Track B: Open Source Compliance in Embedded Systems / Eli Greenbaum
May 1, 2013 1
Open Source Compliance in Embedded Systems
Eli Greenbaum
Yigal Arnon & [email protected]
May 1, 2013
Embedded Devices
• Network devices (Router, DSL Modem)
• Mobile Phones
• Televisions
• STBs, Digital Media Players
• Automobiles
• Aircraft
The BusyBox Cases
2007: Erik Andersen and Rob Landley vs. Monsoon Media, Inc.
(Hava products, time and place shifting)
BusyBox
• “Swiss Army Knife” of embedded Linux
• Lightweight set of standard utilities
• Optimized for smaller computing platforms
• Licensed under GPLv2
General Public License (GPL)
• Most popular open source license
• Depends on copyright
• Licensee can use, modify and distribute so long as:
  - source code is also provided
  - the GPL always applies
• Philosophy is to preserve the freedom of the user to modify the software and run modified versions.
General Public License (GPL)
• Licensee must provide source code upon any distribution, including
  - distribution of a physical device with software embedded in flash
  - download of firmware update
  - even if software was not modified
• Derivative works
Monsoon Media Claims
• Brought by BusyBox developers
• BusyBox is licensed under version 2 of the GPL
• BusyBox was included in firmware of Monsoon Media’s device
• Device was distributed without the BusyBox source code or a written offer to receive source code.
• Copyright holders seek damages, litigation costs, injunction against further use of the BusyBox software
2007:
• High Gain Antennas, LLC (wireless router)
• Xterasys Corp (networking products)
• Verizon Communications (Actiontec Wireless Routers)
2008:
• Bell Microproducts (Network attached storage device)
• Super Micro Computer (IPMI card)
2009:
• Best Buy (Blu-ray DVD player)
• Samsung (HDTV)
• Westinghouse (HDTV)
• JVC (HDTV and network camera)
• Western Digital (Media player)
• Robert Bosch (Security system DVR)
• Phoebe Micro (Wireless routers)
• Humax (HDTV DVR)
• Comtrend (ADSL modems)
• Dobbs-Stanford (Digital media player)
• Versa Technology (Outdoor WAP)
• Zyxel (ADSL router)
• Astak (Security camera system)
• GCI (Digital music controller)
#1: Supply Chain
• SoC manufacturer
• ODM building circuit board
• SDK for SoC/board
• Application programs
• OEM selling product to end users
• Distributors/Retailers
#2: Build Scripts
• Source code includes:
  - “scripts used to control compilation and installation of the executable” (GPLv2); or
  - “all the source code needed to generate, install, and … run the object code and to modify the work, including scripts to control those activities” (GPLv3)
#3: Installation Information
• Express requirement in GPLv3
• DRM to prevent users from running modified versions of the software
• Cryptographic checks of the bootloader or kernel
Technical Compliance
• USE open source software
• License compliance is a management and engineering problem
• License compliance is relatively easy if done during development
• Have a compliance policy!
Legal Compliance
• Warranties
• Indemnification
  - Verizon was indemnified by Actiontec.
  - Actiontec assumed obligations of the settlement
• Due Diligence for both suppliers and OEMs