Debian components breach terms of GPLv2

A top Debian contributor has been left "pretty disappointed" by elements of the Debian community for failing to comply with the conditions of the GNU GPLv2 license. Daniel Baumann, who maintains the Debian Syslinux bootloader package, has said Debian components were being released only in binary form without source code - …

COMMENTS

This topic is closed for new posts.
  1. Jamie Kitson

    Basic Checks

    Live CDs?

    Lenny, the latest version of Debian?

  2. fluffy

    This doesn't sound like a GPLv2 violation

    The GPLv2 doesn't stipulate that source be bundled with the binaries, just that it be made available upon request.

  3. Goat Jam

    @fluffy

    Indeed

    This guy is just another self-righteous zealot looking for something to upset him it seems.

    God forbid that all distros need to start shipping source for every single app they stuff onto their already overflowing install CDs. I'd need to use my entire monthly quota just to download the latest Ubuntu.

  4. Anonymous Coward

    Re: This doesn't sound like a GPLv2 violation

    fluffy,

    please read GPL2, clause 3 (and more specifically 3b): If you distribute a binary without source, you need to include a written offer, valid for at least three years, on how to request or obtain the source.

    Debian doesn't do this for the syslinux binaries shipped on the installer images and therefore is not complying with GPL2, clause 3 (or more generic: breaching GPL as a whole for that component).

  5. CTG

    Nothing to see here, move along

    Indeed, there is nothing in any version of the GPL that says you are forbidden from distributing binary versions of software. The only provision is that for any given version of the software, you must easily be able to obtain the source code for that version. This can be as little as a readme file in the binary distribution that has a link to a website that has the source code.

    The disgruntled person here seems to be implying that the GPL means you *must* ship a distro that can be built from source only, which is certainly not the case.

  6. Anonymous Coward

    Supply on CD

    that's not really encouraged, it is there to allow fringe cases. It is problematic to not offer the source code, as you are then penalized by having to offer the source code via CD for many years to come. And it has to be a CD, not a DVD or a USB stick :)

    Debian should comply with the GPL and send the source out :)

    That lot are normally so sanctimonious when it concerns the GPL, quite amusing it has come back to bite them a bit.

    Though who knows this could be the one vocal voice for it in Debian, now we may never hear about it again :)

    I don't know why they cannot leave without some form of hissy, it is like some ritual, leave a distro have to have a reason, the more fundamental the better.

  7. James

    GPL requirements

    fluffy, it's a bit more restrictive than that: you have the option of providing an offer, *in writing*, to supply the source code to anyone who asks for it in exchange for a fee to cover duplication costs.

    Or, to quote the GNU GPL FAQ: "If you want to distribute binaries by anonymous FTP, you have to distribute sources along with them. This should not be hard. If you can find a site to distribute your program, you can surely find one that has room for the sources.

    The sources you provide must correspond exactly to the binaries. In particular, you must make sure they are for the same version of the program—not an older version and not a newer version."

    So, shipping the binary of version X and source of version Y isn't good enough, nor is shipping CDs of X with the source to Y and putting the source of version X on your website. It's a pretty minor and accidental 'violation' in this case, though, so just getting the versions back in sync should be good enough.

  8. Charles Manning

    GPL faq

    Be careful when quoting the GPL FAQ.

    The FAQ might help you to understand the GPL the way RMS intends, but it is not binding on the GPL. In other words, if you are interpreting the GPL you do not have to consider what is said in the GPL FAQ. The only thing binding on the GPL is the GPL itself.

    What the hell does a written offer mean these days? Is some text somewhere in a CD ISO good enough? Is a URL pointing to some text good enough? Is saying "we're GPL2" and thus implying that the source is available good enough? Or should every ISO only be distributed in physical form with a typed letter making the offer?

    This sounds very much like sour grapes that anyone could sort out by being reasonable and just asking in a Debian forum.

  9. Pete

    Oh Gnos!..

    Imagine having problems after installing a BETA RELEASE OF DEBIAN.

    It's BETA for a _REASON_.

  10. Dave Bell

    Untidy, and GPL isn't the real problem

    It's the way that, when sources are included, they don't match the binary.

    How do we know these mismatched binaries don't include some sort of malware?

  11. Hans Mustermann

    So get gentoo, if you're that paranoid

    "How do we know these mismatched binaries don't include some sort of malware?"

    So get gentoo (http://www.gentoo.org/) if you're that paranoid, and compile everything yourself. Of course, just compiling KDE or Gnome takes an afternoon, and OOo isn't much faster either. And generally, it's the choice for tough guys whose time is worth nothing, and who think the stone age and chipping your own flint spearhead was the golden age of user-friendliness.

    But in the end, it boils down to trust. If you don't trust Debian's binaries as they are, why would they trust them with sources included? Just because both the source and the program say version 3.5.19.7, isn't some kind of foolproof guarantee that no one added a bit of malicious code without changing the version number.

    Heck, even if you compile everything from scratch, if you use their compiler to start the whole thing, I'll kindly point out the ancient story of the compiler which would:

    1. add a backdoor to the login handling, when it recognized that piece of code, and

    2. add a bit of extra code to handle 1 and 2 to its own code, when compiling itself.

    So you'd look at the sources of the compiler and see nothing wrong. The malicious bits were removed from the source after compiling the malicious executable, since they weren't needed any more: the "infected" compiler would add those bits anyway when compiling itself. Compile them with itself, and get a bit more than the sources said you'd get.

    How paranoid do you want to be there? Which starting point would you really trust, to start that cycle from?

    Or you could just realize that the Debian guys probably have better fish to fry than pwning your computer to send viagra spam ;)
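
The two-step compiler described in comment 11, as a toy model. This is an added example, not part of the original comment: "binaries" are plain strings, and every name and string in it is constructed for illustration. It goes beyond the comment by adding the comparison check known as diverse double-compiling, which assumes a second, independent compiler and a deterministic build.

```python
import hashlib

# Constructed toy model: a "binary" is a string and compiling is string rewriting.
LOGIN_SRC = "login: allow if password == stored"       # clean, auditable source
COMPILER_SRC = "compiler: translate source to binary"  # clean, auditable source
BACKDOOR = " | allow if password == 'magic'"   # exists only in binaries
SELF_PATCH = " | re-insert both patches"       # exists only in binaries


def run_compiler(compiler_bin: str, source: str) -> str:
    """Run a compiler binary on source text and return the output binary."""
    out = f"BIN({source})"
    if SELF_PATCH in compiler_bin:       # this compiler binary is infected
        if source == LOGIN_SRC:
            out += BACKDOOR              # step 1 of the comment
        elif source == COMPILER_SRC:
            out += SELF_PATCH            # step 2: infection survives a rebuild
    return out


def digest(binary: str) -> str:
    return hashlib.sha256(binary.encode()).hexdigest()


def ddc_check(suspect_bin: str, trusted_bin: str) -> bool:
    """True if suspect_bin matches what the clean source should produce."""
    stage1 = run_compiler(trusted_bin, COMPILER_SRC)  # independent compiler builds it
    stage2 = run_compiler(stage1, COMPILER_SRC)       # that result rebuilds itself
    return digest(stage2) == digest(suspect_bin)


CLEAN_CC = f"BIN({COMPILER_SRC})"
INFECTED_CC = CLEAN_CC + SELF_PATCH
# A second, unrelated compiler (hypothetical), assumed free of this trojan.
TRUSTED_CC = "BIN(other vendor's compiler)"

if __name__ == "__main__":
    rebuilt = run_compiler(INFECTED_CC, COMPILER_SRC)
    print("rebuild from clean source still infected:", rebuilt == INFECTED_CC)
    print("login backdoored:", BACKDOOR in run_compiler(rebuilt, LOGIN_SRC))
    print("DDC accepts infected:", ddc_check(INFECTED_CC, TRUSTED_CC))
    print("DDC accepts clean:   ", ddc_check(CLEAN_CC, TRUSTED_CC))
```

The source audit passes in both cases; only the bit-for-bit comparison against a build that started from a different compiler tells the two binaries apart.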

  12. Cyfaill

    Debian "Lenny" great

    I have been building Debian desktops for some years now and mostly in the range of betas and some alpha "SID" versions, such as "Lenny-sid". sid is - still in development, not an acronym, just that Sid was the kid who broke all of the toys :)

    Lenny is still being finalized for preparation to be the next formal release... as it is as it's always been, very good and I have been using the net install versions for some time now... I think that if I needed source code it was always available with just a little looking. But since everything evolves real fast and often... I just go with the flow, so to speak.

    The Debian community works real hard, and this is just par for the course.

    No great scandal here... just life at the bazaar.

    Looking for trying whatever follows the release of Lenny since I like to live near the cliff with a view of the future... fantastic system is Debian.
