-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix FAQ to properly describe LGPL in proprietary applications #2128
Comments
The community is aware of the issues with LGPL for RIOT. We are currently considering a switch to BSD (see http://lists.riot-os.org/pipermail/devel/2014-December/001468.html). If not done already, please register to the devel@riot-os.org and/or users@riot-os.org, and chip in your opinion there too! |
Will subscribe and I was informed on IRC that the license discussion was taking place. I am only advocating that the wiki be updated in the meantime. I would think that perhaps doing a strike-through through the whole Why LGPL section and a link to the BSD thread on the mailing list might be a good thing to do. |
That is not correct. LGPL doesn't make a difference between dynamically and statically linked code. |
kaspar030, I agree and even put "object files" in my initial post, but this is still pretty surprising vs the wording of the "Why LGPL?" section, don't you think? I ship an end user a device and they can request object files to build their own updated firmware? |
@aeruder agreed, the FAQ section wording is not optimal. Having to provide object files doesn't differ much from providing firmware files. RIOT will definately have security problems that might be remotly exploitable. The notion that an embedded device can be sold once without the ability to upgrade it is something that should be ditched for any internet connected device. Same goes with the idea that any vendor can or will respond to security problems that come up after a customer has already paid for a device. |
I updated the FAQ on the topic "why LGPL". Does it address the concerns? |
The FAQ is fine but the technical guide linked from the FAQ is perfect. |
@aeruder just to make sure: you are saying that the technical guide [1] is appropriate, right? [1] https://github.com/RIOT-OS/RIOT/wiki/LGPL-compliancy-guide |
Sorry for the confusion. Yes, the compliancy guide is good. |
The "Why LGPL?" section of the FAQ is VERY misleading and opens any proprietary application writers up to any number of very valid requests for source code or object code to their application. The LGPL only allows linking to a proprietary application in very specific instances. Section 6 outlines this with section 6b being the most often used option. It specifically requires that an end-user be able to replace the LGPL library with a modified version. Without some support for a dynamic linking application loader in RIOT this is basically impossible.
Long story short, the license for this project is actually pretty inappropriate if it intends to support proprietary applications. In the meantime the Why LGPL? section should be cleaned up. I know it is a Wiki but just wanted to solicit some conversation before having some random stranger show up and start changing the Wiki.
Also: as a project, the stance may be that the LGPL requirements are being loosened, but since copyright assignment is not required it opens up a proprietary application writer to requests from anyone holding copyright to any code in RIOT OS no matter how insignificant their contributions may have been.
The text was updated successfully, but these errors were encountered: