[License-discuss] Reverse Engineering and Open Source Licenses

lkcl . luke.leighton at gmail.com
Sat Mar 7 02:25:40 UTC 2015


thufir, hooray!  there is something which i can agree with you on.  read on...

On Fri, Mar 6, 2015 at 11:43 PM, thufir <hawat.thufir at gmail.com> wrote:
> On 2015-03-06 03:30 PM, thufir wrote:
>>
>> "For example, my capable colleague Helene Tamer constantly insisted, that
>> Deutsche Telekom AG could not give up her restrictions to use LGPL
>> libraries until
>> I had offered a reliable proof that the LGPL does not require reverse
>> engineering."
>
>
> Admittedly, I have no idea how to parse that sentence and lost interest at
> that point.  First off, it doesn't matter what LGPL has to say about,
> because, at least in the U.S.A., reverse engineering is legal:
>
> 'Sec. 103(f) of the DMCA
> <http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act> (17 U.S.C. §
> 1201 (f)
> <http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00001201----000-.html>)
> says that a person who is in legal possession of a program, is permitted to
> reverse-engineer and circumvent its protection if this is necessary in order
> to achieve "interoperability"'  -wikipedia

 likewise in the E.U. member states - where each country is required
to enact laws that comply with the Directives issued - it is similarly
recognised in the Directive on Copyright Law.  this may be more
relevant to you karsten as you are in danger of misadvising your
colleagues at Deutsche Telekom, which is required to obey German Law.
i therefore strongly STRONGLY advise you to take legal advice.


> So, even if the LGPL prevents, or allows, reverse engineering, it doesn't
> matter, because reverse engineering is legal.

 this is my understanding as well.  and it is also the case from the
latest EU Copyright Directive.  the license is completely irrelevant.
the thing is: it doesn't matter if one part of a license's statements
permit or do not permit you to do one thing or another: if there is a
Law in a particular country which says "this is legal or this is
illegal", what the license states is COMPLETELY irrelevant.
[side-note: this is why there are always those stupid-sounding clauses
in software licenses which say "anything which makes this clause
irrelevant doesn't mean that the entire license may be disregarded"
because otherwise a lawyer would be able to go "ah ha!  you got the
law wrong!  therefore my client can do whatever they like!  har har"]

>  No license can make reverse
> engineering illegal.

 ... in the countries where there are laws that permit
reverse-engineering for interoperability purposes: correct.

"So, I thankfully can now offer a thoroughly elaborated proof for the assertion
that there - in general - is a way to distribute open source software
compliantly
without permitting reverse engineering,"

no, karsten, you may not provide any elaborated proof, nor may you
provide any such assertion.  ok, let me clarify: you may *of course*
do so, but... how do i be subtle about this... if you do so, you are
in danger of misadvising the people who may be taking your advice
authoritatively when they should instead be consulting proper legal
advice on Copyright Law within the legal jurisdiction in which they
operate.

there is a *very very good reason* why any Corporation should do that,
and it's this: when a Corporation takes legal advice, then as long as
they follow that advice to the letter, they are then indemnified
through insurance of the legal firm should the legal advice they are
given turn out to be completely wrong.

if that company has *not* taken legal advice, and their actions turn
out to be wrong, they may be sued *without* recourse to indemnity
insurance.

so - please karsten: GET LEGAL ADVICE.

and, when consulting that legal advice, please present them with the
following statements for evaluation:

karsten has unfortunately made incorrect assertions that are in danger
of being at odds with the EU Copyright Directive which permits
reverse-engineering.  in the case where software is distributed in
accordance with the LGPL, the source code is required to be released,
and, as such, she is correct in that reverse-engineering would be
illegal because it would, if the license was properly complied with,
*not even be necessary* on that specific software component.  this is
assuming that the distributor of the software is actually compliant
with the LGPL license, because if they do not comply with the license
(including releasing all source code of the LGPL licensed software)
then that is a different matter.

to reiterate: software that is released in full compliance with the
LGPL should have its source code made fully publicly available, thus
making reverse-engineering of that SPECIFIC SOFTWARE AND THAT SPECIFIC
SOFTWARE ONLY, not only unnecessary (i.e. entirely moot) but also,
interestingly - and this is entirely a side-note - illegal to even
attempt [in the USA and the E.U. member states at least]

HOWEVER, karsten, compliance with the LGPL is very very specific.  you
MUST ensure that the ENTIRE TOOLCHAIN is made available, to the extent
where the PRECISE and EXACT binary may be reproduced without fail
without exception down to the absolute without fail absolute
guaranteed 100% absolute last binary digit.

[in carrying out LGPL and GPL compliance checks, many developers will
use the exact same tools as made available then carry out a "binary
diff".  if anything other than the date of compilation (which is
inserted into the binary by the compiler) is different, then the
company is NOT in compliance with the software license, usually
because they have provided different versions of the tools by mistake.
i.e. if you have not provided the exact and same tools, you are NOT in
compliance with the LGPL/GPL].

so, coming back to that side-note: the ONLY reason why (under both the
USA law and the EU Copyright Directives) it would be illegal to
attempt to reverse-engineer properly-compliant LGPL software is
precisely and exclusively *because* it is a requirement of the LGPL to
make all source and tools available, such that the entire binary may
be recreated exactly and precisely from its original source code.
that this is so DOES NOT extend that illegality or "unnecessariness"
to:

* any software that *uses* that LGPL component or any other LGPL
components involved in the software
* any software that is LGPL licensed which is released incorrectly or
not properly in accordance with the intended software license.

so in short: in the case where software is released under the LGPL,
the full source and tools shall be made available thus making
reverse-engineering completely moot (unnecessary), and in the case
where there exists proprietary code - even code which uses
LGPL-licensed dynamic libraries - the proprietary code has absolutely
nothing to do with the LGPL so is specifically "back to square one",
and may *legally* be a target of reverse-engineering efforts as part
of any interoperability efforts on the part of any individual within
the jurisdiction of either the USA or any E.U. member state or any
other country in which reverse-engineering is permitted.

so karsten, i apologise for not reading the full text of what you
wrote, but i don't have to: just by looking at the conclusion that you
wrote, i can see that what you wrote is at best irrelevant, but in the
worst-case scenario you are in danger of misleading people within
Deutsche Telekom, who should be taking legal advice rather than
believing at face-value the conclusions that you draw.

PLEASE GET PROPER LEGAL ADVICE.  it is *really* important, in a
corporate context, for the reasons outlined above as related to
indemnification.

l.


