Robert Ladru
2017-Jan-19 12:36 UTC
[Samba] Multiple GPL violations including Samba in Auralic products
Hello,

I recently bought an Auralic Aries Mini streamer. This little streamer
can also function as a NAS when mounting a laptop drive or ssd inside,
via samba.
The box did not come with a media containing source code and did not
include a GPL written offer.

So I asked Auralic to provide the source code for all GPLv2 and v3
packages used.

For the Linux kernel and their modifications, they asked to sign an
NDA, which is clearly forbidden by the GPL.
For Samba 3.6.23 which they use, they have no intentions to release
the source, as they also have already stated on computeraudiophile.com
that they only share the kernel, nothing else:

http://www.computeraudiophile.com/f22-networking-networked-audio-and-streaming/alternatives-aries-23864/index4.html#post411669

"For the repository: We only publish what we believe is 'fully
complete'. That's why the kernel source code was not published a long
time ago because we do not consider it as 'complete'. Most of the open
source code project in the community are full of bugs, I am pretty
regret about this."

Here's proof they use 3.6.23:

    Server               Comment
    ---------            -------
    ARIES-1L9YS2O8       Samba 3.6.23

It's obvious they are using various loopholes to avoid sharing the GPL
source code used in their products, and they only share the kernel,
nothing else.
They probably also violate busybox, as their embedded linux platform
runs a dropbear (SSH-2.0-dropbear_2012.55), but the root password is
not known, so the only way to know what other packages they violate is
to hack the device.

How can we obtain the source code of GPLv2 and v3 packages such as
Samba when the vendor is refusing?

Robert

---------- Forwarded message ----------
From: Xuanqian Wang (AURALIC LIMITED) <support at auralic.com>
Date: Thu, Jan 19, 2017 at 7:56 AM
Subject: [AURALIC LIMITED] Re: Auralic MINI GPL source
To: Robert Ladru <robertladru at gmail.com>

##- Please type your reply above this line -##

Your request (8980) has been updated.
To add additional comments, reply to this email.

Xuanqian Wang (AURALIC LIMITED)
Jan 19, 14:56 CST

Hello Robert:

Yes, the Linux operation system we are using is under GPLv2 license
framework including the kernel and file system with all library. We
will be happy to provide you the source code of that part. To receive
the source code, we will need to collect the following information
from you:

1, Receipt of your purchase order to prove that you own the machine.
2, Your photo ID issued by government for us to prepare NDA agreement.
3, A secondary identification document that we can verify your name
and address, such as bank statement, utility bill.

Xuanqian Wang | CEO & Designer | support at auralic.com
Jeremy Allison
2017-Jan-20 00:42 UTC
[Samba] Multiple GPL violations including Samba in Auralic products
On Thu, Jan 19, 2017 at 01:36:18PM +0100, Robert Ladru via samba wrote:
> Hello,
>
> I recently bought an Auralic Aries Mini streamer. This little streamer
> can also function as a NAS when mounting a laptop drive or ssd inside,
> via samba.
> The box did not come with a media containing source code and did not
> include a GPL written offer.
>
> So I asked Auralic to provide the source code for all GPLv2 and v3
> packages used.
>
> For the Linux kernel and their modifications, they asked to sign an
> NDA, which is clearly forbidden by the GPL.
> For Samba 3.6.23 which they use, they have no intentions to release
> the source, as they also have already stated on computeraudiophile.com
> that they only share the kernel, nothing else:
>
> http://www.computeraudiophile.com/f22-networking-networked-audio-and-streaming/alternatives-aries-23864/index4.html#post411669
>
> "For the repository: We only publish what we believe is 'fully
> complete'. That's why the kernel source code was not published a long
> time ago because we do not consider it as 'complete'. Most of the open
> source code project in the community are full of bugs, I am pretty
> regret about this."
>
>
> Here's proof they use 3.6.23:
>
>     Server               Comment
>     ---------            -------
>     ARIES-1L9YS2O8       Samba 3.6.23
>
> It's obvious they are using various loopholes to avoid sharing the GPL
> source code used in their products, and they only share the kernel,
> nothing else.
> They probably also violate busybox, as their embedded linux platform
> runs a dropbear (SSH-2.0-dropbear_2012.55), but the root password is
> not known, so the only way to know what other packages they violate is
> to hack the device.
>
> How can we obtain the source code of GPLv2 and v3 packages such as
> Samba when the vendor is refusing?

Thanks for reporting this. I'll take this up further with the
vendor and see if we can get this fixed. Are you willing to
help us by providing binary extracts of the firmware etc. to
allow us to prove this is our code?

Thanks,

Jeremy.
Robert Ladru
2017-Apr-20 10:07 UTC
[Samba] Multiple GPL violations including Samba in Auralic products
Hello,

Auralic does not provide binaries or firmware images for download.
But an smbclient -L proves they run Samba 3.6.23:

    # smbclient -L 172.20.1.138
    Enter root's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23]

        Sharename       Type      Comment
        ---------       ----      -------
        README          Disk
        IPC$            IPC       IPC Service (Samba 3.6.23)
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23]

        Server               Comment
        ---------            -------
        ARIES-1L9YS2O8       Samba 3.6.23

        Workgroup            Master
        ---------            -------
        WORKGROUP            ARIES-1L9YS2O8

The 1L9YS2O8 is the serial number of my device, which I can also prove
as it's written on the box.

Furthermore samba is explicitly mentioned in their firmware build
release notes:

http://support.auralic.com/hc/en-us/articles/206062858-Firmware-Version-2-2-Build-20150320

I have asked Auralic to provide the "installation information" as
written in the GPLv3, which is based on this clause:

“Installation Information” for a User Product means any methods,
procedures, authorization keys, or other information required to
install and execute modified versions of a covered work in that User
Product from a modified version of its Corresponding Source. The
information must suffice to ensure that the continued functioning of
the modified object code is in no case prevented or interfered with
solely because modification has been made.

In this case, installation information are the
username(s)/password(s) to correctly login the device via SSH.
These clauses were added to the GPL to protect against Tivo's
practices. They also apply to Auralic.

In his latest reply, Xuanqian Wang, CEO of Auralic, refers to his
earlier mail reply of 19th Jan 2017 that we need to sign an NDA and
also provide him with photo ID and proof of address to prepare an NDA:

1, Receipt of your purchase order to prove that you own the machine.
2, Your photo ID issued by government for us to prepare NDA agreement.
3, A secondary identification document that we can verify your name
and address, such as bank statement, utility bill.

This is a violation of the GPL. Furthermore if Auralic had complied
with the GPL in the first place, they would have never asked for photo
ID and other privacy sensitive documents, and force an NDA to know who
is trying to exercise their GPL based rights.

I can forward the original support reply mails from Auralic, but they
may contain HTML which is not appropriate for the list.

Robert

On Fri, Jan 20, 2017 at 1:42 AM, Jeremy Allison <jra at samba.org> wrote:
> On Thu, Jan 19, 2017 at 01:36:18PM +0100, Robert Ladru via samba wrote:
>> Hello,
>>
>> I recently bought an Auralic Aries Mini streamer. This little streamer
>> can also function as a NAS when mounting a laptop drive or ssd inside,
>> via samba.
>> The box did not come with a media containing source code and did not
>> include a GPL written offer.
>>
>> So I asked Auralic to provide the source code for all GPLv2 and v3
>> packages used.
>>
>> For the Linux kernel and their modifications, they asked to sign an
>> NDA, which is clearly forbidden by the GPL.
>> For Samba 3.6.23 which they use, they have no intentions to release
>> the source, as they also have already stated on computeraudiophile.com
>> that they only share the kernel, nothing else:
>>
>> http://www.computeraudiophile.com/f22-networking-networked-audio-and-streaming/alternatives-aries-23864/index4.html#post411669
>>
>> "For the repository: We only publish what we believe is 'fully
>> complete'. That's why the kernel source code was not published a long
>> time ago because we do not consider it as 'complete'. Most of the open
>> source code project in the community are full of bugs, I am pretty
>> regret about this."
>>
>>
>> Here's proof they use 3.6.23:
>>
>>     Server               Comment
>>     ---------            -------
>>     ARIES-1L9YS2O8       Samba 3.6.23
>>
>> It's obvious they are using various loopholes to avoid sharing the GPL
>> source code used in their products, and they only share the kernel,
>> nothing else.
>> They probably also violate busybox, as their embedded linux platform
>> runs a dropbear (SSH-2.0-dropbear_2012.55), but the root password is
>> not known, so the only way to know what other packages they violate is
>> to hack the device.
>>
>> How can we obtain the source code of GPLv2 and v3 packages such as
>> Samba when the vendor is refusing?
>
> Thanks for reporting this. I'll take this up further with the
> vendor and see if we can get this fixed. Are you willing to
> help us by providing binary extracts of the firmware etc. to
> allow us to prove this is our code?
>
> Thanks,
>
> Jeremy.