McAfee Worried Over "Ambiguous" Open Source Licenses

ScuttleMonkey posted more than 6 years ago | from the play-by-the-rules-and-no-one-gets-hurt dept.

Software 315

willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."

315 comments

I don't get it (5, Interesting)

noz (253073) | more than 6 years ago | (#21920720)

Are they worried because they've used GPL licensed code in their products?

Re:I don't get it (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21920740)

Are they worried because they've used GPL licensed code in their products?
It's FUD. For all I know, they are saying this as part of a side deal over tech info for something else.

Re:I don't get it (2, Funny)

smitty_one_each (243267) | more than 6 years ago | (#21921230)

Hmm. And where might dey win doze side deals?
It's all so mysterious.

Re:I don't get it (5, Interesting)

davester666 (731373) | more than 6 years ago | (#21920758)

Yes. And to correct the article, they aren't really worried about having to release code may "leave ... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.

Re:I don't get it (5, Insightful)

unlametheweak (1102159) | more than 6 years ago | (#21920916)

Yes. And to correct the article, they aren't really worried about having to release code may "leave ... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.
I would suspect that it would be easier to run automated programs for finding buffer over-runs, etc, rather than phishing through thousands of lines of code looking for a non-obvious vulnerability (anybody who has ever coded knows that ALL coding mistakes are non-obvious... as soon as they press the compile button :P).

By their logic it would be trivial to hack into a Linux computer because it is open-source, and next to impossible to hack into a Microsoft computer.

Re:I don't get it (-1, Flamebait)

tbyte_s_user_on_slas (969373) | more than 6 years ago | (#21921174)

It is nearly trivial to crack a Linux computer and considerably harder to crack a windoze. Believe it or not ....

Re:I don't get it (2, Informative)

ajs318 (655362) | more than 6 years ago | (#21921252)

Typing linux init=/bin/sh at the boot prompt is not necessarily trivial. It requires physical access to the machine, and it is evident to an external observer.

Re:I don't get it (3, Insightful)

Simon Brooke (45012) | more than 6 years ago | (#21921262)

Yes. And to correct the article, they aren't really worried about having to release code may "leave ... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.

They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community.

Re:I don't get it (5, Insightful)

Broken Toys (1198853) | more than 6 years ago | (#21920772)

"McAfee's warning may have been prompted by the fact the Software Freedom Law Center, an open source advocacy group, recently filed a series of lawsuits against alleged GPL violators."

The article isn't very clear on this point but it sounds like McAfee is almost admitting they violated the GPL and are about to end up in court.

Re:I don't get it (0, Redundant)

someone1234 (830754) | more than 6 years ago | (#21920830)

I hope they will get their taste of the GPL in court.

Re:I don't get it (1)

andy.ruddock (821066) | more than 6 years ago | (#21920834)

"Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software," McAfee said in the report filed last month with the Securities and Exchange Commission.
Certainly sounds like they're worried about their use of GPL code. They probably should have read the licence first.

Re:I don't get it (4, Insightful)

unlametheweak (1102159) | more than 6 years ago | (#21920854)

The article talks more about lawsuits regarding GPL license violations than it does about security issues.

Much security software is already open-source: encryption, firewall, virus scan, etc. The fact is that there is no inherent security problem with GPL software. McAfee just appears to have a problem with the licensing.

Yes it seems like they would like to have their open source cake and eat it too.

Re:I don't get it (5, Interesting)

Anonymous Coward | more than 6 years ago | (#21920910)

No, they are worried that if governments begin using "infected"[*] open source products, they [McAfee] might be forced to support those open source products. And they are afraid that their code will be contaminated by the GPL *license* (note: not code).

Let me put it another way..
1. You create a program for counting beans, it's written for Microsoft Windows
2. 40% of your important customers (government) switch to Linux
3. Because you want to keep your clients, you port your application to Linux.
In order to get access to the proper low-level interfaces (that you imagine you need for your bean counter), you start writing some kernel support functions.
4. You deliver your application to your government. You are happy, the government is happy.
5. One day, someone posts a "Company X are in violation of the GPL!" to Slashdot -- and all hell breaks loose. Your lawyers tell you that "Yes, we have to open source all our products, because they have all been contaminated by the GPL, because we touched the linux kernel source (which is GPL)!".
6. You shut down your business, and live on welfare for the rest of your life.

The only thing which has happened here is that McAfee has proclaimed that GPL is viral (it infects innocent suspects' code).

I suspect that McAfee has been offered a Great Deal by someone, in exchange for publicly stating that the GPL is viral.

And no, I don't believe they are using GPL code. That's not what this is about. They are afraid of their (important) customers demanding McAfee support GPL products.

Re:I don't get it (4, Interesting)

ricegf (1059658) | more than 6 years ago | (#21921116)

Your post doesn't make sense - or maybe I'm not following you? Anyone can write a Linux application and use any license they like (or stated another way, quite a few Linux applications are proprietary - the proprietary Flash plugin, for instance). McAfee wouldn't need to release their product under the GPL just to run it on Linux.

And if they want to write a kernel support function that compiles with Linux and is also part of their product, they can dual-license (GPL when it's compiled with Linux, proprietary when part of their product). As long as they hold copyright, they aren't limited at all.

What they seem to be saying is that they compile code written by someone else and released under only the GPL in their products. They can't change the license on code on which someone else holds copyright, so they are distributing that code in violation of the license (or, more precisely, in violation of copyright). Either they must "cure" the violation (e.g., by releasing their source code or replacing the GPL'd code), or acquire a commercial license from the copyright holder (if available).

I must be missing something between step 3 and 5 in your post.

Re:I don't get it (1)

tsa (15680) | more than 6 years ago | (#21921210)

If you mess with kernel support functions you have to use the GPL because the Linux kernel is GPL'd. That is what the GP's post is about.

Re:I don't get it (1)

ajs318 (655362) | more than 6 years ago | (#21921282)

And most software doesn't need to muck about at kernel level. Linux's legendary robustness (right up there, just behind the BSDs) might have something to do with this.

Re:I don't get it (1)

init100 (915886) | more than 6 years ago | (#21921338)

And most software doesn't need to muck about at kernel level.

On-demand virus scanners probably do however.

They just need to free the interface & module (1)

Nicolas MONNET (4727) | more than 6 years ago | (#21921682)

I can see one thing they'd want to add to the kernel for "on-demand" scanning, it would be an interface to get information about new files, or be able to snoop on file writes or something. Never mind that it probably already exists (/[id]notify/), they would just need to publish under the GPL the tiny part that is to reside in the kernel and its interfaces. Just like you can implement a proprietary filesystem through Fuse if you want, there would be no GPL requirement on the userland part of the software.

Re:I don't get it (1)

Angostura (703910) | more than 6 years ago | (#21921358)

Surely that's what the LGPL is used for. You wrap your kernel support functions into LGPL-licensed modules and then link your proprietary code from there. No?

Re:I don't get it (4, Informative)

Simon Brooke (45012) | more than 6 years ago | (#21921376)

If you mess with kernel support functions you have to use the GPL because the Linux kernel is GPL'd. That is what the GP's post is about.

Wrong

If you link against the Linux kernel (or part of it), then you have to use GPL. Very few programs do this. Even kernel modules do not have to do this, provided they use the correct API.

If you copy code from the Linux kernel, then you have to use the GPL. Incidentally, this applies even if you don't copy verbatim - if you copy the structure and then change variable and function names, you still have to use GPL.

But if you have a piece of code which you wrote in its entirety, and which is only linked against the Linux kernel when on Linux, then it only has to be GPL'd when actually linked to the Linux kernel. The version you ship on Windows or Mac OS X can be licensed any way you like.

Anyone who tells you different is just spreading FUD. Version Two [gnu.org] of the GPL is a very simple document and is easy to read. It means just what it says, there's nothing complex behind it. Version Three [gnu.org] is a little more prolix, but it still means just what it says. Go read it yourself; don't listen to people who are trying to mislead you.

Re:I don't get it (4, Informative)

Bert64 (520050) | more than 6 years ago | (#21921186)

GPL code does not "infect innocent suspects' code"...
If you choose to use GPL code in your product, then you must agree to the terms under which you are permitted to do so. These companies cross license code between each other all the time with a plethora of different licensing requirements. For example Microsoft will license a lot of code to you, such as wma/wmv codecs and drm, under the condition that you pay them for each copy you distribute as part of one of your products.
The only difference with the GPL is the requirements which you must abide by in order to distribute. Don't like the terms? Then write your own, or license code from somewhere else under different terms, or merely change the way you use the GPL code so that compliance no longer bothers you.

All this garbage about "releasing the source makes our products less secure" is ridiculous... Open source software has a very good track record when it comes to security, just look at OpenBSD for instance, and then you have apps like qmail for which the source has been available for years without huge numbers of holes. And Solaris hasn't suddenly seen a rash of new vulnerabilities since being open sourced.
If code is well written, it doesn't matter who can see the source code. If it's poorly written you can understand why someone wouldn't want to be embarrassed by its release, but if it's full of holes people will still reverse engineer the binaries to find them.

Re:I don't get it (1)

Alsee (515537) | more than 6 years ago | (#21921472)

5. One day, someone posts a "Company X are in violation of the GPL!" to Slashdot -- and all hell breaks loose. Your lawyers tell you that "Yes, we have to open source all our products, because they have all been contaminated by the GPL, because we touched the linux kernel source (which is GPL)!".
6. You shut down your business, and live on welfare for the rest of your life.


Well, let's see. If it is GPL software involved you have a choice. Either you release the source code and maybe you shut down your business / live on welfare or maybe you don't, or you don't release your source and you face the legal consequences for copyright infringement and maybe you shut down your business / live on welfare or maybe you don't. You pretty much get to pick and choose whichever option will best keep you from shutting down and going on welfare.

That situation with GPL software *is* rather different than had it not been GPL software involved. If it was Windows instead of Linux, or pretty much any other non-GPL software involved then you don't get to pick and choose. If you do that with any other software you just plain face the legal consequences for copyright infringement and maybe you shut down your business / live on welfare or maybe you don't. If it's not GPL software then you just plain lose the possibility of maybe releasing the source and maybe saving your company from obliteration in the courts being sued by Microsoft or whoever, and you lose that other option for maybe keeping yourself and all your employees off the welfare lines.

It's absolutely hysterical when people try and make up these scare stories about how GPL software is so dangerous. If you are going to potentially make an honest mistake in mishandling some code, you are massively better off if it's GPL code. If you're going to break the law and you're going to commit copyright infringement on someone's code, you are massively BETTER off if it's GPL code.

The article complains that the GPL hasn't been litigated in court (not true, it has been litigated in the court systems of at least one other country). The reason for the lack of such cases is because the companies were able to obtain a vastly preferable alternative exactly because it was GPL software.

-

ClamAV and ClamWin forever (1)

Marcion (876801) | more than 6 years ago | (#21921040)

Maybe a big customer moved to a free software anti-virus and they want their salesmen to have something to use while pitching against it.

Re:I don't get it (0, Offtopic)

Anonymous Coward | more than 6 years ago | (#21921134)

They have used GPL'd code in their products; IIRC some of their network sniffer appliances ran Linux, and yes they shipped with source, a copy of the license, etc.

Re:I don't get it (0)

Anonymous Coward | more than 6 years ago | (#21921222)

This is moderated as "(Score:5, Insightful)"??????????????????????

Is it insightful to not read the article before posting and ask a question specifically answered in the article?

Sheeesh!

well... (1, Insightful)

mAIsE (548) | more than 6 years ago | (#21920724)

If your business doesn't agree with the license DON'T use it.

You can't have your cake and sell it too !!

Re:well... (2, Funny)

snuf23 (182335) | more than 6 years ago | (#21921104)

Unless your favorite flavor of open source is BSD!

Go Apple! :)

As opposed to... (5, Funny)

Anonymous Coward | more than 6 years ago | (#21920726)

their EULA which has been rigorously tested time to time in International Court of Justice.

What's the problem? (5, Insightful)

zebslash (1107957) | more than 6 years ago | (#21920732)

Don't want to be bound to the terms of the GPL? Don't use GPL code!
Just another piece of FUD.

Lone programmer, against company policy (1)

AHumbleOpinion (546848) | more than 6 years ago | (#21921032)

Don't want to be bound to the terms of the GPL? Don't use GPL code! Just another piece of FUD.

You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own. Hell, it could be a relatively honest mistake like confusing a GPL'd lib for a LGPL'd lib. A GPL related lawsuit would be an appropriate item in the risks section of an SEC filing.

Re:Lone programmer, against company policy (4, Insightful)

Anonymous Coward | more than 6 years ago | (#21921120)

You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own.
Then when that's identified, they have to remove the code, if necessary pulling the product. Or comply with whatever license the copyright holder is prepared to grant them. This is EXACTLY the same position as if the lazy programmer had infringed on a previous employer's code, or on leaked Microsoft code or... any other copyright infringement at all.

Their best bet is to tighten up on their recruitment and code review processes. That would certainly beat complaining that it MAY turn out that some of their employees may be breaking various laws and that if they are then the victims may be gosh darned unreasonable about it.

Re:Lone programmer, against company policy (2, Insightful)

Simon Brooke (45012) | more than 6 years ago | (#21921414)

You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own. Hell, it could be a relatively honest mistake like confusing a GPL'd lib for a LGPL'd lib. A GPL related lawsuit would be an appropriate item in the risks section of an SEC filing.

If you don't have sufficient code review processes in place, and you don't know where your employees are copying code from, that's very much your problem. McAfee may be that unprofessional, but if they are they deserve everything that's coming to them.

Fine. (4, Insightful)

palegray.net (1195047) | more than 6 years ago | (#21920752)

If you're worried about "uncertainties" with respect to any software license, don't include code in your application that might cause those licensing terms to apply to it. End of story.

Too True. AND (1)

AndGodSed (968378) | more than 6 years ago | (#21921006)

Stop the FUD.

Taking aim like this at the GPL smacks of seeking to discredit it in the public/industry's eyes. Any licence agreement has inherent dangers.

Re:Fine. (1)

oglueck (235089) | more than 6 years ago | (#21921142)

Can be tricky, if you have a bunch of young programmers hacking on a closed source codebase and they don't care about these things. You need to educate your programmers about licencing issues and have a monitoring process of your codebase that can identify blatant violations of your licensing policy. Otherwise your codebase will end up depending on GPL libraries or include verbatim copies ("look, ma, what I found on the Internet") of GPL code. If you ever ship a release with such code, be prepared for the whole thing collapsing on you one day.

Re:Fine. (1)

ajs318 (655362) | more than 6 years ago | (#21921310)

And how is that any different from them copying an example program out of a copyrighted textbook with a notice inside the front cover to the effect that use of code examples in a commercial application requires permission from the author?

If you don't want to end up in court for copyright violation, don't violate copyright.

Re:Fine. (1)

oglueck (235089) | more than 6 years ago | (#21921382)

The difference is the ease of use. It's just so incredibly easy for stupid programmers to copy code off the Internet and introduce that into your proprietary codebase. I don't blame the GPL. I blame the bad education of the people.

I vote with my euros (0, Redundant)

wikinerd (809585) | more than 6 years ago | (#21920756)

I am not going to buy McAfee products.

Re:I vote with my euros (1)

El_Muerte_TDS (592157) | more than 6 years ago | (#21920886)

Because of this? There are much better reasons why not to buy McAfee products. Only recently they fucked up again by identifying commonly used JavaScript frameworks/libraries as being malware. Or missing various common malware, not to mention the resource hogs their products usually are.

Re:I vote with my euros (1)

wikinerd (809585) | more than 6 years ago | (#21921014)

Not solely because of this of course, there are so many reasons really, but with this one as an addon it just gets too far...

Re:I vote with my euros (1)

Bert64 (520050) | more than 6 years ago | (#21921200)

All antivirus products are a huge waste of resources...
The extra overhead of "security products" on a typical windows install just serves to increase the perceived performance benefits of Linux.

Re:I vote with my euros (3, Interesting)

Paradigm_Complex (968558) | more than 6 years ago | (#21921128)

While you may not have meant it, your comment pokes at another plausible reason for McAfee to dislike FOSS. After switching to Linux a ways back, I never even had a reason to buy McAfee products. Their business is dependent on vulnerable software for them to come in and protect; clearly any solid development model would be a threat to their wellbeing. It's not (just?) problems with FOSS software that bothers McAfee, it's FOSS's strengths, too.

Re:I vote with my euros (1)

wikinerd (809585) | more than 6 years ago | (#21921678)

Their business is dependent on vulnerable software for them to come in and protect

Yes, that's correct, and when GNU/Linux takes over the world and McAfee feels the need to diversify by building more products for it (be it antivirus or anything else), I am going to remember their FUD about GPL and make sure to keep them out of my shopping basket.

Re:I vote with my euros (0)

Anonymous Coward | more than 6 years ago | (#21921366)

funny how you say

I vote with my euros
and your Sig "Protect your privacy! [ronpaul2008.com] " is obviously talking about an American election that you would have no say in if you were European.

Also more on topic I don't use McAfee anymore I use linux!

Simple Solution: Avoid The Kooky And Viral GPL (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21920764)

Any company that is foolish enough to ship one of their products with some sort of GPL IP mixed in either at the source or library level deserves the mess they are creating for themselves.

Business IT and engineering people got ahead of the legal people with open source software in their companies over the past few years. That mistake is rapidly being corrected by most companies now with the hammer coming down hard on the viral GPL crap and a mandate that only truly free licensed open source software be used for products.

Re:Simple Solution: Avoid The Kooky And Viral GPL (3, Informative)

Urkki (668283) | more than 6 years ago | (#21920964)

Or, to put it more simply: If you want to use some copyrighted software, you need a license. If you can't get a license you want to accept, then you don't get a license, and can't use the software.

Very very simple.

Re:Simple Solution: Avoid The Kooky And Viral GPL (1)

Jackmn (895532) | more than 6 years ago | (#21921050)

Or, to put it more simply: If you want to use some copyrighted software, you need a license. If you can't get a license you want to accept, then you don't get a license, and can't use the software.
The GPL doesn't govern use. It governs distribution.

Re:Simple Solution: Avoid The Kooky And Viral GPL (1)

smaddox (928261) | more than 6 years ago | (#21921086)

That is the most accurate, yet useless statement I have ever read.

No copyright governs use. Copyright only governs distribution!

Guess what! GPL is copyright!

Re:Simple Solution: Avoid The Kooky And Viral GPL (1)

init100 (915886) | more than 6 years ago | (#21921354)

No copyright governs use. Copyright only governs distribution!

EULAs cover use however.

Re:Simple Solution: Avoid The Kooky And Viral GPL (1)

tubs (143128) | more than 6 years ago | (#21921370)

Could you not argue that by using a computer program you are copying it?

ie

When you install it, you copy it to your hard drive
when you "run" it you copy into memory, or it's copied to virtual memory
If you hibernate, the whole lot is copied to hard drive

etc

I think in US copyright "if in the normal course of operation" then there is an exception. The UK and probably most EU countries do not have that, so in theory you need a licence to run the software.

Re:Simple Solution: Avoid The Kooky And Viral GPL (1)

snuf23 (182335) | more than 6 years ago | (#21921144)

Oh you mean foolish like Apple?

What would be foolish is not understanding the terms of the license. Apple ships Mac OSX with GPL components. Linksys and Asus (both after a slight spanking) ship products with GPL components. Even Dell does. The key is understanding the GPL, adhering to it and having a product that is beneficial beyond the GPL code base (notice that all three examples sell hardware... although with Apple their software is not dependent on GPL but rather benefits from it).

Re:Simple Solution: Avoid The Kooky And Viral GPL (1)

howlingmadhowie (943150) | more than 6 years ago | (#21921170)

the gpl is about protecting user rights. if you want to screw the user over, that's your decision, just don't expect the gpl to help you.

Re:Simple Solution: Avoid The Kooky And Viral GPL (1)

Bert64 (520050) | more than 6 years ago | (#21921580)

The GPL is already far less restrictive than most commercial licenses...

Do you think Microsoft would sit idly by if someone took the windows source code that was leaked a couple of years back and created a derivative work? The leaked source could have proved beneficial to projects like Wine, Reactos and Samba etc, but they avoided it because it would be illegal. Given a reversed situation I doubt whether Microsoft would behave in such a responsible and ethical manner, but despite their behaviour they do have the same right to govern distribution of their code as anyone else.

just lazy companies. (5, Insightful)

bark (582535) | more than 6 years ago | (#21920770)

there is no free lunch. these manufacturers are seeing the "gold mine" open source software as a way to do less work. Well, you've got to comply with the terms of the license if you distribute it. no 2 ways about it.

Re:just lazy companies. (1)

huckamania (533052) | more than 6 years ago | (#21920994)

I have a question for all of the GPL license experts.

What if, instead of distributing GPL software with your app/hw, you had your installation software download the same GPL software onto the box from the internet. Would you be violating the GPL in any way?

Let's put a couple of caveats...
1. Your sw/hw can work without the GPL stuff, even if in a very limited manner.
2. You make the user press the button to download the GPL stuff.

Re:just lazy companies. (1)

Enleth (947766) | more than 6 years ago | (#21921064)

Looks like you are misunderstanding the GPL. You can distribute a piece of GPL software just fine on your device, CD or whatever, side by side with your proprietary software, being obliged to provide the source just for the GPL parts - as long as your software doesn't link to the GPL code, as that would be considered a "derivative work". If you, for example, put Linux on your device, together with some GPL programs and include your own one, but do the communication using some kind of IPC protocol or just simple pipes, you're fine. Nothing links together, you don't have to release your code.

Re:just lazy companies. (2, Informative)

snuf23 (182335) | more than 6 years ago | (#21921162)

Yep which is why Apple can distribute OSX with GPL software and even proprietary GUI hooks to configure it in their OS.

Re:just lazy companies. (4, Informative)

ajs318 (655362) | more than 6 years ago | (#21921098)

No.

When you link a GPL work against a non-GPL work, you create a derivative work. As long as you are authorised to possess both works, the derivative work you create is initially permitted by the Law of the Land, as Fair Dealing (Fair Use in some jurisdictions), and any apparent prohibition in the licence terms is unenforcible precisely because a promise not to do something the Law of the Land already says you can do is worthless.

However, the terms of both licences now apply to the derivative work as a whole. If the restrictive licence said "You must not distribute the Source Code to others", that would conflict with the GPL's requirement to distribute the Source Code. Therefore, the only way you can comply with both licences at once is not to distribute the software at all (aka "Liberty or Death").

The key point is, you don't need a licence to create that Derivative Work. You need one to distribute it. None of which would be an issue, by the way, if software vendors just distributed the frigging Source Code already.

SEC Risks (aka Just Slashdot Laziness ) (2, Insightful)

AHumbleOpinion (546848) | more than 6 years ago | (#21921016)

Do you guys have a clue as to what goes into the risks section of an SEC filing? Pretty much anything conceivable. That way if it happens it is harder to get sued by an ambulance chasing lawyer who found *one* unhappy shareholder and filed a class action suit. So if you are a publicly traded company you probably should have a risk enumerated that a programmer will violate policy and inappropriately incorporate GPL'd code.

Re:SEC Risks (aka Just Slashdot Laziness ) (1)

martin-boundary (547041) | more than 6 years ago | (#21921324)

Yeah, but do you have a clue as to what goes into the comments section of a slashdot story? Pretty much anything conceivable. That way, people can try out their favourite rants and arguments as long as it's roughly on topic :)

What they are *really* saying... (1)

winchester (265873) | more than 6 years ago | (#21920774)

"We have a McAfee product for Linux in the labs, but the company lawyers are worried that someone else runs away with our IP."

Re:What they are *really* saying... (1)

JonathanR (852748) | more than 6 years ago | (#21920822)

but the company lawyers are worried that someone else runs away with our IP
What parts of 'software released under the GNU GPL isn't their IP' and 'software taken from the GNU GPL codebase isn't their IP' don't they understand?

Since when do software licenses... (4, Interesting)

JonathanR (852748) | more than 6 years ago | (#21920780)

...require testing in court?

I would have thought that Copyright law was pretty unambiguous, and that any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.

This would apply to any distribution license.

No need to test anything in court, unless you wish to discuss the finer details of Copyright Law itself.

Re:Since when do software licenses... (5, Interesting)

sinthetek (678498) | more than 6 years ago | (#21920848)

Sounds to me like that is just an excuse; I think it is fairly likely they are just trying to stir up trouble for FOSS community with SEC. They have a lot at stake if you think about it. AV companies' prime source of revenue is MS and its adoption is declining while *nix-based systems' are increasing. They have little experience with *nix software probably and know most people won't see much need for a *nix AV solution and there are several to compete with already.

I could be wrong but seems like this and similar complaints about FOSS are from entities with self-serving interests rather than interests of society/world at large. A lot of it is just FUD hoping to encourage paranoia in businesses and slow FOSS adoption

Re:Since when do software licenses... (1)

ppanon (16583) | more than 6 years ago | (#21921042)

Nah, I would guess it more likely has to do with the various McAfee appliances (i.e. Messaging or Web Security [mcafee.com] ). They could be using GPL code (such as a modified kernel and TCP/IP stack, or portions of some other OSS package).

Re:Since when do software licenses... (1)

sinthetek (678498) | more than 6 years ago | (#21921204)

Well, originally I assumed they would be more discreet about such a big/obvious violation but I must have missed where the article mentioned McAfee had "told investors" this stuff, but it's still hard to believe it would be an 'unforeseen' liability due to code distribution terms since the most clear aspect of GPL is that to distribute modified programs/code you must redistribute the source. Even most misinterpretations dictate you have to distribute it in more cases than truly necessary.

In other words, if they violated GPL it was probably intentional. Either way they are taking the opportunity to blame their misdeed (or misfortune crappy business) on GPL/FOSS (at the very least to shift blame, possibly trying to kill multiple birds with one stone).

My 2 cents

Re:Since when do software licenses... (1)

ajs318 (655362) | more than 6 years ago | (#21921234)

So what? Forget the GPL for a moment. The key thing is: if they are using someone else's copyrighted software in a product that they sell, they require permission from the copyright holder.

The GPL provides conditional permission to use covered software in a product you sell. If you don't think the conditions are generous enough, then you have the right to fuck off.

Re:Since when do software licenses... (2, Insightful)

Yokaze (70883) | more than 6 years ago | (#21921030)

> [...] that any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.

No. The conditions are still subject to
a) common law
        Extreme example: you can't demand the firstborn for the use or distribution of the work.
b) interpretation by court
        The legal meaning is finally determined by judges.

Re:Since when do software licenses... (0)

Anonymous Coward | more than 6 years ago | (#21921044)

The GPL is not an ordinary software license by a long shot.

Rather it ensures that the end user gets rights - rights which are normally reserved by the publisher or other copyright holder, in this case McAfee. They are rather concerned about this since the stock GPL could well "contaminate" the rest of their codebase, requiring them to release some or all of the products for the GPL'd code in question. The GPL has occasionally been nicknamed the "General Public Virus" for this reason. This leaves them vulnerable, and lets just about anyone use the source code for whatever purposes they desire, 99% of which will not involve paying McAfee one cent.

While we can debate whether proprietary or free software is better or whether the bankrupting of McAfee and other proprietary software companies would benefit the computing world as a whole, the business side of McAfee, which would like to continue to exist, is (justifiably) worried about this as it does directly involve the core of their current business. The GPL, again being very unusual, ventures into an unexplored region of law, and as such there could well be parts interpreted especially favorably or unfavorably for any party in question, from enforcing a part with extreme prejudice to throwing out entire sections. With a few bad court rulings they could find themselves having to either release the code or be sued by the FSF and forced to do it, which could well cripple or destroy them.

Re:Since when do software licenses... (1)

DerekLyons (302214) | more than 6 years ago | (#21921150)

I would have thought that Copyright law was pretty unambiguous

Copyright law is well tested in court, and so is Licensing law, and so is Contract law. However, the various F/OSS licenses meld the three different kinds of law together in a new way, and this melding isn't yet tested in court.
 
 

any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.

A copyright holder can't impose conditions on the distribution of his work on a whim - either the work is copyrighted, or it is in the public domain. The only choice to be made on a whim is a binary one. Anything more detailed than that falls under the heading of licensing, which is a different matter entirely.

pretty much the exact intention? (0)

Anonymous Coward | more than 6 years ago | (#21920804)

Sure would be a shame to help the community you are trying to profit off of wouldn't it?

I don't understand why they would go whine to the SEC about it though.

Missing the point (2, Insightful)

nurhussein (864532) | more than 6 years ago | (#21920808)

"Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering"

Uh, that's the very idea of the GPL. It lets people who bought the product use it in any way they see fit, which includes "tampering" with it. It even allows you to redistribute it. The only thing it prevents is redistribution under a different license without permission. Didn't anyone give McAfee the memo?

Whaaaa! (1)

stox (131684) | more than 6 years ago | (#21920812)

We used GPL code, and it breaks our business model. I really feel bad for McAfee, not!

McAfee is just wrong (4, Informative)

inode_buddha (576844) | more than 6 years ago | (#21920816)

It has been tested in both USA and Euro courts, if you've been reading Groklaw at all in the last few years. And no, I don't mean SCO.

Wiggle wiggle (0, Troll)

davro (539320) | more than 6 years ago | (#21920818)

From what I read above it seems that the McAfeehole needs to get a grip.
Before you use the software you have to accept the license, one reason I do not use microsoft/apple pooducts.

McAfee fsck off, you lame microsoft fan boys/girls.

Does this mean (1)

rastoboy29 (807168) | more than 6 years ago | (#21920868)

...that they think they're about to get caught out abusing an Open license in one of their products?

boo hoo (2, Funny)

SeaFox (739806) | more than 6 years ago | (#21920870)

'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission.

Translation: "We fucked up and didn't do our homework."

They could've asked me (0)

Anonymous Coward | more than 6 years ago | (#21920912)

Funny they paid a bunch of lawyers to come up with this. If they paid me just half what they paid them I could explain the GNU GPLv3 very thoroughly to them.

Re:They could've asked me (0)

Anonymous Coward | more than 6 years ago | (#21921124)

They wanted to, but no one knows who you are.

Obviously they are worried (4, Interesting)

houghi (78078) | more than 6 years ago | (#21920920)

When all software out there is Open Source, leaks will be found and closed. That would mean no more viruses. That would mean no more McAfee.

What is the best defence they can come up with? FUD!

If anybody is dependent on closed source and the slow process of bringing out patches, it is these guys. In an ideal world they should not even exist.

Re:Obviously they are worried (1)

dvice_null (981029) | more than 6 years ago | (#21920938)

Yes. And even if Linux had a virus problem, there would be open source anti-virus application to defend people against viruses. That would also mean no more McAfee.

Re:Obviously they are worried (3, Insightful)

DrSkwid (118965) | more than 6 years ago | (#21921226)

> When all software out there is Open Source, leaks will be found and closed.

When all software is open source, there will be so much of it that the scope for virus infection is wider and products that monitor system calls and do intrusion detection will have more market.

McAfee's real problem is that Windows gets more and more locked down and fine grained capability permissions are being applied. The days of the blanket anti-virus product are numbered in the business world balanced against the rise of the dedicated software administrator.

Re:Obviously they are worried (1)

Cally (10873) | more than 6 years ago | (#21921270)

When all software out there is Open Source, leaks will be found and closed.

Right, because of course Free software never has security bugs [redhat.com] . Look, I'm a paid-up card-carrying member of the FSF, which makes me about as much of a swivel-eyed zealot as they come, but even we don't make silly claims like that.

There should be legislation passed into law.... (1)

3seas (184403) | more than 6 years ago | (#21920932)

.... to criminalize such fud, but there are laws against slander and libel. Perhaps the FSF and EFF should take action.

However the real issue here is not exposing this FUD to those who know better but to those who don't.
So sue to force such FUD spreading companies to undo the FUD they spread by the same means and extent they used to spread it.

Security by obscurity (2, Informative)

Per Abrahamsen (1397) | more than 6 years ago | (#21920962)

1) Don't use any license that requires you disclose your code if you rely on obscurity for your security.

and

2) Only use code owned by others and covered by a strong copyleft in a product, if you are willing to release all the code for that product under a strong copyleft.

It is really not that complicated.

Ambiguous? (1)

Per Abrahamsen (1397) | more than 6 years ago | (#21920988)

There is nothing "ambiguous" about the GPL, at least not in the context presented.

Both cases, "security by obscurity" and "keep part of the program proprietary" are simple no goes with regard to the GPL.

What "ambiguous" really means is that some companies hope they can get away with ignoring the GPL, either directly or by finding some legal loophole.

McAfee is correct that either strategy puts the company at risk. Just as it puts the company at risk to ignore or circumvent the license of any proprietary software they might use.

Re:Ambiguous? (1)

pilsner.urquell (734632) | more than 6 years ago | (#21921198)

What McAfee needs to do is tell someone who really cares. McAfee was one of the original anti virus companies whose software was free to the home user and cost only a modest fee for the corporate user. Also, their product was of a higher quality than most of the others on the market, was updated frequently and non intrusive but all that changed after incorporation in 1992 when they started to follow the Microsoft style of marketing.

This was the worst business year since 1994 for me (0)

Anonymous Coward | more than 6 years ago | (#21921106)

But that's only because I wouldn't risk lawsuits over ambiguous open source agreements or contracts because that is the surest way to end your career.

HEY MCAFEE! (3, Informative)

martin-boundary (547041) | more than 6 years ago | (#21921178)

How about you write your OWN DAMN CODE instead of complaining, or just STEAL Theo De Raadt's. He WON'T mind AT ALL, honest :)

BWAHAHAHAH (1)

EdIII (1114411) | more than 6 years ago | (#21921180)

"Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."

HUH? ROFL.

Maybe I'm not thinking this through completely, so forgive my youthful ignorance..... but since when did OPEN SOURCE software NEED copyright protection features?

Last time I checked, I did not enter a cd-key and have to activate say something like.... ohh..... any sourceforge project on a linux box.

I mean seriously... Am I missing something here? Please Tell Me? Confused Minds want to know :)

Re:BWAHAHAHAH (1)

gnasher719 (869701) | more than 6 years ago | (#21921360)

Maybe I'm not thinking this through completely, so forgive my youthful ignorance..... but since when did OPEN SOURCE software NEED copyright protection features?
It is the other way around. A DRM implementation might find it useful to have code that implements AES, as an example, and there are open source implementations, so it would be useful to incorporate some well-tested AES code that is licensed under GPL into a DRM implementation.

That is perfectly legal to do, but it requires that the DRM implementation would be licensed under GPL, which means that anyone, including evil DRM crackers, would have access to the source code. If you can find a way to implement DRM in such a way that having the source code doesn't help the cracker, fine. If your DRM relies on keeping the source code secret, then you can't include GPL code.

Re:BWAHAHAHAH (0)

Anonymous Coward | more than 6 years ago | (#21921552)

They're probably talking about DRM. If you implement DRM in a GPLed program, you have to release the source code of your DRM implementation.

They also complain that the GPL "might" allow users to tamper with this DRM. This is retarded, because there's no "might" about it - the GPL explicitly allows users to modify GPLed software.

That's why you use LGPL software, and spin your DRM off into a separate library with no open source code in it. The LGPL explicitly allows this.

You can tell this entire article is bullshit because McAfee keeps using vague qualifiers like "may" when the situation is crystal clear. The 'U' in "FUD" is for "uncertainty," after all.

MS FUD? (0)

Anonymous Coward | more than 6 years ago | (#21921218)

Nobody has yet suggested another possibility - that this is FUD that is being produced at the behest of Microsoft. McAfee presumably depends to an extent on MS being friendly, or at least not antagonistic, and would likely be easily persuaded to spread FUD when MS feel they need to increase their FUD output a bit.

GPL puts end-user freedom above all else (4, Interesting)

noidentity (188756) | more than 6 years ago | (#21921302)

Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering.

Translation: "Some manufacturers have voiced concerns that the requirement could leave important user-restriction features or copyright fair-use prevention features in their products open to rightful destruction."

They fail to grasp the most important aspect of GPL: every end-user is also the master of said software; it is not up to anyone else to decide what he can and can't do. Features which keep the end-user out are not part of (publicly distributed) GPL software, period.

Kernel hooks (1)

init100 (915886) | more than 6 years ago | (#21921462)

My guess is that this warning has arisen from the use of kernel hooks to provide on-demand scanning. I read somewhere that McAfee modifies the Windows kernel to intercept among others file access calls. They might want to do the same for Linux, which would subject the code that provides those hooks to the GPL. It may be the case that McAfee thinks that this code must be secret to ensure the security of their product, and that could be why they are so afraid of the GPL.

How about creating a generic interface for such applications that multiple vendors could use to intercept e.g. file access calls? Or does it already exist?

Re:Kernel hooks (2, Informative)

ettlz (639203) | more than 6 years ago | (#21921640)

It already exists, it's called Dazuko [dazuko.org] . It's licensed under the GPL for the Linux kernel, and BSD license for FreeBSD. But the Linux kernel license makes it quite clear that making system calls from user space (essentially all kernel extensions like this just provide extra syscalls and ioctls) does not constitute a derivative work so far as the GPL is concerned. Otherwise any piece of proprietary software running on Linux would be necessarily screwed.

Facepalm (0)

Anonymous Coward | more than 6 years ago | (#21921616)

Not This Shit Again [encycloped...matica.com]

cow_2001

Fuck McAfee (1)

moxley (895517) | more than 6 years ago | (#21921672)

Fuck McAfee. Their anti-virus and security products suck anyway; buying a prebuilt machine that comes with this crap on it is about as bad as the ones which come with Norton...I have never met anyone who has worked with windows machines a lot who doesn't dislike both of these products.

It's not so much that they aren't secure enough for various reasons, it's that they impose such an overhead on your machine, occasionally can be difficult to remove, install so much crap, and really impact the user experience in a negative way.

As far as home Anti-virus goes it is my opinion that there are several good options, Grisoft's AVG line primarily - I think Trend isn't bad - I have heard good things about Avast but have no personal experience.

As far as corporate I have experience using Norton's corporate edition which I think is much better than their home offerings, but nowhere near as good as Grisoft's stuff. I switched our company network to AVG network edition a couple of years ago and have been extremely impressed with the result - in addition to being much more reasonably priced I find it much easier to administer locally or via the network; it gives me the information, control, and reporting I need from the administration module and has the same low overhead and flawless performance as their other stuff.

I have to say that seeing corporations like this fret about possibly having taken advantage of the GPL and possibly getting nailed on it is heart warming.