Netgear delaying updated ReadyNAS GPL sources

Henrik Nordstrom henrik at henriknordstrom.net
Sat Oct 25 22:58:23 CEST 2008 

Hi,

how long delays in publishing updated GPL sources after an firmware
update is acceptable?

I own a Netgear ReadyNAS DUO 2150 home NAS server, and have been in
contact with Netgear regarding receiving updated GPL sources for their
current firmware (4.1.3 at the time, since then 4.1.4 has also been
released), and also regarding some components missing from their earlier
GPL archives.

My contact with Netgear was on Sep 10 regarding missing GPL sources for
busybox and avahi, and Sep 13 regarding GPL sources for the 4.1.3
release. Received an acknowledgement on the first message on Sep 30,
where they said "the missing avahi and busybox will be updated shortly",
but still no sign of making them available. I have not received any
response regarging the availability of firmware 4.1.3 GPL sources.

The latest GPL source archive for this product is from 22 Apr 2008 and
supposedly covers the 4.01c1-p2 release which is from about the same
time (the 4.01c1-p2 firmware file I have is dated 20 Mar 2008, exact
release date not known).

Since then there has been a large number of beta releases, followed by
new production releases in September.

GPL sources and their file dates on the netgear ftp server:
readynas_gpl.zip			27 Aug 2007
RNR4_RND4_RND2_4.01c1-p2_WW_src.zip	22 Apr 2008


Firmware releases (production releases only):

4.00c1-p2	Dec 19, 2007
4.01c1-p1	Mar 04, 2008
4.01c1-p2	Factory release for RND2150, exact date unknown.
4.1.3		Sep 11, 2008
4.1.4		Sep 28, 2008

On a related note I perhaps should mention that the firmware on these
boxes is partially locked down, with an encrypted kernel + initrd, and
some proprietary kernel modules only stored within the encrypted initrd,
so even if you have the complete GPL sources updating, replacing or even
copying certain GPL components such as the kernel or GPL binaries from
the initrd is somewhat tricky. The actual running system userspace is
fully accessible however and may be modified at will (SSH access is
provided). I know GPLv2 does not really enforce being able to replace
binaries when there is signing enforced, but it's still annoying to find
devices unneededly locked down like this.

Regards
Henrik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
URL: <http://lists.gpl-violations.org/pipermail/legal/attachments/20081025/14ff16c8/attachment.pgp>

More information about the legal mailing list