lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 29 Aug 2018 21:26:35 +0100
From:   Ben Hutchings <ben@...adent.org.uk>
To:     Felix Manlunas <felix.manlunas@...ium.com>,
        Florian Weimer <fweimer@...hat.com>
Cc:     linux-firmware@...nel.org,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        Derek Chickles <derek.chickles@...iumnetworks.com>,
        Satanand Burla <satananda.burla@...iumnetworks.com>,
        Felix Manlunas <felix.manlunas@...iumnetworks.com>,
        Raghu Vatsavayi <raghu.vatsavayi@...iumnetworks.com>,
        Manish Awasthi <manish.awasthi@...ium.com>,
        Manojkumar.Panicker@...ium.com
Subject: Re: GPL compliance issue with liquidio/lio_23xx_vsw.bin firmware

On Mon, 2018-08-27 at 17:04 -0700, Felix Manlunas wrote:
> On Mon, Aug 27, 2018 at 05:01:10PM +0200, Florian Weimer wrote:
> > liquidio/lio_23xx_vsw.bin contains a compiled MIPS Linux kernel:
> > 
> > $ tail --bytes=+1313 liquidio/lio_23xx_vsw.bin > elf
> > $ readelf -aW elf
> > […]
> >   [ 6] __ksymtab         PROGBITS        ffffffff80e495f8 64a5f8 00d130
> > 00   A  0   0  8
> >   [ 7] __ksymtab_gpl     PROGBITS        ffffffff80e56728 657728 008400
> > 00   A  0   0  8
> >   [ 8] __ksymtab_strings PROGBITS        ffffffff80e5eb28 65fb28 018868
> > 00   A  0   0  1
> > […]
> > Symbol table '.symtab' contains 1349 entries:
> >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS
> > arch/mips/kernel/head.o
> >      2: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS init/main.c
> >      3: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS
> > include/linux/types.h
> > […]
> > 
> > Yet there is no corresponding source provided, and LICENCE.cavium lacks
> > the required notices.
> > 
> > Thanks,
> > Florian
> 
> Cavium apologizes for the oversight.  Cavium has been advertising the
> appropriate license terms including the existence of GPL in the firmware
> in our outbox releases. We will update the license terms in LICENCE.cavium
> in our upstream contribution in collaboration with our legal team.

Everything added to linux-firmware.git needs to be safe for Linux
distributions to redistribute.  (There are some ancient firmware images
with unclear licensing, but we don't want to add any more.)

My understanding is that GPL v2 requires that commercial distributors
either provide the complete and corresponding source alongside the
binaries, or include a written offer to provide it later.  They
*cannot* simply point to your offer to do this (only non-commercial
distributors can do that).  So the source needs to be published too.

Adding the complete Linux kernel source code to linux-firmware.git
doesn't seem like a sensible step, so maybe this particular firmware
needs to live elsewhere.

Ben.

-- 
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ