Hello,
Several Cisco Meraki products (MX84, MX250) are using the coreboot bootloader. Meraki are also distributing coreboot builds for these products via their update mechanism.
In October 2021, I requested the corresponding coreboot source code for the MX84 from open-source@meraki.com. Another individual requested the coreboot source code for the MX250 around the same time. We own the devices in quesiton.
To date, Meraki have not provided the source code or provided an explanation as to the delay in providing the source code. The last reply I received was in January, and they have not replied to any of my follow up requests.
As coreboot is GPL licensed software, I wanted to inform the coreboot community that I believe Cisco Meraki are not acting in good faith and are, in my opinion, violating the GPL by not providing the coreboot source code upon request.
Kind regards, Hal Martin
I've asked the software freedom conservancy to take a look.
On Wed, Jun 29, 2022, 2:48 PM Hal Martin hal.martin@gmail.com wrote:
Hello,
Several Cisco Meraki products (MX84, MX250) are using the coreboot bootloader. Meraki are also distributing coreboot builds for these products via their update mechanism.
In October 2021, I requested the corresponding coreboot source code for the MX84 from open-source@meraki.com. Another individual requested the coreboot source code for the MX250 around the same time. We own the devices in quesiton.
To date, Meraki have not provided the source code or provided an explanation as to the delay in providing the source code. The last reply I received was in January, and they have not replied to any of my follow up requests.
As coreboot is GPL licensed software, I wanted to inform the coreboot community that I believe Cisco Meraki are not acting in good faith and are, in my opinion, violating the GPL by not providing the coreboot source code upon request.
Kind regards, Hal Martin _______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org
Hello,
Meraki provided the coreboot source code for the MX84 on 2022-12-09.
I have uploaded the MX84 coreboot source code provided by Meraki to GitHub: https://github.com/halmartin/coreboot-mx84
The coreboot source code for the MX250 still has not been provided.
Kind regards, Hal
On Thu, Jun 30, 2022 at 3:47 AM ron minnich rminnich@gmail.com wrote:
I've asked the software freedom conservancy to take a look.
On Wed, Jun 29, 2022, 2:48 PM Hal Martin hal.martin@gmail.com wrote:
Hello,
Several Cisco Meraki products (MX84, MX250) are using the coreboot bootloader. Meraki are also distributing coreboot builds for these products via their update mechanism.
In October 2021, I requested the corresponding coreboot source code for the MX84 from open-source@meraki.com. Another individual requested the coreboot source code for the MX250 around the same time. We own the devices in quesiton.
To date, Meraki have not provided the source code or provided an explanation as to the delay in providing the source code. The last reply I received was in January, and they have not replied to any of my follow up requests.
As coreboot is GPL licensed software, I wanted to inform the coreboot community that I believe Cisco Meraki are not acting in good faith and are, in my opinion, violating the GPL by not providing the coreboot source code upon request.
Kind regards, Hal Martin _______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org
Hi Hal, Thanks for bringing this up. I've added it to the agenda of the next coreboot leadership meeting to discuss how we want to handle this.
I'll reach out to the SFC again to see what we should expect in cases like this.
Martin
Dec 22, 2022, 13:42 by hal.martin@gmail.com:
Hello,
Meraki provided the coreboot source code for the MX84 on 2022-12-09.
I have uploaded the MX84 coreboot source code provided by Meraki to GitHub: https://github.com/halmartin/coreboot-mx84
The coreboot source code for the MX250 still has not been provided.
Kind regards, Hal
On Thu, Jun 30, 2022 at 3:47 AM ron minnich rminnich@gmail.com wrote:
I've asked the software freedom conservancy to take a look.
On Wed, Jun 29, 2022, 2:48 PM Hal Martin hal.martin@gmail.com wrote:
Hello,
Several Cisco Meraki products (MX84, MX250) are using the coreboot bootloader. Meraki are also distributing coreboot builds for these products via their update mechanism.
In October 2021, I requested the corresponding coreboot source code for the MX84 from open-source@meraki.com. Another individual requested the coreboot source code for the MX250 around the same time. We own the devices in quesiton.
To date, Meraki have not provided the source code or provided an explanation as to the delay in providing the source code. The last reply I received was in January, and they have not replied to any of my follow up requests.
As coreboot is GPL licensed software, I wanted to inform the coreboot community that I believe Cisco Meraki are not acting in good faith and are, in my opinion, violating the GPL by not providing the coreboot source code upon request.
Kind regards, Hal Martin _______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org
coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org
This is discussion based on experience and reading comprehension, not legal advice.
Hal Martin wrote:
As coreboot is GPL licensed software, I wanted to inform the coreboot community that I believe Cisco Meraki are not acting in good faith and are, in my opinion, violating the GPL by not providing the coreboot source code upon request.
Thanks for the heads up, but this is primarily actionable by yourself.
Whether in good faith or not (noone can know and it doesn't really matter) your supplier should of course comply with the GPL and provide you with the source code that you have a right to receive.
Remember that you may be the only one who has received a specific binary (we can't really know) and therefore you may also be the only one who has the right to receive corresponding source code.
Others - including the coreboot project and/or the Software Conservancy - don't per se have the particular right to receive source code that you have, that would only be the case if they've also received the same binary.
The coreboot project uses GPL so that at least someone (you!) has a right to receive source code.
Once you've received it you can also choose to contribute it into coreboot, because GPL applies.
(Whoever may own the copyright matters little as long as GPL applies.)
See also gpl-violations.org, an organization that could successfully achieve GPL compliance (this is the goal, not public shaming) in a number of high profile cases over the course of several years:
https://www.gpl-violations.org/faq/violation-faq/
Kind regards
//Peter
-
Hal Martin -
Martin Roth -
Peter Stuge -
ron minnich