I would like to know what I have to do to comply to the licenses of the various open source software tools and libraries that my embedded Linux system uses.
My situation is as follows:
I have an embedded Linux system running on an embedded device. It uses a root file system image that was provided by a third party together with the toolchain that is beeing used to develop.
I have made some modifications to the root file system image by adding some compiled open source programs (under various licenses) and it now also contains Qt (LGPL).
My applications dynamically links to the libraries on the root file system and also uses Qt.
The devices are delivered to the end user with a preinstalled kernel, rootfs and application. The application including the rootfs and possibly the kernel can be updated/upgraded.
I have seen that on Android the files and their corresponding license are simply listed in a long text file. Is it necessary to list all the individual files in this way or are there other ways to handle this problem?
How is this usually done?
First, if there is any possibility you'll suffer a loss as a result of getting licensing wrong, go and see a real lawyer. The Internet is NOT a real lawyer, and you can't sue the Internet for malpractice if it gives you bad advice.
Second, I am not a lawyer, nor are most people here. The following is my take on things based on experience over the years. Don't blame me if you follow my advice and it backfires on you.
Third, read ALL the licenses and make damned sure you understand what they're saying. If not, seek clarification from my first point.
Fourth:
The GPL/LGPL make no requirement to provide the source with the application. They make a requirement to provide the source "on request". Putting it on a password protected web page, or keeping a copy you can burn to CD and mail (you can charge for the CD and postage) if someone asks is sufficient.
You are obliged to provide the source to any binary you distribute, even if those binaries came to you from a third party. If the third party won't provide you with their source then you should either point out the GPL requirements or find another vendor. It is not sufficient to direct requests for GPL code to the upstream vendor or the webpage for the unmodified package, particularly if it came from a third party vendor who likely modified it. You'll want to be careful about matching the correct version of the code to each binary release you make so you can provide the source to any particular release of your product.
You should attribute all of the free (and non-free) software and their licenses. Some licenses don't require it, some (early BSD) do. Better to be safe than sorry. It's also a good way of showing the user what the various licenses are and allowing them to make a decision about whether to use your product.
You will want to be very careful about linking if you have a proprietary application that's linking [L]GPL code. There exists the possibility that you could inadvertently link code with a viral license (GPL) and then you're in trouble if someone notices and demands the source. Be certain that you do not statically link LGPL code for the same reason (More: Can I inline function calls to functions defined in headers of LGPL packages?).
You should also consider including the source for your toolchain if you are using a custom cross compiler. I am not certain that the GPL actually requires it, but it's a bit of a bastard move to give someone the source then have them not able to actually compile it up and target your device. I am aware of at least one vendor who did that - they modified the language some and patched their compiler. They didn't distribute the compiler and so had no requirement to hand out the source. As a result it was impossible to build from the supplied source to match the target. AFIK they have stopped doing that so I won't name names.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With