
List of Open Source Licences in Mercedes Cars [pdf] - Xylakant
http://www4.mercedes-benz.com/manual-cars/ba/foss/content/en/assets/FOSS_licences.pdf
======
binarymax
How long before cars are zero-day susceptible to remote wireless hacks that
can endanger lives of the passengers?

I have seen conspiracy theories about acceleration and brakes being tampered
with, but those allude to the tampering while the car was stationary.

When a vehicle has so much code in it, control systems are fly-by-wire, and
there is bluetooth and wifi access, it is not a stretch to imagine a malicious
entity driving on the highway and taking over nearby vehicles.

~~~
adisbladis
I would guess the control systems and entertainment/navigation systems are
separated for that very reason.

~~~
mcculley
They are not that separated. Some modern cars have the entertainment system
take note of the speed of the engine and adjust the volume accordingly. Some
flip the infotainment display to a backup camera when the transmission is
indicated to be in reverse.

This is in addition to some cars adjusting the side mirrors when in reverse. I
remember reading of an exploit that took advantage of the fact that the
security system was on the same network in a particular car and thieves were
able to crack off a side mirror and inject an "unlock" command. Does anybody
have a reference for that?

~~~
spatulon
They are typically connected, but (kind of) sandboxed. A small ECU acts as a
bridge between the infotainment system and the CAN bus.

~~~
tobithiel
These things do not always work very reliably. A guy from a supplier once held a
security talk at our university. They basically filter out unwanted messages,
but the manufacturers often don't configure them very restrictively, but use
blacklist approaches.
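
The difference between the blacklist configuration described in the comment above and a restrictive allowlist, as an added example that is not part of the thread. It is a gateway filter sketch in C; every CAN ID, payload limit and sample frame is constructed for illustration and comes from no real vehicle.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic CAN frame with an 11-bit ID, as seen at the gateway ECU. */
struct frame { uint16_t id; uint8_t dlc; };

/* A rule matches when (id & mask) == match and the payload is short enough. */
struct rule { uint16_t match, mask; uint8_t max_dlc; };

/* All IDs below are constructed for illustration, not from any real vehicle. */
static const struct rule DENY[]  = { {0x2A0, 0x7FF, 8} };  /* one ID known to be unwanted */
static const struct rule ALLOW[] = { {0x510, 0x7F0, 4} };  /* status range 0x510-0x51F, <= 4 bytes */

static bool matches(const struct rule *r, size_t n, const struct frame *f) {
    for (size_t i = 0; i < n; i++)
        if ((f->id & r[i].mask) == r[i].match && f->dlc <= r[i].max_dlc)
            return true;
    return false;
}

/* Denylist: forward everything except what someone thought to list. */
bool forward_denylist(const struct frame *f) {
    return f->id <= 0x7FF && f->dlc <= 8 && !matches(DENY, 1, f);
}

/* Allowlist: drop everything except what the design says is needed. */
bool forward_allowlist(const struct frame *f) {
    return f->id <= 0x7FF && f->dlc <= 8 && matches(ALLOW, 1, f);
}

/* Constructed traffic arriving from the infotainment side. */
static const struct frame SAMPLE[] = {
    {0x512, 2},  /* expected status frame */
    {0x2A0, 1},  /* the listed unwanted ID */
    {0x2A1, 1},  /* neighbouring ID nobody listed */
    {0x512, 8},  /* expected ID, oversized payload */
};

size_t count_forwarded(bool (*policy)(const struct frame *)) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        n += policy(&SAMPLE[i]);
    return n;
}

int main(void) {
    printf("denylist forwards %zu of 4, allowlist forwards %zu of 4\n",
           count_forwarded(forward_denylist), count_forwarded(forward_allowlist));
    return 0;
}
```

The denylist passes the unlisted neighbouring ID and the oversized frame because nobody enumerated them; the allowlist drops both by default.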

------
sjwright
This shouldn't come as a surprise to anyone, and probably not worthy of
promotion on Hacker News. Consider the counterfactual: if Merc hadn't used
these open source libraries, they would have had to roll their own
implementations of PNG, ZIP, an XML parser... now that would be a story!

Similar hilariously long lists can be found on many web-connected devices,
from BMWs to iPhones.

(Pages 3 to 6 are the interesting ones though -- it shows that a majority of
these libraries/codebases apply to the brand new S-Class. And the most
noteworthy inclusion is AOSP, i.e. Android.)

~~~
Xylakant
I'm not surprised they use OS. Some of the libraries come as a surprise to me:

* gcc
* libpcap
* strace
* netcat

I also found it slightly amusing that liboil is used in a car (and is
completely unrelated to "oil")

~~~
sjwright
My guess is it's a lot easier to add a bunch of licenses into the
documentation than it is to exclude diagnostic tools from production builds.

------
__alexs
Are drivers of the S-Class bound by the terms of the JSON license and so
better be careful not to do anything Evil lest they anger Crockford?

~~~
yitchelle
A snippet from the SQLite license...I wonder how the driver will comply with
this one....

May you do good and not evil.

May you find forgiveness for yourself and forgive others.

May you share freely, never taking more than you give

~~~
lucian1900
SQLite is public domain, that snippet is just a README.

~~~
Xylakant
For a work to be placed in the public domain, the author(s) must waive all
rights to the work. So the "license" part of the readme is actually "The
author disclaims copyright to this source code." You can actually obtain a
"real" license for sqlite since some jurisdictions do not recognize public
domain at all.

~~~
informatimago
Plus, the author should be dead in France for 70 years. "Article L. 123-1 of
the Code de la propriété intellectuelle states: 'The author enjoys, during his
lifetime, the exclusive right to exploit his work in any form whatsoever and
to derive monetary profit from it. Upon the author's death, this right
persists for the benefit of his successors in title during the current
calendar year and the seventy years that follow.'" Notably, the authors are
prevented from waiving all rights to the work, because this obliterates the
rights of their heirs, present and future.

~~~
pionar
Interesting. I think this presents the question, why should I be forced to let
my heirs have rights to my work? What if I really don't like them?

~~~
Thieum22
It is virtually impossible to disinherit a child in France. (But a child can
refuse an inheritance)

[http://www.telegraph.co.uk/property/internationalproperty/33...](http://www.telegraph.co.uk/property/internationalproperty/3363847/Property-in-France-Keep-it-in-la-famille-now-and-for-ever.html)

------
apostlion
Just to clarify – there are 108 _distinct_ licenses used. So apart from
Apache, BSD, GPL v2, GPL v3, LGPL, there are 103 _different_ license terms
used.

IP law, as currently used, is something really overcomplicated.

~~~
the_mitsuhiko
> GPL v3

There is no [AL]?GPLv3 in those cars, it would be impossible to comply with
the license terms.

~~~
belorn
Why would it be impossible to comply with GPLv3, and allow people to change or
replace one program with a new one?

US car manufacturers are legally forced to provide documentation so car owners
can repair their car and replace parts. If a car owner wants to change or
replace the car's brakes, they are legally allowed to do so. Why should it
matter that the software that then controls the brake is made of 1 and 0 and
not of steel and plastic?

Do we really need a Motor Vehicle Owners' Right to Repair software Act? Do we
need one more law that says "we got that one previous act, let's copy-paste
that one and add the word _" software"_ to it"?

~~~
cbhl
I suspect it's similar to the reasons why many wireless drivers require binary
blobs (either firmware, or the entire driver) -- you can change the software
to let you operate outside of the limits allowed by federal regulators,
because those limits are enforced in software.

~~~
belorn
Same goes for the physical brakes on the car. If someone installs custom brakes
on their car that are found to be unsafe, it is illegal. This doesn't however
make installing custom brakes on your car illegal. On the opposite, the law
explicitly allows you to do so, and forces the car manufacturers to give you
documentation so you can do it.

Why should federal regulators differentiate between someone installing custom
physical brakes on your car, or someone installing custom software that
controls the brakes? What's the difference?

------
rajeemcariazo
This line has caught my attention "If you are affiliated in any way with
Microsoft Network, get a life" under Netcat License

------
femto
A cursory search of the net returns the license pdf, but no source code, list
of source code used or offer of source. Is this the sort of thing that comes
with the actual car?

Edit: My bad. The offer is in the pdf. Anyone actually looked at the provided
disk? What's on it?

------
pyalot2
Weirdly this is simultaneously pretty cool (yay, open source makes an impact,
take that Ballmer) and quite horrible (license jungle anyone?).

------
plaes
So, do they also provide downloads of source code and the modifications?

~~~
merijnv
I don't think they provide downloads, but the document includes an offer to
obtain the source:

Components of the software used in the vehicle may be free and open source
software licensed under the terms of license of the GNU General Public
License, Version 2 (GPLv2), GNU Lesser General Public License, Version 2.1
(LGPLv2.1) or GNU Library General Public License, Version 2 (LGPLv2). Upon
request, we will supply the source code of the components licensed under the
GPLv2, LGPL v2.1 and LGPLv2 on a data-medium (please specify the designation
of your vehicle). Please direct your request to the following address within
three years after vehicle delivery:

Daimler AG, HPC: CAC, Customer Service, D-70546 Stuttgart

The copyright holders usually do not provide any warranty and assume no
liability whatsoever for the free and open source software components. Note
that any modification to the vehicle of any kind can void any warranty
claim.

~~~
blumentopf
Further ways to contact the Customer Assistance Center (not in the PDF):

phone: 00800 1 777 7777

e-mail: cs.deutschland@cac.mercedes-benz.com

------
olalonde
> NetFront (not China)
> NF Browser (only China)

Does anyone have a clue what the difference is between those and what it has
to do with China? The license terms are exactly the same except for the name
of the software. Also, NF Browser redirects to NetFront on Wikipedia
([https://en.wikipedia.org/w/index.php?title=NF_Browser&redire...](https://en.wikipedia.org/w/index.php?title=NF_Browser&redirect=no)).

------
powertower
The crypto stuff is handled by these guys -
[http://www.bouncycastle.org/](http://www.bouncycastle.org/)

I was originally looking at their library to help me programmatically generate
self-signed certificates via C# (that are Apache / openssl / mod_ssl
compatible), but ended up trying to use some native interop code and Windows
crypto-api, and could only get it 80% of the way, so I gave up and moved on.

------
robmcm
Interesting to see GTween in there, HTML animation lib similar to the AS3 API
used in the S-Class. So I guess the dash must have some browser in it. Seems
inefficient for something I imagine has a finite scope, such as open a car
door animation, or tween the temperature bar etc.

------
meshko
I got a little worried when I saw msdos_fsck in the list but then I remembered
that I don't own a Mercedes and calmed down.

~~~
microcolonel
That's for FAT filesystems... i.e. SD cards and the like.

------
stickydink
Has anyone driven an S-Class? It has almost every one on that list. What's it
got in there that the others don't?

~~~
Xylakant
Most interesting: Why libpcap, strace and netcat? Also: gcc in a car?

~~~
dagw
libpcap can sniff Bluetooth and the S-class has Bluetooth?

Otherwise I'm guessing it's probably all just part of their standard tool
chain and someone said "give me a list of all open source software you used
while developing the software for the S-class".

~~~
dominicgs
Bluetooth is certainly one possibility, although libpcap can be used for a
broad range of protocols, including USB and CAN, which are other candidates in
a system like this.

Everything in this header that starts with DLT_ is a supported data link type:
[https://github.com/mcr/libpcap/blob/master/pcap/bpf.h](https://github.com/mcr/libpcap/blob/master/pcap/bpf.h)

------
patrickg
Meta-question: what does [scribd] mean in the title?

~~~
homeomorphic
It's a link to a scribd version of the PDF. Try clicking.

~~~
patrickg
Duh! Thanks.

