When asked for source code, MediaTek asks for money. They literally charge a Licensing Fee to device manufacturers for Linux Kernel source code.

It's a sad state of affairs when a manufacturer closes off GPL-protected Source Code. It's even sadder when they are providing compiled firmware with several severe security vulnerabilities. It's sadder even still when they require a license fee. This is going on right now with MediaTek (MTK), and it's their standard operating procedure.

2014-03-22

There's a reason you don't see many MTK devices in the US and other regions with stricter license enforcement. They are a lawsuit waiting to happen. MTK disrespects not only their users, but every single Linux kernel developer. They do so in the form of a policy requiring a paid "Source Code License," which is likely the largest load of diarrhea this writer has ever heard of. You see, the Linux Kernel source code is licensed under GPLv2, which absolutely requires that you abide by the terms that include source code release. Failure to abide by the terms legally prevents you from distributing the Linux Kernel at all. Let's take a look at some excerpts:

3. b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; ................

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. ........

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works......

As developers, we have the ability to take code, recompile it, add features, and fix the security incompetence of manufacturers. Some of MTK's devices are loaded with broken features such as Bluetooth PAN buffers, and there are dozens of other examples. MTK's policy is in direct violation of all three of the above points, and it's disheartening when you realize that they think they are providing a service to any customer by way of locked-down and vulnerable chipsets. The reality of the situation is that MTK owes a copy of the full, buildable source code to each individual who purchases a device with the Linux Kernel, and obliging would only help them fix their broken source.

When source is available, issues are identified, troubleshot, and patched. Those who are security conscious can get a jump on patching their devices, and those who aren't can simply wait for the patch to be sent to them. When source is not available, security issues can only be exploited, and patches never make it upstream.