Full Disclosure mailing list archives

Re: The Trillian GPL violation allegations are confirmed false.


From: Tobias Weisserth <tobias () weisserth de>
Date: Sun, 29 Feb 2004 01:54:51 +0100

Dear Sean,

I thank you very much for this detailed summary of your insights. Yet
there remain some unanswered questions you can maybe explain to me.

On Sat, 28.02.2004 at 19:39, Sean Egan wrote:
> Concerned over allegations that Trillian stole source code from Gaim,
> Scott Werndorfer, co-founder and manager of Cerulean Studios, and myself,
> lead developer of Gaim, arranged for me to review Trillian's Yahoo!
> source code in order to confirm that it was not stolen from Gaim.

I guess everybody is very glad to hear that.

> Obviously, I've signed an NDA that prevents me from discussing any
> specifics, but you can trust me that the code is very obviously not
> Gaim's (with the exception of the old authentication code written by
> myself which I've expressly permitted them to use, and the new auth code
> written by Scott which he's expressly permitted us to use).

Question: If Cerulean Studios let GAIM use parts of their codebase, how
can the GAIM people license this under the GPL? Has Cerulean Studios
given GAIM permission to do so or has this been sloppy work on their
part? I have browsed through the tarball of the 0.75 version of GAIM and
could not find any reference to this problem apart from a note in the
changelog that they got some solutions to Yahoo problems from Trillian.
No note concerning licensing on these solutions though so the
unsuspecting developer using GAIM code can't know that there is maybe
code included that doesn't necessarily fall under the GPL. Could you
please clarify how developers should proceed with GAIM code when they
maybe can't be certain if parts of it don't fall under the GPL or are
used in non-GPL projects?

> The code posted by Stefan Esser which started this issue
> (yahoo_packet_read in Gaim) is certainly similar enough to compile into
> the same machine language, but having compared the function in each
> codebase, I'm convinced this is entirely coincidental.

I find that somehow hard to understand. See below.

> I challenge you to write code to parse an efficient, sensible Yahoo
> Messenger packet that compiles to something that doesn't resemble Gaim's
> or Trillian's.

There are enough clients that can connect to the Yahoo network and which
haven't been vulnerable to the GAIM exploits (which were buffer
overflows mainly if I remember correctly). So far Trillian seems to be
the only client being vulnerable to GAIM exploits (with maybe minor
modifications) AFAIK. Doesn't that mean that Trillian's Yahoo code and
GAIM's Yahoo code must be VERY closely related, thus more than just
"coincidentally"? I'm not into IM protocols and maybe I'm plain wrong so
I would be grateful if you could elaborate on this again because I don't
understand why it seems to be so hard to write a Yahoo client that
doesn't have the buffer overflow vulnerabilities GAIM and Trillian share
"coincidentally". I don't understand how these buffer overflow
possibilities in the GAIM code are linked to Yahoo authentication in a
way it can't be done otherwise. You gave me exactly this impression by
stating that the resemblance of Trillian to GAIM is just coincidental.

> Trillian and Gaim have been friends for a long time.  They've just
> allowed us to use their Yahoo authentication code and these attempts to
> silence attacks on their character (sending their own code to the lead
> developer of an open source competitor) are unprecedented.  Trillian
> should be thanked, not slandered.

Everybody is glad that this seems to be a working example of
cross-project cooperation. Though it would have helped immensely if the
GAIM people had cared to include a clear and detailed note which parts
of their code are also included in proprietary products and don't
necessarily fall under the GPL. This whole mess could have been avoided
this way. A clean and complete documentation where code came from and
who donated it under what terms is essential. I don't have a glass ball
which tells me where which parts came from after all ;-)

Kind regards,
Tobias Weisserth

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
