Does Using GPL Software Violate Sarbanes-Oxley?

Anonymous Coward writes "eWeek is reporting that The Software Freedom Law Center has published a white paper that dismisses recent publications from embedded systems seller Wasabi Systems. Wasabi recently released statements focusing on alleged GNU General Public License violations in relation to the Sarbanes-Oxley Act of 2002. The white paper, titled "Sarbanes-Oxley and the GPL: No Special Risk," essentially counsels users of the free software license that they have no need to worry."

SOX is change management over financial systems

[futuresheep]

SOX requires strict change management controls over financial systems. When we went through our audit, the auditing company was mostly concerned with how changes were made to these systems, what management controls were in place to monitor these changes, and the processes that were in place to ensure their integrity. None of the OSS software used in these processes was given a second glance beyond the aforementioned items. As an example, our use of Nessus as one the our tools for network audits and our archive of Nessus scans was applauded.

Just my Experience.

Since when is the GPL a EULA

[Tweekster]

What would use of software have to do with the GPL... The user does not have to accept the terms of the GPL to USE the software...

Groklaw quotes Moglen: FUD, plain and simple.

[toby]

Article here. [groklaw.net]

Quoting a response by the Software Freedom Law Center:

the latest Software Freedom Law Center white paper [softwarefreedom.org] maintains ... these issues were reviewed and it was found that there is in fact no special risk for developing GPL'd code under SOX. "Under most circumstances, the risk posed to a company by SOX is not affected by whether they use GPL'd or any other type of software. Arguments to the contrary are pure anti-GPL FUD [fear, uncertainty and doubt]," the paper says.

Wasabi = BSD zealots

[drwho]

I contacted Wasabi hoping to buy some tools from them for BSD development on embedded platforms. When I asked about a platform they didn't support, the proceeded to criticize that CPU and Linux saying they were underpowered and immature, basically, they want you to buy their favorite CPU. Sadly, this company is made from NetBSD developers, who I had previously thought were among the less rabid BSD zealots.

I stayed with Linux for embedded systems, and probably will forever, unless embedded BSD is freed from the grips of these people.

Sarbanes-Oxley is a joke

[rfolstad]

I speak from experience and people can and will use SOX as an excuse for anything and everything. The problem is auditors are now trying to understand technology and they just don't get it.

The basics of SOX is that your CEO must sign that the proper controls are in place to ensure that all changes made to production systems that affect the reporting of financial information are approved changes.

Companies can take this to mean that changes to your firewalls, mail servers and webserver need to be logged and monitored with scrutiny. And they will even send "auditors" in to take screenshots of /etc/shadow hahahahahahhaa.. It's hilarious.

Realistically it is impossible to be 100% SOX compliant and profitable. This bill will be gone within 5 years and other countries without silly laws like this will prosper in the meantime.

So yes. If there is a not an audit trail in place where someone approves of applying that patch to the linux kernel on all production machines then you are not SOX compliant. Just like if someone doesn't approve installing that critical service pack from microsoft. Without approval and test cases you will fail your SOX audit unless you pay the extortion^H^H^H^H^H^H^H^H^H fee that anderson^H^H^H^H^H^H^H accenture is charging these days.

Re:Intended Consequences of laws

[dada21]

Yes, let them go wild. It will teach the average "investor" that there is no such thing as a free lunch. You should NEVER put your money into a business that you don't have faith in or trust. If you make it government's job to make people "tell the truth" you'll get lies covered by legal loopholes.

The problem starts with the Fed (Greenspan, Bernanke and their inflationary cycle) that makes money worthless over time so we seek to invest it to at least break even. The problem is made worse by the same inflationary cycle that makes our salaries go up slower than the inflationary cost of living increases (which go up because of the money printing). It goes downhill from there -- the SEC makes investors believe they're protected, which in a free market is a fallacy. You are only protected through contracts, not through law forcing people to act a certain way. Beyond contracts you protect yourself by doing business with people with a history (see eBay's feedback system).

This is all a mess, made worse by people who have faith in others. I have no faith in others except those who have proven their trustworthiness to me. This is why I only invest in businesses I have direct contact with.

Re:Wasabi = BSD zealots

[Billly Gates]

Management runs the company not its BSD founders. Also they sell their own embedded systems and highly discourage using your own as it would cost htem money.

Management wants to kill linux as much as possible so you can run netbsd instead.

It seems they are desperate at this point and bashing linux was not a good way to make a customer. It seems they have incompentant salesmen and upper management probably had a role in training them.

Wasabi Burns

[Doc Ruby]

I knew the founders of Wasabi Systems, here in NYC. The original "brains" behind the startup, which planned a "Red Hat for NetBSD", got screwed by his lawyer partner in the late 1990s, and left. No surprise to hear their business model is lying about GPL (Linux) in press releases.

What the FUD?

[redelm]

AFAIK, SOx is all about increasing "transparency", mostly records retention and statement quality. OSS can only help these, not hurt, unless the corp is incurring liability by violating licences.

Re:Intended Consequences of laws

[rossifer]

would you mind reading just one free tiny e-book that covers mine? http://www.mises.org/money.asp [mises.org] This is Rothbard's basic book regarding money and what government has done to destroy the economy.

I went ahead and read it, and the author makes the same mistake that all advocates of the gold standard make: they fail to understand that currency and value are separate. Further, the author completely misunderstands the role of the central bank (The U.S. Federal Reserve Bank) in a paper money economy: which is to stabilize the relationship between currency and value. This deliberate stabilization is impossible in a gold standard economy (more precisely, there are too many players who can influence the quantity of currency in circulation in a gold standard economy to know who they are, let alone understand their motivations).

I admit, most people don't understand why certain pieces of paper are more valuable than others, but that lack of understanding does not mean that we should revert to the gold standard (which has an equally misunderstood relationship between currency and value). All the gold standard buys you is less control.

Government destroyed our currency by getting off of a 100% reserve system in 1913. It has destroyed any reason to save (the best way to create a strong economy is through savings, not public credit),

This statement presupposes that inflation alone is a disincentive to savings. Which is false.

The incentive to save is based on relative returns. If the available interest rate of savings accounts is above the inflation rate, there is an incentive to save. At the moment, this is not true. After taxes, bank interest rates on savings accounts, most CD's and most money markets are below the inflation rate. But this inversion of returns, and the problematic incentives that provides is a recent (over the last 20 years) event, not stretching back to 1913.

You'll have to come up with another theory. I agree that bank regulation is to blame, but to describe a new set of regulations that provide for banks to make a profit on savings and to offer a competitive interest rate is beyond my limited knowledge of economics and monetary theory.

Regards,
Ross

Re:Coming soon to slashdot:

[MP3Chuck]

Really? Does it change from H2O when it changes phase? ;)

No Violation

[stonetony]

The Government in notorious for telling you that you need to comply with regulations without telling you how to comply. This sounds great at first, but this also leaves you open for penalties later if they determine that the methods you chose were insufficient. There is nothing in Sarbanes-Oxley that restricts the use of any specific sort of software to comply.... as long as if/when they investigate you they determine that you are/were in compliance.

Re:Sarbanes-Oxley is a joke

[srNeu]

SOX has become revenue stream for auditing firms. They took a very simple law (about 2 pages) that is as you stated "The basics of SOX is that your CEO must sign that the proper controls are in place to ensure that all changes made to production systems that affect the reporting of financial information are approved changes." and turned it into a complex cash cow.

My company's parent company has several internal corporate auditors on staff that are extremely computer illiterate. They basically take what the external auditors say to do make us produce documentation for it. However, the auditing firms have made the requirements overly complex and the corporate guys don't understand the technology to know what really makes sense or not.

Case in point, our corporate guy decided that only 2 of the 4 admins at our company need admin access in the mrp system. So he directed one of the dedicated mrp people to remove my access. Now I can no longer unlock user accounts, etc., so my ability to help the company has been reduced. No where in the SOX law does it say that you can only have 2 people with admin rights. So where does the corporate guy get that impression --- from the auditing firm. I have since got my rights back due to confronting him if he could point out exactly where in the SOX law it says that only 2 people can have admin rights. He couldn't, and only said that [unnamed auditing company] said that was the right way.

As long as the external auditing companies make up the rules on what is covered and what is not, we will continue feeding the auditing company's cash cow called SOX.

Re:Intended Consequences of laws

[AuMatar]

Contracts can be enforced in a private market without the force of law. If you sign a contract, you take out contract insurance through a private company. This company issues a "bond" against your signature, guaranteeing the other party that you'll follow through, and also offering you insurance against the other party running off. This happens all the time in the construction industry (I should know, I own a business that gets bonded on each project).

No, it can't. First off- I sure as hell shouldn't HAVE to take out insurance for every one of my contracts. Yeah, thats a great idea- lets build up yet another level of middle men into society. Second off- its rife for corruption. For example, say I have a contract with a big company- say WalMart (no reason for picking them except their size). The bond company does hundreds of contracts with WalMart a year. They do 3 or 4 with me. We have a disagreement. WalMart tells them to side with WalMart, or they'll never give them buisness again. Who do you think they're going to side with?

The free market doesn't work on situations like this. They're called externalities, and covered in econ 101. A course I become more increasingly sure no libertarian has ever taken.

Sure, someone can take their terrible negative feedback and start anew with another company, but would you trust a 30 year old with zero feedback? Neither would I.

So in a world already hampered by big corporations, you want to add another artificial stumbling block raising the barriers to entry and allowing the big corps to fuck you over even more. Another great idea.

Don't forget to factor in that over half of all buisnesses fail in under 5 years. So yes, there would at any one time be a majority of buisnesses with little to no feedback. You'd also have a whole new class of crooks- feedback scams. They happen on ebay all the time- someone creates an account, sells a few dozen items to friends to build up feedback, then scams some unlucky guy (or frequently several unlucky guys) out of thousands of dollars in a big sale.

In a free market, interest rates are free to go up and down. Banks that need money can offer better rates than those who have money. Also, in a free market with a fixed money supply (100% reserves) we'd see soft deflation, which is good for the economy -- it gives people reason to save, increasing the money supply to banks for loans to GOOD businesses, not junk ones.

Deflation is no better than inflation. Both are good for different sectors of the economy and different economic classes. Inflation is good for people in debt (they need to pay less when the debt is due), deflation is good for debt owners (the debt is worth more when it is due). There's good reasons for prefering inflation to deflation- inflation makes credit very expensive. It makes buisnesses hard to start and homes hard to buy. Historicly inflation in this country was pushed for by farmers, who were land rich and cash poor, so they could more easily utalize their land to generate debt in bad years and repay in good.

As for a fixed money supply- thats not a good thing. One of the biggest problems in the middle ages was that the fixed money supply frequently left too little cash money in an area, limiting economic growth. The basic macroeconomics equation is change in money supply+ change in velocity of money=change in GDP plus inflation. If the money supply is fixed, you either have no change in GDP or you end up having money cycle very quickly. Quickly cycling money lowers savings rates (you have to spend it more often). Its much preferred to have a slowly increasing money supply. The ideal is to increase the money supply just enough so that inflation is 0, but this is nearly impossible to do. In practice its better to overincrease it and have mild inflation than the reverse.

Re:Intended Consequences of laws

[Qzukk]

The problem is that nobody out there has the time to engender the trust they'd want from every single individual they come in contact with, and corporations certainly won't go out of their way to help. Can I really trust the "Organic" produce sellers to not take the ugliest fruit from the truck and slap the organic label on it so they can mark it up? Can I really trust my water utility to purify the water I'm drinking and not feed me any strange chemicals for research purposes? Can I really trust the power plant next door to the house I live in to follow all applicable safety regulations? Can I really trust the medicine I bought to not be placebo pills?

How would these entities go about convincing me to trust them? What do I do if nobody decides that my trust is all that important? What is my recourse for cases where entities build up trust over time specifically to pull off a couple of big scams (see: ebay)?

Re:Intended Consequences of laws

[dada21]

I'm neither a libertarian nor a Rand-droid, fwiw :)

I do travel the world, in fact I just got back from a 3 week trip to Eurasia. My visits to Poland and India were eye opening, indeed. This summer I am traveling to 2 other continents, and following up with a late winter visit to Dubai, one of the my favorite cities in the world, and also the freest market to boot. I see growth everywhere I go, except in the US. Of all my businesses, my 2 biggest failures were due to regulation by the government. My 2 biggest successes were in the free markets that were unburdened by regulations.

I believe we've put too much faith in government, which is the reason things are as bad as they are. Most people don't notice it, though, but traveling to other countries has proven to me that we have no idea what we're talking about. The Chinese "slaves" working in the corporate towns are happier than those who don't have jobs. The Indian "slaves" working for the megacorps have a much higher standard of living than their neighbors. I'm not sure where the bad things are, but I keep looking for them and I find nothing.

When Ethiopia was "starving and the people were dying," I went there. I saw prosperous cities, people with brighter futures, and an economy that would explode if it wasn't for excessive regulations and taxes. I see the same thing today in Tunisia and other parts of Northern Africa.

My words don't come out of some utopian fantasy, they come from honest experience working with many people in many countries. Humans want to make themselves better, and they find ways to do it regardless of what government promises to do. Usually those promises are the main reason we can't better ourselves.

FWIW, I believe megacorporations come directly out of government support and subsidy. I don't know if we'd see the same megacorporation control in a free market, as most megacorps get there through utilizing regulations in their favor.

Re:Maybe I'm a bit thick but...

[gnasher719]

'' Here is the problem. You run linux and your software is an asset used to help run your company. Who owns it? Does Linus own the kernel? What about the distro owner? How about the 250 people who contributed to the kernel? ''

That is really very simple. Your company can just make a statement like: "In our company, we are using 500 copies of Linux and 500 copies of OpenOffice. Both Linux and OpenOffice are owned by their respective copyright holders; we are using this software under the GPL license. We are also using 500 copies of Windows XP and Microsoft Office which are both owned by Microsoft; we are allowed to do this because we paid Microsoft lots of money for the licenses. "

If in reality you only paid for 100 licenses of Windows XP and Microsoft Office and someone finds out, then you are not only in trouble with Microsoft, but also with SOX. And should you be violating the terms of the GPL license in such a way that you are not allowed to use Linux and OpenOffice (and I am not quite sure at the moment how you would do that), then you are also in trouble with SOX.

Beware Your EULA

[Stephen Samuel]

Man, if you're worried about the GPL, imagine what happens if you use Microsoft Software?

Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.
If you don't revert your software, then your mission-critical software wll remain broken until Microsoft deigns to fix the issue.
If you do revert your software then you're in violation of the EULA and subject to having Microsoft demand that you delete the entire package at any time.

With the GPL, you're only likely to run into problems if you want to distribute the software without distributing the full source. You can sometimes get away with not publishing the source to isolated parts of software written by you, but at that point you're running on the border and should talk to lawyers to make sure that you're not crossing over the line.

Very Stupid

[glrotate]

The Wasabi Whitepaper itself says it doesn't:

"None of this applies to companies who merely use GPL software, such as those who run Linux on their servers, as long as their software was created in a compliant way. In addition, none of this applies to companies using non-GPL open source software, such as BSD; in the case of BSD, there is no requirement to make modifications open source. Rather, the requirements discussed here apply to companies who modify GPL software, such as embedded OEMs
using Linux."

This is only about companies releasing products with GPL software.

Actually it would be good for Open Source if it was a violation. It would be leverage to use against these infringing embeded companies.

I've worked with Sarbanes Oxley

[Banner]

And it's a complete joke and waste of money. More of Congress making stupid laws and costing people more money, and now we have accountants telling us how to make software? And what counts as 'quality'? Please...

Re:Worded poorly.

[Anonymous Coward]

Situation four: Your company has taken GPL code, and modified it for internal use. This modified code is not distributed externally in object or source form.

The GPL is not violated since there in no distribution. However, if it is declared as a company asset, then you need to make it clear that only your modifications count as assets. As I understand it there is a possible violation of Sarbanes-Oxley here. But there's no special risk here - if the company declared public-domain code or BSD-licensed code as an asset they would be in violation too.