- | Home |
- Company |
- Contact |
- News |
- S/ware Eng |
- Standards |
- Academic Support |
- Documents |
- | Requirements |
- Validation |
- RTOS |
- Analysis |
- Software |
- Resources |
- Products |
 |
Embedded Systems Europe
|
 |
These are my own personal views and not those of my company Phaedrus Systems see www.phaedsys.com which is where the full version of this column, with links etc, resides under the Documents tab.
I was interested in Jack’s Column in the Jan/Feb issue where he cited a report that said C compilers did not handle volatile well… on closer inspection of the 13 compilers 10 were GCC variants and the other three did handle volatile. So it was a report on how GCC does not handle volatile. This flaw in GCC has been known for some time, at least I have heard comments about it for some time in several places. It is also one of the problems of GCC and Linux in that there are very many versions about, all slightly different in performance and bugs. In fact I have an email from a senior developer at a GCC/Linux company who says that they have to check version numbers very carefully as performance, features and bugs can vary wildly from version to version of their own variant never mind anyone else’s. He also said theirs are completely different (as are most others) from the core FSF version. Also the authors of the report Jack cited said to me that “We are seeing widely varying bugs across versions” and that was for GCC compilers on the same platform/target.
This tallies with complaints from a debugger company who say that the debug information from GCC can vary greatly from version to version and is incompatible across even minor versions on occasions. I think this stems from the problem that as everyone has the source “Everyone” wants to do modifications and patches. Not just for bugs but for “cool improvements” that may be good for them but are of little interest to others.
According to a compiler developer I know “The last year or so has seen a lot of fragmenting of GCC and there are increasingly more GCC support companies that are protecting their added IP.” This coincides with an article by Dick Sellwood, who has discovered that there is a lot of POSS (Professional Open Source Software) companies who, whilst fragmenting the GCC and Linux further are incorporating more and more closed source and other IP that they are protecting.
This has caused some problem with the GPL and there are splits between those using GPL V2 and GPL V3 and the GPLL licenses. This makes it a bit of a nightmare for anyone using Open Source as several large companies have discovered. The Free Software Foundation is taking them to court as they used GCC and did not release all the system code!
The new GPLv3 has some interesting sections (see http://www.fsf.org/licensing/licenses/quick-guide-gplv3.html )
“Tivoization is a dangerous attempt to curtail users' freedom: the right to modify your software will become meaningless if none of your computers let you do it. GPLv3 stops tivoization by requiring the distributor to provide you with whatever information or data is necessary to install modified software on the device. This may be as simple as a set of instructions, or it may include special data such as cryptographic keys or information about how to bypass an integrity check in the hardware. It will depend on how the hardware was designed-but no matter what information you need, you must be able to get it.”
So if you are distributing Linux as the embedded OS in your product you MUST give people the ability to get in and modify it and bypass any hardware and security checks… It gets worse as they specifically mention supplying cryptographic keys! At the moment it looks like Cisco have fallen foul of FSF… If they can get it wrong what hope is there for the rest of us. GCC and Linux may be “free” but what cost for the lawyers to work out implications of the licensing? Never mind the actual effects. At least the licenses for commercial software is designed for commercial use not some utopian dream.
The tone of the GPLv3 can be seen in the following and that is exactly how this legal license spells DRM… You're probably familiar with the Digital Restrictions Mismanagement (DRM) on DVDs and other media. You're probably also familiar with the laws that make it illegal to write your own tools to bypass those restrictions, like the Digital Millennium Copyright Act and the European Union Copyright Directive. Nobody should be able to stop you from writing any code that you want, and GPLv3 protects this right for you. It's always possible to use GPLed code to write software that implements DRM. However, if someone does that with code protected by GPLv3, section 3 says that the system will not count as an effective technological "protection" measure. This means that if you break the DRM, you'll be free to distribute your own software that does that, and you won't be threatened by the DMCA or similar laws.
That will have some people worried. On the other hand does the GPLv3 license actually have the power to grant immunity from the DMCA and EU copyright Directive? I am not so sure and I for one do not want to be the test case… It has just occurred to me that it could be less expensive to use a Safety Critical SIL3 RTOS and commercial compilers than the “Free” software and pay the legal and other miscellaneous costs of just preparing the case and going to court for the initial hearings never mind actually fighting the case in court. Let alone the costs if you loose
.
The problem is that “everything” is now connected to “everything”. Even if your products are not now they will probably in the medium term “get connected”. The GPLv3 effectively means that if you use Open Source all your “security” will be available to everyone… Never mind your competitors what about the bad guys… Note competitors are not the bad guys!
To compound matters a recent article in Internet news
Discovered that most organizations have some kind of IT security policy however they are still at risk. Why? Not only is it often not properly implemented it is often not properly used by the staff, some times because no-one has properly explained it to the staff. Ironically the company who did the study is also one using open source software who is in court and may have to release all their product source…
This does not bode well… people are often the weakest link in security but if the communications, protection and security software is effectively in the public domain you don’t even have a door to bolt.
Now we have a new phenomenon Cloud Computing… This is where you use resources in some one else’s computer. Good idea. Why have a big server that is there for peak demand? Farm out some tasks and software to where there are spare resources. Borrow software on a per use basis. Lower your carbon footprint and costs in one go… Good idea.
The trouble is if you use some resource in company B but to make it work they use some modules or applications in company C who use…… You only need a security hole in one of them, accidental or intentional, to have all your data compromised. Depending on the resource, if it is a two-way communication, have you just opened the door into your company systems? There is enough of a problem with security lapses and hackers now without releasing the source of the system if there is Open Source somewhere inthe mix. The problem need some very serious though before we all climb on the bandwagon and have our heads in the clouds. It is a long drop to solid earth.
Author Details and contact
Eur Ing Chris Hills BSc CEng MIET MBCS MIEEE FRGS FRSA is a Technical Specialist and can be reached at This Contact
Copyright Chris A Hills 2003 -2008
The right of Chris A Hills to be identified as the author of this work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988