Enforcing the GPL On Software Companies?

Piranhaa"I currently use an IPTV box that runs software by Minerva Networks. When you ssh into the box, you are greeted with a BusyBox v1.00 (ash) shell. It's clearly running a flavor of Linux (uname -apm outputs: Linux minerva_10_0_3_99 2.4.30-tango2-2.7.144.0 #29 Wed Mar 16 16:16:16 CET 2005 mips unknown). However, when you look at their Web site there is no publicly available source code. Since the GPL in both BusyBox and the Linux kernel require that anyone using and distributing the binaries of this software make source available to everyone, what would one do in order to enforce this? I've personally emailed Minerva and left voicemails with no reply."

Not available to everyone

IANAL but as I understand it the GPL requires that source is made available to customers, not everyone. Of course in this case they don't appear to be making it available to customers either.

Re:Not available to everyone

It depends. If they give the source code with the programs, then they can give it only to their customers, and they don't have to give it to anyone else. However if they decide instead to only give a written offer to ask the source with their programs, as allowed by the GPL, then they should give the source code to whoever is asking, not only customers.

Re:Not available to everyone

Yeah, that is correct. I am work for a company which I won't name(Not the company that the OP is talking about) that uses exactly this provision in the GPL to keep Source Code off of the main Website. I know that sounds bad, but the real reason is that we don't actually have 100% of the source code our self.

One of the original developers that worked on this product got lazy and originally most of the smaller parts of the system were actually pulled into the project in binary form from several different Linux distributions. The problem is we too this day don't know for sure where he got all of this stuff. We have been weeding it out of the image as time goes on but I know that even today there are a few things that are just being pulled into new images in binary form. I know that currently most of the stuff still in binary form is stuff that could be replaced with BusyBox but we don't like the busybox version for one reason or another.

But one really interesting thing I have learned is since we actually see all of the code requests come in is that so far nobody has really wanted to the code for a practical reason. All of the requests have been done for "GPL Activism". In the majority of cases when people ask for code they just wanted to see if we would let them have it. I only one case that I know of did anyone go so far as actually getting code. I am rather sure we just shipped him a burned CD with all of the code on it. But after he got it he told us that he didn't really want the code, he just wanted to see if we would give it to him just like all of the other requests.

In most cases these forms of source code dumps don't really give you much of anything useful. What you end-up with is a source code package on company server that may or may not have anything really useful the to rest of the open source community included in it. Someone could diff the public version and these private forks, generate patches and see if anything would be useful to merge into the mainline. But that is a lot of work for something that you don't even know is worthwhile from the get go. I will tell you that the majority of the software included in our firmware isn't modified.

I feel instead that when the company in question makes changes it's FAR more important that they submit patches to the mainline developers for possible inclusion. This is what we are actually doing, we have been working very closely with normal maintainers to add some major new networking features to Linux. And I know patches are going into the mainline version. I guess in the end what would most people rather have... Some files on a webserver that might have something really useful buried inside them or companies working with developers to get new features added to the mainline source code. I feel that this pressure to have source code posted on websites would be better spent trying to actually get a real dialog between these companies and the open source developers. Working with a developer is always going to be harder than just slapping up some source code on a webserver. Which is why I feel that it's just an easy out in many cases but doesn't really help the community.

p.s. Our biggest sort-of competitor also uses open source software... They allow everyone to download the software in binary form. But if you want source code... you have to Wire Transfer ~$50 to former a USSR country... which in and of itself is a violation of the GPL. And given some of the features that they have added is to software packages that they don't even list as being included really makes me wonder what you get for $50...

End User Not Owner?

IANAL but as I understand it the GPL requires that source is made available to customers, not everyone. Of course in this case they don't appear to be making it available to customers either.

What if the end-user, the guy with the box, doesn't own it? Suppose the IPTV company maintains ownership of the box? Than the end-user wouldn't need to be provided with the code?

Re:End User Not Owner?

What if the end-user, the guy with the box, doesn't own it? Suppose the IPTV company maintains ownership of the box? Than the end-user wouldn't need to be provided with the code?

That's what free.fr (a french isp renting box running linux and other GPL software) is doing. But this is sort of a grey area here, the GPL doesn't talk about ownership, it talks about distribution, and this is up to the judge to decide whether it is distribution or not in this case. Here some people are going to sue free.fr because they refuse to distribute the sources they modified, we'll see what happens ...

Re:End User Not Owner?

Working at a company with multiple physically distant colos, our legal dept informed us that we could not alter GPL code and push it to the servers without distributing the source publicly, because copying it over to the physically distant servers could be (and was presumed to be) "distribution". So, even "owning" every box it ran on, and giving binaries to no one else, legal felt distribution was taking place--or at least, felt it was a serious enough interpretation that they wouldn't want us to get sued after assuming it was false.

Re:End User Not Owner?

You may want to send your legal department a copy of the GPL [gnu.org], and possibly a copy of the accompanying FAQ [gnu.org], which explains things in terms simple enough for non-lawyers or even just really confused lawyers to understand.

Notify the authors

You could notify the authors (and copyright holders) of BusyBox [busybox.net].

Unlike Linus, they are pretty strict on companies infringing on the GPL, and have sued (and won) several times.

Take a look at gpl-violations.org [gpl-violations.org] or google "busybox gpl violation" for more information.

Re:Notify the authors

From busybox.net:
"The email address gpl@busybox.net is the recommended way to contact the Software Freedom Law Center to report BusyBox license violations."

Contacting the busybox developers and the SFLC is the first to do. Then post all information you know at the technical mailing list of gpl-violations.org.

thats at least what i did to get to the Hammer MyShare GPL sources -> http://blog.nas-central.org/2008/06/18/on-the-news-gpl-violation-of-bell-supermico/

Big Companies and Hotshot Lawyers

Sometimes companies with hotshot lawyers deliberately put their head in the sand regarding the GPL. They want to use the code but don't want to make their changes public for "intellectual property" reasons, even if it's something as trivial as a few patches to fix some bugs in Linux or some existing drivers. They will "educate" staff as to why they can do what they do with GPL software "legally." The hotshot lawyer has it all figured out, and engineers don't really need to know the details. The excuse is that they "buy their Linux" from a 3rd party so that means that all the conditions of the GPL are not relevant for some lawyerish reason. Oh, and the GPL is "contentious" about what you actually have to do regarding distributing source.

Make sure to notify the FSF and gpl-violations.org

FSF and gpl-violations.org are co-operating closely. gpl-violations and FSF have handled some cases regarding busybox before and have handled them successfully (i.e., out-of-court settlements have been achieved).

And a settlement resulting in GPL compliance - that's what enforcing the GPL is all about.

As Eben Moglen, legal counsel to the FSF for many years, put it (in a keynote address in October 2006):

---
When I went to work for Richard Stallman in 1993, he said to me at the first instruction over enforcing the GPL, "I have a rule. You must never let a request for damages interfere with a settlement for compliance."

I thought about that for a moment and I decided that that instruction meant that I could begin every telephone conversation with a violator of the GPL with magic words: We don't want money. When I spoke those words, life got simpler. The next thing I said was, We don't want publicity.

The third thing I said was, We want compliance. We won't settle for anything less than compliance, and that's all we want.

Now I will show you how to make that ice in the wintertime. And so they gave me compliance.
---

http://www.geof.net/blog/2006/12/10/eben-moglen [geof.net]

Not the first time

Last year BusyBox successfully enforced their copyrights in at least two [groklaw.net] instances [groklaw.net]. While the terms of the settlements have not been disclosed, I'm sure the SFLC will be happy to get involved again.

Re:They is no such requirement...

They are distributing the software and have to provide an offer of the source. I am sure this came up with distributions who were basing their distro off Ubuntu and assumed their customers could get the source from there.

When you think about it, it makes sense. Even if they base their software off a distribution from a known source that source might not be around when it is needed.

Re:They is no such requirement...

Sounds like you need to take the GPL quiz [gnu.org]. This particular issue is addressed in Question 1 of said quiz.

Don't worry, you're definitely not alone in any misunderstandings of the GPL...lots of people think they understand all the legal aspects of it completely when they don't. I used to be guilty myself. Now I just don't claim to know everything about the GPL ;-).

Re:They is no such requirement...

No you don't. If you distribute any version of a GPLed piece of software, you must make the source available upon request to the person you distributed it to. Modification is irrelevant. Modification only matters when you modify something for your own use and do not distribute it- then you don't have to provide source because there's no one to provide it to.

However, this does not mean you need to put it up on a webpage for everyone to download, or provide it on the disk. The GPL requires only a written offer of source code upon request, at a cost of no more than shipping and the media. I have no idea if this particular vendor is complying, but not having a link on their webpage does not mean non-compliance.

Re:To quite true

He requested. Read the summary.

Re:Write to the FSF.

http://www.gpl-violations.org/ [gpl-violations.org]

might be a good place to start.

License enforcement

As the parent says, only the copyright holder can actually take any legal action.

For busybox, you can see on http://busybox.net/license.html [busybox.net] that:

"BusyBox's copyrights are enforced by the Software Freedom Law Center (you can contact them at gpl@busybox.net)"

This an effective process, but a slow one (expect it to take 6 months+ for any response on past experience).

For the linux kernel, lkml is perhaps an appropriate place.

FSF can't help, since they don't own any of the software.

You perhaps want to consider how you're wording your requests. If a polite (or impolite) request for source code has been refused, you might want to try a different track, pointing out that the hardware contains software that they have no valid license to distribute and is hence illegal, and would they like to discuss this further before you contact the copyright owner.

Under copyright law, there is absolutely no requirement for them to provide the source code. One possible legal conclusion is that they pay court decided damages to the copyright owners for illegal distribution to date, and cease further distribution. If they wish to continue distribution, it's likely that they're only available option is to open the source code, especially since their are often multiple copyright holders, especially in the linux kernel.

(Disclaimer, I'm not a lawyer, and some points will vary between jurisdictions.)

Re:License enforcement

I was actually just thinking about this, and here's a thought. If you have actually been damaged by someone refusing to distribute the source code as required by the GPL, you may be able to bring a lawsuit as an intended third-party beneficiary [wikipedia.org] of the contract between the copyright holder and the licensee. If you really want a good time, and you and other people have had small but measurable damages, you could bring a class action.

Re:Have you checked /src/?

# ls /src ls: /src: No such file or directory

First place I checked actually =)

The system only comes with 60MB of non-volatile flash on a jffs(2) filesystem and 32MB are free.

Re: GPL makes me angry.

For a FOSS license GPL seems to be very unfree - imposing restrictions or rules... just a crock of sh!t really. GPL makes me angry. MIT or BSD for the win. GPL for the sux.

WTF?

The GPL applies only to GPL code ... in this case the Linux kernel and the Busybox code. It is a license that lets some people, who did not write that code, nevertheless use the code ... often without any fee. The only "restriction or rule" is that the code must not be hidden if you re-distribute it. Since you received the source code yourself, and you did not write it ... you are obliged to give it to other people under those same conditions.

Why should there not be such a condition? It isn't your code, you didn't write it ... and the source is already public anyway so how on earth does it hurt you to give the source out when you distribute your product?

Re: GPL makes me angry.

Ikarys, you either have a lot of fun trolling this way, or you've not looked into the history of the GPL and the other licenses. Your posting history shows that you enjoy doing these drive-by instigations, but nevertheless, some newer folks on Slashdot may not know enough to realize why some folks say this.

GPL was formed to protect developers and users against restrictive licenses that prevented them from seeing or modifying their programs. It's a bit paranoid, but with reason. The DRM being inflicted on software, the security by obscurity, the locking in of software by refusing to permit non-vendor software to be installed, the refusal to allow others to modify and publish the software, all have been a real problem with other licenses.

GPL has effectively prevent hardware/software lockins, by Netgear and Linksys. The new GPLv3 will block patent lockins, such as those espoused by Microsoft, and DRM lockins, used by Tivo. None of the other licenses would have prevented this. We've also seen very specific abuses of the other licenses already, such as the Microsoft abuse of the MIT license on Kerberos to break non-Microsoft published Kerberos clients. And the GPL has already helped several companies that I'm aware of from simply adding on their own modifications, refusing to publish their modifications, deliberately making it inoperable with other's versions, and locking clients in this way.

The GPL protects the freedom of users, and other developers. The sacrifice of what is not freedom over the software, but power over its modification, comes at the benefit of retaining such power over the rest of GPL freedom, and I find it very handy.

Re:PHB

I know you're joking, but section 6 of the GPL prevents this most commonly by using the phrase: "on a durable physical medium customarily used for software interchange."

The GPL is a very carefully written document.

Re:PHB

It is, isn't it? While Richard Stallman certainly did not write all of it, the document shows his experience and intelligence at dealing with odd interactions. It's what I'd expect from someone so deeply involved in creating gcc and glibc and emacs, and the development of so many other GNU software tools.

Richard does not put in the odd language or strange requirements for no reason: he's usually quite correct in being paranoid of those strange cases, because as an experienced programmer and now an experienced political activist he's seen compelling reasons to handle them specifically. It's why code by older programmers often is longer and more extensive than the simpler, cleaner, but more trusting software written by less experienced developers. The new developers with exciting new approaches often haven't learned the lessons of our experience, and by the time they've done all the patching to avoid the same pitfalls, their code will be as arcane as ours.

Re:Enforce? That's eeeevil!

How can we decry copyrights as evil, when we keep trying to enforce the GPL?

"We" decry copyrights as evil because they reduce the freedom of the end-user.
The GPL uses copyright law to turn that situation around, effectively guaranteeing the freedoms of the end-user.
There is no contradiction.

What if a company wants to use that piece of code, and not release the source for it?

They are free to do so, the GPL does not restrict how a person or a company uses a piece of code.
However, if they wish to distribute it to end-users beyond themselves, then they must ensure that those end users are given the same amount of Freedom that the company received.

Information wants to be free, you know.

Precisely. Free as in Liberty, not as in price.