
Ubiquiti Networks is creatively violating the GPL - futurerabbit
http://libertybsd.net/ubiquiti
======
drewcrawford
I'm puzzled that there is apparently a whole cottage industry that can protect
the rights of indie photographers [0] but we cannot do the same for free
software. The closest we come is like the SFLC, and they are really quite soft
on infringers in most cases.

I imagine that some of the puzzle is because DMCA is cheap and effective
against websites more so than against hardware manufacturers. Even so, Ubiquiti
Networks provides web downloads of their firmwares [1] so surely DMCA notices
could at least impair their update distribution, which would annoy customers
and put pressure on them that way. Meanwhile there are plenty of "purely web"
software license violations.

I know that many projects don't get the copyright registered, which puts them
at some legal disadvantage. But it's cheap to do, it's something that
developers can be educated about, and it is economical for lawyers to take
those cases (if facts and registration are strong) on contingency.

So I don't understand why there's not a little cottage industry for it like
there is for the photographers.

[0] [https://www.imagerights.com](https://www.imagerights.com)

[1] [https://www.ubnt.com/download/](https://www.ubnt.com/download/)

~~~
lambda
In part because the "cottage industry" for photographers rights is based on
getting people to pay, while most free software authors aren't actually
interested in being paid for it, they are just interested in keeping it free.
When the focus is on getting paid, a cottage industry can form that is based
off the revenue from extracting royalties, but getting injunctions that apply
until someone comes in compliance with a license is expensive due to lawyers'
fees and court costs, without any revenue to offset it.

~~~
click170
Nailed it.

Which makes me wonder, perhaps in next iterations the GPL should include
provisions stating that intentional infringement (perhaps defined as failure
to comply after 1 year from date of the complaint) results in financial
penalties, thus allowing a cottage industry to form.

It could be argued that this would have a chilling effect on the adoption rate
of FOSS software in corporations, but I would argue we may have already
reached a critical mass where it's more costly to develop your own solution
and I would point out that this only applies to modifications that you make to
the source code before distributing the result. Anyone can still download and
use the software without worry.

~~~
geofft
You don't need an explicit penalty: if you violate the license, it terminates.

Here's the text of the relevant section of the GPLv3 (the GPLv2 only has an
equivalent to the first paragraph):

 _You may not propagate or modify a covered work except as expressly provided
under this License. Any attempt otherwise to propagate or modify it is void,
and will automatically terminate your rights under this License (including any
patent licenses granted under the third paragraph of section 11)._

 _However, if you cease all violation of this License, then your license from
a particular copyright holder is reinstated (a) provisionally, unless and
until the copyright holder explicitly and finally terminates your license, and
(b) permanently, if the copyright holder fails to notify you of the violation
by some reasonable means prior to 60 days after the cessation._

 _Moreover, your license from a particular copyright holder is reinstated
permanently if the copyright holder notifies you of the violation by some
reasonable means, this is the first time you have received notice of violation
of this License (for any work) from that copyright holder, and you cure the
violation prior to 30 days after your receipt of the notice._

So, on a second violation of the GPLv3, or on a first violation if it takes
longer than 30 days, the rightsholder can already say "You need to pay me if
you want your rights reinstated."

Conservancy has been using a variant of this tactic: they get a friendly,
clear rightsholder for something like Busybox (which has relatively few
authors), inform a company that they're violating the GPL and revoking the
Busybox license, and demand GPL compliance for _all_ software, including stuff
like Linux which has so many authors that getting a clear rightsholder
involved is harder, before reinstating the Busybox license.

------
mightyhops
I contacted support@ubnt.com and info@ubnt.com about the issue and received a
quick reply:

Unfortunately we no longer offer support for our SDK, and I'm not able to
divulge in the specific differences between airOS and openwrt. Also, we don't
share u-boot GPL source. We used to in the past but not any more. This
decision was taken keeping the security of the users in mind. I hope you
understand.

However, you can find the GPL archive for our devices from here:

[https://www.ubnt.com/download/](https://www.ubnt.com/download/)

(Please refer the "GNU General Public License link" under the Firmware and
Software section from the above link page provided).

If you have any other questions, please let us know.

Thanks!

xxxx Ubiquiti Networks

~~~
striking
> This decision was taken keeping the security of the users in mind. I hope you
> understand.

Funny, because this is the exact inverse of the situation. They introduce
security bugs and then we are unable to fix them ourselves.

They are legally _required_ to provide the sources they use for u-boot.

~~~
ploxiln
It is funny... I get the feeling that they still give this response, because
everyone who's gotten it doesn't know how to respond, it's so obviously wrong.

They use a lot of open source software and make firmware updates and
controller software readily available, so how could they not know that

* The GPL's legal requirements come before your product's needs, your users' security or whatever. If you can't use GPL'd software, then don't.

* Open source software has always proven to be more secure, because relatively serious and obvious security bugs linger in closed source software for a long time. How can we know that your closed source software is better than history suggests (unless you release the source...)?

Ridiculous. I kinda hope some of their engineers notice this on HN and can use
evidence of "public" (engineer) sentiment to pressure the management.

------
AceJohnny2
Ironic, considering Torvalds himself uses their zero-handoff wifi access
points:
[https://plus.google.com/+LinusTorvalds/posts/HQF92MY5y8o](https://plus.google.com/+LinusTorvalds/posts/HQF92MY5y8o)

(and more amusingly, had to turn off the very feature he got them for because
of a wireless scale...
[https://plus.google.com/+LinusTorvalds/posts/WppMs5XEa3X](https://plus.google.com/+LinusTorvalds/posts/WppMs5XEa3X))

------
notacoward
Worth remembering: under many other popular licenses, there would be _no
possibility whatsoever_ of legal action that leads to Ubiquiti releasing the
full/proper source for what runs on their devices.

~~~
tbrownaw
Yup. Only with GPL do sloppy development practices (lack of automated builds,
sloppy version tracking, ...) tend to directly result in legal liability.

Other licenses just don't make those sorts of demands.

~~~
simoncion
Not so.

Think of a license that limits you to X deployments per unit of time, and
forbids any additional deployments.

If your automated deployment system performs X+Y deployments (where Y > 0) in
a unit of time, then you're in violation of your contract and legally liable
for your actions.

Is this contrived? A little. But, realistically:

1) The GPL isn't the only license that you can violate with sloppy dev
practices.

2) In the overwhelming majority of GPL violation cases, the remedy is for the
violator to simply comply with the code's license and ship the code covered by
the GPL.

~~~
tbrownaw
Contrived examples are contrived.

1) Sibling post mentioned forgetting to include notices in the documentation.
Which is a valid counterpoint, but I would assume requires more of a one-time
effort than a _permanent_ change (improvement) in work procedures.

2) Assuming they can even find the right version.

~~~
simoncion
> I would assume [remembering to put copyright notices in documentation]
> requires more of a one-time effort than a permanent change (improvement) in
> work procedures.

You assume wrong. There is _always_ another project, or another library.

------
voltagex_
Similar shenanigans have happened with just about every router, AP and modem
manufacturer. They just don't care. I'm not sure why u-boot always seems to be
the sticking point but heaven forbid if you actually want to try bringing your
board up from scratch.

------
tjakab
The article doesn't mention if they've contacted the FSF about the violation.
Looks like they may be able to provide some assistance, particularly if any of
the code is directly copyrighted to the FSF.

[http://www.fsf.org/licensing/compliance](http://www.fsf.org/licensing/compliance)

[https://www.gnu.org/licenses/gpl-violation.html](https://www.gnu.org/licenses/gpl-violation.html)

------
naringas
Maybe they have some compelling (and secret) reasons to introduce security
vulnerabilities and close the source code...

~~~
fapjacks
This is what I'm thinking, as well. My spidey sense is tingling on this one.

------
jimrandomh
The problem is almost certainly internal disorganization: the person who put
together the shipping firmware either isn't hearing about the requests for
source code, or has moved on to another company.

~~~
JoshTriplett
That's not an excuse; that's something you figure out _before_ you ship a
product.

~~~
tbrownaw
It's extra paperwork that _is not needed_ unless you use GPL code.
Idiosyncratic requirements are annoying.

~~~
simoncion
I'm not sure what you're angling for with your anti-GPL comments in this
thread, but _all_ software licenses have requirements that are burdensome to
one degree or another.

Frankly, the paperwork required to keep track of installed instances of -say-
volume licensed MSFT software is a fair bit more burdensome than procedures to
handle source code requests for GPL'd code.

Hell, you _can_ automate _both_ processes, but -in places that are like the
dev shops that I've worked in- you're _far_ more likely to automate the GPL
compliance procedure. :)

~~~
tbrownaw
Mostly just thinking out loud (congratulations, you're a rubber duck).

I think I heard something a while back, about Microsoft changing how they did
volume licensing. Because it really was too much of a PITA, and they wanted to
simplify things.

I suppose one difference would be what's required to get back into compliance
once you inevitably stuff things up. In the one case, you have to probably pay
(money is fungible) and/or _remove_ things you have installed. In the other
case, you have to _find_ something you might not know where it is (if it even
still exists) and provide it to the public (and be sure _that_ doesn't violate
any other licenses you have). ...I think I might be moving the goal posts a bit
here, but that's what you get for being a rubber duck. ;)

If you follow what's generally considered good development practices
(automated builds, everything in version control, etc), GPL compliance should
be dead simple. So congrats, it sounds like you work for people who _don't_
have their heads up their asses.

...hey, maybe that would be a good basis if we ever did turn into a proper
profession: version tracking and automated builds.

~~~
simoncion
You're right, you _are_ moving the goalposts.

People screw up all sorts of compliance issues. All but a tiny handful of
software licenses out there can be violated by sloppy practices or mistakes of
one kind or another. The GPL is not unique in this regard.

You should try your attempts to paint a different picture in another forum:
all but the greenest programmer has far too much experience to be convinced by
your argument.

------
feld
Never attribute to malice that which is adequately explained by stupidity.

If you've ever used a Ubiquiti product you'd believe they're just stupid.

~~~
GabrielF00
Really? I haven't used Ubiquiti hardware in a few years, but my recollection
was that their stuff was inexpensive, easy to set up, and very powerful. We
used their Bullet and Nanostation line of products.

~~~
feld
The rule we developed at a previous job for doing upgrades on their products
is to reboot twice to avoid bricking it. Yes, twice. Sometimes once isn't
enough for an unknown reason.

Also their web interface has terrible memory leaks which causes loads of other
issues.

Don't forget the management network interface that just stops being able to be
pinged until you reboot. Have seen this on everything up to AirFibers.

~~~
fapjacks
Yeah, I like the hardware well enough, but the software is atrocious. It is
ugly, slow, counterintuitive with settings in all sorts of strange places, and
makes me feel insecure about my own wireless network. The hardware is alright,
but it feels like really shoddy software engineering work whenever you need to
interact with it.

------
EvanAnderson
This is disturbing. I've been recommending their gear for the last couple
years. Now I'm wondering if that's such a great idea.

------
zobzu
Such a classic. Unfortunately. And they probably have nothing to fear.

------
java-man
Who is going to take them to court? Who can take them to court?

~~~
davexunit
The page says that a u-boot copyright holder asked for source and got nothing.
Perhaps they could bring this case to the Software Freedom Conservancy and
file a lawsuit if necessary?

~~~
pthreads
Can the copyright holder take them to small claims court? He/she ought to be
able to file one without needing a lawyer and for minimal costs. At the very
least the court may force them to release the source code.

~~~
gnu8
You could take their customers to small claims court one by one, they'd each
be on the hook for the purchase price of their access points. This would go a
long way toward generating publicity and forcing compliance.

~~~
tbrownaw
Er, how? What have the customers done to violate GPL?

------
william20111
Urghhh, really. This has annoyed me, I have an EdgeRouter Lite and it's really
good! But this is really shady stuff...

------
anonbanker
I'm of the opinion their firmware is real swiss-cheese'd, and they're not
allowed to disclose the firmware and source modifications under EO12333 or
other nonsense.

Hence, if you had a Ubiquiti contract, and demanded GPL compliance, you could
sue for quite a bit of money for selling you pirated software (GPL license is
revoked when source is not provided), and they would settle, rather than
violate national security.

------
mrbig4545
It's more than I ever got out of Coolpad or Mediatek. I can't even find a
valid email address for Coolpad to ask for Android kernel source :(

~~~
listic
Have you tried coolpad@yulong.com?
[http://www.coolpad.com/en/contactus.html](http://www.coolpad.com/en/contactus.html)

~~~
mrbig4545
yep, it bounces

------
antocv
Huawei does the same.

Philips too, with their smart TVs running Linux and other FOSS.

They just provide some vanilla random .tar.gz of "gpl source CODE" and that's
it, not really the version that's running on the device or that was distributed
by them.

The actual binary, firmware, is encrypted too.

0 fucking freedom for a normal user in age of FOS software all around us.

It would have been better with proprietary software. Then I wouldn't have
gotten pissed.

~~~
mindslight
Franklin Wireless U770. Running a telnet daemon, I managed to get root through
modding an update. FWIW, the default root password is 'frk770' and it appears
to listen on the WAN interface in the default config. No idea what
modifications the kernel has - I'm not too interested in customizing software
running on pwnt Qualcomm chips, I just wanted a prompt.

Sierra Wireless 803s - running Linux as far as I can tell (nmap -O, update
files, GPL license text in manual). Once again there's not even really a
website for the device, never mind some token source tar. Haven't yet broken
into this device, I'm assuming there's a JTAG on its 60 pin debug connector,
but I need to try the easier route of hacking an update first.

The theory goes that manufacturers should realize that obscuring their systems
gives them no benefit (especially since they're able to put different
copyrights on the parts they actually write, e.g. the webuis), while opening them
should give goodwill, but this has not played out in practice. Manufacturers
clearly care about some aspects of licensing, given that they'll include
license texts/notices/etc in the manual. We need a way of making the two line
up.

But the unfortunate reality is that we're on shaky ground. The rise of
embedded devices with baked-in binaries has shifted the landscape. In this
environment, BSD-style licenses _fail_ Freedom 1
([https://www.gnu.org/philosophy/free-sw.html](https://www.gnu.org/philosophy/free-sw.html)).

The Linux kernel is the main item that is infringed upon (presumably because
it's too complex for e.g. Google to reimplement as BSD like they did with the
Android userland). And its developers have stubbornly stuck with the broken
GPL2, making it so that even with perfect enforcement (which they also don't
seem interested in), _make && make install_ is not an achievable goal.

~~~
mindslight
Typo: the U770 default root password is 'frk700' (in case anybody ends up here
searching).

