Open Source and information security mailing list archives
Date:	Fri, 16 May 2008 23:00:12 +0100
From:	Jo Shields <directhex@...box.org>
To:	linux-kernel@...r.kernel.org
Subject: GPL Violation: Compro Technology Inc, 2.6.17 modified binary-only
	kernel distribution

Hi,

I've discovered a GPL violation by Taiwanese TV card manufacturer Compro
Technology.

On their site, they are offering a "driver" for Mandriva
Linux 2007.1, in the form of an 18 meg "linux.rpm"[1,2,3,4]. This
"driver" is, in fact, an entire kernel image (from snd-emu10k1.ko to
libata.ko, with everything in between), generated from Mandriva's kernel
source package, with local modifications to at least two files (major
file size gap between Compro and Mandriva kernels in tuner.ko and
cx88xx.ko).

Their "driver" is being offered in binary-only form, without any
accompanying license, and I have received no replies to a formal request
for source after 2 (Taiwanese) working days. Obviously, this violates
several GPL clauses, and infringes on the rights of every kernel
developer with code in 2.6.17.

It is also the opinion of a LinuxTV developer with whom I've been
discussing the matter that their modified drivers appear to contain
large un-redistributable portions of code from a chip vendor's
proprietary SDK, but we obviously can't adequately check this with
only .ko files to work with.

They appear to be offering a similar "driver" for Fedora Core 6, which
is non-functional, presumably due to a failed upload (cpio fails to
extract the rpm)[4,5].

I'm not 100% certain what my next step should be, so I decided this was
the best place to give a public airing. One suggestion I've had
is to file a DMCA takedown notice with their (US-based) ISP,
but I've no idea whether it's the right stage to do something like that,
nor do I have any claim to any code contained in the kernel. At any
rate, I wanted to make the kernel developers informed of this discovery.

I'm not on this mailing list, so a CC: would be appreciated.

--Jo Shields


[1] http://www.comprousa.com/downloadfiles/linux.rpm
[2] http://www.comprousa.com/en/download/sseries.html
[3] http://www.comprousa.com/en/download/tseries.html
[4] http://www.comprousa.com/en/download/xseries.html
[5] http://www.comprousa.com/downloadfiles/kernel-2618prep-3i386.rpm

