VIA Pulls PadLockSL

yipyow writes "A few weeks ago VIA Technologies posted software based on Nullsoft's WASTE, as reported here a few days ago. VIA PadLockSL included both a Windows and Linux client and some special extensions to work with security hardware built into certain VIA products. It was released under the GPL so I managed to snag a copy of the source code right before VIA suddenly removed their page (Google cache). I have posted Linux compilation instructions and mirrored the source here. If VIA has decided not to pursue the project further, I think the F/OSS community should turn this project into something, it has potential to be a great tool."

Be careful

It might be a good idea to find out why it was removed. Perhaps they discovered a license violation and took it down to prevent a lawsuit. While noble, the automatic assumption that they simply don't want to pursue the project could be placing yipyow in an actionable position.

Re:Be careful

then it's GPL forever baby

Not if some of the source is based on a license that doesn't permit use of the GPL. If they accidentally included some proprietary or closed source to which they didn't have full rights, then their release of the software under GPL would be illegal.

Re:Be careful

Again, you can only set copyright licensing terms if you own the copyright to begin with! The original WASTE was released under the GPL without permission by someone without the authority to license it (although he was the author, copyright is granted to the employer). Therefor the original GPL license is no more valid then if you were to release the leaked windows source under the GPL. That being said, unless VIA got permission from AOL to release it, they too licensed it illegaly making their GPL release invalid as well.

Re:Be careful

Perhaps they discovered a license violation and took it down to prevent a lawsuit.

They gave Nulloft/Justin no credit for their work, even though the headers clearly had WASTE code in it, their work reports included with the source code mention finding/researching a certain "open source project", and even Justin's documentation was nearly copied and pasted for their User Guide.

All of that was reported on here [inthegray.com].

The only reference to WASTE that you could mentioned on their page was buried in a forum discussion [viaarena.com].

Re:Gave Nulloft/Justin no credit

They gave Nulloft/Justin no credit for their work, even though the headers clearly had WASTE code in it, their work reports included with the source code mention finding/researching a certain "open source project", and even Justin's documentation was nearly copied and pasted for their User Guide.

So what? Correct me if I'm wrong, but did VIA not make substantial additions to the functionality of the code, GPL'd their source and released it back to the community? That is the extend of their obligations according to the license that the WASTE author elected to use when he released his source, is it not?

Re:Gave Nulloft/Justin no credit

They didn't remove the copyright info, they copied it verbatim as the GPL licensing files. This is all they are required to do. The GPL does not have an advertising clause and in fact is incompatible [gnu.org] with the "old" BSD license with the advertising clause.

Re:Not a troll

What *are* you talking about.

The idea isn't being hurt, just 1 particular project.

You cannot release someone else's code under a different license without their permission. This is exactly what keeps GPL software *free* so how could it possibly be ironic?

Licenses are *necessary*. They are, in essence, a contract between supplier and recipient. They detail that which each party can expect from the arrangement.

Without the licenses that say 'do what you will with this' there would be no OSS to keep airborne.

In case you hadn't noticed, OSS took off a long time ago.

Re:Be careful

Perhaps they decided that it would be counter to their interest in selling hardware encryption appliances which do the same thing. Why release software that can do the job of something you can *sell* hardware for?

Re:Be careful

The first rule of the internet is like the first rule of the Westerns: download first and ask questions later.

Re:Be careful

It seems you are exactly right.

I don't think so.

Let's see. Nullsoft's employee posted it who has had the authority to post in the past. It appeared for how long (?) on their site listed as GPL. Their statement mentions nothing about infringement on others copyrights or patents.

IANAL. To me, it seems me, however, that Nullsoft did in fact make this GPL software. If I were to use it, say, for remote encryption key generation linked to openSSL or openSSH or whatever, I'd consult my lawyer first but it looks like they've got no recourse. The post by AC I'm responding to claims that Nullsoft discovered a license violation which it doesn't, other than to now claim that it's copyrighted software. I think they might be able to claim that if you got it after that date, they've changed the license but if someone got it prior to that and reshared it with ANY mods, the GPL stands.

This strikes me as akin to a company doing unauthorized work, billing for it and then hoping that you'll pay just because they sent you an invoice. Or better yet, you recieve an unsolicited radio in the mail in the mail from me. You turn it on and I attempt to bill you. In the US, it's a gift. No contract existed, I didn't ask for it and you sent me something with no legal strings attached. It's not a misshipped package. It doesn't matter if it's a $5 radio and you billed me $5 or a $5 radio and you tried billing me $5000.

additional mirror

Here's an extra mirror: http://evilpen.net/PadLockSL.src.zip [evilpen.net].

[Mirror posted in article seems to be slowing down, it's getting around 20k/sec at the moment.]

Re:additional mirror

Yes, I saw this, but I don't think I'm doing a bad thing necessarily...if this is legit code, and a legit usage of the GPL, etc., then why are Nullsoft/others making such a big deal out of it? Open source projects get forked all the time, though VIA didn't exactly give WASTE proper credit, they did release it under the GPL. Many companies would just claim it was theirs entirely, and not release the code at all. If this is a legit usage of the GPL, and VIA don't want to support the community, the community can pick up the source code and use it however they can. That is (in my mind) how the Free Software world works, that's the whole point of releasing source code in the first place. PadLockSL is, as far as I can see, a legitimate derivative work as described under the GPL. Can anyone prove me wrong?

De-ja Vu?

Gee, this seems somewhat familiar... Do you suppose that VIA also 'revoked' the license? Heh.

Re:De-ja Vu?

The GPL is irrevocable, so they can't revoke it. The only "official" things they can do to stop people developing it further are:

• Claim that the employee didn't have permission to release it under the GPL, or
• Claim that they didn't have permission from the original copyright holder (as AOL claim WASTE wasn't really released under the GPL), or
• Stay quiet and hope AOL go after the others and not them.

Given that the second option would be an admission of copyright infringement, and the first option is on shaky ground, I can see them choosing the last option.

Thank goodness for GPL conservators

I wonder sometimes how many projects start up, fail for some reason, and then the code is lost. Not lost because it's proprietary but lost because it just goes the way of crumbs under the table? How much good work is going down the drain.

I'm glad you managed to save the code, GPLd as it is it has the right to live or die according to popularity. Hope it works.

shak's nude anime gallery [slashdot.org]

Re:Thank goodness for GPL conservators

This makes the assumption that the GPL license originally given for the original code is actually valid. The common point that people make is that Justin Frankel wrote the code while working for AOL, and depending on his contract with AOL, code he writes while working for them (or while in the office?) may be owned by AOL, meaning the license he put on the code may not be valid. Like someone pointed out earlier, if I stuck a GPL COPYING file in with the Windows 2000 source code, it wouldn't suddenly become legit. So if AOL didn't "authorize" the release of the program, the source code for waste is just as 'leaked' as the win2k source code.

It's probably...

just a WASTE of time :)

sig(h)

Unauthorized software?

Perhaps this [nullsoft.com] has something to do with it?

Re:Unauthorized software?

Unfortunately you have to know a little history that wasn't explained to "get" this story. After NullSoft (who produce Winamp) was bought out by AOL, a Winamp programmer wrote Waste and posted it to their site (evidentally on May 28, 2003). AOL got mad and made them take it down and posted this notice. Now, VIA (from the sounds of it) has taken what is obviously source code from Waste and turned it into a new program. The parent is speculating that the reason VIA has now taken down this new source is that the original work is not actually and legally GPL'd.

Re:Software is void, revoked and terminated.

Can one really "revoke" a gpl computer license?

No. But note that a piece of software is not necessarily licensed under the GPL just because it is accompanied by a text which claims so. Otherwise, I could legally redistribute (e.g.) Microsoft Windows by claiming it is under the GPL.

If someone from Nullsoft posted the software to the website, they are acting as Nullsoft, even if they do so amidst objections of their co-workers.

Most likely, the copyright of the software is and always was held by Nullsoft, not the author. Therefore, the author didn't have the right to license the software under the GPL (or any other license) in the first place. Same thing as the Microsoft analogy.

This is also the reason why the Free Software Foundation requires copyright disclaimers from the employers of software authors. They don't want to suddenly find out that they never had any rights to a software which they allegedly distributed under the GPL.

Re:Software is void, revoked and terminated.

In the case of Nullsoft, the guy who released waste, obviously had the authority to do so.

Why are you so sure he indeed had the authority to do so (source code and all w/ a GPL license? Are you his boss, perhaps, or maybe a Nullsoft lawyer? Have you read the Nullsoft source release policy statement? Do you have the employee's job description on your desk? Are you bugging Nullsoft's corporate offices? Why are you so obviously authoritative on this issue? Inquiring minds want to know!

Windows Binary Mirror

I ganked the windows binary before it was pulled if anyone cares get it here PadLock [robsell.com]

Wang33

Security chip and continued development.

Although without the support of VIA how would one keep developing this since it uses their security hardware. As chip design changes, you would need to know how to make calls to the chip or the program becomes useless... Does VIA offer documentation on their chipsets?

Re:Security chip and continued development.

No, it doesn't. I've used on non-via hardware. Where did you get the idea that it requires their hardware?

To Quoeth The Homer...

Forbidden Code... *drool*

Possible unlawful use of code

People might want to consider that the release of WASTE was indeed unlawful under current law, AOL/Nullsoft was within their rights to withdraw the code and the GPL was applied to the code under wrong circumstances. A lot of people have mentioned in previous WASTE related stories something to the tune of "It was GPLed, I dont care who GPLed it, Im not discontinuing my use or distribution of it" while not actually considering that just because it had the GPL applied to it, the GPL was lawfully applied.

Since this product was based on WASTE, this is possibly why it was taken down, and if so, then the fact that a major company thinks the GPL wasnt applied lawfully to it, then Im inclined to think that all the other archives of it around are infringing as well.

Just my 2 cents on the matter. In the origional WASTE story, i offered to mirror the source code. I did this until i actually sat back and thought about it, then I removed the code because I didnt think its release was lawful.

Re:Possible unlawful use of code

A lot of people have mentioned in previous WASTE related stories something to the tune of "It was GPLed, I dont care who GPLed it, Im not discontinuing my use or distribution of it" while not actually considering that just because it had the GPL applied to it, the GPL was lawfully applied.

Seriously. This is the kind of attitude that Steve Ballmer and folks can point to and say "See how viral the GPL is? Some guy under contract to AOL simply put the word GPL in the source - they didn't even have to make sure the release complied with the terms of the GPL, and now AOL's valuable IP is gone." And then millions of PHBs will ban the use of the word GPL in their offices, because Ballmer provided 'proof' that it was bad.

The GPL does not let you take any source code anywhere and release it under the GPL. If it did, we'd have seen GPL'd Windows 2000 from the leaked MS source, and a GPL'd version of every piece of source that was ever leaked onto the net. Heck, we could solve Xfree86 problem in a second - someone just grab the latest source with the annoying license, untar it, stick in a GPL LICENSE and COPYING files, tar it back up, and distribute it. Bingo - problem solved. Yet for some strange reason, no one has done that yet. Because it's not allowed. I bet even RMS would agree with that.

The GPL provides an awful lot of protection, but that all goes out the window if the inital release under the GPL was unlawful. And one such case would be if you signed an employment contract stating that any code you wrote was property of the company. If you plan to work on GPL stuff, either get a waiver beforehand, or find another job. But you don't get to decide that part of your contact doesn't apply because you don't like it or feel it's "wrong". If so, I could decide that I don't feel like repaying my car payment, or that I want to knock down a few walls in my apartment, regardless of what my lease says. The courts get to strike down parts of a contract after it's signed - the average person doesn't.

I'd say

this is the reason it was pulled:
http://sourceforge.net/forum/forum.php?forum_id=36 8414

Apparently, there were some GPL violations in the code but it doesn't sound like a permanent problem

Via's RNG publicity and a conspiracy theory...

VIA's random number generator greatly increases the speed to generate the keys (ie faster than p4 2.6 ghz on VIA's 1Ghz proc).
However there is a full software mode so it still works.

I think VIA knew that waste's code was dodgy in the first place. They published it so it would make some noise and draw some attention to their hardware specs.

Or one of the US 3 letter agencies might have requested not to publish secure tools?
Anybody here thinks that securei easy IM might not facilitate terrorist message interception?

I mean if one uses secure IM, than they immediately draw attention of the security agencies. Now if everyone uses secure IM who can they focus on?

Re:Via's RNG publicity and a conspiracy theory...

VIA's random number generator greatly increases the speed to generate the keys (ie faster than p4 2.6 ghz on VIA's 1Ghz proc).

There are other hardware crypto accelerators [soekris.com]. OpenBSD uses them to offload all possible crypto and random functions from the CPU whenever one is present. VIA's is nice, in that it comes with the computer, but $100 will get you the same functionality in a PCI card.

Anybody here thinks that securei easy IM might not facilitate terrorist message interception?

You mean, like Jabber with SSL? That cat's already out of the bag.

TEN FOOT POLE

If the Nullsoft release was unauthorized (what constitutes unauthorized is not as clear-cut as AOL would have us believe) then the fact that the code was GPL'd is irrelevant. Go roll your own people. Don't even look at the WASTE source. You'll be tainted.

Re:TEN FOOT POLE

Go roll your own people.

I'm working [winw.org] on it.

don't do that

Merely the fact that the software had a GPL copyright on it and happened to be available somehow doesn't mean that you can redistribute it. Until a piece of software has been intentionally released by its owner under the GPL, it is not covered by the GPL.

Furthermore, one of the most likely reason VIA pulled this is that they don't have the right to distribute it (patents, other people's copyrights, etc.). Then, even if you acquired a copy under the GPL, you couldn't use it because the GPL would be invalid.

Also, the person posting it may not have been authorized to do so by the copyright holder (the company itself). That would also mean that you don't, in fact, have the right to use it under the GPL because the GPL is an agreement between you and the copyright holder (VIA), and VIA has not entered into that agreement with you.

Even if you could get away with it legally for some reason, I really think it's a bad idea to behave that way. Good relations between VIA and OSS developers are essential in order to have Linux run well on their hardware. There is no hard-and-fast line, but in a situation like this (it seems it has had no widespread announcement, no user community, no external contributions), the creators of such a software package should be allowed to change their mind at the last minute.

tum-te-tum...

% cp /usr/src/linux/COPYING /downloads/KaZaa/WindowsSource/

Hey presto everyone, GPL'd Windows Source code!!!

But wait a minute...

If Nullsoft claims that the WASTE release is illegal, why haven't they bothered to take the waste project of SourceForge? Isn't this based on the same code?

I love it!

This program is just too cool! There are some things it could obviously use, such as an easier way for users to share their public keys(ala PGP key servers. The use of actual PGP/GPG keys would be really cool too!) and a few dedicated hosts to start a network(because direct peer to peer isn't always desireable or feasible, but the security through a dedicated host is good enough for most circumstances...) I guess what I'd really like to see is AIM support public key encryption, something that has always been lacking in the instant messenger app of choice for most people. Perhaps the open source community can make this a reality. And gaim encryption just doesn't work for enough people and isn't as strong as this...

WASTE is GPL, set in stone.

I'm not a lawyer, and I don't use the dumb geek acronyms to shorten that phrase down, but:

The WASTE software and source code was posted on the Nullsoft website by a Nullsoft employee who's always posting software to the site, who happens to also be the author of WASTE.

Let me repeat: an officer of the company and the author of the software made this software available under the GPL on the company website.

This seems open and shut to me: it's still GPL'd software. Sure the employee may have acted against the wishes of his gods, but its too late, it was released by the author, on the company website.

This would set a dangerous precedence if this were successfully challenged in court. Any company could virtually release a product under the GPL and later revoke it at their whim, claiming its unauthorized and that everyone must destroy their copies.

cumulative mirror

http://www.mousearmy.net/tech/

In the top section I've posted the original waste source, current waste source, PadLockSL source and some of the windows binaries mirrored in this thread.

This should consolodate the mirrored files in one place.

Of course it got pulled

Didn't AOL say when they pulled it that it was still their proprietary software and that it had been released without its OK? That the GPL license was null and void?

Via can't give away something it doesn't have rights to any more than Justin could.

tainting - license issues

How is using waste any more naughty than gnutella? After all, nullsoft released that and AOL pulled it too.

And also, the code is in dispute maybe, but what about reverse engineering the protocol? Without protocol docs, you'd have to download and run this in a testing environment if you wanted to reverse engineer the protocol to roll your own code.

Maybe someone should fix the GPL violation

If all this effort that people are spending to keep putting this thing up when people take it down were instead spent actually working on the code, perhaps the non-GPL'ed parts could be rewritten, and then it wouldn't keep disappearing.

SCO Arguments and WASTE

Has anyone else noticed that some of the arguments advanced by SCO relating to the alleged iuclusion of proprietary code in the linux kernel are very similar to the WASTE situation? I mean, clearly they aren't directly analogous, and SCO are litigous bastards etc., but think about it: Justin Frankel, while working under a contract that makes all of his software belong to AOL/TW, releases a piece of software under the GPL without authorization. Some people argue that the initial release makes it GPL forever and ever amen, but as many smart comments have pointed out on this thread, that's just false. That's *sorta* similar to SCO's continued distribution of the linux kernel post-IBM lawsuit, isn't it?

Either way, seems to me that between the WASTE situation and the SCO lawsuit, that open-source insurance is a good idea.

maybe the code is borked

and they took the junk down hoping no one would try and develop anything with it. Be careful what you pull out of the garbage... reminds me of some tomatoes once that... nevermind

companies

Corporations are "treated as individuals under our law" right?

Can I retract my own action of releasing something under GPL by saying that the part of my brain that so did, was not authorized by "me"?

No?

then Why can corporations retract their own actions by saying that "the part of the company (or the individual who did it) was not authorized by the "central part of the company" ?

Autonomous Darknets

it seems my post was cencored out!? so i am posting it again. WASTE is real strong in being the first in several areas: purep2p, anarchistic (WASTE is the most anarchist p2p because it implements security culture, free association and mutual aid. This is thanks to it's Decentralization, Encryption and preferences/features) , passive to passive transfers (via [sic] unique routing), & in being 'illegal' open source , I think more Open Source projects should reclaim proprietary ideas that were developed/discovered in places like public schools and return the knowledge to the public so we can be more self-sustainable and sharing. shutting down lifeless entities control over our intellect. Padlock is not compatible I've tried. it's also got allot of disabled features. it's like a whitewash. my hope is that the sourceforge open source WASTE team http://sf.net/projects/waste/ kicks into action to make a mockery of this via project much like has been done to neomodus dc over dc++ , but this is a reverse hijacked fork protocall type thing. not that i think it even matters much. i value having a network name/ID and full control of options that are in WASTE and not in Padlock. there interface is kinda weak ,with huge buttons and striping? i guess just watch and see if they add the rest of wastes advanced features or make a more restricted program from the most anarchistic p2p i love and call WASTE. oh ya and did you all notice that Padlock is removed from the VIA site now?

It's pretty simple

Two things here. One, the source code probably is GPL. Two, it doesn't matter, it still makes perfect sense that VIA would pull it.

Finkel wrote the code while working for AOL, so depending on the terms of a contract we can't see, the code may be AOLs. But, there is some evidence that Finkel was able to release code in his capacity as an agent of AOL. (This may also be contingent on a contract we don't have.) So it's likely that the code is actually under the GPL.

But I said likely, not certain. AOL disagrees. So, some VIA developers convince their legal department, possibly without telling the whole story, that WASTE is GPL'd, and legal gives them the thumbs up. They write Padlock, put it on the web, and it gets Slashdotted. But now AOL finds out, and they send a threatening letter to VIA's legal department. What does VIA do?

Obviously, they withdraw it. Yes, it's GPL (though nobody is trying to convince them of that), but AOL can still sue them. Since Padlock is of no real importance to VIA, it's financially smarter for them to just drop it.

I think it's safer for someone to just re-implement it, possibly in a better way. I doubt AOL has patents on it, because why would they have gone to the trouble to obtain patents if they weren't going to release the software, and probably didn't know it was being written?

Re:I can see it already.

Oh yeah, and for our protection, I think laws should passed worldwide that anything posted on the Internet and subsequently removed cannot be recalled once downloaded by at least one person, so that if a company releases something as GPL and then pulls it, even if that is due to copyright violations on their part in including the thing in a GPL download, that company is subject to damages but not the downloaders, since they downloaded something as licensed under the GPL.

In other words, you want the international community to pass a law that makes it so that if someone steals my code and posts it online and then has a friend download it, I lose all rights to that code.

That's a very bad idea.

Re:I can see it already.

I don't think I'm reading his post selectively.

If someone steals my code, then posts it online under the GPL illegally and then other people download it, I don't think that those other people should have Carte Blanche to do what they want with my code. I think that if I inform them and can prove to them that they are using code that should never have been in the GPL, then they have an obligation to stop using my code.

If we go with the great-grandparent's plan, then anything released under the GPL, no matter how it got there, would stay GPL. In other words, thieves would be totally free to steal and distribute code.

Which is a very bad idea, I think

Re:I can see it already.

You just wait. I give this thing about 30 days, and then people will start hearing from all kinds of lawyers, and we'll have another SCO on our hands, claiming we jacked source code which we did not, in fact, jack.

Huh? Tell me, if I had a job as a janitor at Microsoft headquarters, and grabbed a copy of the Windows source code, would I be able to release it as GPL? And would the people downloading and spreading it be in the right? Of course not!

This is essentially AOL's argument: that somebody released the WASTE code under the GPL when they had no right to. If that is true, then they acted accordingly - they pulled the source and put up a notice in its place.

Now along comes VIA, who haven't got the message that their license is not valid. They "release" their derivative work, and then find out about the licensing screwup. They pull the software.

No matter how many people have downloaded the code, none of them have a valid license. VIA were never in a position to grant licenses.

So sure, if somebody is mistakenly under the impression that their license is valid, then they shouldn't be punished. But you are advocating ignoring the fact that the license is invalid, and committing copyright infringement.

But instead of using it to build the product, use it to plan a completely new design, and build that as a separate project altogether, using none of the original source code. Call it a different name, make it do slightly different things... when they come to bitch and moan, the damn thing won't share any lines of code. Shit, if there's int i in that source, our version should define int to INT and write INT i, just to throw off code comparison.

No, that's a derivative work, and is also covered by AOL copyright. Any attempt to "throw off code comparison" would be strong evidence that you knew that the license wasn't valid, which, I believe, triples damages when you inevitably lose the copyright infringement lawsuit.

Oh yeah, and for our protection, I think laws should passed worldwide that anything posted on the Internet and subsequently removed cannot be recalled once downloaded by at least one person, so that if a company releases something as GPL and then pulls it, even if that is due to copyright violations on their part in including the thing in a GPL download, that company is subject to damages but not the downloaders, since they downloaded something as licensed under the GPL.

So the janitor at Microsoft snarfs the source code, gets a new job at Sun, and uploads it onto their servers. Bingo, Free Windows, no more Sun.

Re:I can see it already.

our version should define int to INT and write INT i, just to throw off code comparison.

If they compare the code after the preprocessor pass, that would be a waste of time. If it's written from scratch, why bother? (Besides, they just need a lawyer to wave a prop briefcase with "millions of lines of stolen code". Reality seems to have nothing to do with it.)

Re:Why?

Moderators: This person is not offtopic, they are WRONG. This is NOT "just a fancier GUI on WASTE". It is an entirely new GUI, and a different encryption algorithm. The RSA code was (C) RSA and including it in a GPL program is a GPL violation. The AES code used in Padlock SL is dual-licensable; The default license in the program is essentially BSD, but it says you can instead license it as GPL so long as you retain the original copyright notice. Sounds good to me.