[Samba] Multiple GPL violations including Samba in Auralic products

Robert Ladru robertladru at gmail.com
Thu Apr 20 10:07:30 UTC 2017 

Hello,

Auralic does not provide binaries or firmware images for download. But
an smbclient -L proves they run Samba 3.6.23:

# smbclient -L 172.20.1.138
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23]

        Sharename       Type      Comment
        ---------       ----      -------
        README          Disk
        IPC$            IPC       IPC Service (Samba 3.6.23)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23]

        Server               Comment
        ---------            -------
        ARIES-1L9YS2O8       Samba 3.6.23

        Workgroup            Master
        ---------            -------
        WORKGROUP            ARIES-1L9YS2O8

The 1L9YS2O8 is the serial number of my device, which I can also prove
as it's written on the box.

Furthermore samba is explicitly mentioned in their firmware build release notes:

http://support.auralic.com/hc/en-us/articles/206062858-Firmware-Version-2-2-Build-20150320

I have asked Auralic to provide the "installation information" as
written in the GPLv3, which is based on this clause:

“Installation Information” for a User Product means any methods,
procedures, authorization keys, or other information required to
install and execute modified versions of a covered work in that User
Product from a modified version of its Corresponding Source. The
information must suffice to ensure that the continued functioning of
the modified object code is in no case prevented or interfered with
solely because modification has been made.

In this case, installation information are the username(s)/password(s)
to correctly login the device via SSH. These clauses were added to the
GPL to protect against Tivo's practices. They also apply to Auralic.

In his latest reply, Xuanqian Wang, CEO of Auralic, refers to his
earlier mail reply of 19th Jan 2017 that we need to sign an NDA and
also provide him with photo ID and proof of address to prepare an NDA:

1,  Receipt of your purchase order to prove that you own the machine.
2, Your photo ID issued by government for us to prepare NDA agreement.
3, A secondary identification document that we can verify your name
and address, such as bank statement, utility bill.

This is a violation of the GPL. Furthermore if Auralic had complied
with the GPL in the first place, they would have never asked for photo
ID and other privacy sensitive documents, and force an NDA to know who
is trying to exercise their GPL based rights.

I can forward the original support reply mails from Auralic, but they
may contain HTML which is not appropriate for the list.

Robert

On Fri, Jan 20, 2017 at 1:42 AM, Jeremy Allison <jra at samba.org> wrote:
> On Thu, Jan 19, 2017 at 01:36:18PM +0100, Robert Ladru via samba wrote:
>> Hello,
>>
>> I recently bought an Auralic Aries Mini streamer. This little streamer
>> can also function as a NAS when mounting a laptop drive or ssd inside,
>> via samba.
>> The box did not come with a media containing source code and did not
>> include a GPL written offer.
>>
>> So I asked Auralic to provide the source code for all GPlv2 and v3
>> packages used.
>>
>> For the Linux kernel and their modifications, they asked to sign an
>> NDA, which is clearly forbidden by the GPL.
>> For Samba 3.6.23 which they use, they have no intentions to release
>> the source, as they also have already stated on computeraudiophile.com
>> that they only share the kernel, nothing else:
>>
>> http://www.computeraudiophile.com/f22-networking-networked-audio-and-streaming/alternatives-aries-23864/index4.html#post411669
>>
>> "For the repository: We only publish what we believe is 'fully
>> complete'. That's why the kernel source code was not published a long
>> time ago because we do not consider it as 'complete'. Most of the open
>> source code project in the community are full of bugs, I am pretty
>> regret about this."
>>
>>
>> Here's proof they use 3.6.23:
>>
>>         Server               Comment
>>         ---------            -------
>>         ARIES-1L9YS2O8       Samba 3.6.23
>>
>> It's obvious they are using various loopholes to avoid sharing the GPL
>> source code used in their products, and they only share the kernel,
>> nothing else.
>> They probably also violate busybox, as their embedded linux platform
>> runs a dropbear (SSH-2.0-dropbear_2012.55), but the root password is
>> not known, so the only way to know what other packages they violate is
>> to hack the device.
>>
>> How can we obtain the source code of GPlv2 and v3 packages such as
>> Samba when the vendor is refusing?
>
> Thanks for reporting this. I'll take this up further with the
> vendor and see if we can get this fixed. Are you willing to
> help us by providing binary extracts of the firmware etc. to
> allow us to prove this is our code ?
>
> Thanks,
>
> Jeremy.

More information about the samba mailing list