Peter Kleissner | 1 Jan 2010 13:15

Ikarus Security Software violating LGPL (Bochs, WINE and ReactOS)

Wonderful good day,

Ikarus Security Software (www.ikarus.at) is using open source in their
anti-virus scanning engine, without publishing the modified source. I
already informed the developers of bochs, WINE and ReactOS about the
violation.

Can you give me some tips what to do next? There is a trial Ikarus against
me on January 25 2010, because they accuse me of selling their source.

When I came to Ikarus, there was already the simulator, part of the scanning
engine, that simulates viruses until they are unpacked. My work at Ikarus
was to improve that simulator, making it faster and better. I am now aware
that the existing simulator was based on bochs, and 80% of the code there is
now stolen open source.

Can someone ask Ikarus for the modified source code? If, then please put me
in CC, then I can also show the court that they do not publish their
modified open source upon request (if they don't give you the source).

Any tips etc. would be helpful.

Kind regards,

Peter Kleissner

nobodyO | 1 Jan 2010 16:41

Re: Ikarus Security Software violating LGPL (Bochs, WINE and ReactOS)

Hi,

I used several friends and relatives, with a different last name in other cities:
I wrote different letters, with different fonts etc. and they sent them
with their signature from their city, for different date stamps.
For a receipt and a faster reply fax is an alternative.

Best regards,

Rolf

> -----Original Message-----
> From: "Peter Kleissner" <Peter <at> Kleissner.at>
> Sent: 01.01.10 13:45:58
> To: <legal <at> lists.gpl-violations.org>
> CC: christianembacher <at> gmx.at
> Subject: Ikarus Security Software violating LGPL (Bochs, WINE and ReactOS)

> Wonderful good day,
> 
> Ikarus Security Software (www.ikarus.at) is using open source in their
> anti-virus scanning engine, without publishing the modified source. I
> already informed the developers of bochs, WINE and ReactOS about the
> violation.
> 
> Can you give me some tips what to do next? There is a trial Ikarus against
> me on January 25 2010, because they accuse me of selling their source.
> 
> When I came to Ikarus, there was already the simulator, part of the scanning
> engine, that simulates viruses until they are unpacked. My work at Ikarus

Neil Brown | 1 Jan 2010 18:30

Re: Ikarus Security Software violating LGPL (Bochs, WINE and ReactOS)


Peter

**This is not legal advice**

This looks to be an even more complex situation than usual, to my mind-

a.) You appear to have had a past (employment/contracting) relationship
with Ikarus;
b.) You are engaged in litigation with Ikarus; and
c.) There is an alleged infringement of open source licences.

However, each of these could impact the situation differently, and, for
this reason, I would strongly advise that you seek independent legal
advice in advance of your court appearance.

It is rather unclear to me quite what you are looking to achieve here,
too - are you looking to report, and have rectified, a GPL violation, or
are you looking for support in defence of Ikarus' claim against you, and
looking to use evidence of a GPL violation as part of your defence?

Some further thoughts inline below.

----

Peter Kleissner wrote:

>  There is a trial Ikarus against
> me on January 25 2010, because they accuse me of selling their source.


Peter Kleissner | 1 Jan 2010 19:42

AW: Ikarus Security Software violating LGPL (Bochs, WINE and ReactOS)

Hi,

To explain the story: No I have not sold any line of their code, they just accuse me because of a joke (an easter
egg) I've made. I want to report here the LGPL violation, and look for support. The fact that the Ikarus
scanner is mostly open source will be part of my defense (why would I sell open source), but at the same time I
want to force Ikarus to publish their modified stolen open source, committing back the changes and fixes
to Bochs x86 PC emulator etc.
	
Ikarus steals open source (bochs), makes money out of the work of others and licensing their engine to other
companies, thus taking advantage of open source software developers. My own software is published under
the EUPL, I think that "Human knowledge belongs to the world".

> There is no claim of "selling their source" as such - is the claim one
> of copyright infringement? Or is it some form of contractual dispute? To

They say "giving further business secrets to the advantage of foreign countries", and say because of a
program I have published (also as open source) they had to develop a new anti-virus scanner version (they
are loco) and want "at least" (their words) 23.000 € - and that is going to be discussed on January 25 in
front of court.

> unfortunately - demonstrating that Ikarus is infringing copyright, if
> indeed it is, is unlikely to be a defence to a claim of copyright
> infringement against you.

Depends. If you steal open source and accuse then an ex-employee to sell the source then you should be aware
that those claims do not fall back on you. I will surely not go to jail because someone accuses me of selling
open source.

I think you guys here have a good experience in gpl violations, this is why I turned here. Looking at other GPL
violations (especially ones in Germany) helps, but I agree that I need a lawyer (for my court trial I'll get

Neil Brown | 1 Jan 2010 20:04

Re: AW: Ikarus Security Software violating LGPL (Bochs, WINE and ReactOS)


Peter Kleissner wrote:

> To explain the story: No I have not sold any line of their code, they just accuse me because of a joke (an
> easter egg) I've made.

It sounds as if this part of the business is entirely without the scope
of this list- but, if you have not sold any of its code, then, joke or no
joke, would Ikarus not have a difficult time proving copyright
infringement, if they cannot actually point to any of their code in your
product?

> I want to report here the LGPL violation, and look for support.

Great.

> They say "giving further business secrets to the advantage of foreign countries", and say because of a
> program I have published (also as open source) they had to develop a new anti-virus scanner version (they
> are loco) and want "at least" (their words) 23.000 € - and that is going to be discussed on January 25 in
> front of court.

Obviously something to discuss with your lawyer, but, proving a claim
such as this, irrespective of proving the quantum of damage, could be
difficult if, as you say, it has not actually occurred.

> Depends. If you steal open source and accuse then an ex-employee to sell the source then you should be aware
> that those claims do not fall back on you.

Following up on a violation report is one thing - but using a claimant's
infringement as a defence to a claim against you is not always possible

Arnoud Engelfriet | 2 Jan 2010 23:44

Re: Ikarus Security Software violating LGPL (Bochs, WINE and ReactOS)

Neil Brown wrote:
> license..." and "You must license..." - clause 2, LGPL 2.1, for example,
> requires that a distributor of a modified work "must cause ... the
> work... to be licensed" - it's not clear to me that there is an inherent
> licence grant if the distributor decides to breach the licence terms.
> 
> This really is something which you should discuss, in respect of your
> particular situation, with a lawyer qualified in your jurisdiction, to
> find out if your defence, if my (many) assumptions above are correct, is
> one based on you having a valid licence, or else )

Agree completely. Without all the facts it is very hard to make any
kind of legal argument.

As to your last argument, GPLv2 and LGPLv2.1 both have statements to the
effect that "Each time you redistribute the Library (or any work based on
the Library), the recipient automatically receives a license from the
original licensor". Arguably this applies even when a redistribution is
unauthorized, so that the OP could invoke the LGPL's rights granted to
him in a defence against the company's accusations.

However, I am not sure copyright is at all an issue. I saw a reference to
Easter Eggs, which sounds more like a bad workmanship/defamation kind
of claim. Some companies consider Easter Eggs to be unprofessional.
Or perhaps there was exposure of proprietary data (even if the software
is open source, input data sets could be confidential or proprietary).

Arnoud


Neil Brown | 3 Jan 2010 10:31

Re: Ikarus Security Software violating LGPL (Bochs, WINE and ReactOS)


Happy new year, Arnoud!

Arnoud Engelfriet wrote:

> As to your last argument, GPLv2 and LGPLv2.1 both have statements to the
> effect that "Each time you redistribute the Library (or any work based on
> the Library), the recipient automatically receives a license from the
> original licensor". Arguably this applies even when a redistribution is
> unauthorized, so that the OP could invoke the LGPL's rights granted to
> him in a defence against the company's accusations.

An excellent point.

> However, I am not sure copyright is at all an issue. 

On the basis of the information which Peter circulated after my
response, I agree that there is more to it than "just" a claim of
copyright infringement.

--

Neil

Chris McCracken | 5 Jan 2010 16:34

Linux kernel on HTC Hero Android phone (CDMA/US-Spec)

HTC is distributing the Linux kernel as part of the Android operating system on its Hero mobile phone.  While the Android OS is licensed under the Apache Public License and does not have significant distribution restrictions, the Linux kernel itself is licensed under the GPL.  HTC has made modifications to the Linux kernel source code specific to its hardware, and has compiled the modifications directly into the kernel (not using loadable modules), thus requiring release of that source code.

There are two separate versions of the Hero phone, with slightly different hardware for two different mobile phone radio technologies- GSM and CDMA.  The GSM Hero was the first one released, and is used in several areas around the world (not including the US).  In the USA, the Hero currently being distributed is the CDMA version, sold by Sprint.  Due to the different radio hardware in the phones, they have different kernels.  HTC has made the GSM kernel available on its developer.htc.com website, but for several months (since the CDMA Hero's release Oct 11th) has been unwilling to release the source code for its CDMA kernel.  I'm not certain if they are intentionally withholding the information, or if they actually do not realize that it is different source code that must also be released.

Here is a copy of the recent detailed request I sent to HTC (support ref # 591050), I will update with the reply I receive:


Request for Linux source code specific to CDMA Hero per GNU Public License terms

Per the HTC Hero Legal Agreement, and the GNU Public License, I am requesting the complete source code that was used to build the Linux kernel on the CDMA Hero being distributed in the USA by Sprint.  This includes all the source code (.c files) plus header files (.h files) plus the scripts used to control compilation and installation of [only] the Linux kernel. These must be the files specific to the distributed kernel version, as follows:

Linux version 2.6.27-533ce29d (htc-kernel <at> and18-2) (gcc version 4.3.2 (Sourcery G++ Lite 2008q3-72) ) #742 PREEMPT Fri Aug 28 21:59:31 CST 2009

I am aware of the file available at developer.htc.com (kernel_hero_0078c992.tar.bz2, 49.6MB), that was released on 2009/10/22.  However, this source code is specific to the GSM model of the Hero, which is not sold in the USA.  The source code used to produce the US-spec CDMA Hero's kernel is different than what is contained within this file.  There are several key source code files that are missing from this archive file, including but not limited to:

arch/arm/mach-msm/board-heroc.c
arch/arm/mach-msm/board-heroc-keypad.c
arch/arm/mach-msm/board-heroc-panel.c
arch/arm/mach-msm/board-heroc-mmc.c
arch/arm/mach-msm/board-heroc-camsensor.c
arch/arm/mach-msm/board-heroc-rfkill.c

I would like to receive those files, plus any others that are necessary to build the kernel as distributed on the US-spec CDMA Hero. The terms of the GNU Public License mandate that anyone distributing the specific software (Linux kernel) MUST make available all files used to build that software, including any modifications that they made to that software.  HTC is required by US and International copyright law to do so.

Please ensure that this request is handled by someone familiar with the development of the kernel for the US-spec CDMA Hero. If this request is not met, then HTC is required by law to cease and desist distribution of said software (Linux kernel), which would require ceasing distribution of the US-spec CDMA Hero phone as currently configured.

Thank you sincerely for your time in handling this matter in a competent and detailed manner. I will expect to hear back promptly.


Neil Brown | 5 Jan 2010 17:56

Re: Linux kernel on HTC Hero Android phone (CDMA/US-Spec)

(Originally replied just to Chris, by accident, so copied back onto list)

Quoting Chris McCracken <chrismc <at> ozarkmountain.net>:

> HTC is required by US and International copyright law to do so.

This is, perhaps, a little misleading, at least to my understanding-  
HTC is required by the terms of GNU GPL to do so (as you point out  
above), not by any copyright law. If HTC does not comply with the  
terms of the licence, then, HTC may infringe copyright, but there is  
no requirement of copyright law as such to make the source code  
available.

> If this request is not
> met, then HTC is required by law to cease and desist distribution of said
> software (Linux kernel), which would require ceasing distribution of the
> US-spec CDMA Hero phone as currently configured.

Similar to the above - this may be an aspect of US law with which I am  
not familiar, but, in the UK, there is no legal requirement to cease  
distributing something, even if it is infringing copyright, without a  
court order requiring this - it's just that the distribution would  
amount to an infringement of copyright.

In any case, were the request not met, cessation of distribution would  
be insufficient, to my mind, since this only prevents future  
infringement - it does nothing to remedy past infringement.

Just my thoughts, as always!

--


Neil

neil <at> neilzone.co.uk | http://neilzone.co.uk

Chris McCracken | 5 Jan 2010 18:16

Re: Linux kernel on HTC Hero Android phone (CDMA/US-Spec)

I would agree that it's not terribly clear on the legal ramifications. The inference I'm making is that the law says that you have to honor the copyright wishes and licenses of the copyright holder.  Since I'm sending it to tech support, and not the legal department (nor would I send to legal, since IANAL), I didn't want to get too particular about the legalities.  I intentionally avoided writing anything threatening, and instead kept the tone just "informational" enough to get their attention. I'm hoping to resolve the issue with a specific request from techie-to-techie and no legal intervention, but wanted things to be well documented in case it comes to that.

Thanks for your insight, and I'll post up if I hear (or don't hear) anything from them.

-Chris

On Tue, Jan 5, 2010 at 10:56, Neil Brown <neil <at> neilzone.co.uk> wrote:
> (Originally replied just to Chris, by accident, so copied back onto list)
>
> Quoting Chris McCracken <chrismc <at> ozarkmountain.net>:
>
> > HTC is required by US and International copyright law to do so.
>
> This is, perhaps, a little misleading, at least to my understanding- HTC is required by the terms of GNU GPL to do so (as you point out above), not by any copyright law. If HTC does not comply with the terms of the licence, then, HTC may infringe copyright, but there is no requirement of copyright law as such to make the source code available.
>
> > If this request is not
> > met, then HTC is required by law to cease and desist distribution of said
> > software (Linux kernel), which would require ceasing distribution of the
> > US-spec CDMA Hero phone as currently configured.
>
> Similar to the above - this may be an aspect of US law with which I am not familiar, but, in the UK, there is no legal requirement to cease distributing something, even if it is infringing copyright, without a court order requiring this - it's just that the distribution would amount to an infringement of copyright.
>
> In any case, were the request not met, cessation of distribution would be insufficient, to my mind, since this only prevents future infringement - it does nothing to remedy past infringement.
>
> Just my thoughts, as always!
>
> --
>
> Neil
>
> neil <at> neilzone.co.uk | http://neilzone.co.uk



