing which has happened here is that McAfee has proclaimed that GPL is viral (it infects innocent suspects' code).

    I suspect that McAfee has been offered a Great Deal by someone, in exchange for publicly stating that the GPL is viral.

    And no, I don't believe they are using GPL code. That's not what this is about. They are afraid of their (important) customers demanding McAfee support GPL products.
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Saturday January 05, 2008 @06:18AM (#21920920)
    Comment removed based on user account deletion
  • Re:I don't get it (Score:5, Interesting)

    by ricegf ( 1059658 ) on Saturday January 05, 2008 @07:16AM (#21921116) Journal

    Your post doesn't make sense - or maybe I'm not following you? Anyone can write a Linux application and use any license they like (or stated another way, quite a few Linux applications are proprietary - the proprietary Flash plugin, for instance). McAfee wouldn't need to release their product under the GPL just to run it on Linux.

    And if they want to write a kernel support function that compiles with Linux and is also part of their product, they can dual-license (GPL when it's compiled with Linux, proprietary when part of their product). As long as they hold copyright, they aren't limited at all.

    What they seem to be saying is that they compile code written by someone else and released under only the GPL in their products. They can't change the license on code on which someone else holds copyright, so they are distributing that code in violation of the license (or, more precisely, in violation of copyright). Either they must "cure" the violation (e.g., by releasing their source code or replacing the GPL'd code), or acquire a commercial license from the copyright holder (if available).

    I must be missing something between step 3 and 5 in your post.

  • by Paradigm_Complex ( 968558 ) on Saturday January 05, 2008 @07:17AM (#21921128)
    While you may not have meant it, your comment pokes at another plausible reason for McAfee to dislike FOSS. After switching to Linux a ways back, I never even had a reason to buy McAfee products. Their business is dependent on vulnerable software for them to come in and protect; clearly any solid development model would be a threat to their wellbeing. It's not (just?) problems with FOSS software that bothers McAfee, it's FOSS's strengths, too.
  • by noidentity ( 188756 ) on Saturday January 05, 2008 @07:47AM (#21921302)

    Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering.

    Translation: "Some manufacturers have voiced concerns that the requirement could leave important user-restriction features or copyright fair-use prevention features in their products open to rightful destruction."

    They fail to grasp the most important aspect of GPL: every end-user is also the master of said software; it is not up to anyone else to decide what he can and can't do. Features which keep the end-user out are not part of (publicly distributed) GPL software, period.

  • Re:I don't get it (Score:3, Interesting)

    by Anonymous Coward on Saturday January 05, 2008 @08:57AM (#21921750)
    Mysterious tfa quote.

    McAfee frequently cautions other companies about the latest bugs and computer viruses, but the security software maker is now warning that its own business could be in jeopardy -- not from some form of malware but from the fact that its products rely heavily on open source software.
    Reporting error from the article writer or straight from the horse's mouth that McAfee has been violating the GPL?
  • Re:I don't get it (Score:3, Interesting)

    by IllForgetMyNickSoonA ( 748496 ) on Saturday January 05, 2008 @01:51PM (#21924440)
    I assure you, my friend, that this is not only the case in the USA. Europe (that's where I'm located) is not much better either. Corporate behaviour ESPECIALLY (but not only) with respect to open source and GPL, is plain disgusting.

    I'm all for profit, after all that means my paycheck is secured and will grow, but if it's achieved by almost-criminal means, I don't need it. Otherwise, why don't we all just start selling crack? That's where the really big money is, after all.
  • Re:I don't get it (Score:3, Interesting)

    by JoelKatz ( 46478 ) on Saturday January 05, 2008 @11:16PM (#21929128)
    "They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community."

    Your understanding of the issues involved seems pretty close to zero. They are not "freeloading off the community", they are supporting Linux.

    The problem is simply that in order to write software that interacts with Linux at the low level they need to interact, they need to use code that defines how Linux processes some things internally. There is no choice -- to support Linux, they need to use that code.

    They are voicing the risk that using that code may require them to comply with the terms of the GPL. I personally think it's pretty clear that's not the case, but even if I were in their shoes, I'd have to voice the concern.

    They are not taking any more code than engineering necessity requires them to take if they are to support Linux.
  • Re:I don't get it (Score:2, Interesting)

    by dave87656 ( 1179347 ) on Sunday January 06, 2008 @01:58AM (#21929820)
    Re: "You have to use the kernel header files to create a kernel module."

    "#include" doesn't bind you to the GPL of the included file. If you create your own header file using part of it, then it does bind you. People write software all the time using Kernel and other GPL'd header files. If that were true, #include would mean that virtually no linux code, anywhere, would be free from the GPL.

    Re: "This is assuming that the API itself is not or cannot be covered by the GPL. It is not clear that extracting the API from the code leaves an API that is not itself a derivative work. This may be true, but you can't just assume it."

    Again, every program written for linux, proprietary and otherwise, uses, at some level, linux GPL'd libraries. You can use them and you can even distribute them under their rules, but your code becomes bound when you include GPL _source_ code to create your code.

    One thing to remember is that McAfee doesn't produce or sell products for Linux, as far as I know, so the issue is whether they used source code to create or derive code for their other products, which appears to be what they are saying or at least implying.
