Intellectual property activist Florian Mueller offers up another blog installment in which he uncovers the presence of redistributed Oracle/Sun Java files in the Android codebase. He shifts focus away from the Android code repository and looks at what code some of the major Android handset OEMs have on offer.
Picking on three OEMs he finds plenty of examples of Oracle/Sun code in the packages published on the web:
Motorola offers some source code releases that contain both the decompiled security-related files I presented and the files marked as "PROPRIETARY/CONFIDENTIAL". I found them in the packages containing the source code of the Droid X, Droid 2 Global, and Droid Pro. If you follow those links, you can either download the entire package ("Download Release") or download specific packages. The decompiled files are in the dalvik.tar.gz package, and the "PROPRIETARY/CONFIDENTIAL" files are in the external_sonivox.tar.gz package.
LG has the decompiled "acl" files in at least a couple of source availability packages. On the LG source code page you can search for particular devices. If you search for VS740 as the model number, you get a certain LG Ally model, and for LG509TN a certain LG Optimus T model.
Samsung offers source availability packages on opensource.samsung.com. In the "mobile" section you can find all of the source releases for Samsung's Android-based phones and tablets. For some examples of source code packages containing the decompiled "acl" files, see the GT-P1000_OpenSource.zip file or GT-P1000_OpenSource_Update1.zip file (Galaxy Tab), SCH_R880_OpenSource.zip file (Samsung Acclaim), GT-I5800_OpenSource.tar file (Galaxy 3), SCH-I500_OpenSource.zip file (Samsung Fascinate), or the SPH-D700_OpenSource.zip file (Samsung Epic).
Mueller goes on to explain the significance of the discovery of his code:
Just like their counterparts on the Android code website, the make files in those product-specific source code packages may not integrate any Oracle/Sun files into their production build by default. That still doesn't rule out the possibility of them being used in closed-source components, which are commonly added by vendors on top of the open source Android codebase. It also doesn't rule out the possibility of those files being used by device makers for internal purposes such as testing. Whether they just published the files on the Internet or use them in internal and/or external ways, they need a license from the actual right holder.
It seems that not all OEMs have chosen to distribute the files in question:
I haven't been able to check whether the relevant code is also shipped with the devices themselves. However, the online publication of those files is a risk in and of itself, for the reasons I explained. And since other vendors such as Dell and HTC decided to omit those files from their online source distributions, it could be that some of those very sophisticated companies who published the sources did so because they knew they built that code into the related products, or at least weren't absolutely certain that they didn't. It could, of course, be simply an oversight, although that would not make the distribution of those Oracle/Sun files any less copyright-infringing.
So is this a big deal? Mueller thinks so:
Whether they just published the files on the Internet or use them in internal and/or external ways, they need a license from the actual right holder.
So, the bottom-line question is a simple one - has Oracle/Sun licensed the creation and distribution of these files? If there isn't a license, then Engadget's Nilay Patel (who is a copyright lawyer) says, "once you've created or distributed an unauthorized copy, you're liable for infringement."