How to tell your OSS is ridiculously popular: people aren't 100% sure they _didn't_ embed it, and tack on the software equivalent of "packaged in a facility where peanuts were also present" to the license list.

This watch contains software, so statistically probably contains at least traces of curl.

Boring joke deflator: afaict it's just Garmin's standard wording so that they can splat in all licenses to everything involved in any of their products, rather than have to generate license compliance text specific to individual firmware builds. But also, lol
@danderson y'know, that worries me more than "may contain curl". You made the thing... you should know if there's curl in there or not!
@evana Knowing nothing about how Garmin builds firmware, my suspicion is it's something like: this is a list of all OSS present in their Yocto source tree, or similar. Rather than track what OSS makes it into which firmware builds for which SKUs, they just make a list of all OSS that gets too close to their build system, and put that one list in all products. But I dunno 🤷
@danderson @evana This is the likely explanation. We did a similar thing for infotainment at an auto company I worked for: we listed the license of everything that was built in Yocto, but some of those (like GCC, bison, meson, autotools, and other build tools) are never shipped in the image, so technically we may not have needed to list them. The source code tarball you can request under the GPL written offer clause also contains those (even if they're not GPL).
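The approach the two posts above describe (list everything the build tree touched) versus listing only what actually shipped, as an added worked example. This is not code from the thread, from Garmin or from the Yocto project: the manifest text is a hand-constructed sample in the four-field block format Yocto writes to an image's license.manifest, and BUILD_TREE_RECIPES is a constructed stand-in for a full recipe-to-license list of the kind `bitbake -g` would give you. It parses the image manifest, keeps only recipes that have at least one shipped package, and reports which recipes and which licenses a kitchen-sink notice would over-list (GCC, bison and meson in the constructed tree never land in the image), plus manifest entries the build-tree list does not know about, which signals a stale input.

```python
"""Derive a per-image license list from what actually shipped, not from
everything the build tree touched.

Added example, not code from the thread or from Yocto/Garmin. IMAGE_MANIFEST
is a constructed sample in the block format Yocto writes to an image's
license.manifest; BUILD_TREE_RECIPES is a constructed stand-in for a full
recipe-to-license list such as `bitbake -g` output would give you.
"""
from dataclasses import dataclass

IMAGE_MANIFEST = """\
PACKAGE NAME: curl
PACKAGE VERSION: 8.5.0
RECIPE NAME: curl
LICENSE: curl

PACKAGE NAME: libcurl4
PACKAGE VERSION: 8.5.0
RECIPE NAME: curl
LICENSE: curl

PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
RECIPE NAME: busybox
LICENSE: GPL-2.0-only & bzip2-1.0.4

PACKAGE NAME: libz1
PACKAGE VERSION: 1.3
RECIPE NAME: zlib
LICENSE: Zlib
"""

# Everything the build pulled in (constructed). Host/cross tools such as gcc,
# bison and meson are built but never land in the image; openssl was built
# but no package of it appears in this image's manifest.
BUILD_TREE_RECIPES = {
    "curl": "curl",
    "busybox": "GPL-2.0-only & bzip2-1.0.4",
    "zlib": "Zlib",
    "openssl": "Apache-2.0",
    "gcc-cross-aarch64": "GPL-3.0-with-GCC-exception & GPL-3.0-only",
    "bison-native": "GPL-3.0-or-later",
    "meson-native": "Apache-2.0",
}


@dataclass(frozen=True)
class Entry:
    package: str
    version: str
    recipe: str
    license: str


def parse_manifest(text):
    """Parse blank-line-separated 'KEY: value' blocks into Entry objects."""
    entries, fields = [], {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last block
        line = raw.strip()
        if not line:
            if fields:
                entries.append(Entry(fields["PACKAGE NAME"], fields["PACKAGE VERSION"],
                                     fields["RECIPE NAME"], fields["LICENSE"]))
                fields = {}
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return entries


def license_ids(expr):
    """Split a Yocto license expression ('A & (B | C)') into its identifiers."""
    for sep in "&|()":
        expr = expr.replace(sep, " ")
    return set(expr.split())


def shipped_by_recipe(entries):
    """recipe -> set of license ids, counting only recipes with a shipped package."""
    shipped = {}
    for e in entries:
        shipped.setdefault(e.recipe, set()).update(license_ids(e.license))
    return shipped


def audit(entries, build_tree):
    """Compare the image manifest against the whole build tree.

    Returns (shipped, build_only, overlisted, drift):
      shipped     recipe -> licenses for recipes that are in the image
      build_only  recipe -> licenses for recipes built but not shipped
      overlisted  license ids a kitchen-sink notice would claim although
                  nothing in the image is under them
      drift       recipes in the manifest that the build-tree list does not
                  know, i.e. one of the two inputs is stale
    """
    shipped = shipped_by_recipe(entries)
    build_only = {r: license_ids(l) for r, l in build_tree.items() if r not in shipped}
    used = set().union(*shipped.values())
    overlisted = set().union(*build_only.values()) - used
    drift = sorted(r for r in shipped if r not in build_tree)
    return shipped, build_only, overlisted, drift


def notice_text(shipped):
    """The per-image notice: one line per shipped recipe, licenses sorted."""
    return "\n".join(f"{r}: {', '.join(sorted(l))}" for r, l in sorted(shipped.items()))


if __name__ == "__main__":
    shipped, build_only, overlisted, drift = audit(parse_manifest(IMAGE_MANIFEST),
                                                   BUILD_TREE_RECIPES)
    print("Shipped in this image:\n" + notice_text(shipped))
    print("\nBuilt but not shipped:", ", ".join(sorted(build_only)))
    print("Licenses a kitchen-sink notice would over-list:", ", ".join(sorted(overlisted)))
    if drift:
        print("Manifest recipes missing from build-tree list (stale input?):", ", ".join(drift))
```

The point of keying on the image manifest rather than the build tree is that the manifest is produced per image, so the notice text follows each firmware build automatically instead of being one list pasted into every SKU; the `drift` check is the cheap sanity test that the two inputs came from the same build.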
@evana @danderson The “yous” that made the thing—engineers—know. The “yous” that decreed the text be put in there—lawyers—don’t.
@ankitpati @evana @danderson You'd hope the first part of the statement is true, but in general I doubt it...
@evana What makes you think because they "made the thing" they know what's inside? At many vendors, what they call the "development team" is mostly clicking things together from some "modular system". They have no clue what gets dragged in or, when you tell them, how to get rid of some unwanted dependency ("but we don't use that!"). Telling them "use exclude:group in your build.gradle" overtaxes them (yep, a real case I had) 🤷‍♂️ @danderson

@IzzyOnDroid @danderson I guess I need to be more clear:

I think it's unfortunate that our tools don't automatically record what they put inside. I'm hopeful that the addition of SBOM requirements for federal contracting will help drive improvements in the tooling so that we can get the contents of our software automatically.

Right now, I'm hearing that we know everything that goes into the factory, so we assume that all of that goes into the Twinkies that come out. Including the bolts...

@evana Oopsie… No offense meant! Wasn't aware you were involved. Still, my "rant" holds its truth unfortunately in far too many places. But I should add that with the current tools it's not always easy to be aware what went in or what dragged in other things (well, one can check the dependency tree in most cases, but does not always remember to). One reason more than one FOSS dev expressed their thanks to the additional checks at the #IzzyOnDroid repo, for example…

So: apologies 4 my phrasing!

@IzzyOnDroid no problem! The post went a little further than I expected, and I wanted to follow up with how I thought we could genuinely make software better.

@evana That's a driving force for me as well. If I might exaggerate a bit, I guess you'll have a hard time looking at just 10 Github repos without finding some issue, issue comment, PR or review by me 🙈 Especially if it's the repo of some Android app.

And it's usually a clear win-win. Not being an Android dev, I've learned a lot about that during the discussions – while my reports usually uncovered something the devs were not aware of. Respect from both sides, precious outcome for all 

@evana @IzzyOnDroid @danderson He's not a supplier (https://www.softwaremaxims.com/blog/not-a-supplier) and neither am I...although I still know what I ship and I'm so close to POSIX that I have to ship little...
@evana @IzzyOnDroid @danderson absolutely looking forward to SBOM being a requirement. Although the environment I work in is mostly Java, Python and C#, so we have it easier to figure out what actually gets included. Very glad I don't have to do this for C/C++ stuff any longer.
@evana @danderson maybe it’s packed in a factory that contains curl. You can never be too sure.
@danderson Good idea. We should make a GitHub action that crawls GitHub repos to gather every single MIT-licensed project and generate a text like that. This way you never have to disclose your actual open source usage again!!!
@danderson but then how would I know whether I can strap it to a nuclear weapon or not (Java)?

@danderson

i am allergic to curl and that's why we need these warnings

if i have just a little gzipped curl or if i exchange files with someone who just ran curl i can go into a kernel panic shock

@danderson
So they could write...

"This product may contain licenses of any open-source project in the world (or may not, who knows!)"

...and get away with it.

@danderson "This software was generated in a datacentre where curl's source is also being digested by ChatGPT."
@danderson Interestingly, they did it with a misidentification of the curl license for another one.
It isn't MIT/X11 but ISC with "and/or" changed into "and", and the no-advertising clause of the X11 license appended.
@lanodan @danderson what's the no-advertising clause about?
@danderson

⚠️ this product is known to the state of california to be able to download from a variety of protocols
@danderson
Curl-allergic people are alive thanks to these messages 🙌
@skye
@danderson @matthewskelton My favorite ingredient is “may contain one or more of the following:”.

@danderson

Important information for people with OSS allergies!

@danderson I requested from Samsung the sources of the open-source software in my fridge. In the bundle (nearly 1 GB of sources) there were pieces of software probably never actually used (the only "smart" capability of my fridge is selecting temperature and detecting an open door), but makefiles or info on how the different parts were built together were missing.

@danderson
And if curl is in fact not included, can I get a refund?
It's misleading advertisement!

I paid for a curl flavored product, I demand some curl in it.

@danderson well, curl sounds a lot like curly.

Sooooooo…

@danderson
But is it organically harvested? Is it Fair trade?
Those are the real issues Garmin isn't addressing.
😇
@danderson I guess fuck anyone allergic to curl
@danderson
It's the typical allergy warning right? Like for peanuts 😄
@danderson Could you make an uberlicense that includes all the copyrights you are allowed to include, just in case? Be compliant in case you happened to include one of the components.
@danderson And I mean not just those used by the vendor but like all the licenses in the world
@danderson being close to the field and the culture, this is open source compliance hacks being open source compliance hacks
@danderson I once had peanut butter that wrote in the label there could potentially be traces of peanuts.
@danderson Your watch both does and doesn't contain curl. Neither scenario is exclusively true until you collapse the wavefunction by examining the software. 

@danderson 🤣

Funny thing, curl is also embedded in action cameras… It's literally in anything that has a network.

@dad

@danderson Definitely good to know because of my curl allergy! I use wget as an alternative.
@danderson Bets that curl runs on more devices than Java's 1 billion devices?
@danderson @mralex hilarious. I’ll have to see if my Garmin has the same thing.
@gamble [courtesy notice: if you intended there to be a message other than our usernames, it got yeeted somehow]
@0xabad1dea Oh thank you... ! Accidental tap/ reply via the app 😅
@danderson (to the tune of Sex Bomb) SBOM, SBOM, where's that SBOM ... You can give it to me so I know what's going on.
@danderson pretty scary to know Garmin *may* or *may not* know what code ended up in their firmware releases...
@danderson why don't they say "might contain .*" ?
@danderson (factory guy meme) i guess we doin curl now

@danderson ah, another garmin watch!

no, I can't tell by the looks of the device. And "it includes cURL" doesn't help of course.

But it lists these things in the exact same order as mine does… so that's a hint

@danderson
With a few hundred lawyers, tapping away at a few hundred keyboards, for a few hundred years, you MAY end up with disclaimers that contain cURL...

* apologies to the Infinite Monkeys (tm).

@danderson This product is known to the state of California to contain curl, distributed under the MIT/X License
@danderson they have to write that in case someone is allergic to curl
@danderson How It can may contain?

@danderson

Well. That explains the rash.