For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device’s source code, which Linux’s GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party.
This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it’s regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec’s magic security sauce.
What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system.
For Symantec’s purposes, QSDK and OpenWrt are an excellent choice. Instead of read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features.
But — and it’s a big but — if it’s indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router’s code with the world. As Garrett tweeted: “Hi @NortonOnline the Norton Core is clearly running Linux and the license requires you to distribute the kernel source code so where can I get it?”
Making matters even more perplexing, according to the Norton Core license, “The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering.” So, right there in black-and-white is a fundamental GPLv2 conflict.
So, what does Symantec have to say for itself? A Symantec representative responded, “Symantec is fully committed to complying with its license obligations in connection with use of open source components in its products. We take these claims seriously and are looking into the matter.”
This wouldn’t be the first or last time someone added an open-source program to other programs or a product without realizing what they were legally obligating themselves to do. That’s why GitHub and FOSSA are both offering programs to help find and fix open-source license concerns before they become problems. It’s also why GPLv2 violations, even when done by a Linux insider, are taken seriously. And, it’s why Linux-using companies, even Microsoft, are working on how to handle GPLv2 problems when they appear.
It’s to be hoped that Symantec will quickly do the right thing here and release the code rather than let it fester.