Forgot your password?
typodupeerror

Does Using GPL Software Violate Sarbanes-Oxley? 272

Posted by ScuttleMonkey
from the dispelling-fud dept.
Anonymous Coward writes "eWeek is reporting that The Software Freedom Law Center has published a white paper that dismisses recent publications from embedded systems seller Wasabi Systems. Wasabi recently released statements focusing on alleged GNU General Public License violations in relation to the Sarbanes-Oxley Act of 2002. The white paper, titled "Sarbanes-Oxley and the GPL: No Special Risk," essentially counsels users of the free software license that they have no need to worry."
This discussion has been archived. No new comments can be posted.

Does Using GPL Software Violate Sarbanes-Oxley?

Comments Filter:
  • Worded poorly. (Score:3, Informative)

    by Short Circuit (52384) * <mikemol@gmail.com> on Tuesday March 07, 2006 @04:32PM (#14869442) Homepage Journal
    The SFLC wrote the paper titled "No Special Risk" ... Wasabi Systems [wasabisystems.com] alleged SO violations.

    And no surprise...they advertise BSD-based products on their front page. (Not dissing Any of the BSDs, they're cool, IMO.)
    • by Anonymous Coward
      People who think for themselves will one day realize that in the end, it's all about FREEDOM. Corporations do not have your best interests at heart and never will. The GPL is where the future of free software is, and only the GPL. People who bitch and moan about things will one day thank the GPL for being what it is. Corporations are becoming stronger. GPL software can never be stopped by anyone, ever, anytime.
    • Re:Worded poorly. (Score:5, Informative)

      by ShieldW0lf (601553) on Tuesday March 07, 2006 @08:47PM (#14871483) Journal
      Situation One: Your company owns the copyright to the software outright, released it under the GPL, and doesn't accept contributions. No problems. Situation Two: Your company distributes GPL software that it didn't write, with or without modifications. Your company recogizes that this is not its intellectual property, and never should have been, being that it wasn't written by them, and doesn't claim it as an asset. No problems. Situation Three: Your company distributes GPL software that it didn't write, with modifications. Your company fails to recognize that part of this software was never theirs in the first place and that the rest of it is not an economic asset because they do not have the ability to control access to it in exchange for money, but you try to pull some bullshit with the numbers to make it seem like an asset. By doing this, you're misleading your investors and committing fraud. You have a problem. But the problem isn't with the law. The law is working exactly as it should. If you're an OEM using open source software that you sourced externally for free and modified, it's not your property, and you shouldn't be listing it at all. If you've built your business around this lie, you're SUPPOSED to be fucked. That's what the law is for.
  • by un1xl0ser (575642) on Tuesday March 07, 2006 @04:33PM (#14869447)
    Who can recommend a good book on IT 404?
  • by Anonymous Coward on Tuesday March 07, 2006 @04:34PM (#14869460)
    they want their boring back.
  • More info on SOX (Score:5, Informative)

    by kebes (861706) on Tuesday March 07, 2006 @04:34PM (#14869461) Journal
    In case you have no clue what "Sarbanes-Oxley" is, you can check out official info [aicpa.org] and the Wikipedia article [wikipedia.org]. Basically it is a set of laws that place limits on what companies (and those working for them, especially upper management) can do. This has mostly to do with declaring assets and transfers of money. It tries to prevent companies from defrauding investors and so on. These laws were enacted after the Enron scandal.

    Wasabi's complaint [wasabisystems.com] is that under these laws, you have to declare all assets, including intellectual property. Their rationale is that using open-source software, you may be in violation of the law if you do not review and declare that usage.

    As was pointed out last time this was discussed on slashdot [slashdot.org], a company would only be in trouble if they were already doing something illegal: violating the GPL. If you violate the GPL, then you're misrepresenting your ownership of IP (claiming to have a license you don't), and thus are also violating Sarbanes-Oxley.

    So what's the problem? If a company follows the GPL, then everything is fine. They have nothing to worry about. If they violate the GPL, then they're breaking multiple laws. So, as always, companies should make sure that what they are doing is legal. This in no way diminishes the extent to which GPL software can be used in commercial environments. Wasabi acts as if there is some tremendous additional legal burden to using GPL software. However it seems that Sarbanes-Oxley would equally apply if you mis-represented your ownership of non-GPL software. So there's no difference. (You can read the Software Freedom Law Center white paper [softwarefreedom.org] for a more complete explanation.)
    • by Jeffrey Baker (6191) on Tuesday March 07, 2006 @04:48PM (#14869577)
      More importanly, you can substitute any other license for "GPL" in the parent post. If you misappropriate software under any license, you could have some liability. Duh.
      • by booch (4157) <slashdot2010 AT craigbuchek DOT com> on Tuesday March 07, 2006 @05:12PM (#14869745) Homepage
        In almost EVERY argument against the GPL, you can substitute any other license for "GPL", and the argument would still hold true.

        One of the biggest arguments against the GPL is that if you use it in your own code, you have to agree to its terms. In the case of the GPL, those terms mean that your code must be GPLed. Other licenses set other terms; many licenses don't even ALLOW you to use their code in your code. In any case, if you don't follow the terms, you can be sued for copyright violation. So you always have a choice, no matter what the license -- either follow the license, or get sued.
        • One of the biggest arguments against the GPL is that if you use it in your own code, you have to agree to its terms.

          How is that an argument against the GPL? In most other cases, even getting the code will violate several laws, and you have no right to use it in your product. Seems the GPL gives you more than most. If you just want a library, the choice is simple - make your stuff GPL or don't use the library (with some exceptions).

        • Re:More info on SOX (Score:5, Informative)

          by zero1101 (444838) on Tuesday March 07, 2006 @06:16PM (#14870302) Homepage
          One of the biggest arguments against the GPL is that if you use it in your own code, you have to agree to its terms. In the case of the GPL, those terms mean that your code must be GPLed.

          This is an extremely misleading statement, if not outright false. Your code must only be GPLed *if you redistribute it*. There are, unfortunately, plenty of cases where PHB's decide not to use GPL software because they don't understand this. And apparently neither do many Slashdot readers.
      • by jbn-o (555068) <mail@digitalcitizen.info> on Tuesday March 07, 2006 @08:57PM (#14871547) Homepage

        The reason why they're making their case against the GPL is important. Proprietors are saying that the GPL makes them nervous, they don't like the commons the GPL creates and maintains. Proprietors want to discourage everyone from using and developing GPL-covered code so that they have less competition and won't have to spend their time lobbying governments around the world to help make Free Software implementations of various programs impossible. Thus this is just another legal risk FUD case against the most widely used Free Software license, the GNU GPL which fails to mention what the Software Freedom Law Center points out:

        "Historically, GPL violations have not triggered massive lawsuits for damages the way that violations of proprietary license agreements have. The primary enforcer of the GPL is the Free Software Foundation (FSF), who has never used a GPL violation as the basis to go to court to seek a large damage award or enjoin software distribution. The FSF's stated policy is to ensure compliance, not to prevent software distribution or to seek damages.

        What this means practically for the vast majority of companies complying with SOX is that the threat to their businesses posed by potential GPL license violations, both inadvertent and intentional, is so low as to be immaterial. In any case, the financial impact of GPL violations is likely to almost always be lower than the impact of proprietary license violations, for which parties routinely bring suit for damages."

        And when it comes to GPL-covered software being so complicated to deal with, the SFLC has this to say:

        "In most instances, compliance with proprietary licenses is much more complex than GPL compliance because the GPL is a general license with obligations that are fairly simple and understandable. No money changes hands, seats are not counted, and licenses are not time-limited. GPL compliance is a fairly simply matter, and if a company has concerns about how to comply, the FSF is staffed with experts who can and do help companies create efficient compliance procedures. Proprietary licenses, on the other hand, often contain both a greater number of provisions and a greater complexity than the GPL. Thus, a company trying to understand its rights and comply with its obligations under such a complex and detailed license will have a much harder time than one who must merely comply with the GPL. Accordingly, the risk of inadvertent license violation is often greater with non-GPL licenses."


    • My understanding is that one of the reasons that Enron got as far as it did was because of the absence of laws that declared a conflict of interest if the same firm used for accounting/auditing, was also used for consulting. Doing the right thing would have meant giving up either of those roles, and all the money that went with it. Money talks, integrity walks.

      If my understanding is accurate, I wonder why it wasn't fixed by simply closing this loophole. Seems like every time something goes wrong (and it wen
    • Re:More info on SOX (Score:5, Informative)

      by Tony Hoyle (11698) <tmh@nodomain.org> on Tuesday March 07, 2006 @06:47PM (#14870540) Homepage
      In practice though GPL stuff isn't enforced...

      Witness the number of embedded devices (particularly routers) where you can't get the source code to the GPL parts, and where you can, they're hard linked to closed source binaries with 'no unauthorised distribution' clauses (Yes I mean you Broadcom!).

      So it's perfectly legal to modify the GPL bits, but illegal to distribute the resultant code... thus the GPL is defeated by apathy because nobody cares.
      • by kesuki (321456)
        but illegal to distribute the resultant code

        I think you meant 'binaries' of course, obviously you can redistribute the source code, it just won't Compile or if it compiles it won't 'run' without the proprietary bits that you had to seperate out.

        anyways, it's just a sign of how sad and pathetic things are nowadays. back in the old days if you invented something, but hated patents, you could just tell people how to do it, and no one else could patent it, because you'd proven how to do it first... but with s
      • Re:More info on SOX (Score:4, Informative)

        by jschrod (172610) <jschrod.acm@org> on Tuesday March 07, 2006 @09:42PM (#14871823) Homepage
        Check out http://www.gpl-violations.org [gpl-violations.org].

        Witness the cases where GPL gets enforced legally, when embedded devices violate the copyright of the netfilter project.

  • by dada21 (163177) * <adam.dada@gmail.com> on Tuesday March 07, 2006 @04:35PM (#14869466) Homepage Journal
    Some think that these situations are unintended consequences of laws that have "good" effects. Sarbanes-Oxley was intended, from the start, to be the ultimate way for governmentto control any corporation at will.

    The law was initially meant to "fix" problems such as the Enron fiasco, but if you rewind just a few years, you see that most of these fiascos came directly out of trying to take advantage of loopholes in previous laws. The SEC colludes with the rest of the all powerful federal government to constantly keep non-preferred companies on their toes, while giving excessive power to the cronies. Sarbanes-Oxley will have the same effect.

    The one light in Congress, Dr. Ron Paul, made an excellent note [lewrockwell.com] regarding Sarbanes-Oxley and the cost it will pass on to consumers. The Mises Institute also has a ton of great articles and blog posts [google.com] regarding the horrors of this law.

    It is time to realize that government is NOT good at regulating business, except from the point of view of the cronies. Bills like this will rarely be used for their original intent, and the un?-intended consequence in the long run is to see criminals made of innocents that had nothing to do with the law's purpose.

    Instead of voting, I think we need to start pitching money in a hat to buy rope for those who violate their oath to uphold the Constitution.
    • So if you really want to go after a company who is violating the GPL ... just put a call explaining how they are voilating Sarbanes-Oxley regulations. This could be a very complicated and expensive (for taxpayers and laywers) way of dealing with GPL violations in the US of A.
    • Yes we should just let the corporations go wild. They would never do anything to harm anybody anyway.
      • by dada21 (163177) * <adam.dada@gmail.com> on Tuesday March 07, 2006 @04:53PM (#14869618) Homepage Journal
        Yes, let them go wild. It will teach the average "investor" that there is no such thing as a free lunch. You should NEVER put your money into a business that you don't have faith in or trust. If you make it government's job to make people "tell the truth" you'll get lies covered by legal loopholes.

        The problem starts with the Fed (Greenspan, Bernanke and their inflationary cycle) that makes money worthless over time so we seek to invest it to at least break even. The problem is made worse by the same inflationary cycle that makes our salaries go up slower than the inflationary cost of living increases (which go up because of the money printing). It goes downhill from there -- the SEC makes investors believe they're protected, which in a free market is a fallacy. You are only protected through contracts, not through law forcing people to act a certain way. Beyond contracts you protect yourself by doing business with people with a history (see eBay's feedback system).

        This is all a mess, made worse by people who have faith in others. I have no faith in others except those who have proven their trustworthiness to me. This is why I only invest in businesses I have direct contact with.
        • Well we are letting them go wild in deregulation and we are experiencing things like all the telecoms merging back together again. They never learn.

          The people who oppose big government and any regulation are accountants with clipboards and calculators who make no business decisions. They only tell their corporations if they met expectations or didn't in the current quarter and penalize anyone who doesn't financially.

          Its like swallowing yoru own tail as government intervention is taught as a good thing in an
          • Well we are letting them go wild in deregulation and we are experiencing things like all the telecoms merging back together again. They never learn.

            The telecom industry has never been deregulated in any way -- it has only been re-regulated -- some regulations were ended, many more began. Don't believe for a minute that the industry is running in a free market, it is heavily regulated and subsidized.

            Supply side economics doesn't work in every situation and we are having problems now due to it. The debt is o
        • You are only protected through contracts, not through law forcing people to act a certain way

          Contracts are only worth the paper they're printed on because the law enforces consequences if they're broken. In the end, it still falls back on the law to enforce good behavior. The problem isn't that the laws to force the truth don't work- its that they aren't actively investigated or enforced until after a major collapse such as Enron. And that even after that, most of the people get away with it. What we

          • Contracts can be enforced in a private market without the force of law. If you sign a contract, you take out contract insurance through a private company. This company issues a "bond" against your signature, guaranteeing the other party that you'll follow through, and also offering you insurance against the other party running off. This happens all the time in the construction industry (I should know, I own a business that gets bonded on each project).

            Beyond just getting contract insurance, we can also c
            • Right off the bat, I'd like to say that I don't share the beliefs you have expressed in this thread. I'm aquainted with a number of people that share your beliefs, but do so for knee-jerk, tinfoil hat, militia sort of reasons. However, your points seem well thought out.

              So I was hoping you could explain some things that others haven't. Do you believe in public property? What about government regulation for companies/corporations with regard to polution?

              • Great questions. I don't believe in public property, but I do believe that there is enough desire amongst members of a community to endow a trust to own land that is available to the public. I've been to private land shelters (Vermont, Idaho and Montana) and they are healthier, cleaner and safer than the public parks I've been to. I've been thinking about filming both public and private parks to show the difference, actually.

                Pollution is a very difficult situation for me. I'm not sure what the answer is
            • by AuMatar (183847) on Tuesday March 07, 2006 @06:19PM (#14870329)
              Contracts can be enforced in a private market without the force of law. If you sign a contract, you take out contract insurance through a private company. This company issues a "bond" against your signature, guaranteeing the other party that you'll follow through, and also offering you insurance against the other party running off. This happens all the time in the construction industry (I should know, I own a business that gets bonded on each project).


              No, it can't. First off- I sure as hell shouldn't HAVE to take out insurance for every one of my contracts. Yeah, thats a great idea- lets build up yet another level of middle men into society. Second off- its rife for corruption. For example, say I have a contract with a big company- say WalMart (no reason for picking them except their size). The bond company does hundreds of contracts with WalMart a year. They do 3 or 4 with me. We have a disagreement. WalMart tells them to side with WalMart, or they'll never give them buisness again. Who do you think they're going to side with?

              The free market doesn't work on situations like this. They're called externalities, and covered in econ 101. A course I become more increasingly sure no libertarian has ever taken.

              Sure, someone can take their terrible negative feedback and start anew with another company, but would you trust a 30 year old with zero feedback? Neither would I.


              So in a world already hampered by big corporations, you want to add another artificial stumbling block raising the barriers to entry and allowing the big corps to fuck you over even more. Another great idea.

              Don't forget to factor in that over half of all buisnesses fail in under 5 years. So yes, there would at any one time be a majority of buisnesses with little to no feedback. You'd also have a whole new class of crooks- feedback scams. They happen on ebay all the time- someone creates an account, sells a few dozen items to friends to build up feedback, then scams some unlucky guy (or frequently several unlucky guys) out of thousands of dollars in a big sale.

              In a free market, interest rates are free to go up and down. Banks that need money can offer better rates than those who have money. Also, in a free market with a fixed money supply (100% reserves) we'd see soft deflation, which is good for the economy -- it gives people reason to save, increasing the money supply to banks for loans to GOOD businesses, not junk ones.


              Deflation is no better than inflation. Both are good for different sectors of the economy and different economic classes. Inflation is good for people in debt (they need to pay less when the debt is due), deflation is good for debt owners (the debt is worth more when it is due). There's good reasons for prefering inflation to deflation- inflation makes credit very expensive. It makes buisnesses hard to start and homes hard to buy. Historicly inflation in this country was pushed for by farmers, who were land rich and cash poor, so they could more easily utalize their land to generate debt in bad years and repay in good.

              As for a fixed money supply- thats not a good thing. One of the biggest problems in the middle ages was that the fixed money supply frequently left too little cash money in an area, limiting economic growth. The basic macroeconomics equation is change in money supply+ change in velocity of money=change in GDP plus inflation. If the money supply is fixed, you either have no change in GDP or you end up having money cycle very quickly. Quickly cycling money lowers savings rates (you have to spend it more often). Its much preferred to have a slowly increasing money supply. The ideal is to increase the money supply just enough so that inflation is 0, but this is nearly impossible to do. In practice its better to overincrease it and have mild inflation than the reverse.
        • If everything was dependent on contracts the civil courts would be so bogged down nothing would get done. If a corporation thug came to your house and killed your grandfather because he was costing too much to maintain then you would have to sue them in civil court. They in turn would drag the case out till you were broke and you would be shit out of luck.

          Corporations would love nothing better to be completely free to poison the waters, kill people who are claiming insurance benefits etc, buy and sell slave
          • What makes you think it won't happen again?

            Primarily the web, honestly. In the past, I could accept some government oversight as the people had very little interaction with one another outside of their community. But now that we can share information about bad businesses instantly, I think there is less need for the use of force to govern businesses and individuals. Hell, the entire stock market can be taken apart and let shareholding be deregulated -- people can trade and exchange stocks and bonds throu
            • "Primarily the web, honestly. "

              During the age of the copper barrons people had telegraphs, telephones, newspapers, and mail. They were able to communicate with the outside world just fine. It was not the internet but it was communication nevertheless. Despite the this entire towns were living as indentured slaves. In some places the air was literally toxic and there was a blanket of smog so thick it was like lving in a fog of soot 24/7 and the visilibility was never more then a dozen yards or so.

              The barron
              • Funny. I just returned from a 3 week trip to Europe and Asia, to see some of the worst 3rd world countries. What did I see? Millions of people trying to make money outside of government -- so called black money. Capitalism is voluntary cooperation between two parties for the mutual profit of both. This is what I want.

                Here in America it is almost impossible to open a business today (I know, I've succeeded and I've failed), mostly due to government at every level. There is so much red tape and so many r
                • In india you can buy and sell children. In fact many children are sold to quarries where they carry stones on top of their heads until they are about 15 or 16 because by that time they are crippled by either a leg injury of a spine injury. By the time they are that old they are also deeply in debt to the company they are working for because the company has been charging them for rent and food (which by coincidence is more then they earn). Their only way out is to have children and then sell the children to
        • 30 years ago we had a fed we had investors and we had corporate leadership that wasn't corrupt. People who told lies who had VP for C something before their name did time for lying.
    • Instead of voting, I think we need to start pitching money in a hat to buy rope for those who violate their oath to uphold the Constitution.

      Nonono - you got that all wrong. It's "we need to start pitching money in a hat to buy our own senators". Don't vote with a voting box - vote with your dollar! Isn't that the american way anyway?

  • by gregor_b_dramkin (137110) on Tuesday March 07, 2006 @04:37PM (#14869480) Homepage
    violators of GPL are violators of Sarbanes-Oxley.

    solution: don't violate the GPL.
  • by endrue (927487) on Tuesday March 07, 2006 @04:38PM (#14869499)
    Does the GPL Violate Sarbanes-Oxley?
    [E]ssentially counsels users of the free software license that they have no need to worry.

    Coming soon:

    Does peanut butter taste like fish?
    No

    Is water wet?
    Yes

    Short and informative - this is great stuff!
  • If you rely on public websites for your corporate legal advice, you deserve exactly what you pay for it.

    Ultimately, there is only one kind of person who can tell you if it is legal or not. That person is called a Judge or, in rare instances for corporations, a Jury.
    • you know (Score:3, Insightful)

      by Ender Ryan (79406)
      I really hate to think that the law is so fucking insane that your "regular," above average intelligence bloke can't figure it out for himself. If that truly is the case, which it most certainly seems to be, we seriously need to start all over again. Start with the Constitution, and go from there, and try a little fucking harder to prevent it all from being corrupted like it is now.

      The Founders of this insane country have got to be spinning in their graves.

  • by futuresheep (531366) on Tuesday March 07, 2006 @04:41PM (#14869531) Journal
    SOX requires strict change management controls over financial systems. When we went through our audit, the auditing company was mostly concerned with how changes were made to these systems, what management controls were in place to monitor these changes, and the processes that were in place to ensure their integrity. None of the OSS software used in these processes was given a second glance beyond the aforementioned items. As an example, our use of Nessus as one the our tools for network audits and our archive of Nessus scans was applauded.

    Just my Experience.
    • I like what you said, but let's be clear... SOX says nothing about change management.

      SOX can be boiled down to two things: #1) The opinion from the auditor of how effective your controls are (this includes everything from IT to Payroll, and everything in between), and #2) The opinion from the auditor expressing their evaluation of if or if not you are following the controls.

      Now. Consider what you said:

      "SOX requires strict change management..." -- While true, it is somewhat misleading. Your company has esta
      • I like what you said, but let's be clear... SOX says nothing about change management.

        Not directly. PCAOB Audit Standard #2, however, does. The PCAOB Audit Standard is the SEC approved audit standard to which US Public Companies filing under Sarbanes-Oxley are held.

        Paragraph 50 of the standard requiter that Change Management over financial systems should be tested by the auditor.
  • by Tweekster (949766) on Tuesday March 07, 2006 @04:43PM (#14869541)
    What would use of software have to do with the GPL... The user does not have to accept the terms of the GPL to USE the software...
  • I don't understand neither the original article title nor the Slashdot article title. How can GPL (or using GPL'ed software) violate the SOX, if GPL'ed software is used as the license permits? Reading the article didn't give me any insight about this issue.
    • by ZachPruckowski (918562) <zachary.pruckowski@gmail.com> on Tuesday March 07, 2006 @04:52PM (#14869612)
      How can GPL (or using GPL'ed software) violate the SOX, if GPL'ed software is used as the license permits? Reading the article didn't give me any insight about this issue.

      You can not get in trouble for using software you have a license to use. Period. If you follow the GPL, you have a license to use OSS. Break the GPL, and well, you don't have that license anymore. Ditto with normal software. If you violate an EULA, or steal software, you don't have a license anymore. Using software you don't have a license to is a SOx violation, regardless of whether the software is free or not.
    • According to SOX you need to give an account on who owns all your IP.

      The counterlink given in this article is just as biased.

      Here is the problem. You run linux and your software is an asset used to help run your company. Who owns it? Does Linus own the kernel? What about the distro owner? How about the 250 people who contributed to the kernel?

      Wasabi is saying that you need to keep track of all the thousands of kernel and FOSS developers since they own the copyright on the code in your accounting reports. Si
      • by booch (4157) <slashdot2010 AT craigbuchek DOT com> on Tuesday March 07, 2006 @05:22PM (#14869807) Homepage
        According to SOX you need to give an account on who owns all your IP.
        OK.
        Here is the problem. You run linux and your software is an asset used to help run your company. Who owns it?
        I still don't see the problem. It's not my IP, so I don't have to account for it. Really, you'd have the same problem with code from Microsoft and other proprietary software vendors. Much of the code they sell is sub-licensed code owned by other companies. Heck, some of it is even BSD-licensed code.
        • And further, I think the GPP poster is trying to imply that no one "owns" linux which is not the case at all. I believe in order for the GPL to be in effect, the software must be copyrighted since that is the basis of the GPL. Therefore, there is a copyright holder who "owns" the software. I believe that it is probably the Free Software Foundation.
      • '' Here is the problem. You run linux and your software is an asset used to help run your company. Who owns it? Does Linus own the kernel? What about the distro owner? How about the 250 people who contributed to the kernel? ''

        That is really very simple. Your company can just make a statement like: "In our company, we are using 500 copies of Linux and 500 copies of OpenOffice. Both Linux and OpenOffice are owned by their respective copyright holders; we are using this software under the GPL license. We are a
  • What this means practically for the vast majority of companies complying with SOX is that the threat to their businesses posed by potential GPL license violations, both inadvertent and intentional, is so low as to be immaterial.

    Does the GPL Violate Sarbanes-Oxley? - No
  • by toby (759) * on Tuesday March 07, 2006 @04:49PM (#14869588) Homepage Journal
    Article here. [groklaw.net]

    Quoting a response by the Software Freedom Law Center:

    the latest Software Freedom Law Center white paper [softwarefreedom.org] maintains ... these issues were reviewed and it was found that there is in fact no special risk for developing GPL'd code under SOX. "Under most circumstances, the risk posed to a company by SOX is not affected by whether they use GPL'd or any other type of software. Arguments to the contrary are pure anti-GPL FUD [fear, uncertainty and doubt]," the paper says.
  • Wasabi = BSD zealots (Score:4, Interesting)

    by drwho (4190) on Tuesday March 07, 2006 @04:50PM (#14869605) Homepage Journal
    I contacted Wasabi hoping to buy some tools from them for BSD development on embedded platforms. When I asked about a platform they didn't support, the proceeded to criticize that CPU and Linux saying they were underpowered and immature, basically, they want you to buy their favorite CPU. Sadly, this company is made from NetBSD developers, who I had previously thought were among the less rabid BSD zealots.

    I stayed with Linux for embedded systems, and probably will forever, unless embedded BSD is freed from the grips of these people.
    • Management runs the company not its BSD founders. Also they sell their own embedded systems and highly discourage using your own as it would cost htem money.

      Management wants to kill linux as much as possible so you can run netbsd instead.

      It seems they are desperate at this point and bashing linux was not a good way to make a customer. It seems they have incompentant salesmen and upper management probably had a role in training them.

    • I am slightly familiar with their storage products. Perhaps the CPU you were asking about is new and really isn't mature?

      You can use NetBSD on some embedded platforms if you wished.
  • by rfolstad (310738) on Tuesday March 07, 2006 @04:53PM (#14869617) Homepage
    I speak from experience and people can and will use SOX as an excuse for anything and everything. The problem is auditors are now trying to understand technology and they just don't get it.

    The basics of SOX is that your CEO must sign that the proper controls are in place to ensure that all changes made to production systems that affect the reporting of financial information are approved changes.

    Companies can take this to mean that changes to your firewalls, mail servers and webserver need to be logged and monitored with scrutiny. And they will even send "auditors" in to take screenshots of /etc/shadow hahahahahahhaa.. It's hilarious.

    Realistically it is impossible to be 100% SOX compliant and profitable. This bill will be gone within 5 years and other countries without silly laws like this will prosper in the meantime.

    So yes. If there is a not an audit trail in place where someone approves of applying that patch to the linux kernel on all production machines then you are not SOX compliant. Just like if someone doesn't approve installing that critical service pack from microsoft. Without approval and test cases you will fail your SOX audit unless you pay the extortion^H^H^H^H^H^H^H^H^H fee that anderson^H^H^H^H^H^H^H accenture is charging these days.
    • I couldn't agree more. There's nothing about SOX that has any meaningful impact on security. We could easily be secure and not be SOX-compliant, and we could just as easily be insecure and be totally SOX-compliant. Trying to legislate information assurance from Capitol Hill is a complete joke, and the auditors are eating it up. I just hope this garbage gets repealed before it wraps the entire industry in thick, red government-issue tape.
    • SOX has become revenue stream for auditing firms. They took a very simple law (about 2 pages) that is as you stated "The basics of SOX is that your CEO must sign that the proper controls are in place to ensure that all changes made to production systems that affect the reporting of financial information are approved changes." and turned it into a complex cash cow.

      My company's parent company has several internal corporate auditors on staff that are extremely computer illiterate. They basically take what
  • by Fujisawa Sensei (207127) on Tuesday March 07, 2006 @05:03PM (#14869685) Journal
    Does Using GPL Software Violate Sarbanes-Oxley?

    Does this actually have anything to do with the article? No

    The Article says that violating the GPL may be a SOX violation, but no more so than any other EULA.

    I've seen a lot of complaints about Zonk; SM is worse.

  • Wasabi Burns (Score:5, Interesting)

    by Doc Ruby (173196) on Tuesday March 07, 2006 @05:16PM (#14869770) Homepage Journal
    I knew the founders of Wasabi Systems, here in NYC. The original "brains" behind the startup, which planned a "Red Hat for NetBSD", got screwed by his lawyer partner in the late 1990s, and left. No surprise to hear their business model is lying about GPL (Linux) in press releases.
  • What the FUD? (Score:3, Interesting)

    by redelm (54142) on Tuesday March 07, 2006 @05:31PM (#14869862) Homepage
    AFAIK, SOx is all about increasing "transparency", mostly records retention and statement quality. OSS can only help these, not hurt, unless the corp is incurring liability by violating licences.

  • No Violation (Score:2, Interesting)

    by stonetony (464331)
    The Government in notorious for telling you that you need to comply with regulations without telling you how to comply. This sounds great at first, but this also leaves you open for penalties later if they determine that the methods you chose were insufficient. There is nothing in Sarbanes-Oxley that restricts the use of any specific sort of software to comply.... as long as if/when they investigate you they determine that you are/were in compliance.
  • by Ratbert42 (452340) on Tuesday March 07, 2006 @06:46PM (#14870534)
    From my growing experience with SOX, I probably violate it every time I take a piss without capturing it.
  • Beware Your EULA (Score:4, Interesting)

    by Stephen Samuel (106962) <samuel.bcgreen@com> on Tuesday March 07, 2006 @08:13PM (#14871242) Homepage Journal
    Man, if you're worried about the GPL, imagine what happens if you use Microsoft Software?

    Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.
    If you don't revert your software, then your mission-critical software wll remain broken until Microsoft deigns to fix the issue.
    If you do revert your software then you're in violation of the EULA and subject to having Microsoft demand that you delete the entire package at any time.

    With the GPL, you're only likely to run into problems if you want to distribute the software without distributing the full source. You can sometimes get away with not publishing the source to isolated parts of software written by you, but at that point you're running on the border and should talk to lawyers to make sure that you're not crossing over the line.

    • Re:Beware Your EULA (Score:3, Informative)

      by julesh (229690)
      Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.

      I believe you are mistaken. Not only would it violate the principle that once you have paid for a license it is yours to dispose of as you wish (doctrine of first sale), Microsoft specifically grants downgrade rights in many of their licenses anyway -- e.g., if you want a second license for Office 97 you can buy a recent
      • Not only would it violate the principle that once you have paid for a license it is yours to dispose of as you wish (doctrine of first sale),

        If you're saying that, I'd have to conclude that you've never actually read (and understood) your MS windows EULA.

        Once you buy an article you can do what you want with it. Licenses are arbitrary... That's why the EULA has the claim "you agree that you have licensed this software, not purchased it (or something to that effect).

        Under general copyright there is n

Advertising is the rattling of a stick inside a swill bucket. -- George Orwell

Working...