TRACK B: Open source compliance in embedded systems/ Eli Greenbaum
1. Open Source Compliance in Embedded Systems
Eli Greenbaum
Yigal Arnon & Co.
elig@arnon.co.il
May 1, 2013
2. Embedded Devices
• Network devices (Router, DSL Modem)
• Mobile Phones
• Televisions
• STBs, Digital Media Players
• Automobiles
• Aircraft
3. The BusyBox Cases
2007: Erik Andersen and Rob Landley vs. Monsoon Media, Inc.
(Hava products, time and place shifting)
4. BusyBox
• “Swiss Army Knife” of embedded Linux
• Lightweight set of standard utilities
• Optimized for smaller computing platforms
• Licensed under GPLv2
5. General Public License (GPL)
• Most popular open source license
• Depends on copyright
• Licensee can use, modify and distribute so long as:
- source code is also provided
- the GPL always applies
• Philosophy is to preserve the freedom of the user to modify the software and run modified versions.
6. General Public License (GPL)
• Licensee must provide source code upon any distribution, including
- distribution of a physical device with software embedded in flash
- download of firmware update
- even if software was not modified
• Derivative works
7. Monsoon Media Claims
• Brought by BusyBox developers
• BusyBox is licensed under version 2 of the GPL
• BusyBox was included in firmware of Monsoon Media’s device
• Device was distributed without the BusyBox source code or a written offer to receive source code.
• Copyright holders seek damages, litigation costs, injunction against further use of the BusyBox software
8.
2007:
• High Gain Antennas, LLC (wireless router)
• Xterasys Corp (networking products)
• Verizon Communications (Actiontec Wireless Routers)
2008:
• Bell Microproducts (Network attached storage device)
• Super Micro Computer (IPMI card)
9.
2009:
• Best Buy (Blu-ray DVD player)
• Samsung (HDTV)
• Westinghouse (HDTV)
• JVC (HDTV and network camera)
• Western Digital (Media player)
• Robert Bosch (Security system DVR)
• Phoebe Micro (Wireless routers)
• Humax (HDTV DVR)
• Comtrend (ADSL modems)
• Dobbs-Stanford (Digital media player)
• Versa Technology (Outdoor WAP)
• Zyxel (ADSL router)
• Astak (Security camera system)
• GCI (Digital music controller)
10. #1: Supply Chain
• SoC manufacturer
• ODM building circuit board
• SDK for SoC/board
• Application programs
• OEM selling product to end users
• Distributors/Retailers
11. #2: Build Scripts
• Source code includes:
- “scripts used to control compilation and installation of the executable” (GPLv2); or
- “all the source code needed to generate, install, and … run the object code and to modify the work, including scripts to control those activities” (GPLv3)
12. #3: Installation Information
• Express requirement in GPLv3
• DRM to prevent users from running modified versions of the software
• Cryptographic checks of the bootloader or kernel
13. Technical Compliance
• USE open source software
• License compliance is a management and engineering problem
• License compliance is relatively easy if done during development
• Have a compliance policy!
14. Legal Compliance
• Warranties
• Indemnification
- Verizon was indemnified by Actiontec.
- Actiontec assumed obligations of the settlement
• Due Diligence for both suppliers and OEMs