Sveasoft third party firmware
Recently, the company's development team has been reduced to the sole owner, James Huston Ewing. The company is managed by Sweden native Asa Birgitta Erlandsson, who acts as Board Deputy for the company. As of September 8, 2006, the company has reported losses of 159,000 Swedish krona, or $21,449. For financial reasons, nearly all assets in the United States have been liquidated. Sveasoft produces a third party firmware upgrade for Broadcom based routers such as the Linksys WRT54G and WAP54G, Belkin F5D7230?-4, Buffalotech WBR-G54, and ASUS wl500g.
Firmware and support is available at http://www.sveasoft.com.
Firmware additions include power boost, client mode, WDS repeater mode, OSPF routing, QoS bandwidth management, SSH, telnet, WOL, SNMP, PPTP, IPSec, RP-PPPoE, to name a few.
Stable versions of the firmware are released to the public. Development versions and support are available via a $20 per year subscription.
Sveasoft - Some thoughts
Sveasoft has a paid support and development web site for the Linksys WRT54G Linux based wireless router.
This, once public, forum has now been closed, with access granted only to paid subscribers.
Sveasoft offers stable versions of firmware binaries and source free of charge and charges a $20 per-year subscription fee for experimental binaries and the new 50$ charge for the source on CD (only by snail mail) which includes access to a support forum.
A small but vocal group claim this violates the GPL. Richard Stallman has voiced an opinion that this model is in line with GPL stipulations. The GPL does not concern itself with the distribution model, rather it states that source must always be available when binaries are distributed. Therefore, the Free Software Foundation has reviewed the Sveasoft subcription model and concluded it fully complies with the GPL license stipulations. Read more in the Sveasoft FAQ at http://www.sveasoft.com/modules/phpBB2/viewtopic.php?t=2823 and on third party forums http://forum.bsr-clan.de/viewforum.php?f=12.
An interested onlooker addition:
Dude, I don't think the issue is totally about GPL - i think it is more to do with interesting "tactics" to obtain market share - and mindshare. Think about it this way, someone comes along and graciously devotes a lot of time and energy into hosting forums etc. This is embraced by the "community" and a lot of very valuable information is contributed to the forums. Now imagine how you would feel to find that the forums are now the proprietary resource of the hoster for developing his distribution and support business - Some may say it is clever business practice - I suspect most will feel it's a little dirty.
All kudos to the guys that cracked this router in the first place - it was a cool hack - but once the code was released, it dosn't take a rocket scientist to expose the config parameters that were already there. Good luck with your business - The rest of us can bask in the warm glow of doing something that is fun.
MD5 hashes in regards to Sveasoft firmware
Binarys released outside of the Sveasoft distribution network have been accused of being interfered with, to the extent that they may damage your hardware or allow malicious access. Proponents of non-subscriber distribution claim that this is untrue. However unlikely it may be, it is impossible to say whether a pre-compiled binary from a P2P network is hacked or not. This is because Sveasoft is yet to release MD5 checksums for its firmware. This means that if you want to be sure that your firmware hasn't been interfered with, you need to download straight from Sveasoft. This isn't perfectly safe, however, as the lack of MD5 checksums means we have no proof that the Sveasoft servers haven't been comprimised and the firmware replaced with hacked versions. If you are paranoid about your router, you'd be best to stick with the Linksys firmware and install nothing onto it. This would change if Sveasoft released MD5 checksums. Unfortunatly, critics claim that checksums aren't released because it would prove that P2P firmware was untampered with.
As I understand it from postings on the Sveasoft subscriber forums (Jul 21, 2004), the reason Sveasoft doesn't give MD5 hashes for the firmware downloads is because each download is slightly different. This is because stenography is used to embed a subscriber ID into each download so pirated firmware can be traced to the original subscriber and their account(s) then disabled. Apparantly the stenography is strong enough to survive the comparison of several different firmware downloads via different subscriber accounts, so if folks try to team up to remove the steno then they'll all be discovered. It was unknown if or how the source was protected, but the binaries definitely were protected (in unused portions of the file system IIRC).
barlach asked: (they refers to folks on a Slashdot forum) "Can you comment on the watermarks they claim you apply to the binaries, to supposedly catch subscribers that distribuite the firmwares ? have you really equipped the firmware with "phone-home" code ?"
sveasoft: "There is no malicious code or any code change of any kind in the binaries or source. Fractal based steganography is used to embed an encrypted date and downloader ID in non-code portions. So when you download pre-release source and/or binaries they are linked to your forums ID. Recompiling does not change the binary created for your ID.
The policy here is that you can redistribute pre-releases should you choose to, but your subscription terminates at this point. If you want to redistribute you are welcome to but you cannot redistribute and then come back for a second (or third, fourth, etc) helping of pre-releases.
The NSA might possibly crack the encryption if they could identify the fractal generater, but I think the two combined are pretty much unbreakable. (Yes, I used to write crypto software)."
Notes on Sveasoft releases
Alchemy 5.3 is astoundingly buggy, considering that many of the broken bits worked as far back as Satori 2.07, and some (like SSHd) worked in the previous release (Alchemy 5.2.3)
22 November 04 (Tom Malcolmson) - I believe that the Alchemy version of the Sveasoft firmware has not been released yet, so the comment in the preceding paragraph about 'Alchemy v5.3' must be about some sort of of pre-release version.
In response to the above: Sveasoft's Alchemy firmware has been available to paid subscribers for a very long time. A public release is expected soon, this will be when Sveasoft starts releasing the Talisman firmware to subscribers. Sounds quite exciting.
Alternative firmware distribution
Sveasoft subscribers pay for the distribution method, priority to releases and technical support. Please see here for an alternative distribution method:
Sveasoft firmware is now available via your favourite torrent software. Please see here for details:
Most importantly, please keep seeding! It's going really well so far, thanks to everyone who's participated.
Seattlewireless' coverage of Sveasoft
The above comment "and the reason behind..." is an interesting one. It assumes that Matt is against Sveasoft because of his own interests in financial gain. This is clearly not true. No one that edits this page has a finacial motive to do so, no one except Sveasoft. Interestingly, they're the chief wreckers of this source.
Sveasoft source not covered by the GPL/LGPL
Sveasoft now is trying to relicense its firmware and get rid of the GPL.
Sveasoft claims that the following packages included in the Sveasoft firmware are not licensed under the GPL or LGPL:
src/router/cron - cron daemon
src/router/dropbear - SSH client and server
src/router/httpd - web server daemon
src/router/libnet - network access library
src/router/libpcap - network filter library
src/router/misc - root fs setup scripts
src/router/nas - 802.1x/WPA utility
src/router/netconf - network configuration utility
src/router/nvram - flash nvram parameter utilities
src/router/openssl - SSL and crypto library and utilities
src/router/pipsec - ipsec utilities
usr/src/pppd - ppp daemon, plugins, and utilities
src/router/pppdump - ppp monitoring utility
src/router/pppoecd - PPPoE daemon
src/router/pppstats - ppp statistics utility
src/router/pppd - additional pppd daemon
src/router/radvd - IPv6 routing daemon
src/router/rc - router control daemon and utilities
src/router/rflow - remote ntop rflow monitor
src/router/shared - shared libraries for router httpd daemon, utilities
src/router/snmp - SNMP daemon and utilities
src/router/utils - router utilities for wireless and ethernet control
src/router/wlconf - wireless control and initialization utility
src/router/rts - CRC utility
src/router/tools - upnp, firmware packaging, and misc tools
Question: Do the above modules fall under the GPL, Apache license, or whatever?
A: I think the point is the GPL doesn't apply. Most open source licenses like BSD, Apache, or MIT don't require source code release. I guess they could remove these and still be GPL compliant. Would be a shame though.
I've heard rumours that the soon to come Talisman release will include the Sveasoft core released under the GPL, with the above components (and more, I pressume), released to paying subscribers. If the above components have no GPL derived code, then there can be no reason to argue with the scheme. This would seem like a perfect way of distributing the firmware and resolving this edit war. I think everyone concerned would applaud Sveasoft if they adopted this policy. Anyone at Sveasoft care to comment?
The case against SveaSoft's GPL Compliance
I write this because I believe all users should make an informed choice about their firmware for their own WRT54G.
Of course, since SveaSoft are blocking me from their site (see below), I can't read their FAQ, but they are technically right, as long as that is what they are doing. However, once they make releases including GPL'd source, the GPL still applies to all GPL'd binaries that they do not own the copyright to. It is true that the binaries that they own copyright of sveasoft does not have to give out the source, and can in fact charge for the binaries. That's not in doubt. However, they must provide their souce code modifications to GPL'd binaries to any third party for any release. I cover this more below and it's also covered in the GPL FAQ.
And that was the situation early this year. SveaSoft claimed to only email a pre-release of their firmware to selected parties. Some people, including I, noticed it happened to leak on their ftp site. Someone asked for the source code for that pre-release. Sveasoft was right to not have to distribute their own copyrighted binaries, but according to my memory (again, I can't see their site could be faulty) they merely pointed back to the Linksys website. But the crucial question lie with who owned the copyright to what and to which patches were distributable under the GPL. I, myself, thought it was a fair question.
That's when the acrimony started. People got banned. People got angry. Some sociopath DDoS'd sveasoft.com.
In March, SveaSoft tried to get people to sign a nondisclosure agreement for their firmware. This was blatantly a GPL violation as they did not own all the copyrights to the binaries they were distributing with their firmware. Specifically it violated clause 6 of the GPL
More Acrimony with a capital A.
So anyway we get to their policy now, which is compliant as long as they are not patching GPL'd source and distributing binaries while forcing nondisclosure agreements of GPL'd source. I have no way to confirm nor deny this, of course. You do as long as you keep your mouth shut and agree that Sveasoft is the greatest thing since sliced cheese, and have always been absolutely 100% GPL compliant.
Anyway, technically, they are not in compliance with the GPL (at least with me and the Samadhi2 release). Note that I have not posted to their web site, only here on seattlewireless.net. And for that I was banned from *.sveasoft.com. I haven't directly or indirectly attacked their servers or website. They are doing it clearly because they don't like what I have to say about SveaSoft and their history.
So I feel they are in violation of GPL. Why? As they have chosen their website to distribute their sources, and have banned me from their website, I can no longer get the source directly from them as is required by the GPL. If you doubt this, don't take my word for it, read this.
Also, barring third parties from directly receiving the source based upon what they say is an implied restriction barred by clause 6 of the GPL. Again, don't take my word on it, read it yourself. The extra restriction they are imposing on me is that I (and therefore you) must agree with them on all issues about their past and current GPL compliance, or I don't get access to the source code. Again, don't take my word for it, try posting that to their website and see what happens. Specifically mention the prerelease that they let slip out and banned everyone who asked for the souce code. ;^)
Also, check out the edits to the SveaSoft page. If you doubt *.customer.telia.com is actually SveaSoft on the history page, then I suggest you don't take my word for it, check it out yourself:
$ dig sveasoft.com ; <<>> DiG 9.2.2-P3 <<>> sveasoft.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58904 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;sveasoft.com. IN A ;; ANSWER SECTION: sveasoft.com. 85943 IN A 220.127.116.11 ;; AUTHORITY SECTION: sveasoft.com. 85943 IN NS ns1.granitecanyon.com. sveasoft.com. 85943 IN NS ns1.sveasoft.com. ;; Query time: 2 msec ;; SERVER: 192.168.2.1#53(192.168.2.1) ;; WHEN: Fri Jun 18 00:46:29 2004 ;; MSG SIZE rcvd: 96 $ host 18.104.22.168 22.214.171.124.in-addr.arpa domain name pointer 62-20-102-131.customer.telia.com.
Finally, I'm not saying I've got all the facts right. My memory of details has faded over the last few months and I no longer have access to their site. But I do feel they should be free to comment so long as they don't delete/modify other's posts on seattlewireless.net. I just wish they would extend me the same offer. ;^)
SveasoftSucks.com - Sveasoft controversy site.
Sveasoft Watch - Blog detailing controversial Sveasoft events.