An interesting hypothetical over at ESR’s blog, “Plug for a worthy project: Softbound“. I encourage you to read the post and commentary after my brief summary, so you can see if your thoughts change after reading the discussion there!
The Facts
SoftBound is a BSD-licensed “value-added” compiler. Give it some source code and it can produce “hardened” binaries that are more secure because they are immune to buffer overflows. It makes no changes to the source code.
The Hypothetical
A company, using a proprietary and closed “value-added” compiler compiles GPL software and sells the binaries. Source code available. Binaries locked up tight.
The Question
Is this a problem? By “problem” I mean is this forbidden under the GPL (v2 or v3), and if it is or isn’t should it or should it not be?
#1 by saulgoode on March 10, 2010 - 7:51 pm
I fail to see why this is an issue.
The binaries are not “locked up tight” — if the original software was GPLed then the binaries are also under the original GPL licensing (GPLv2 §2a or GPLv3 §5c). This means that recipients of the binaries are free to use them without restriction, to demand copies of the source code, and to make and share copies of both the source and the binaries.
ESR seems to be suggesting that one can produce non-GPLed binaries from GPLed source code — permission for such re-licensing is not granted by the GPL and is otherwise prohibited by copyright law, regardless of what build chain is employed.
#2 by Michael Johnson on March 11, 2010 - 2:32 am
I don’t believe it’s a problem. First, source is available as per the GPL. Second, the binaries are not locked up. You can happily recompile source with another compiler and replace the Softbound binary.
The only place I think this will run afoul (and this is purely hypothetical) is if you have a platform that requires binaries compiled using Softbound’s proprietary tools. I believe that will pass the GPL2 but not GPL3. Since Softbound is not making the tools available to compile the code for the platform in a manner compliant with GPL3′s anti-Tivoization clauses, it would violate those clauses.
#3 by Lex on March 16, 2010 - 12:57 am
GLP code compiled with that compiler would be a GPL library/executable. So all the code of that library/executable must be available under GPL, that includes the code generated or otherwise inserted by the compiler. If the company would try to sell such executables they would be forced to release parts/all of their compiler under GPL.
The real problem to be concerned about is inability for anyone to decompile the code to the original source. This way it becomes impossible to verify if the program was compiled from GPL source or not. So it becomes feasible to compile GPL code and lie that you are the developer of the code, while selling binaries.
#4 by Jason on March 16, 2010 - 6:48 am
These are all great comments – thanks so much to everyone weighing in.
I think there is a distinction between a “cheating” compilation scenario – this would be where the source is encrypted, obscured, digitally signed or whatever, and an “value-added” compilation scenario – this would be where the source is the source and the compiler produces “safer”, “faster”, “better-tasting” binaries.
It seems to me that in the first (cheating) scenario – there are GPL problems, but in the second there are not.
#5 by nautical on March 16, 2010 - 8:11 am
I’d say it depends on what compilation techniques are used. If the binaries are hardened because the compiler writers employed clever tricks, there’s not much one can do but try and reverse engineer those tricks.
If the compiler includes extra bytes to make sure everything is safe those bytes must originally come from some source code.
It’s not hard to imagine a compiler automatically inserting eg a banner that displays itself before the compiled program jumps to its original main function for every program it compiles, even though the code for this banner is nowhere in the original source code. Since it must come from somewhere, it’s probably embedded in the compiler.
Note that this is only a problem when *distributing* the banner-infested program, where you can’t comply with the GPL since you’d need to distribute the source code of the program *and* the source of the compiler of which there is a tiny bit embedded in the binary. Users would still be free to use this banner-adding compiler to compile binaries for use on their own computers.