BMW complies with GPL by handing over i3 car code

BMW has sent Terence Eden a DVD containing GPL-licenced code used in its electric i3 model. Why should you care? Because Oxford resident Eden last month inadvertently caused something of a global stir when he pondered the quality of the i3's software and the security of BMW's update mechanisms. Along the way he noticed that …

  1. Martijn Otto

    The source code should have been available somewhere on their website from the start. Employees not understanding software licenses is not an excuse.

    1. Martin Summers Silver badge

      To be fair to the CS agents it is a bit of a niche query they would not be geared up for as the guy said. What they did do wrong was just flat declining because they didn't understand, they either lack initiative and shouldn't be in customer care or are told not to escalate things which I'd have thought unlikely.

      1. Doctor Syntax Silver badge

        "or are told not to escalate things which I'd have thought unlikely."

        ISTM that typical call centres today completely lack escalation. Queries just get bounced round between front line agents to fail repeatedly because front line is all there is.

        1. Sir Sham Cad

          Re: lack escalation

          Outsourced call centre, off-script = "we can't do that"

          Having worked (a long time ago) in a BT call centre, there was a time limit on how long a call centre operative could spend on any one call (2 minutes - yes, even technical support) so if it seemed like the query was going to bust your 2 minute deadline then you needed to dump the call ASAP. I assume something similar here.

          1. Alan Brown Silver badge

            Re: lack escalation

            "Having worked (a long time ago) in a BT call centre, there was a time limit on how long a call centre operative could spend on any one call"

            Which is why when you're pissed off with a company, it's a fun game to keep one call centre operator on the phone for an hour. Yes, I've managed to do that (or longer). You can tell that they're getting increasingly desperate, but they're not allowed to hang up on you either. (They're invariably outsourced. Properly run companies have decent escalation procedures and can fix problems before they've dragged on for months)

            1. joeW

              Re: lack escalation

              Why wreck some poor outsourced phone drone's stats for the week because you're pissed off with a company he doesn't even work for? I can assure you, he doesn't want to be there any more than you want to be phoning in.

              1. Anonymous Coward
                Trollface

                Re: lack escalation

                > Why wreck some poor outsourced phone drone's stats for the week ... ?

                So he'll quit or get fired, obviously.

                1. Anonymous Coward

                  Re: lack escalation

                  > Why wreck some poor outsourced phone drone's stats for the week ... ?

                  So he'll quit or get fired, obviously.

                  Unless this person is engaged in direct sales, why is that a desirable outcome? Do you really think the poor schmuck would work there if he/she had a choice?

                  Maybe I'm biased because I work with a lot of frontline staff, but I always first try to give them an opportunity to help. If their script does not allow this, I'll either ask for escalation or get means to contact the company's legal team - as we record calls too, I have a handy, legally usable resource.

                  Having said that, if I'm faced with an impenetrable wall of stupidity (deliberately or process imposed) I may not bother calling back to get someone else - the company may instead end up being blacklisted by us. Depending on contract this can have further consequences.

            2. the northern bull
              Terminator

              Re: lack escalation

              "Having worked (a long time ago)"

              Times have moved on from targeting advisors on their Total Call Handling Time (TCHT). Although not completely extinct, there are so many other means to contact companies these days, e.g. web chat, social media, email etc., so agents are afforded more time to spend with the customers. Companies now shift their focus to dealing with queries start to finish often advising agents to spend as much time as they need to resolve the query. I also think it's a bit naive to think there is no escalation process "because front line is all there is" - who do you think manages the front line, and who manages the managers?

              As far as this particular query is concerned, it's not a subject that would be priority in any of the aforementioned staff training so I would agree with Terence in saying the staff wouldn't be equipped to deal with that sort of query. Common sense would say look for your answers by aiming a little higher in the hierarchy and wait for a response from someone who is trained in what you're asking.

              "What's that sir, you would like the building regs of our contact centre in Coventry? I'm afraid I can't help you with that"

      2. Dazed and Confused Silver badge

        ReL or are told not to escalate things

        You'd have thought that people in call centres would be told to escalate things when the guy on the other end of the phone says things like "you do realise that what your company is doing here is against the law". This should ring an alarm bell which goes something like "I'm not paid enough to deal with this shit" and make it an SEP* as fast as possible.

        (*) SEP, Somebody Else's Problem(TM)

        (TM) the late great Douglas Adams

        1. Vince

          Re: ReL or are told not to escalate things

          "you do realise that what your company is doing here is against the law"

          Yes, but if you had a rule that says when a customer says that, you need to escalate, you'd also need a shedload more people to escalate to as in my experience, claiming something is illegal is one of the first misfires of a typical complaint that will ultimately and typically be the "customers" fault in reality.

          1. Anonymous Coward

            Life in a Call Center

            While things are better if you work in an internal call center, third party call centers are pretty much useless for this type of scenario.

            In an outsourced call center:

            1. You do not escalate. Because there is no one to escalate to. If a customer is sufficiently irate, you can get a senior phone jockey to try to calm him down, but you can't pass the customer to level 2 support.

            2. Because you don't know who or where L2/L3 support is. You're allowed to create a handful of ticket types, which either magically get fixed, or the customer calls back the next day even more irate than before.

            3. There is no ticket queue for legal. If a customer threatens legal action, you're specifically instructed to hang up on him. If a customer has a question for the legal department, they have to do the leg work to find out how to contact them first.

            4. Different call centers prioritize different things. We were told to keep call times down, but we prided ourselves on actually solving customer problems, in contrast to another branch that just kicked them off the line after 15 seconds. And, yes I once spent an hour walking some old lady through the steps to fix her computer.

            5. Customer service representatives are usually trained for the specific scenarios that they will be responding to. In my case, we were told that we were hired because we had good customer service skills and some technical background. So, if a customer asks a question outside of the CSR's training, they can try to ask their neighbor or a senior CSR, but that's it. Maybe they can put in a ticket, probably not.

            Of course, things are better in internal call centers. You probably do know the (one!) guy that does each type of level 2/3 support. You can escalate problems to management when they're in the office. And management usually wants things to actually get fixed, even if it takes a while.

            1. DougS Silver badge

              Re: Life in a Call Center

              Is there still such a thing as a non-outsourced call center?

              1. Keith Glass

                Re: Life in a Call Center

                I've encountered one. And I've been working professionally for 40 years.

                Surprisingly enough, it was inside the US Government. . .

              2. Anonymous Coward

                Is there still such a thing as a non-outsourced call center?

                Yes - Boots had one until a few weeks ago - now it is the same people working for a 3rd party.

                1. Kubla Cant Silver badge

                  Re: Is there still such a thing as a non-outsourced call center?

                  I think the company I'm working for at the moment has a call centre downstairs. And I've worked for another company recently with an internal call centre. When they're internal, they're less likely to be called a "call centre" and the people who staff them have less of a call-centre outlook, so you don't hear about them.

                  I guess the hierarchy from best to worst is: internal, external UK based, offshore with good English, offshore incomprehensible.

              3. kain preacher Silver badge

                Re: Life in a Call Center

                AT&T. Their call center tech support is a mixture of outsourced and in-company call center for level 1. When you get to Level 2 support it's all internal with a mixture of staff agencies and actual AT&T employees all on AT&T premises.

              4. herman Silver badge

                Re: Life in a Call Center

                Yes, military call centres are not outsourced - guess why not...

            2. Gwaptiva

              Re: Life in a Call Center

              And this is the exact reason that once you made the phone call without a resolution, you write a letter (or email if you are in a hurry) to the CEO or Chairman of the company you are trying to deal with with your complaint.

              In the majority of organisations, these "executive complaints" get handled by a special team, with loooads of leeway and leverage, considering they were told by the CEO -- in reality his/her secretary, to make the complaint go away.

              1. Anonymous Coward

                Re: Life in a Call Center

                And this is the exact reason that once you made the phone call without a resolution, you write a letter (or email if you are in a hurry) to the CEO or Chairman of the company you are trying to deal with with your complaint.

                If you write, yes, but in general you're quicker when you do some digging in company data to identify who runs the show, then find the HQ phone number and ask for his or her secretary whose job it is to handle these things and who generally has quite a lot of power and discretion to get things sorted.

                However, never use that route in anger. If you're the type who gets agitated, first cool down and then write yourself a note with the briefest description of the issue you can work out and supporting data, and come up with a realistic idea what you want the company to do about it. If you call thus prepared you will be amazed at how effective one such phone call can be.

                And yes, I have such a secretary too.

                By the way, avoid dealing with any company that hides behind customer support lines, forums and social media. A company that hides has reasons for that, and they're never in your favour.

      3. PNGuinn
        Flame

        CS agents

        To be fair...

        The typical CS agent wouldn't understand what grease was let alone being greased up about it. (I'm not being specific to anyone here.)

        It's up to the company - any company - to make sure that (a) the quality and training of their staff is adequate for the job and (b) the information immediately available to them is up to date, easy to assess, readily understandable AND ABOVE ALL ACCURATE.

        In other words - typical response of "sod off you're the product not the customer" IS NOT ACCEPTABLE.

        1. Bananimal

          Re: CS agents

          To be fair...

          many CS agents are educated to degree level these days (in particular if not in the UK, but also in the UK depending on location and industry). Unfortunately the average customer these days expects an instantaneous resolution to their query, no matter the query.

          So where the company has satisfied both (a) and (b), a call like this would be likely to throw the agent as it's a one in a million call. It is very difficult to make all of the information that an agent might require available to them immediately and easily.

          In this instance, it would appear from the correspondence that the CS agent consulted with someone that should have known better, and responded to that effect.

      4. mstreet

        "...they either lack initiative..."

        If BMW's customer service is run anything like the call centre at my company, or for that matter like any call centre I've ever heard of, showing any sign of initiative is usually followed by a walkout the front door with a security guard escort.

    2. Anonymous Coward

      The source code should have been available somewhere on their website from the start.

      Does it say that in the GPL somewhere?

      1. Lars Silver badge
        Linux

        "Does it say that in the GPL somewhere?". Yes, you have to tell where the source can be found, like in the media you deliver with your software or on the web, for instance. If it's about a vanilla Linux kernel I suppose you just have to tell which version.

        -

        1. DropBear Silver badge
          WTF?

          "Yes you have to tell where the source can be found"

          Have you ever actually read it? There is no such requirement. What you are required to do is supply it on request against no more than a reasonable fee covering the media and shipping. You are absolutely not required to have it available 24/7 anywhere if you don't feel like it.

          1. PNGuinn
            Facepalm

            Source Code Availability

            Considering the price this bunch of boy-racer cowboys charge for their toys if they had any common decency they'd have put it up on the technical part of their website with a note of the url in the owner's handbook.

            And possibly included a cd (with a note in the readme that updated software might be available online) with the technical info supplied with the car. They do supply a proper workshop manual / partslist and online access to updates?

            (Making an assumption here - no intention of slandering someone doing the right thing) No? Thought not.

        2. Andraž 'ruskie' Levstik

          The GPL specifically states you do not need to provide source code unless requested to do so. And that you will be able to provide it for at least 3 years.

          It nowhere requires you to provide the source code up front. You can even charge shipping and such for it.

          1. BitDr

            Charge for shipping..

            Yes you can charge for shipping, but it specifically states;

            "for a charge no more than your cost of physically performing source distribution"

            Taken from the following (Section 3 paragraph "a")

            "Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,"

            This should effectively keep the shipping cost from becoming a profit-centre.

        3. brotherelf
          Headmaster

          No, §6b(1) lets you ship physical media on demand, and charge for media and p&p.

          You may now start to argue that the screen notice does not constitute a written offer and possibly the license text wasn't in the user manual (I can't be arsed to check), instead.

        4. Lars Silver badge
          Happy

          "Does it say that in the GPL somewhere?". Damn you guys. Just read the GPL2. If you use it and deliver it and modify it then you have to reveal what you did with the original code. And that is it, how damned difficult is that to understand. If you don't like it use BSD like Apple, take it and do whatever you like with it. Kids commenting, nothing wrong with kids, I have three, but just read the GPL before you comment, it's not that difficult after all.

      2. This post has been deleted by its author

        1. herman Silver badge

          RMS calls it Copy Left - it is quite ingenious actually if you ever bother to read both the GPL and the Copyright Act and the Geneva agreements and treaties with other countries.

  2. Anonymous Coward

    If you read the letter they haven't actually complied with the GPL because they have not provided their modified/derived source only the sources of included open source software.

    1. Doctor Syntax Silver badge

      "they haven't actually complied with the GPL because they have not provided their modified/derived source."

      The letter says that they're sending the code "as far as it is required by the OSS licence conditions". They say that there is vehicle code that they haven't sent. There's no indication as to whether this is modified/derived source so there's no basis for assuming that it is.

      There seems to be a widespread assumption that because a program runs on some particular platform it must be a derivative of it. It's perfectly possible to write a program which compiles unchanged and runs on multiple platforms so what's the basis for thinking that it's derivative of one of them?

      1. Anonymous Coward

        These open source elements have been integrated into their UI so at least their UI should be GPL too. The letter indicates that they have only provided the source for what they included and not the derivatives which must also be GPL'd.

        There may well be further proprietary source from the car that they don't need to include but anything that incorporates opensource components takes on the opensource licence and must be provided, it does not appear they have done that.

    2. aelfric

      Failed English comprehension

      @AC That letter does not say that. You are making unwarranted assumptions. The modified/derived code would still count as OSS (depending on licence, but you're assuming GPL, so let's go with that). The letter says that the OSS code is included so you can assume the modified code is included. What is not included is the rest of the source code for the car that is not OSS and has not been tainted with GPL linking etc. This is legal and complies with GPL v2. If any GPL v3 code is included that is a different matter, but there is no reason to assume that there is.

      1. Anonymous Coward

        Re: Failed English comprehension

        I'm not making any assumptions. The letter states that they included only the source for OSS they used. The github repo where he has uploaded the files does not contain any of the modifications or derived source so they have NOT complied with the GPL. Again I have not made any assumption about the licence, the components that have been provided are GPL licenced.

        So let me repeat: They have not provided their sourcecode. They have not complied with the GPL.

        1. Anonymous Coward

          Re: Failed English comprehension

          1. You're still assuming that they made changes to the GPL'd code.

          2. You're assuming that all open source software is GPL'd.

          3. No company in their position would be using GPL code for anything sensitive. There's tons of fully open code (non-GPL) available to use, and they would be stupid to let the GPL anywhere near their engine code.

          1. Anonymous Coward

            Re: Failed English comprehension

            It is not an assumption that they modified code. Their UI integrates the code which is GPL'd and therefore must also be GPL'd. They have not provided ANY of their own code.

            I'm not assuming that all open source is GPL'd, they have used GPL'd code so that is the licence that is relevant to this discussion.

            No one is asking for engine code, but they have not made any attempt to comply with the GPL at all. They have not provided their code for their software which incorporates GPL'd components they have simply tried to fob us off with the raw source for the components (which is not compliance).

            1. BinkyTheMagicPaperclip Silver badge

              Re: Failed English comprehension

              I don't really care, as personally my Unix of choice is BSD, but I'm going to apply Occam's razor here.

              Who do I think is right?

              a) someone being loud on the Internet

              b) A company that

              i) explicitly lists LGPL 2.1 software (that's 'L') being used in their publicly available product

              ii) has an e-mail for further information

              iii) ..and is described as being in open source support

              I'm going to hazard a guess they've thought about this already and know the difference between GPLv2, LGPLv2, GPLv3 and other OSS licences.

              1. Anonymous Coward

                Re: Failed English comprehension

                I've looked at the files and they have not provided what they are required to. Have you checked them? Go look and see for yourself.

                Who do I think is right, someone who has actually checked the files and seen that the required source is missing or the company that is trying to get away without providing their code? Why would you not go look for yourself? Clearly a bunch of BMW shills trying to shut people up.

        2. anonymous boring coward Silver badge

          Re: Failed English comprehension

          "The github repo where he has uploaded the files does not contain any of the modifications or derived source so they have NOT complied with the GPL"

          Presumably they have just called various functions in the GPL:ed code, without having to modify it?

  3. Anonymous Coward
    Coat

    950 MB

    It's the runaway complexity that bothers me - and that's just the open-source portion of code running on the car.

    "German engineering"....??!

    Off to the ole horse'n'buggy shoppe...

    1. Tom Chiverton 1
      FAIL

      Re: 950 MB

      According to the file tree on github, it has tcpdump installed. On a car. WTF.

      1. no-one in particular

        Re: 950 MB

        > According to the file tree on github, it has tcpdump installed. On a car. WTF.

        Who says that tcpdump is installed on the customer's car? If a customer asks for the sources to the OSS in the product we supplied they are likely to get a shed load of stuff that is only used for dev and testing simply because it isn't worth the time/effort to strip it out: just copy the entire OSS directory onto the DVD and stick it in the post.

  4. Anonymous Coward

    What we want to know is...

    does the i3 use leftpad()?

    1. no-one in particular

      Re: What we want to know is...

      Did the car stop for no apparent reason on the 23rd?

  5. Joerg

    Car thieves will be very happy with it...

    Car thieves will be very happy with it... they will be able to hack into cars and steal quicker thanks to the open source scam.

    1. NotBob
      Trollface

      Re: Car thieves will be very happy with it...

      Oh no! Someone will see the super secret open source place where the software hides a spare set of keys! (The car puts a set on top of the driver's front wheel when you park, it's part of the open source car_key package.) They might also find out that if you say "friend" in elvish, the doors open.

    2. EveryTime Silver badge

      Re: Car thieves will be very happy with it...

      Why would car thieves find this useful?

      What makes you think that the older closed-source systems are more secure for being closed source?

      BMW relied on security-by-obscurity for their key system. It meant that for a long while only thieves could make keys, while regular people had to go to the dealer for their $250 replacements. Or spend far more if they ran out of the firmware limit of 10 key codes.

      Eventually the same techniques used by thieves filtered down to serious hobbyists and now to less-dedicated car people. With a $60 AK90, it just takes following directions to read and modify the key module, and write new key transponders. Including re-using key slots so that you don't need to buy a new key module and new keys if a few keys have been lost.

      Some of the newer models were reverse-engineered so thoroughly that new firmware was written. (Or perhaps they just discovered an existing hidden function.) The key ECU can be manipulated so that it would detect a blank key transponder in the ignition and write the contents to work with the car, without additional hardware. Yes, the car would bypass its own electronic security. Right now that system is many thousands of dollars, but I'm guessing that it will soon be available for much less.

      1. DougS Silver badge
        Coat

        AK90?

        I'll bet you could get into the car much quicker with an AK47.

  6. Nigel 11

    Go-faster patches

    It will be interesting to see if there is now a flood of completely open BMW i3 go-faster software, and what effect it has on the car's hardware components and the insurance industry. (c.f. go-faster chips in engine ECUs).

    Interesting times.

    1. Boris the Cockroach Silver badge
      Facepalm

      Re: Go-faster patches

      Utterly wrong

      The machine tools I deal with every day have GPL code in them (because they're linux based), but the actual operating software that runs the entire thing once the kernel has booted is called Heros, and that ain't GPL software, it's a dreaded binary blob (as the linux freaks term it) so there's no reason to think BMW would do anything different.

      Unless they are totally stupid of course...

      Wonder if they've included the emission control software too

  7. Justin Clift
    Facepalm

    OpenSSL

    Looks like they're using a remotely exploitable version of OpenSSL:

    https://github.com/edent/BMW-OpenSource/tree/master/FOSS_S1/openssl

    Oops. ;)

  8. Herby Silver badge
    Joke

    Now we have the option of...

    Re-booting the software right after a crash to see if it happens again.

    Look, aren't you supposed to power cycle and try again??

    This begs the question: What would you do if it were Windows based? Wait for the update?

  9. Henry Wertz 1 Gold badge

    "Is there still such a thing as a non-outsourced call center?"

    Yeah, Mediacom (local cable company) has this. It's nice, they have what they call a "virtual call center". They have local call centers throughout their service area (typically you're within 50 miles of it, in my case it's about 2 miles away.) But in case of heavy call volume (like severe storms, tornados, or hurricane knocking out service in a large area) the calls from (mostly) people saying "hey, my service is down" will spill over into other call centers instead of putting them on some colossal hold queue.

  10. Anonymous Coward

    Now you have over 900MB of source code to dig in.

    I would take my sweet time to search for improvements in the infotainment software, put the bloody geographical coordinates up front on the GPS app should I ever need rescue from the Fire Department after getting bogged down in the middle of nowhere (you know, longitude, and latitude), or turning the car's screens in a permanent rear view mirror like Tesla did.

    Or, changing the layout of everything. Or putting the whole electrical management of the car in the display, a la Prius. Or teaching the car to email its own telemetry to your personal address every 24hours, like it was black box recorder. (I assume all of these items are available on the car). Whatever tickles your fancy.

    There are so many useful things that could be done on that code, and "suggested" over to BMW as "customized improvements".

    1. MacGyver

      Re: Now you have over 900MB of source code to dig in.

      I "suggested" to them that they should not let the alarm be disarmed from the drivers-side key-lock, and only with the key fob, they didn't listen. They also did nothing to strengthen the metal retaining that lock cylinder in place. So basically anyone with a corkscrew can pull out the lock-cylinder through the opening, disarm the alarm and unlock the doors using a long screw-driver behind where the lock used to be, and once inside you can simply recode a blank key to the car and drive away or just disassemble and steal anything (It's not like the alarm is going to go off anymore). $500 for an alarm that can be disarmed with a screwdriver and a corkscrew, quality.

      I agree that being able to update the stereo would be cool, but if you think they will listen, then boy do I have a great deal on a slightly used bridge you might like. I can use the money to replace the $7,000 worth of dash I had stolen because of the above flaw that has been there for 10 years.

  11. Anonymous Coward

    Why does it need cups?

    I can only assume it's for some kind of self-congratulatory / positive reinforcement print out function it offers? Maybe when they use their indicators?

  12. Richard Boyce

    Patience, grasshopper.

    Alas, there are fewer people these days who are old enough to remember where this phrase was first popularised.

Biting the hand that feeds IT © 1998–2019