Stuxnet/Flame/Duqu Uses GPL Code 221
David Gerard writes "It seems the authors of Stuxnet/Duqu/Flame used the LZO library, which is straight-up GPL. And so, someone has asked the U.S. government to release the code under the GPL. (Other code uses various permissive licenses. As works of the U.S. federal government, the rest is of course public domain.) Perhaps the author could enlist the SFLC to send a copyright notice to the U.S. government..."
Re:is the CIA selling these viruses? (Score:5, Informative)
No, selling or not selling is irrelevant. "Distributing" is the key.
LZO Licensing (Score:5, Informative)
From http://www.oberhumer.com/opensource/lzo/lzodoc.php:
"Special licenses for commercial and other applications which are not willing to accept the GNU General Public License are available by contacting the author."
RTFA. (Score:4, Informative)
So our questions is: Please, Dear Authors of Duqu (whoever they are), hand over the source code of Duqu (or Beacon/NYT), as it contains GPL code.
Disclaimer: This post is for fun, don’t take it too seriously, but the questions are still valid.
OT - GPL violation doesn't necessarily open code (Score:5, Informative)
Just as an aside, whenever some commercial entity finds itself in violation of the GPL, people start talking like they expect the code to magically be revealed and gifted to the community. This perpetuates the lie that the GPL is viral and can "infect" closed-source code. The reality is far different. If a company is found to be in violation of the GPL, they find themselves in a copyright violation situation. This means that they must a) stop further distribution and b) potentially be held liable for monetary damages resulting from the distribution. They absolutely don't have to release their code. However if they want to continue to distribute and sell their product they will have to do one of three things: 1) remove infringing code, 2) license the infringing code under acceptable terms, possibly by paying a licensing fee to the copyright holder, or 3) release their derivative code under the GPL.
Re:Ask away (Score:4, Informative)
This.
I mean, I'm seeing a leap of logic where we look for a piece of GPL code to throw a legality at the US government, but of course, neglect the little detail that no one knows who wrote it, and that the US government certainly hasn't admitted it.
This just sounds like a strange mixture of anti-government outrage mixed with GPL advocacy which is nothing more than an attention whoring exercise in wankery.
Actually, the GPL isn't very cancerous. (Score:1, Informative)
As an author of GPLed code, I've read the GPL license. It isn't possible for a random person, including the author of the GPLed works being distributed, to request source code. The only GPL provision for that is if the author distributes binaries of modified GPL code, at which point the author would need to distribute source code as well. Here's the sticky point, whoever requested source code wasn't the recipient of the binaries; therefore, they are not entitled to any source code. The authors of the GPLed source code are not entitled to it either, for the same reason. In fact, the only one who could demand (in theory at least) the source code would be the persons receiving the binaries containing the modified GPL code.
Then there's the point that bundling GPL software with your product doesn't necessarily mean that you're extending that product and therefore bound by the GPL. Not every piece of software compiled on/for Linux is bound by the GPL -- even if that software is distributed as part of a Linux distribution (i.e., bundled as part of a bigger package). Software that has an API and offers services to other software -- compression libraries, SQL, etc -- are expected to offer services to other software. Granted, some developers have taken the stance that if proprietary software works with only a specific GPL software (say, MySQL) and that particular GPL software is distributed with the proprietary software, that it violates the GPL, and a proprietary license is required. However, that is a developer stance, not necessarily a legal one.
So even if the government used GPL software (which may not be the case considering a non-GPL license is available for the software in question), it wouldn't necessarily be required to release any source code. There's a pretty good chance that it didn't change any GPLed source code -- even if it did bundle it with its own software and wrap everything up in a clever installer.
"anyone who possesses the object code" (Score:4, Informative)
Under the GPL, only people that the executable was distributed to are allowed to request the code
As I understand the GPL, this offer must be extended to "anyone who possesses the object code" (GPLv3) or "any third party" (GPLv2). Anyone who has ever had a PC infected with any of these viruses "possesses the object code".
Re:Not gonna happen (Score:5, Informative)
The FAQ section you linked to is specific to the LGPL. The LZO library is licensed under the GPL, which means any application that uses it, and is distributed publicly, must be released with full source licensed under the GPL. This is an important distinction between the LGPL and GPL...
Re:Who gets to request code? (Score:5, Informative)
Under the GPL, only people that the executable was distributed to are allowed to request the code
It's perhaps a little more nuanced than this, to my mind.
Under GNU GPL 2.0 [gnu.org], a distributor of a binary of the Program has two main options for distributing the source code:
b.) Accompany it with a written offer ... to give any third party ... a complete machine-readable copy of the corresponding source code...
If the source code does not accompany the binary, the binary must be accompanied by a written offer to give the source to "any third party" — it does not say "to give any third party who possesses the object code" or similar.
However, the GPL FAQs [gnu.org] (which I'd treat as one interpretation of the licence), comment that:
The offer must be open to everyone who has a copy of the binary that it accompanies. This is why the GPL says your friend must give you a copy of the offer along with a copy of the binary—so you can take advantage of it.
However, this is not what the wording says — that the offer must be open to "any third party." If I get the binary directly from you, the status is clear, as is the situation in which I get the binary from my friend, who got it from you — but it's unclear, to my mind, what happens when I do not have the binary. I'd probably leave it that you have an obligation to provide the source code to me — an obligation to provide the source code to "any third party" — but that, without a copy of the offer myself, I'd likely have a very difficult time enforcing the obligation.
GNU GPL 3.0 clears this up, with clause 6(b) providing that a non-source distribution on a physical medium can take place if
accompanied by a written offer ... to give anyone who possesses the object code [the source or access to the source]
However, the fact the words are *not* in GNU GPL 2.0 but *are* in GNU GPL 3.0 does not necessarily mean that they should be read in...
YVMV, of course :)
It's a joke (Score:5, Informative)
Quoting the article because so far no one actually followed the link and read it (as usual).
Re:Not gonna happen (Score:5, Informative)
LGPL provides a "just linking" exception and is used 99:1 instead of GPL for libraries because the GPL makes no exception for linking. If your code uses GPL code, your code must be GPL.
Generally the only people who write GPL libraries is the GNU Foundation itself, and even then they only do it when they think they have something so awesome people will adopt the GPL license to use it (like libreadline, which is).
Re:Implications (Score:4, Informative)
And what happens when people don't have that revolution?
Mass slaughters still happen, just elsewhere. Instead of having it here, we have a judicial system run amok that has filled the prisons far past any sane levels with non-violent "offender" after non-violent "offender", where often offences are often nothing more than smoking the wrong plant.
I say we have the revolution now while the people who brought us all this are old and can suffer for lack of their public benefits that they intended to rely on.
Re:is the CIA selling these viruses? (Score:5, Informative)
5.56x45mm is the specifications for the NATO-standard small-arms ammunition, used by pretty much every modern military assault rifle that isn't a Kalashnikov derivative (and some that are), as well as some police sniper rifles and various civilian rifles.
And now I've explained the joke.
Re:Implications (Score:5, Informative)
I would wager that in 1776 well over 50% of the population of the nascent United States of America was willing to outright defy the ruling government, while somewhere north of 90% of the remainder at least supported said dissidents.
And you'd be wrong. It's widely accepted that only 1/5 of population were rebels. Another 1/5 were loyalists. The remaining 3/5 were neutral (with a number joining one army or the other for purely economic reasons without actually believing in one side or another). We only won because England was at war with everyone else at the same time.
Re:Implications (Score:2, Informative)
We can't see much of anything via Intelsat - it's a communications satellite organization. From the oracle of all knowledge [wikipedia.org] :
"Originally formed as International Telecommunications Satellite Organization (INTELSAT), it was—from 1964 to 2001—an intergovernmental consortium owning and managing a constellation of communications satellites providing international broadcast services. As of March 2011, Intelsat operates a fleet of 52 communications satellites, which is the world's largest fleet of commercial satellites."