Full Disclosure mailing list archives
Re: The Trillian GPL violation allegations are confirmed false.
From: Tobias Weisserth <tobias () weisserth de>
Date: Sun, 29 Feb 2004 01:54:51 +0100
Dear Sean,

I thank you very much for this detailed summary of your insights. Yet there remain some unanswered questions you can maybe explain to me.

On Sat, 28.02.2004, Sean Egan wrote at 19:39:
> Concerned over allegations that Trillian stole source code from Gaim, Scott Werndorfer, co-founder and manager of Cerulean Studios and myself, lead developer of Gaim arranged for me to review Trillian's Yahoo! source code in order to confirm that it was not stolen from Gaim.
I guess everybody is very glad to hear that.
> Obviously, I've signed an NDA that prevents me from discussing any specifics, but you can trust me that the code is very obviously not Gaim's (with the exception of the old authentication code written by myself which I've expressly permitted them to use, and the new auth code written by Scott which he's expressly permitted us to use).
Question: If Cerulean Studios let GAIM use parts of their codebase, how can the GAIM people license this under the GPL? Has Cerulean Studios given GAIM permission to do so or has this been sloppy work on their part? I have browsed through the tarball of the 0.75 version of GAIM and could not find any reference to this problem apart from a note in the changelog that they got some solutions to Yahoo problems from Trillian. No note concerning licensing on these solutions though so the unsuspecting developer using GAIM code can't know that there is maybe code included that doesn't necessarily fall under the GPL. Could you please clarify how developers should proceed with GAIM code when they maybe can't be certain if parts of it don't fall under the GPL or are used in non-GPL projects?
> The code posted by Stefan Esser which started this issue (yahoo_packet_read in Gaim) is certainly similar enough to compile into the same machine language, but having compared the function in each codebase, I'm convinced this is entirely coincidental.
I find that somehow hard to understand. See below.
> I challenge you to write code to parse an efficient, sensible Yahoo Messenger packet that compiles to something that doesn't resemble Gaim's or Trillian's.
There are enough clients that can connect to the Yahoo network and which haven't been vulnerable to the GAIM exploits (which were buffer overflows mainly, if I remember correctly). So far Trillian seems to be the only client that is vulnerable to the GAIM exploits (with maybe minor modifications), AFAIK. Doesn't that mean that Trillian's Yahoo code and GAIM's Yahoo code must be VERY closely related, thus more than just "coincidentally"? I'm not into IM protocols and maybe I'm plain wrong, so I would be grateful if you could elaborate on this again, because I don't understand why it seems to be so hard to write a Yahoo client that doesn't have the buffer overflow vulnerabilities GAIM and Trillian share "coincidentally". I don't understand how these buffer overflow possibilities in the GAIM code are linked to Yahoo authentication in a way that can't be done otherwise. You gave me exactly this impression by stating that the resemblance of Trillian to GAIM is just coincidental.
> Trillian and Gaim have been friends for a long time. They've just allowed us to use their Yahoo authentication code and these attempts to silence attacks on their character (sending their own code to the lead developer of an open source competitor) are unprecedented. Trillian should be thanked, not slandered.
Everybody is glad that this seems to be a working example of cross-project cooperation. Though it would have helped immensely if the GAIM people had cared to include a clear and detailed note on which parts of their code are also included in proprietary products and don't necessarily fall under the GPL. This whole mess could have been avoided this way. A clean and complete documentation of where code came from and who donated it under what terms is essential. I don't have a glass ball which tells me where which parts came from, after all ;-)

kind regards,
Tobias Weisserth

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- The Trillian GPL violation allegations are confirmed false. Sean Egan (Feb 28)
- Re: The Trillian GPL violation allegations are confirmed false. Stefan Esser (Feb 28)
- Re: The Trillian GPL violation allegations are confirmed false. Tobias Weisserth (Feb 28)