If You [Can't] Build It, They Will [Still] Come

08/05/2010

Slashdot ran a Your Rights Online post a couple months ago posing the question “Do Build Environments Give Companies an End Run Around the GPL?

The upshot: are companies1 basing their device firmwares on Linux breaking the GPL by posting only their source code, but omitting details2 regarding the environment required to to build that firmware, much less flash a device with these customized firmware.

It’s certainly an interesting question.

Ask any developer and they probably wouldn’t consider the build environment as at all related to GPL-compliance requirements. That’s likely because the vast majority of open source software builds on any standard GNU/Linux machine3; the context of “GPL-compliance” is version 2 of the GPL, released in 1991, when Linux-using embedded devices wasn’t on anyone’s radar.

But as embedded and mobile consumer electronics companies have leveraged the wealth of open source software to bring products to market quickly, this has become a very real issue, and the keepers of the GPL, the Free Software Foundation, have realized that could be a problem.

One of the main issues is “tivoization“, named after the obvious reference after they disallowed the execution of firmware containing modifications on their hardware. Such behavior is specifically restricted in version 3 of the GPL.

In the latest version of the GPL, this behavior was specifically called out as a allowable use of the end user and/or developer.

This problem doesn’t just affect embedded devices.

A common starting point for an open source hacker poking at these types of products it to try to reproduce what a company ships to its users4. But these days, that may not even be possible in software.

Mozilla Corporation, for example, now builds some of its builds with profile guided optimizations. This requires building Firefox, running it in an instrumented fashion, and using that data to guide the optimization of hot spots.

To provide a good, real world set of runtime data, Mozilla tests with a static page set of about 200 websites on the web. But it can’t release this archived content—now used in the build process—due to copyright restrictions.

So, even though open source developers are building Firefox on Win32, it won’t match what Mozilla Corporation actually ships to millions of users5.

To be sure, the issue of build systems, specifically, involves a very narrow interpretation of the GPL. Even in the cases the GPLv3 specifically addresses, there isn’t broad agreement among open source developers that such use should be disallowed7.

It may be annoying to open source hackers to be unable to fully experiment with custom firmwares their shiny new embedded, consumer product whiz-bang device.

It may take more time to reverse engineer how to flash these devices8 to get firmwares on them.

This sort of “freedom” may require a tradeoff in terms of enjoyment or functionality of these devices as manufacturers move more functionality into service offerings in the cloud, they can refuse access by these custom firmwares10.

But up to now, users have voted with their dollars and download clicks: they don’t care.

Most open source developers apparently don’t either.

_______________
1 who have the resources, but not the resolve
2 Either images or documentation
3 The venerable ./configure && make && make install triad
4 The so-called identity proof
5 To be fair, I cite Firefox as an example of this problem because it’s one I’m familiar with; Mozilla requires probably one of the most complex open source build environments around, and they’ve done a good job of, especially, documenting their build environments to the extent possible6 and making it easier to build on Win32.
6 Something I have no qualms asserting a large chunk of responsibility for having made happen
7 Linus Torvalds, for one, has stated that he doesn’t consider such restrictions on the use of the hardware to be a problem
8 And make no mistake, there are open source hackers out there, that totally get off on that sort of stuff, so they will find a way to do it9
9 Even if it nets them a few bricked devices
10 As Sony has done with its “Other Operating System” feature, and now routinely does with the Playstation Network and PS3 updates