Possible LGPL Violation by Idemia #2462

Closed
eidins opened this issue Dec 10, 2021 · 10 comments

@eidins

eidins commented Dec 10, 2021

For the Latvian eID card, Latvia has a deb package you install. The log lines below were produced with the previous version latvia-eid-middleware_2.0.6-1_amd64.deb.gz. Link to most recent version is maintained at the Arch AUR

This package is maintained by Idemia,

root@72b261f16a76:/pkg# sha256sum latvia-eid-middleware_2.0.6-1_amd64.deb
af66b9ec4e689b1404aba364e0aeaccbd76e2e4e43f32cb869ecd4ade1e441ad  latvia-eid-middleware_2.0.6-1_amd64.deb
root@72b261f16a76:/pkg# dpkg -I latvia-eid-middleware_2.0.6-1_amd64.deb
    ...
 Maintainer: IDEMIA <contact@idemia.com>
 Description: Middleware for using Latvia-eid smart cards

If you install DigiDoc with the Latvian middleware, then when executing the software with the environment variable LATVIAEID_DEBUG=9 set, I got the logs below,

0x7f4ea77fe640 17:21:29.352 [opensc-pkcs11] card-iasecc.c:3799:iasecc_pin_get_policy: returning with: 0 (Success)
0x7f4ea77fe640 17:21:29.352 [opensc-pkcs11] card-iasecc.c:4139:iasecc_pin_cmd: returning with: 0 (Success)
0x7f4ea77fe640 17:21:29.352 [opensc-pkcs11] sec.c:219:sc_pin_cmd: returning with: 0 (Success)

The logged lines do not exist in their released source code. I cannot find other source code anywhere. eParaksts responded that they don't maintain the middleware, therefore do not have access to the source code.

Perhaps this is already known, but as Idemia has a business in national ID cards, they may have violated LGPL for other cards. For example, French eID
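
One way to run the comparison described in the comment above, as an added example that is not part of the original thread, of OpenSC or of the middleware: it pulls the `file:line:function` references out of the debug records and checks each against a source tree. The tree contents are constructed placeholders, and the names `source_refs`, `check_ref` and `unmatched` are hypothetical.

```python
import re

# Source reference inside an OpenSC-style debug record: file.c:LINE:function:
REF = re.compile(r"([\w.-]+\.[ch]):(\d+):(\w+):")

def source_refs(log_text):
    """Unique (file, line, function) triples; wrapped records still match."""
    flat = " ".join(log_text.split())  # undo line wrapping inside records
    seen = []
    for name, line, func in REF.findall(flat):
        ref = (name, int(line), func)
        if ref not in seen:
            seen.append(ref)
    return seen

def check_ref(ref, tree):
    """Classify one reference against a source tree given as {filename: text}."""
    name, line, func = ref
    if name not in tree:
        return "file-missing"
    lines = tree[name].splitlines()
    if line > len(lines):
        return "line-out-of-range"
    # The log call sits in the function body: the name must occur by that line.
    pat = re.compile(r"\b%s\s*\(" % re.escape(func))
    if not any(pat.search(text) for text in lines[:line]):
        return "function-missing"
    return "ok"

def unmatched(log_text, tree):
    """References that the given source tree cannot account for."""
    return [(r, s) for r in source_refs(log_text)
            if (s := check_ref(r, tree)) != "ok"]

# Log records as posted in the issue; the source tree is constructed.
SAMPLE_LOG = """\
0x7f4ea77fe640 17:21:29.352 [opensc-pkcs11]
card-iasecc.c:3799:iasecc_pin_get_policy: returning with: 0
(Success)
0x7f4ea77fe640 17:21:29.352 [opensc-pkcs11]
card-iasecc.c:4139:iasecc_pin_cmd: returning with: 0 (Success)
0x7f4ea77fe640 17:21:29.352 [opensc-pkcs11]
sec.c:219:sc_pin_cmd: returning with: 0 (Success)
"""
SAMPLE_TREE = {
    "sec.c": "\n".join(["/* filler */"] * 215
                       + ["int sc_pin_cmd(void)", "{", "  return 0;", "}"]),
    "card-iasecc.c": "\n".join(["/* shorter constructed file */"] * 100),
}
```

Any result other than `ok` means the tree being checked does not match the source the logging binary was built from.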

@frankmorgner
Member

@eID-LV ?

@frankmorgner
Member

frankmorgner commented Dec 10, 2021

The source code needs to be available along with the binaries - whether or not someone is the "maintainer" of the software doesn't matter. If the source code isn't available with the software, then the violation is done by the distributor.

The package doesn't hide its origin (in contrast to #1992), so let's hope they react to the requests and just publish the code.

@frankmorgner
Member

@martinpaljak , do you want to take the lead for getting the communication started?

@eidins
Author

eidins commented Dec 11, 2021

I imagine they just forgot to publish the new version of the code given that they published the previous version.

Relevant points of contact,

https://www.eparaksts.lv/en/about_us/Kontakti
https://www.pmlp.gov.lv/en/departments
contact@idemia.com

I've contacted all of them. Only eparaksts replied, but said they didn't have the source code. Maybe you will get better luck if you have some official opensc.org email or something.

They are releasing new versions of the package, so someone has the source code.

@eidins
Author

eidins commented Dec 14, 2021

@kaaposc Do you happen to know how to get the source code for the Latvian eID middleware? I see you maintain https://github.com/kaaposc/latvia-eid-middleware/

@mvilks

mvilks commented Dec 14, 2021

Sorry, don't know about the source code. My maintained package uses the deb package from eparaksts.lv repository, it just extracts and copies already built binaries.

ETA: sorry used wrong github account to reply, I'm @kaaposc 🤦‍♂️

@eidins
Author

eidins commented Dec 14, 2021

https://www.eparaksts.lv/files/ep3updates/debian/dists/focal/InRelease

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Origin: www.euso.lv
Label: LVRTC apt repository
Codename: focal
Date: Fri, 05 Nov 2021 13:21:26 UTC
Architectures: amd64
Components: eparaksts
Description: LVRTC debian package repo
  ...

https://www.eparaksts.lv/files/ep3updates/debian/public.key
https://www.eparaksts.lv/files/ep3updates/debian/dists/focal/eparaksts/binary-amd64/Packages

info@euso.lv might be the distributor

@metsma
Contributor

metsma commented Dec 14, 2021

This is the source of the packages:
https://www.pmlp.gov.lv/en/how-prepare-computer-operations-personal-certificate
and pmlp.gov.lv is the responsible organization

@frankmorgner
Member

I contacted all the organizations referenced above, we'll see...

@frankmorgner
Member

The current source code of the software has now been released here:
https://github.com/eID-LV/eID-LV-Middleware-public-version

This includes the changes made to their variant of OpenSC (seemingly based on version 0.19.0). All their code seems to be licensed with LGPL v2.1, so this should allow others to port their driver to a recent version of OpenSC...

I think this fulfills the license restrictions.
