
BMW are complying with the GPL - edent
https://shkspr.mobi/blog/2016/03/bmw-are-complying-with-the-gpl/
======
suzeanne
Interesting: BMW did share the OSS they used, and in the process they also
revealed lots of outdated packages in use. This of course leads me to wonder:
Vulnerabilities?

It is after all an Internet-connected vehicle.

Despite the article author's recognition given for BMW's OSS compliance, I am
dismayed to see yet another example of likely inconsideration given toward
implementation of security in the engineering of an Internet-connected
vehicle.

This sort of negligence is eventually going to result in some rather ugly
outcome.

~~~
a3n
Total guess: as a regulated company, they may have to get approval for their
code, which would include validated versions of 3rd party code. If they have
to go through that with any new version of 3rd party code, they may not want
to make that effort.

~~~
suzeanne
Well, the first time a hacker vehicle exploit results in one or more deaths of
the driver and/or passengers of one of these Internet-connected vehicles, it's
going to be all over the news. Right around then... and when the lawsuits hit,
some execs/directors are going to realize that such effort is far less costly
than the PR disasters that can unfold when corners are cut.

I mean, obviously some people at Volvo thought that actual emissions
compliance was far too costly to bother with --and that didn't even result in
a vehicle accident or personal injury. Certainly their bottom line has had a
major impact as a result. The potential for PR disaster with Internet-connected
vehicles is certainly much more concerning.

The inevitability of some such future tragedy and resulting media-fueled PR
disaster for one or more vehicle manufacturers is a certainty. It's only a
matter of when and which vehicle manufacturer(s) will be liable. When that
happens, I'm certain that such sizable companies can figure out how to
streamline the approval process with whatever regulatory bodies might be
involved, or they'll just learn to live with the pain... for being far less than
the much greater pain of a PR disaster.

~~~
slgeorge
> Well, the first time a hacker vehicle exploit results in one or more deaths
> of the driver and/or passengers of one of these Internet-connected vehicles

It's the infotainment system according to one of the original blog posts. And
in fairness the previous post was all about the updates they were providing -
albeit unencrypted.

~~~
suzeanne
It doesn't matter if it's the infotainment system so long as it's connected to
the rest of the electronics. Yes, hacks have already exploited critical
vehicle controls via Internet infotainment systems. So long as vehicle
manufacturers do not physically separate the electronics, such vulnerabilities
will surface. Currently, the standard practice is to build out the electronics
for a vehicle as a single system.

~~~
noselasd
I'd rather wait until your claims of security issues and remote hacks are
verified for the particular vehicle here.

All of this is just crying wolf so far.

~~~
nitrogen
Remote-drive vulnerabilities have been demonstrated in infotainment systems,
proving that the class of vulnerabilities is real. There's no need to prove it
can happen for every single vehicle to be concerned about general best
practices.

~~~
noselasd
Yes there is. If this system has no write ability onto the relevant CAN bus,
the class of vulnerability you talk about (which comes from the Jeep hack)
does not exist.

But sure - best practices should be followed.

------
zamalek
I've got a draft to our CEO sitting in my inbox outlining why we should open
source _some_ of our code - the majority of the argument posits that
"technical investment" (as a corollary to technical debt) is possible. OSS can
be viewed as a "technical share market," and by moving non-competitive code to
open source you stand to reap "technical profit" or dividends. Not to mention
that open-sourcing code usually entails a major cleanup effort (technical debt
removal) prior to release.

I've already got CoreCLR listed as a positive example of this process and I
really hope that BMW is rewarded for compliance (with feedback and patches) -
having more examples will only strengthen my point that more can be gained by
working with open source, instead of merely consuming permissive open source.

Either way, it's great to see compliance from such a large corporate.

~~~
yjgyhj
Send it. If I can control and extend the computing environment in my car, I
will buy that car. I will also release the code I write for it - which creates
apps other car makers don't have.

~~~
antaviana
If you end up tweaking the breaking system, just don't do it too late at night
and remember to put an "I hacked my car's software" sticker somewhere visible
from other cars on the road.

~~~
LeifCarrotson
The "braking" system - or was that typo intended?

Either way, you don't need a license or even much in the way of special tools
to replace the brake pads, rotors, calipers, or hoses on any vehicles on the
road today. The parts are casually sold at tens of thousands of auto stores
across the country in enormous volumes every day, many of them to ordinary men
and women working on their cars in their garages. Not all of them get it
right, but there is no outcry against this maintenance - why should there be a
problem with software?

To further assuage your fears, braking systems and other safety-critical
components have layers of software and physical fail-safes. If the wheel
sensors report unusual data, all-wheel-drive may be disabled. If the anti-lock
code doesn't work, you still have regular brakes. If the vacuum assist doesn't
work, you still have manual brakes. Similar layers are present in the steering
and engine control. If a mechanic applies caliper grease to the brake pads,
all of this is for naught - but there is little the software can do to
completely disable the brakes.

~~~
yetihehe
> Either way, you don't need a license or even much in the way of special
> tools to replace the brake pads, rotors, calipers, or hoses on any vehicles
> on the road today.

Some cars sold today require connecting a specialised diagnostics tool before
you can change the brake pads. Without this tool your calipers will not
open. What does this tool do? It just sends some commands through the vehicle CAN
bus, but those commands are proprietary, so you need to pay them about
$10k-$100k a year to have access to the commands for their cars and a licence to use
them in your tool.

------
SyneRyder
Good to see the follow up on this. And for what it's worth, I think Terence
has handled this well and is being overly harsh on himself. The original
comment was just a throwaway aside and not even an accusation. I don't think
he should hold himself responsible for how others took the comment & inflated
it.

As the owner of a BMW, he's entitled to ask BMW for a copy of the LGPL source
used. Job well done.

~~~
jordigh
I wish people would stop trying to tip-toe around the poor, hurt feelings of BMW.
BMW is a big company and can afford to have properly trained customer reps
who know how to point to the source code. We're the little guy here trying to
figure out how our cars work; BMW is the giant just meeting their bare minimum
requirements.

~~~
slagfart
BMW doesn't actually have any feelings - it's a corporation, and it doesn't
care how much some hacker is upset when a twitter rep doesn't know what open
source is. The only people who care about software licences are people who
write software. Deal with it.

~~~
pessimizer
> The only people who care about software licences are people who write
> software.

This is not true in any way - people who use and sell software, such as BMW,
spend a lot of time, money, and lawyers on licensing issues.

Corporations care about anything that affects their bottom line, and a
distinguished hacker who raises a small ruckus could ultimately build into
disaster. It's simply responsible to have your front line know who to refer
people to when they ask if you're in compliance with the law.

------
pksadiq
Some thoughts:

Most of the companies ship older pieces of software for one important reason:
They need to avoid GPL/LGPL/AGPL version 3. Version 3 of GNU GPL gives users
more freedom which companies hate.

For GPLv2 the companies had to just give away the source code, but they need
not give away a way to change the software in the hardware, which was then
popularized as Tivoization. Version 3 of the GNU GPL family of licenses fixed
that. But companies didn't.

So you can see a pattern in any hardware (routers, cars, etc.) and even in OSes
like Mac, *BSD etc. And the pattern is they always avoid GPL v3. So they
always have old gcc, coreutils, bash, and everything else. They say it's GPL,
but there is a vendor lock-in, as always.

~~~
xyzzy_plugh
TL;DR: Companies don't hate "giving users more freedom"

Having worked with IP lawyers on multiple consumer electronic products across
multiple companies, I believe you are over-simplifying the situation. Every IP
lawyer I've talked to didn't care about tivoization -- if you want to go run
your own code on our hardware, great, good luck. The main issue with GPLv3 was
always the patent clause:
[http://www.gnu.org/licenses/gpl-3.0.en.html#section11](http://www.gnu.org/licenses/gpl-3.0.en.html#section11)

I've never met an IP lawyer working for a company with many (hundreds to
thousands of) patents who would allow use of the GPLv3, out of fear that it could
undermine their ability to enforce patent rights defensively. Hardware
companies produce a ton of patents. The manufacturers of routers, cars, and
even Apple care deeply about their patents. They're not willing to toy with
some untested clause in a license of some free software, when there is a
perfectly usable version of that software without such a clause.

IANAL so I don't know for sure if this is the case, but speaking from
experience, this is what lawyers have always told me.

Second, companies generally don't make it easy for users to run custom
software on their products for a few reasons. You generally put software on
products one of two ways: physically, or over-the-air (wifi/ethernet/some
other way). With both methods, "signed" payloads are usually used for one of
two reasons: to make sure it is error free. It's difficult to have the device
already know the checksum, but calculating a signature against a pre-installed
signing certificate is easy and works pretty well. You also get the added
benefit of decreasing the surface area for remote attackers, since only the
trusted company can sign the payloads. Typically, also, physical writing is
"disabled" during assembly (e.g. not populating components, sealing off
access, etc.) which helps keep costs down and keep the design looking slick.

The second reason "signed" payloads are used is for "Tivoization". I've never
heard anyone say "we don't want customers putting their own software on a
device they purchased." No doubt it happens, but it is rare for sure.

Should companies spend more time and resources to make it easy for their
customers to modify their devices, in a sane and secure manner? Possibly. But
in today's cutthroat consumer-electronics world, you'd be hard pressed to find
a company willing to spend that extra engineering effort on something so
frivolous.
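
The checksum-versus-signature distinction drawn in the comment above, as an added example that is not part of the thread (Go standard library only; the payload layout, the all-zero signing seed and the image bytes are constructed for illustration):

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Update is the shape assumed here for an over-the-air payload: the image, a plain
// SHA-256 digest (integrity only) and an Ed25519 signature over the image. Constructed.
type Update struct {
	Image     []byte
	Digest    [32]byte
	Signature []byte
}

// NewVendorKey derives a fixed key pair from an all-zero seed so the
// example is repeatable; a real vendor key is generated and stored offline.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildUpdate plays the vendor: digest and sign a constructed image.
func BuildUpdate(priv ed25519.PrivateKey, image []byte) Update {
	return Update{Image: image, Digest: sha256.Sum256(image), Signature: ed25519.Sign(priv, image)}
}

// ChecksumOK is the "error free" check from the comment: it catches
// accidental corruption only, because anyone can recompute the digest.
func ChecksumOK(u Update) bool {
	return sha256.Sum256(u.Image) == u.Digest
}

// SignatureOK is the check a pre-installed vendor public key enables:
// an image not signed by the matching private key is rejected.
func SignatureOK(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Image, u.Signature)
}

// Modified returns the same update with a changed image and a recomputed
// digest, which a checksum-only device cannot distinguish from the original.
func Modified(u Update) Update {
	changed := append([]byte("changed-"), u.Image...)
	return Update{Image: changed, Digest: sha256.Sum256(changed), Signature: u.Signature}
}

func main() {
	pub, priv := NewVendorKey()
	good := BuildUpdate(priv, []byte("infotainment-image-v1")) // constructed image
	mod := Modified(good)
	fmt.Println(ChecksumOK(good), SignatureOK(pub, good)) // true true
	fmt.Println(ChecksumOK(mod), SignatureOK(pub, mod))   // true false
}
```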

~~~
belorn
I have heard this theory before but the one fact that speaks against it is the
Apache license. GPLv3 did not invent its own patent clause, but rather
copied significant parts of Apache's as a base (stand on the shoulders of
giants, avoid NIH, and so on...).

_"Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to make, use,
sell, offer for sale, import and otherwise run, modify and propagate the
contents of its contributor version."_

_"each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
no-charge, royalty-free, irrevocable (except as stated in this
section) patent license to make, have made, use, offer to sell, sell, import,
and otherwise transfer the Work"_

They did add one major change (besides rewording and reordering), and that was
to address the Microsoft-Novell patent agreement. A distributor cannot choose
to exclusively grant the patent rights to just a selected group, but must do
so on an all-or-nothing deal. Once you provide a patent grant and comply
with the license, the patent grant is given to everyone who might later
receive a copy.

So for all those companies that are happy to distribute Apache licensed
software but not GPLv3 software, and are objecting on the subject of the patent
clause, one must ask why they have a problem with the patent grant being extended
to everyone.

~~~
xyzzy_plugh
Well, the Apache license is different from GPL in that you are not required to
distribute any source, and your "derivative works" do not fall under the
license. I can freely use Apache licensed software and jumble in all my
patents and even statically link it all together, and there is no impact to my
patents whatsoever.

The point you make covers contributors, which is great! It means if I
contribute to an open-source project that uses the Apache license, there are
no catches, not even if I contributed something I or my company has patented.
So you, as an end user, or consumer of this software, are safe w.r.t. patents.
Hurray!

(Again, IANAL!)

------
garethadams
One of these things is not like the other… [https://github.com/edent/BMW-OpenSource/blob/master/FOSS_S1/...](https://github.com/edent/BMW-OpenSource/blob/master/FOSS_S1/desktop.ini)

~~~
nfrmatk
Why do they have cups? Is there a 'print from car' button?
[https://github.com/edent/BMW-OpenSource/tree/master/FOSS_S1/...](https://github.com/edent/BMW-OpenSource/tree/master/FOSS_S1/cups)

~~~
joosters
They could be providing lots of extra unrelated source code packages to the
guy, perhaps just to be thorough and to avoid missing anything, perhaps to
just fill the DVD (don't let those ones and zeroes go to waste!), or perhaps
to mess with people :) (e.g. throw in a SNES emulator source code to make
hackers spend days searching fruitlessly trying to figure out how to make the
BMW interface start playing Mario)

------
SXX
Just wondering, has anyone tried to get (L)GPL sources from Tesla?

~~~
greglindahl
Yes. I asked 2.5 years ago, no reply.

~~~
ashitlerferad
Probably time to get Software Freedom Conservancy involved:

[https://sfconservancy.org/copyleft-compliance/](https://sfconservancy.org/copyleft-compliance/)

------
unethical_ban
Off-topic: The title and several posts refer to BMW as a plural: "BMW are
complying" and "Do BMW have any obligation...?"

I know BMW stands for Bavarian Motorworks, a plural, but so does the US, and
it is a singular entity today.

Are the people using BMW plural non-American? I've never heard that here in
Texas.

~~~
fucking_tragedy
They (BMW) are a group of people. They (BMW) are complying.

That's the way I've had it explained to me.

~~~
sk5t
How is that an appropriate explanation, when you--presumably--wouldn't say
"The group are complying"?

~~~
fucking_tragedy
Corporations are viewed as collective nouns to be used with plural verbs,
whereas "group" is a collective noun that is treated as singular. I can't
think of a context in which I'd use a plural verb with it, but I can think of
dozens of such nouns that I would. You can say "The group is complying. They
have an obligation." without it sounding awkward, however.

Something about formal, notional and situational agreement[0].

The "they" explanation just helped bridge the gap in my mind.

[0] [https://en.wikipedia.org/wiki/Comparison_of_American_and_Bri...](https://en.wikipedia.org/wiki/Comparison_of_American_and_British_English#Formal_and_notional_agreement)

------
viraptor
There are some interesting things in there. tcpdump? A locally patched one at
that? I wonder how it is used... maybe it's just used for debugging, but given
that it's part of the deployed packages it's still interesting.

edit: it looks like it was added specifically for IEEE 802.15.4 debugging

------
bkuhn
As someone who has enforced the GPL for a few decades, I have to note the GPL
compliance process isn't done here yet. Someone actually has to verify that
the "scripts used to control compilation and installation of the
executable"(s) actually work. Is anyone working on that?

------
ashitlerferad
Interesting that they use SuperH CPUs. There is an in-progress Debian SH4
port. Debian on your car!

[https://wiki.debian.org/SH4](https://wiki.debian.org/SH4)

~~~
wrigby
The Linux on Dreamcast effort made a ton of progress running on SH4. I haven't
touched it in years, but I remember it being pretty mature, and that was quite
a few years ago.

I guess this means that BMWs are basically just a Dreamcast with wheels?

------
merb
Most of these packages aren't modified at all? Wouldn't it be enough to just
provide the links?

~~~
cyphar
I think GPLv3 lets you just provide links to upstream mirrors if it's
unmodified, but GPLv2 doesn't have such a provision.

------
smegel
What about their in-house software that links against this software? Or is it
all LGPL?

~~~
tossaway1
How would inhouse software affect GPL compliance?

~~~
smegel
They are possibly distributing a derivative work without releasing the source
code, if it's GPL licensed.

------
Jedd
The string 'open source' appears three times in the article, the word 'free'
doesn't appear (outside of the file listing, in the context of things like
FreeScale, etc).

The string 'open source' does not appear at all on either:

    http://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html
    or
    http://www.gnu.org/licenses/gpl-3.0.en.html

Relevant as we're specifically referring here to the GNU Public Licence.

