UPDATED: April 20, 2011 - Boxee confirms presence of GPLv3 binary. GPLv3 binaries still distributed in current firmware. See below.
Modify the open-source software on your Boxee Box.
The TrickBoxee has included cryptographic controls to block you from using your software on the Boxee Box. Both D-Link and Boxee refuse to release the key files required to pass these checks.
The TwistThe GPLv2 did not specifically prohibit blocking installation. The newer version, the GPLv3, prohibits this explicitly.
The TruthYour Boxee Box was shipped containing GPLv3 software. You should be able to install modified versions of software to your Boxee Box.
Promises and License
by a Big-Money Corporation
License was written to protect the
freedoms that have brought the world so many useful things, including
like Linux and XBMC,
from which Boxee has taken its code base. One of those essential
freedoms is to be able to change open-source software to make it better
suit a purpose. It is essential to the evolution of open-source
projects that people are free to take something and run with it as they
see fit. This is how Free Software has come so far. D-Link
and Boxee have now
trick on the people who made it possible (developers
and customers), by trying
to hide behind games and
deceit to exert control over your hardware. They have blocked
installation of custom software on the Boxee Box.
Boxee is NOT a
small-time open-source community project by people who do it out of
love; it is now a big
operation and they are using dirty tricks to exert control
they should not have. They use customers' and investors' money to
parties while users who have already paid are left
with alpha-quality software and no way to fix it themselves. They
have decided to have a 3 month (forced) release cycle, making many
users wait with completely disabling bugs.
What is also
striking is Boxee's abandonment of development on the open
platforms. Progress has all but stopped, and you never see
tweeting about the PC version. Little wonder, when they imagine
for themselves a future of total power on the Boxee Box.
There has been
a freight train of broken promises along the way, with the Netflix Promise
Debacle and VUDU
(it was on the retail box but didn't work) being some of the more
publicized. The option to use XBMC instead
does not exist, and soon there will be a big surprise for many Boxee
Box owners... The option to control the
volume with the remote will disappear! Because of the forced
updates, if you don't like something, too bad for you. Don't get
too attached to that volume function on the D-pad of the remote.
Moreover, the closed hardware breaks promises made during its promotion, by none other than Boxee CEO Avner Ronen:
mice, windows or labyrinthine menus. It should be calm and it
should be beautiful. And it *must* be open."
Instead we have labyrinthine
menus, no option to skin or customize,
visualizations, and a COMPLETELY CLOSED SOFTWARE. The
deception continues: blog posts like this from before the release of
the Boxee Box have been hidden. (Track back through the pages and
see that the history has been cut off)
Part of this hacking would be the ability to use XBMC
instead of Boxee on the box:
Many people made buying decisions on that claim
alone. Strung along with false promises and deceptive tactics,
many return periods lapsed before people realized what was
happening. Now they
D-Link and Boxee are using Tivoization to control something that belongs to you.
What is Tivoization? From the website of The Free Software Foundation (the authors of the GPL):
“Some devices utilize free software that can be upgraded, but are designed so that users are not allowed to modify that software. There are lots of different ways to do this; for example, sometimes the hardware checksums the software that is installed, and shuts down if it doesn't match an expected signature. The manufacturers comply with GPLv2 by giving you the source code, but you still don't have the freedom to modify the software you're using. We call this practice tivoization.
When people distribute User Products that include software under GPLv3, section 6 requires that they provide you with information necessary to modify that software. User Products is a term specially defined in the license; examples of User Products include portable music players, digital video recorders, and home security systems.”
“Tivoization is a dangerous attempt to curtail users' freedom: the right to modify your software will become meaningless if none of your computers let you do it. GPLv3 stops tivoization by requiring the distributor to provide you with whatever information or data is necessary to install modified software on the device. This may be as simple as a set of instructions, or it may include special data such as cryptographic keys or information about how to bypass an integrity check in the hardware. It will depend on how the hardware was designed—but no matter what information you need, you must be able to get it.
This requirement is limited in scope. Distributors are still allowed to use cryptographic keys for any purpose, and they'll only be required to disclose a key if you need it to modify GPLed software on the device they gave you. The GNU Project itself uses GnuPG to prove the integrity of all the software on its FTP site, and measures like that are beneficial to users. GPLv3 does not stop people from using cryptography; we wouldn't want it to. It only stops people from taking away the rights that the license provides you—whether through patent law, technology, or any other means.”
|Boxee publishes the source code
to the Boxee Box software. This is actually a farce and and
insult to the community that carried it this far. The binary
distribution that is automatically forced upon users arrives in a
that contains much more than the binaries from the source code.
It also contains signature files which are not available from the
source code itself. The private key is held, presumably, only by
Boxee. Without being able to produce these signature files, even
changing the filesystem one bit would cause a failure of the whole
system to load.
would like to confirm for
yourself that this software (and currently, the violation) exists,
multiple occasions, both companies have been contacted seeking the
rights granted under the GPL. Neither
company has taken responsibility and complied with their GPLv3
D-Link responded with a mix of denial and passing the buck:
John M at dlink.com:
Boxee responded with avoidance and
Marcel Hass replied:
|There are things that can be
done. Contact both D-Link and Boxee. Contact
the FSF and request that they pursue
this GPL violation. Contact
lawyers who want a piece of that $16.5 million. And raise
this on the web. The more links and connections the better.
Companies abuse users because they get away with it. Actions like this make D-Link and Boxee very bad citizens of the community that gives them life.
Don't let D-Link and Boxee abuse what the community has given them.
If you are tech savvy, you might take a look at http://boxeeboxwiki.org where there is some excellent information about the Boxee Box.
|UPDATED: April 20, 2011
Boxee has confirmed the presence of GPLv3 software distributed in the Boxee Box.
In the response, it is noted that gpgv2 was included in a pre-release. This release is, however, the software that comes loaded on the device from retail. Is that a pre-release? In any case, gpgv2 itself was also released in subsequent firmwares. It has been removed from the current firmware, but other GPLv3 binaries are still being distributed in the current firmware. Every Boxee Box on the globe currently has GPLv3 software in it, in the factory-reset memory AND the currently running binaries.
There are now further questions.
Is yes-I-stole-the-candy-bar-but-I-did-not-eat-it-so-I-will-put-it-back-now-that-I-am-busted a valid argument?
Can Boxee un-distribute the binaries already distributed? The GPLv3 binaries were not only in the pre-release version. They were in the release version. And the versions after that. And the CURRENT version. Can Pandora's Box be closed again? See below for details on the current version.
Even if they delete the binaries in future releases, anyone can simply put them back into violation with a factory restore. Does Boxee have the right to change that factory restore firmware? Can Boxee reach into the homes of users and change devices the users paid for?
Is "Yes we stole software but we want to make money" an adequate excuse?
How does the US Government and Customs and Border Protection view Boxee making them implicitly profit (via import tariffs) from the import of software piracy?
GPLv3 SOFTWARE IN THE CURRENT FIRMWARE
Boxee contends that since its new firmwares do not contain gpgv2, they do not need to honor the license terms. As expressed above, it is possible that this is flatly incorrect. As an interesting moot point (since the distributing of GPLv3 software has already been acknowledged), the current firmware still contains GPLv3 binaries. It is downloadable from their website.
If you'd like to confirm this yourself, follow these steps:
Perhaps it wasn't made clear enough, but some people have been confused on why a single file requires the opening of the whole platform. It has to do with how the Boxee Box is set up. As noted in the original article, the firmware arrives in a squashfs filesystem. This filesystem is only unpacked by the Boxee Box if the signature accompanying it is correct, signed with a private key held by Boxee. If you were to add a even single text file to the filesystem, the signature would fail, and so would the boot/install. The terms of the GPLv3 require that Boxee enable users to succeed in doing this. It does not require them to provide technical support to users' modified firmwares.
As an aside, others have commented that buying decisions should have been made on what was available at the time. This is also problematic, as Boxee is planning on removing features in upcoming builds. Users do not have the option to decline a new build. Nor do they currently have the ability to build and install their own version with their preferences enabled.
Please feel free to email at any time: