[LUAU] a different open source issue, from Maui

Tim Newsham newsham at lava.net
Tue Mar 22 10:34:13 PST 2005


> There seem to be a lot more than that one page:
> http://www.drunkenblog.com/drunkenblog-archives/000501.html
> If you follow the links in any of these pages, you can find more and more. 
> Some of this may not be proven in a legal sense, but I think it's unlikely 
> that there's no code shared between the two. I suppose some of these may be 
> libraries automatically added by compilers for all I know, but some of it 
> looks pretty bad.

I also looked over this.  The majority of the evidence on this
page is tied to "same string" type evidence.  I don't think that's
an invalid approach but they never bothered to track down the
source of the common strings.  Are the common strings due to
the pearpc source code or can they be attributed to a common
library or artifacts of compilation?

There are one or two pieces of information that seem more damning;
the best one I've seen is in relation to openvpn and not pearpc
itself.

If these people are serious why don't they do a proper analysis?
Get the pearpc source code.  Identify functions in cherryos
with IDA Pro.  Determine if their function is similar to one
in pearpc and then compare the disassembly with the source code.
Identify common strings between the source code and the cherryos
binary.  Compile the pearpc binary with the same compiler as was
used to build cherryos and compare functions from the pearpc binary
that are from the source code (and not third party libraries)
against the cherryos binary, using the object file relocations as
wildcards.  There are tools out there to help.  There are people
out there who know how to properly analyze binaries.

Also statements along the lines of 'setup your voip phones to
dial the developers number repeatedly' don't help their cause.
If it turns out that cherryos is blatantly stealing, they will
get theirs in court.

> -Eric Hattemer

Tim N.
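
The relocation-as-wildcard comparison described in the message above, as an added Python example that is not part of the original post. The byte strings, relocation offsets and the `min_fixed` threshold are constructed for illustration.

```python
# Added illustration: match a function from a reference build inside a target
# binary, ignoring bytes the linker patches (relocations). Sample data is constructed.

def build_mask(length, relocs):
    """Return a list of booleans: True = byte must match, False = wildcard."""
    mask = [True] * length
    for offset, size in relocs:
        if offset < 0 or offset + size > length:
            raise ValueError(f"relocation {offset}+{size} lies outside the function")
        mask[offset:offset + size] = [False] * size
    return mask

def find_function(ref, relocs, target, min_fixed=8):
    """Return offsets in target where ref matches on every non-relocated byte.

    min_fixed (hypothetical threshold) rejects patterns with too few fixed
    bytes: a bare prologue would match by chance and prove nothing.
    """
    mask = build_mask(len(ref), relocs)
    fixed = [i for i, must_match in enumerate(mask) if must_match]
    if len(fixed) < min_fixed:
        raise ValueError(f"only {len(fixed)} fixed bytes; pattern too weak")
    return [base for base in range(len(target) - len(ref) + 1)
            if all(target[base + i] == ref[i] for i in fixed)]

# Constructed 32-bit x86 function as it appears in an unlinked object file:
# push ebp; mov ebp,esp; push <addr>; call <rel32>; add esp,4; xor eax,eax; pop ebp; ret
REF = bytes.fromhex("558bec68" "00000000" "e8" "00000000" "83c40433c05dc3")
RELOCS = [(4, 4), (9, 4)]  # (offset, size) of the push operand and call target

# Constructed target: padding, a linked copy with addresses filled in, then a
# near miss that differs in a non-relocated byte (add esp,8 instead of add esp,4).
TARGET = (bytes.fromhex("9090909090")
          + bytes.fromhex("558bec68" "10204000" "e8" "a1ffffff" "83c40433c05dc3")
          + bytes.fromhex("cccccc")
          + bytes.fromhex("558bec68" "20204000" "e8" "b2ffffff" "83c40833c05dc3"))

if __name__ == "__main__":
    print("masked match offsets:", find_function(REF, RELOCS, TARGET))
    print("exact match offsets: ", find_function(REF, [], TARGET))
```

An exact byte comparison finds nothing here because linking changed the operand bytes; the masked comparison finds the linked copy and still rejects the near miss.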


