Technicolor GPL Source Code Request

bluewavenet · July 4, 2018, 12:05pm

Only a guess but would explain their slow response.

Zen96 · July 4, 2018, 12:15pm

I think that probably the developer (at least I hope he was a developer) who was tasked with the GPL compliance was either busy with other stuff or just thought he could get away with ignoring me (and @Ansuel and anyone else) and not do his job.
After all, not many people have the willpower, the time or the knowledge to properly escalate these kinds of issues and to keep insisting until a big company actually delivers.

eduperez · July 4, 2018, 1:02pm

I would bet such developer never existed at all...

dlakelan · July 4, 2018, 2:42pm

It doesn't actually matter that you make changes or not. If you distribute the kernel or any other gpl software you must provide the code you used to build that binary as well as all of the build environment you used so that others can build it. You don't need to provide code for any independent software you wrote which is merely bundled together... I'm always shocked how many people seem to never have read the GPL. It's right there in every GPL product, go take a look, it's very informative.

bluewavenet · July 4, 2018, 2:59pm

Indeed. This is my interpretation of the GPL and not what seems to be the theme of this thread.

Zen96 · July 4, 2018, 3:06pm

@dlakelan actually in the above mentioned modem/router there is no GPL text, and not in the web GUI either. The GPL is not mentioned anywhere. There's just a flyer that says (roughly translated from Italian) "This product may contain open source software, which is distributed according to the relevant open source licenses. The version number and name of such components may change in future software versions. For more details see [broken link to Technicolor's website] or another address that Technicolor may provide (how?). The open source code is available upon request (to whom?) if and where applicable."

I am not sure whether this qualifies as a GPL violation, as it seems way too vague, but honestly I don't care. I just want the sources.

simplexion · July 5, 2018, 7:58am

It is 100% a GPL violation. The second they sell a device to a user and don't have the source code of all GPL code made available to their customers, they are violating the licence.

MediaTek are the worst for this.

Also, bluewavenet is a dipshit who sells products using GPL'd software and doesn't distribute the source code. That is why he is behaving like this.

stangri · July 5, 2018, 12:55pm

What kind of experience with the router manufacturering process was this statement based upon?

lleachii · July 5, 2018, 2:35pm

This is inaccurate. Since there's no way for the end-user to recreate the actual binary firmware (i.e. since it was made on image builder), they would be required to provide the environment (minus proprietary blobs copied/pasted, but with patches included).

In my case, the software I need is an edit of an open source kernel driver, as well as other open source software that was altered to expose other WiFi Channels. Also, I am seeking changes to OLSR routing that make it incompatible with the OLSR packaged with OpenWrt (the other problem arises that the other project's developers call the daemon OSLR and oslrd, but the license seems to prohibit that without the accompanying license). In fact, I have yet to find the OSLR license in these projects (a requirement of the OSLR license).

Zen96 · July 5, 2018, 3:42pm

Going back on topic, on the OpenWrt.org website I found the following statement:

"The remerged OpenWrt project is legally represented by the Software in the Public Interest (SPI) - an US 501(c)(3) non-profit organization which is managing our OpenWrt trademark, handling our donations and helping us with legal problems."

Does this mean that SPI is responsible for license violation enforcement on behalf of at least some OpenWrt developers? Should I therefore contact SPI if Technicolor keeps "delaying" the code release?

dlakelan · July 5, 2018, 5:07pm

That would be my guess. Certainly if you contact them, they'll let you know if they feel they are the appropriate legal entity. I'd just do that now, it's been long enough.

Zen96 · July 5, 2018, 6:49pm

@dlakelan I most certainly will, if by next week Technicolor doesn't send the source code. This time, as I said, it seems that their own legal department has pressured the developers/whoever has to prepare the archives to act, or has been somehow notified of this, as they were cc'd in the last email.

Also, if anyone else wishes to request source code for any of Technicolor's devices, I suggest to do it now, so if they don't comply at least I will have more proof that my case is not an isolated one. Please clearly state the device model and the exact software build version, it should be something like xx.x.xxxx-xxxxxxx such as 17.3.0177-1681035 for newer, OpenWrt-based firmwares, and something like x.x.x.x such as 10.A.2.5 (x's can be letters too) for older firmwares based on Linux 2.6.
If the version displayed in your web UI does not match this pattern, then it has merely been renamed upon request by whoever commissioned that firmware (usually an ISP). If you have somehow gained access to a shell on your device, you can check the "actual" FW version by issuing the "software version" command on the telnet/ssh shell (on earlier models) or by looking at the contents of /etc/banner on OpenWrt-based newer models (by the way, they shamelessly replaced the big OpenWRT ascii art logo with their own).
If you cannot get the version number, try with the GUI-provided one anyway, but they have been known to refuse requests that didn't state "their" build number.

Please note that the ISP does not have the source code since all the actual development is done by Technicolor, that receives instructions on how to customize it and just provides the flashable binary to the ISP.

KAD · July 5, 2018, 8:58pm

Hi!

First post

I believe Technicolor's job of assembling the source code for their stuff is very large, for the simple reason that they not only have different versions and different hardware, but also different customers (ISPs) that have their own modifications.

There is a thread (in swedish) on the Sweclockers forum discussing how "backdoors" (my words) are set up (via dropbear) for personnel from the ISP and possibly for Technicolor. This setup is clearly ISP specific. Interesting stuff with GDPR in full swing.

The most interesting posts:

ISP specific settings
How to get a shell on the box. There are two more posts earlier in the thread on the same topic, from the same user -- I am only allowed to post two links here as a new user.

Sorry if I mention something that is already common knowledge. The thread I mention is about TG799vacXTREAM, which is on Zen96s list of devices with unreleased source code.

Zen96 · July 5, 2018, 10:32pm

@KAD First, I'm sorry, but I do not understand Swedish, but I think I got your reasoning anyway.
You are not completely wrong, however you must take into account that:

-An exploit that allows a user to get root access for several of these devices is known and has been published on the Internet

-At least in some Technicolor devices including the TG789vac v2, the TR-069 (remote control and update by ISPs) credentials and control server address can be easily found once you have a root shell. They are in a plain text file in the device's file system. The "remote control" functionality can be completely removed by deleting an executable file (cwmpd, IIRC) that starts the daemon/service that connects to the ISP, and deleting a few rows in a configuration file (that become useless anyway once cwmpd is deleted. I have done it myself even without the sources (I do not want to brag, and I am not the one who discovered this, but it is true).

-Some less security-concerned modem manufacturers even leave a SSH (or even freaking Telnet) shell open on the outside. Thousands of modems distributed by Wind (Italian ISP) were recently remotely bricked by an individual who discovered the password and wrote zeroes to the devices'flash memory and then rebooted them, leaving them in an unusable state. That is easy to disable too, just delete the user who can remotely access the device from the appropriate configuration file.

-As previously said, Technicolor shouldn't be having any difficulties in separating open source code from proprietary code, since they mantain detailed lists of which open source packages are used in each version of their software. These lists are published as PDFs on their website for anyone to see, so that is out of the question.

-Technicolor could have very well set up a build and version control system that is aware of the requirements of the GPL and allows them to quickly provide the required source code for any customized version of their software, even if they had hundreds of them.
In fact, the Software Freedom Law Center, that won several lawsuits for GPL violations, clearly highlights the importance of this point at https://www.softwarefreedom.org/resources/2008/compliance-guide.html

Some important quotes from that page:
"Knowing at all times what sources generated a given binary distribution is paramount"
and most importantly,
"Ensure that your developers are using revision control systems properly. Have them mark or tag the full source tree corresponding to builds distributed to customers. Finally, check that your developers store all parts of the software development in the revision control system, including readmes, build scripts, engineers’ notes, and documentation. Your developers will also benefit from a system that tracks the precise version of source that corresponds to any deployed binary."
This might require a little more effort on a company's part, but it's not rocket science. In fact, that page is from ten years ago.

-Technicolor is not a small software house. They sell millions of devices worldwide, and have at least hundreds of employees, so it's not like their only system administrator is on vacation and therefore my request cannot be satisfied until he's back

@Ansuel also said that they sent him some source code, but it was missing several crucial GPLv2'd kernel modules (I verified it myself), and they completely cut contact after he told them they had made a mistake. This is not, on its own, proof that their actions are made are in bad faith, but it surely doesn't make them look honest.

-Disorganization on their part is not an excuse. Imagine if the police sent you a fine to be paid in 30 days, or else they will impound your car. Let's say you do not pay in time and do not appeal it, on the 31st day the police tows your car away. You go to court and tell the judge that you didn't pay because you were busy and your house is a mess, even though you are very rich. The judge will laugh at you.

-Finally, taking two months to send the code would be unreasonable even if they were using Dropbox as their "version control system" and a guy on a bicycle as a means to deliver the code to me.

So, Technicolor could very well have complied quickly, and it is totally their fault for not doing so. What you said could justify a delay of two weeks, even a month if you're particularly generous.

dlang · July 6, 2018, 7:52am

@bluewavenet Technicolor indeed uses a modified version of OpenWrt. They declare that explicitly in the Open Source section in their website, where they list every open source/free software that is used in their modem/routers, where they also declare that such code is available for free upon request, so that is out of the question. Also, they must have modified it, as it currently doesn't run "unmodified" on their above mentioned device.

The use of proprietary code along with OpenWRT (or any GPL code) is permitted
only as long as such proprietary code is separate from OpenWRT code. For
example, a web interface that is not based on Luci could be proprietary and
used on top of OpenWrt (although, in this specific case, Technicolor's web GUI
is open source, according to themselves).

the GPL on the kernel does not affect anything running in userspace. If you have
proprietary code that uses standard system calls to interact with GPL code, you
don't need to release your code.

Linux kernel modules can be proprietary too (see for example xDSL driver's by
Broadcom), at least according to Linus Torvalds'interpretation of the GPL.

Actually, what Linus said is that if a chunk of code was written indepenently
from Linux (such as filesystems that existed before Linux existed, or video card
drivers that were written for windows) cannot be derived from the Linux kernel.

Zen96 · July 6, 2018, 10:09am

@dlang I was not, at least in this specific case, concerned with any userspace programs (although most of those used in Technicolor devices, such as Samba, are GPL'd anyway).
However, by "separate" I meant userspace programs, so I agree with you. Sorry if I was not clear enough, English is not my first language.

About the kernel module licensing, while Linus in fact said that, he also later said:

"Essentially, the kernel module interface is a "library" interface to the kernel, and kernel modules are considered to be under the GNU Library license. In fact, due to the way kernel modules work, you automatically do it according to the LGPL, so this isn't explicitly stated anywhere, but that's the way you should think about this.
Another way to look at this — using the legal rather than the moral viewpoint — is to just see module loading as "use" of the kernel, rather than as linking against it."

While I, too, think that's a questionable interpretation of the GPL, I am just a computer science student and I do not want to argue in any way that I know better than Linus.

Furthermore, if what you said was true, Broadcom, Ralink and others would have been in violation of the GPL for years, since their xDSL driver (that is a loadable kernel module) used in all modems that use their chipsets, is proprietary. Such driver was clearly written with Linux in mind and nobody seems to have questioned these companies about it.

However, even assuming that kernel modules code can be proprietary, that would still be irrelevant to my case, since Technicolor stated that the kernel modules I am looking for (for example, kmod-ripdrv) are under GPLv2

dlitz · July 10, 2018, 11:26am

It's not just their OpenWRT modems.

The Technicolor TC4350 is a basic DOCSIS 3 modem that my ISP (TekSavvy) sold me. It runs Linux 3.12.14, BusyBox, uClibc 0.9.33.2, U-Boot, net-snmp, OpenSSL 0.9.8ze, and a few other things, with various patches. It seems similar to the Netgear CM700, and it seems to use a similar toolchain to the Arris SB6150: it isn't OpenWRT, but rather something based on the Intel Puma6 toolchain some Texas Instruments SDK and some modifications by Arris (or Technicolor in the case of my modem).

The TC4350 came with no written notice; I only found out when I dumped the flash.

The filesystem image is dated Feb 2017, so their "valid for at least 3 years" obligations haven't expired, and I imagine they're also violating the OpenSSL's license.

Frustratingly, of the 3 modem manufacturers I've mentioned, Arris the only one whose source release actually builds. Even Netgear's "GPL source release" for the CM700 is particularly shoddy---several links just point to "GPL.rar", which doesn't contain any build scripts. (Didn't Netgear just settle a GPL enforcement action a few years ago? )

Could someone send me the contact info for Technicolor, ideally including that person in their legal department who's handling this? I'd like to put in a formal request and see what happens.

drbrains · July 10, 2018, 12:48pm

I understand you want them to honor the GPL license. But even if you manage. Then what? I assume the idea is to update/upgrade/modify their firmware to something you want/like. Will that in turn not violate their rights (or at least the warranty like discussed here: Get hardware warranty on device w/ LEDE f/w )

Zen96 · July 10, 2018, 1:09pm

@drbrains this will not violate "their rights". What rights, by the way? I can run any software on it, unless it's pirated or it's specifically meant to disrupt the telephone network (at least here, that would be a felony).

Of course, using a modified firmware voids the warranty, that is true, however the warranty period is about to end anyway, so I don't care.
Also, Technicolor can not be held liable if a device they made malfunctions, breaks down, catches fire or anything like that because it was using a custom-built firmware. I am aware of that, but that doesn't prevent me from using a custom firmware anyway.

Furthermore, I live in Italy and I am not aware of any laws that prevent me from writing whatever I want on the flash memory of any device I own.
This cannot be considered software piracy under any circumstances, as the modified firmware would only contain non-proprietary software.

BIGFAT · July 10, 2018, 1:12pm

Warranty is in most case out. Only a few manufacturer (not only modems) outthere really accept firmware modifications. Country of origin is important too. For a positiv example: OnePlus.

About their rights: If he doesnt use the proprietary code from those kernel modules, he will be fine. The rest is under gpl and can be freely used.