LaForge's home page (Posts about gpl-violations)https://laforge.gnumonks.org/blog/tags/gpl-violations.atom2022-06-21T07:49:56ZHarald WelteNikolaReport from the Geniatech vs. McHardy GPL violation court hearinghttps://laforge.gnumonks.org/blog/20180307-mchardy-gpl/2018-03-07T00:00:00+01:002018-03-07T00:00:00+01:00Harald Welte<p>Today, I took some time off to attend the court hearing in the <a class="reference external" href="https://www.heise.de/newsticker/meldung/Linux-in-Elektronikgeraeten-Streit-ueber-Lizenzbedingungen-geht-in-naechste-Instanz-3986181.html">appeal
hearing related to a GPL infringement dispute between former netfilter
colleague Partrick McHardy and Geniatech Europe</a></p>
<p>I am not in any way legally involved in the lawsuit on either the
plaintiff or the defendant side. However, as a fellow (former) Linux
kernel developer myself, and a long-term Free Software community member
who strongly believes in the copyleft model, I of course am very
interested in this case.</p>
<div class="section" id="history-of-the-case">
<h2>History of the Case</h2>
<p>This case is about GPL infringements in consumer electronics devices
based on a GNU/Linux operating system, including the Linux kernel and at
least some devices netfilter/iptables. The specific devices in question
are a series of satellite TV receivers built by a Shenzhen (China) based
company Geniatech, which is represented in Europe by Germany-based
Geniatech Europe GmbH.</p>
<p>The Geniatech Europe CEO has openly admitted (out of court) that they
had some GPL incompliance in the past, and that there was failure on
their part that needed to be fixed. However, he was not willing to
accept an overly wide claim in the preliminary injunction against his
company.</p>
<p>The history of the case is that at some point in July 2017, Patrick
McHardy has made a test purchase of a Geniatech Europe product, and
found it infringing the GNU General Public License v2. Apparently no
source code (and/or written offer) had been provide alongside the
binary - a straight-forward violation of the license terms and hence a
violation of copyright. The plaintiff then asked the regional court
of Cologne to issue a preliminary injunction against the defendant,
which was granted on September 8th,2017.</p>
<p>In terms of legal procedure, in Germany, when a plaintiff applies for a
preliminary injunction, it is immediately granted by the court after
brief review of the filing, without previously hearing the defendant in
an oral hearing. If the defendant (like in this case) wishes to appeal
the preliminary injunction, it files an appeal which then results in an
oral hearing. This is what happened, after which the district court of
cologne (Landgericht Koeln) on October 20, 2017 <a class="reference external" href="http://docs.dpaq.de/13314-urteil_lg_k_ln.pdf">issued ruling 14 O 188/17
partially upholding the injunction</a>.</p>
<p>All in all, nothing particularly unusual about this. There is no
dispute about a copyright infringement having existed, and this
generally grants any of the copyright holders the right to have the
infringing party to cease and desist from any further infringement.</p>
<p>However, this injunction has a <em>very wide scope</em>, stating that the
defendant was to cease and desist not only from ever publishing,
selling, offering for download <em>any version of Linux</em> (unless being
compliant to the license). It furthermore asked the defendant to
cease and desist</p>
<ul class="simple">
<li><p><em>from putting hyperlinks on their website to any version of Linux</em></p></li>
<li><p><em>from asking users to download any version of Linux</em></p></li>
</ul>
<p>unless the conditions of the GPL are met, particularly the clauses
related to providing the complete and corresponding source code.</p>
</div>
<div class="section" id="the-appeals-case-at-olg-cologne">
<h2>The appeals case at OLG Cologne</h2>
<p>The defendant now escalated this to the next higher court, the higher
regional court of Cologne (OLG Koeln), asking to withdraw the earlier
ruling of the lower court, i.e. removing the injunction with its current
scope.</p>
<p>The first very positive surprise at the hearing was the depth in which
the OLG court has studied the subject matter of the dispute prior to the
hearing. In the many GPL related court cases that I witnessed so far, it
was by far the most precise analysis of how Linux kernel development
works, and this despite the more than 1000 pages of filings that parties
had made to the court to this point.</p>
<p>Just to give you some examples:</p>
<ul class="simple">
<li><p>the court understood that Linux was created by Linus Torvalds in 1991 and
released under GPL to facilitate the open and collaborative development</p></li>
<li><p>the court recognized that there is no co-authorship / joint authorship
(German: Miturheber) in the Linux kernel as a whole, as it was not a
group of people planning+developing a given program together, but it
is a program that has been released by Linus Torvalds and has since
been edited by more than 15.000 developers without any "grand joint
plan" but rather in successive iterations. This situation constitutes
"editing authorship" (German: Bearbeiterurheber)</p></li>
<li><p>the court further recognized that being listed as "head of the
netfilter core team" or a "subsystem maintainer" doesn't necessarily
mean that one is contributing copyrightable works. Reviewing
thousands of patches doesn't mean you own copyright on them, drawing
an analogy to an editorial office at a publisher.</p></li>
<li><p>the court understood there are plenty of Linux versions that may not
even contain any of Patric McHardy's code (such as older versions)</p></li>
</ul>
<p>After about 35 minutes of the presiding judge explaining the court's
understanding of the case (and how kernel development works), it went on
to summarize the summary of their internal elaboration at the court
prior to the meeting.</p>
<p>In this summary, the presiding judge stated very clearly that they
believe there is some merit to the arguments of the defendant, and that
they would be inclined in a ruling favorable to the defendant based on
their current understanding of the case.</p>
<p>He cited the following main reasons:</p>
<ul class="simple">
<li><p>The Linux kernel development model does not support the claim of
Patrick McHardy having co-authored Linux. In so far, he is only
an <em>editing author</em> (Bearbeiterurheber), and not a co-author.
Nevertheless, even an <em>editing author</em> has the right to ask for cease
and desist, but only on those portions that he authored/edited, and
not on the entire Linux kernel.</p></li>
<li><p>The plaintiff did not sufficiently show what exactly his contributions
were and how they were forming themselves copyrightable works</p></li>
<li><p>The plaintiff did not substantiate what copyrightable contributions he
has made outside of netfilter/iptables. His mere listing as general
networking subsystem maintainer does not clarify what his
copyrightable contributions were</p></li>
<li><p>The plaintiff being a member of the netfilter core team or even the
head of the core team still doesn't support the claim of being a
co-author, as netfilter substantially existed since 1999, three years
before Patrick's first contribution to netfilter, and five years
before joining the core team in 2004.</p></li>
</ul>
<p>So all in all, it was clear that the court also thought the ruling on
all of Linux was too far-fetching.</p>
<p>The court suggested that it might be better to
have regular main proceedings, in which expert witnesses can be called
and real evidence has to be provided, as opposed to the constraints of
the preliminary procedure that was applied currently.</p>
<p>Some other details that were mentioned somewhere during the hearing:</p>
<ul class="simple">
<li><p>Patrick McHardy apparently unilaterally terminated the license to his
works in an e-mail dated 26th of July 2017 towards the defendant.
According to the defendant (and general legal opinion, including my
own position), this is in turn a violation of the GPLv2, as it
only allowed plaintiff to create and publish modified versions of
Linux under the obligation that he licenses his works under GPLv2 to
<em>any third party</em>, including the defendant. The defendant believes
this is abuse of his rights (German: Rechtsmissbraeuchlich).</p></li>
<li><p>sworn affidavits of senior kernel developer Greg Kroah-Hartman and
current netfilter maintainer Pablo Neira were presented in support of
some of the defendants claims. The contents of those are
unfortunately not public, neither is the contents of the sworn
affidavists presented by the plaintiff.</p></li>
<li><p>The defendant has made substantiated claims in his filings that Patrick
McHardy would perform his enforcement activities not with the primary
motivation of achieving license compliance, but as a method to
generate monetary gain. Such claims include that McHardy has acted in
more than 38 cases, in at least one of which he has requested a
contractual penalty of 1.8 million EUR. The total amount of monies
received as contractual penalties was quoted as over 2 million EUR to
this point. Please note that those are claims made by the defendant,
which were just reproduced by the court. The court has not
assessed their validity. However, the presiding judge explicitly
stated that he received a phone calls about this case from a lawyer
known to him personally, who supported that large contractual
penalties are being paid in other related cases.</p></li>
<li><p>One argument by the plaintiff seems to center around being listed as
a general kernel networking maintainer until 2017 (despite his latest
patches being from 2015, and those were netfilter only)</p></li>
</ul>
</div>
<div class="section" id="withdrawal-by-patrick-mchardy">
<h2>Withdrawal by Patrick McHardy</h2>
<p>At some point, the court hearing was temporarily suspended to provide the
legal representation of the plaintiff with the opportunity to have a
Phone call with the plaintiff to decide if they would want to continue
with their request to uphold the preliminary injunction. After a few
minutes, the hearing was resumed, with the plaintiff withdrawing their
request to uphold the injunction.</p>
<p>As a result, the injunction is now withdrawn, and the plaintiff has to
bear all legal costs (court fees, lawyers costs on both sides).</p>
</div>
<div class="section" id="personal-opinion">
<h2>Personal Opinion</h2>
<p>For me, this is all of course a difficult topic. With my history of
being the first to enforce the GNU GPLv2 in (equally German) court,
it is unsurprising that I am in favor of license enforcement being
performed by copyright holders.</p>
<p>I believe individual developers who have contributed to the Linux
kernel should have the right to enforce the license, if needed. It is
important to have distributed copyright, and to avoid a situation where
only one (possibly industry friendly) entity would be able to take
[legal] action.</p>
<p>I'm not arguing for a "too soft" approach. It's almost 15 years since
the first court cases on license violations on (embedded) Linux, and the
fact that the problem still exists today clearly shows the industry is
very far from having solved a seemingly rather simple problem.</p>
<p>On the other hand, such activities must always be oriented to
compliance, and compliance only. Collecting huge amounts of contractual
penalties is questionable. And if it was necessary to collect such huge
amounts to motivate large corporations to be compliant, then this must
be done in the open, with the community knowing about it, and the
proceeds of such contractual penalties must be donated to free software
related entities to prove that personal financial gain is not a
motivation.</p>
<p>The rumors of Patrick performing GPL enforcement for personal financial
gain have been around for years. It was initially very hard for me to
believe. But as more and more about this became known, and Patrick
would refuse to any contact requests by his former netfilter team-mates
as well as the wider kernel community make it hard to avoid drawing
related conclusions.</p>
<p>We do need enforcement, both out of court and in court. But we need it
to happen out of the closet, with the community in the picture, and
without financial gain to individuals. The "principles of community
oriented enforcement" of the Software Freedom Conservancy as well as the
more recent (but much less substantial) kernel enforcement statement
represent the most sane and fair approach for how we as a community
should deal with license violations.</p>
<p>So am I happy with the outcome? Not entirely. It's good that an
over-reaching injunction was removed. But then, a lot of money and
effort was wasted on this, without any verdict/ruling. It would have
been IMHO better to have a court ruling published, in which the
injunction is substantially reduced in scope (e.g. only about netfilter,
or specific versions of the kernel, or specific products, not about
placing hyperlinks, etc.). It would also have been useful to have some
of the other arguments end up in a written ruling of a court, rather
than more or less "evaporating" in the spoken word of the hearing today,
without advancing legal precedent.</p>
</div>
<div class="section" id="lessons-learned-for-the-developer-community">
<h2>Lessons learned for the developer community</h2>
<ul class="simple">
<li><p>In the absence of detailed knowledge on computer programming, legal folks
tend to look at "metadata" more, as this is what they can understand.</p></li>
<li><p>It matters who has which title and when. Should somebody not be
an active maintainer, make sure he's not listed as such.</p></li>
<li><p>If somebody ceases to be a maintainer or developer of a project,
remove him or her from the respective lists immediately, not just
several years later.</p></li>
<li><p>Copyright statements do matter. Make sure you don't merge any patches
adding copyright statements without being sure they are actually valid.</p></li>
</ul>
</div>
<div class="section" id="lessons-learned-for-the-it-industry">
<h2>Lessons learned for the IT industry</h2>
<ul class="simple">
<li><p>There may be people doing GPL enforcement for not-so-noble motives</p></li>
<li><p>Defending yourself against claims in court can very well be worth it,
as opposed to simply settling out of court (presumably for some
money). The <cite>Telefonica case in 2016 <>_</cite> has shown this, as has this
current Geniatech case. The legal system can work, if you give it a
chance.</p></li>
<li><p>Nevertheless, if you have violated the license, and one of the
copyright holders makes a properly substantiated claim, you still will
get injunctions granted against you (and rightfully so). This was
just not done in this case (not properly substantiated, scope of
injunction too wide/coarse).</p></li>
</ul>
</div>
<div class="section" id="dear-patrick">
<h2>Dear Patrick</h2>
<p>For years, your former netfilter colleagues and friends wanted to have a
conversation with you. You have not returned our invitation so far.
Please do reach out to us. We won't bite, but we want to share our
views with you, and show you what implications your actions have not
only on Linux, but also particularly on the personal and professional
lives of the very developers that you worked hand-in-hand with for
a decade. It's your decision what you do with that information afterwards,
but please do give us a chance to talk. We would greatly appreciate if
you'd take up that invitation for such a conversation. Thanks.</p>
</div>Report from the VMware GPL court hearinghttps://laforge.gnumonks.org/blog/20160225-vmware-gpl/2016-02-25T00:00:00+01:002016-02-25T00:00:00+01:00Harald Welte<p>Today, I took some time off to attend the court hearing in the <a class="reference external" href="https://sfconservancy.org/copyleft-compliance/vmware-lawsuit-faq.html">GPL
violation/infringement case that Christoph Hellwig has brought against
VMware</a>.</p>
<p>I am not in any way legally involved in the lawsuit. However, as a
fellow (former) Linux kernel developer myself, and a long-term Free
Software community member who strongly believes in the copyleft model, I
of course am very interested in this case - and of course in an outcome
in favor of the plaintiff. Nevertheless, the below report tries to
provide an un-biased account of what happened at the hearing today, and
does not contain my own opinions on the matter. I can always write
another blog post about that :)</p>
<p>I <a class="reference external" href="http://laforge.gnumonks.org/blog/20151029-vmware_gpl/">blogged about this case before</a> briefly, and
there is a lot of information publicly discussed about the case,
including the information published by the Software Freedom
Conservancy (see the link above, the <a class="reference external" href="https://sfconservancy.org/news/2015/mar/05/vmware-lawsuit/">announcement</a> and the
associated <a class="reference external" href="https://sfconservancy.org/copyleft-compliance/vmware-lawsuit-faq.html">FAQ</a>.</p>
<p>Still, let's quickly summarize the facts:</p>
<ul class="simple">
<li><p>VMware is using parts of the Linux kernel in their proprietary ESXi
product, including the entire SCSI mid-layer, USB support, radix tree
and many, many device drivers.</p></li>
<li><p>as is generally known, Linux is licensed under GNU GPLv2, a
copyleft-style license.</p></li>
<li><p>VMware has modified all the code they took from the Linux kernel and
integrated them into something they call <em>vmklinux</em>.</p></li>
<li><p>VMware has modified their proprietary virtualization OS kernel
<em>vmkernel</em> with specific API/symbol to interact with <em>vmklinux</em></p></li>
<li><p>at least in earlier versions of ESXi, virtually any block device
access has to go through <em>vmklinux</em> and thus the portions of Linux
they took</p></li>
<li><p><em>vmklinux</em> and <em>vmkernel</em> are dynamically linked object files that are
linked together at run-time</p></li>
<li><p>the Linux code they took runs in the same execution context (address
space, stack, control flow) like the <em>vmkernel</em>.</p></li>
</ul>
<p>Ok, now enter the court hearing of today.</p>
<p>Christoph Hellwig was represented by his two German Lawyers,
<a class="reference external" href="http://www.jbb.de/en/attorneys/dr-till-jaeger">Dr. Till Jaeger</a> and
<a class="reference external" href="http://www.jbb.de/en/attorneys/dr-miriam-ballhausen">Dr. Miriam Ballhausen</a>.
VMware was represented by three German lawyers lead by
<a class="reference external" href="http://www.freshfields.com/profiles/matthias_koch/">Matthias Koch</a>,
as well as a US attorney,
<a class="reference external" href="http://www.mofo.com/people/j/jacobs-michael-a">Michael Jacobs</a>
(by means of two simultaneous interpreters). There were also several
members of the in-house US legal team of VMware present, but not
formally representing the defendant in court.</p>
<p>As is unusual for copyright disputes, there was quite some audience
following the court. Next to the VMware entourage, there were also a
couple of fellow Linux kernel developers as well as some German IT press
representatives following the hearing.</p>
<div class="section" id="general-introduction-of-the-presiding-judge">
<h2>General Introduction of the presiding judge</h2>
<p>After some formalities (like the question whether or not a ',' is
missing after the "Inc." in the way it is phrased in the lawsuit), the
presiding judge started with some general remarks</p>
<ul class="simple">
<li><p>the court is well aware of the public (and even international public)
interest in this case</p></li>
<li><p>the court understands there are novel fundamental legal questions
raised that no court - at least no German court - had so far to decide
upon.</p></li>
<li><p>the court also is well aware that the judges on the panel are not
technical experts and thus not well-versed in software development or
computer science. Rather, they are a court specialized on all sorts
of copyright matters, not particularly related to software.</p></li>
<li><p>the court further understands that Linux is a collaborative,
community-developed operating system, and that the development process
is incremental and involves many authors.</p></li>
<li><p>the court understands there is a lot of discussion about interfaces
between different programs or parts of a program, and that there are a
variety of different definitions and many interpretations of what
interfaces are</p></li>
</ul>
</div>
<div class="section" id="presentation-about-the-courts-understanding-of-the-subject-matter">
<h2>Presentation about the courts understanding of the subject matter</h2>
<p>The presiding judge continued to explain what was their understanding of
the subject matter. They understood VMware ESXi serves to virtualize a
computer hardware in order to run multiple copies of the same or of
different versions of operating systems on it. They also understand
that vmkernel is at the core of that virtualization system, and that it
contains something called <em>vmkapi</em> which is an interface towards Linux
device drivers.</p>
<p>However, they misunderstood that this case was somehow an interface
between a Linux guest OS being virtualized on top of vmkernel. It took
both defendant and plaintiff some time to illustrate that in fact this
is not the subject of the lawsuit, and that you can still have portions
of Linux running linked into vmkernel while exclusively only
virtualizing Windows guests on top of vmkernel.</p>
<p>The court went on to share their understanding of the GPLv2 and its
underlying copyleft principle, that it is not about abandoning the
authors' rights but to the contrary exercising copyright. They
understood the license has implications on derivative works and
demonstrated that they had been working with both the German
translation a well as the English language original text of GPLv2. At
least I was sort-of impressed by the way they grasped it - much better
than some of the other courts that I had to deal with in the various
cases I was bringing forward during my gpl-violations.org work before.</p>
<p>They also illustrated that they understood that Christoph Hellwig has
been developing parts of the Linux kernel, and that modified parts of
Linux were now being used in some form in VMware ESXi.</p>
<p>After this general introduction, there was the question of whether or
not both parties would still want to settle before going further. The
court already expected that this would be very unlikely, as it
understood that the dispute serves to resolve fundamental legal
question, and there is hardly any compromise in the middle between
using or not using the Linux code, or between licensing vmkernel under a
GPL compatible license or not. And as expected, there was no indication
from either side that they could see an out-of-court settlement of the
dispute at this point.</p>
</div>
<div class="section" id="discussion-of-specific-legal-issues-standing">
<h2>Discussion of specific Legal Issues (standing)</h2>
<p>In terms of the legal arguments brought forward in hundreds of pages of
legal briefs being filed between the parties, the court summarized:</p>
<ul class="simple">
<li><p>they do not see a problem in the fact that the lawsuit by Christoph
Hellwig may be funded or supported by the Software Freedom
Conservancy. Christoph is acting on his own behalf, using his own
rights.</p></li>
<li><p>they do not see any issues regarding the place of jurisdiction being
placed in Hamburg, Germany, as the defendant is providing the disputed
software via the Internet, which according to German law permits the
plaintiff to choose any court within Germany. The court added, of
course, that whatever verdict it may rule, this verdict will be
limited to the German jurisdiction.</p></li>
<li><p>In terms of the type of authors' right being claimed by the plaintiff,
there was some discussion about paragraph 3 vs. 8 vs. 9 of German
UrhG (the German copyright law). In general it is understood that
the development method of the Linux kernel is a sequential,
incremental development process, and thus it is what we call
<em>Bearbeiterurheberecht</em> (loosely translated as <em>modifying/editing
authors right</em>) that is used by Christoph to make his claim.</p></li>
</ul>
</div>
<div class="section" id="right-to-sue-sufficient-copyrighted-works-of-the-plaintiff">
<h2>Right to sue / sufficient copyrighted works of the plaintiff</h2>
<p>There was quite some debate about the question whether or not the
plaintiff has shown that he actually holds a sufficient amount of
copyrighted materials.</p>
<p>The question here is not, whether Christoph has sufficient copyrightable
contributions on Linux as a whole, but for the matter of this legal case
it is relevant which of his copyrighted works end up in the disputed
product VMware ESXi.</p>
<p>Due to the nature of the development process where lots of developers
make intermittent and incremental changes, it is not as straight-forward
to demonstrate this, as one would hope. You cannot simply print an
entire C file from the source code and mark large portions as being
written by Christoph himself. Rather, lines have been edited again and
again, were shifted, re-structured, re-factored. For a non-developer
like the judges, it is therefore not obvious to decide on this question.</p>
<p>This situation is used by the VMware defense in claiming that overall,
they could only find very few functions that could be attributed to
Christoph, and that this may altogether be only 1% of the Linux code
they use in VMware ESXi.</p>
<p>The court recognized this as difficult, as in German copyright law there
is the concept of <em>fading</em>. If the original work by one author has been
edited to an extent that it is barely recognizable, his original work
has <em>faded</em> and so have his rights. The court did not state whether it
believed that this has happened. To the contrary, the indicated that it
may very well be that only very few lines of code can actually make a
significant impact on the work as a whole. However, it is problematic
for them to decide, as they don't understand source code and software
development.</p>
<p>So if (after further briefs from both sides and deliberation of the
court) this is still an open question, it might very well be the case
that the court would request a techncial expert report to clarify this
to the court.</p>
</div>
<div class="section" id="are-vmklinux-vmkernel-one-program-work-or-multiple-programs-works">
<h2>Are vmklinux + vmkernel one program/work or multiple programs/works?</h2>
<p>Finally, there was some deliberation about the very key question of
whether or not <em>vmkernel</em> and <em>vmklinux</em> were separate programs / works
or one program / work in the sense of copyright law. Unfortunately only
the very surface of this topic could be touched in the hearing, and the
actual technical and legal arguments of both sides could not be heard.</p>
<p>The court clarified that <em>if</em> vmkernel and vmklinux would be considered
as one program, then indeed their use outside of the terms of the GPL
would be an intrusion into the rights of the plaintiff.</p>
<p>The difficulty is how to actually venture into the legal implications of
certain technical software architecture, when the people involved have
no technical knowledge on operating system theory, system-level software
development and compilers/linkers/toolchains.</p>
<p>A lot is thus left to how good and 'believable' the parties can present
their case. It was very clear from the VMware side that they wanted to
down-play the role and proportion of vmkernel and its Linux heritage.
At times their lawyers made statements like <em>linux is this small yellow
box in the left bottom corner</em> (of our diagram). So of course already
the diagrams are drawn in a way to twist the facts according to their
view on reality.</p>
</div>
<div class="section" id="summary">
<h2>Summary</h2>
<ul class="simple">
<li><p>The court seems very much interested in the case and wants to
understand the details</p></li>
<li><p>The court recognizes the general importance of the case and the public
interest in it</p></li>
<li><p>There were some fundamental misunderstandings on the technical
architecture of the software under dispute that could be clarified</p></li>
<li><p>There are actually not that many facts that are disputed between both
sides, except the (key, and difficult) questions on</p>
<ul>
<li><p>does Christoph hold sufficient rights on the code to bring forward the legal case?</p></li>
<li><p>are vmkernel and vmklinux one work or two separate works?</p></li>
</ul>
</li>
</ul>
<p>The remainder of this dispute will thus be centered on the latter two
questions - whether in this court or in any higher courts that may have
to re-visit this subject after either of the parties takes this further,
if the outcome is not in their favor.</p>
<p>In terms of next steps,</p>
<ul class="simple">
<li><p>both parties have until <strong>April 15, 2016</strong> to file further briefs to
follow-up the discussions in the hearing today</p></li>
<li><p>the court scheduled <strong>May 19, 2016</strong> as date of promulgation. However,
this would of course only hold true if the court would reach a clear
decision based on the briefs by then. If there is a need for an
expert, or any witnesses need to be called, then it is likely there
will be further hearings and no verdict will be reached by then.</p></li>
</ul>
</div>The VMware GPL casehttps://laforge.gnumonks.org/blog/20151029-vmware_gpl/2015-10-29T00:00:00+01:002015-10-29T00:00:00+01:00Harald Welte<p>My absence from blogging meant that I didn't really publicly comment on
the continued GPL violations by VMware, and the <a class="reference external" href="https://sfconservancy.org/news/2015/mar/05/vmware-lawsuit/">2015 legal case
that well-known kernel developer Christoph Hellwig has brought forward
against VMware</a>.</p>
<p>The most recent update by the Software Freedom Conservancy on the VMware
GPL case can be found at
<a class="reference external" href="https://sfconservancy.org/news/2015/oct/28/vmware-update/">https://sfconservancy.org/news/2015/oct/28/vmware-update/</a></p>
<p>In case anyone ever doubted: I of course join the ranks of the long
list of Linux developers and other stakeholders that consider VMware's
behavior completely unacceptable, if not outrageous.</p>
<p>For many years they have been linking <em>modified</em> Linux kernel device
drivers and entire kernel subsystems into their proprietary vmkernel
software (part of ESXi). As an excuse, they have added a thin shim
layer under GPLv2 which they call vmklinux. And to make all of this
work, they had to add lots of vmklinux specific API to the proprietary
vmkernel. All the code runs as one program, in one address space, in
the same thread of execution. So basically, it is at the level of the
closest possible form of integration between two pieces of code:
Function calls within the same thread/process.</p>
<p>In order to make all this work, they had to modify their vmkernel,
implement vmklinux and also heavily modify the code they took from Linux
in the first place. So the drivers are not usable with mainline linux
anymore, and vmklinux is not usable without vmkernel either.</p>
<p>If all the above is not a clear indication that multiple pieces of code
form one work/program (and subsequently must be licensed under GNU
GPLv2), what should ever be considered that?</p>
<p>To me, it is probably one of the strongest cases one can find about the
question of derivative works and the GPL(v2). Of course, all my
ramblings have no significance in a court, and the judge may rule based
on reports of questionable technical experts. But I'm convinced if the
court was well-informed and understood the actual situation here, it
would have to rule in favor of Christoph Hellwig and the GPL.</p>
<p>What I really don't get is why VMware puts up the strongest possible
defense one can imagine. Not only did they not back down in lengthy
out-of-court negotiations with the Software Freedom Conservancy, but
also do they defend themselves strongly against the claims in court.</p>
<p>In my many years of doing GPL enforcement, I've rarely seen such a
dedication and strong opposition. This shows the true nature of VMware
as a malicious, unfair entity that gives a damn sh*t about other
peoples' copyright, the Free Software community and its code of conduct
as a whole, and the Linux kernel developers in particular.</p>
<p>So let's hope they waste a lot of money in their legal defense, get a
sufficient amount of negative PR out of this to the point of tainting
their image, and finally obtain a ruling upholding the GPL.</p>
<p>All the best to Christoph and the Conservancy in fighting this fight.
For those readers that want to help their cause, I believe
they are looking for more <a class="reference external" href="https://sfconservancy.org/supporter/">supporter donations</a>.</p>Talk Idea: How to write code to make later enforcement easyhttps://laforge.gnumonks.org/blog/20130204-talk_idea_write_code_for_enforcement/2013-02-04T03:00:00+01:002013-02-04T03:00:00+01:00Harald Welte<p>
During FOSDEM 2013, I spoke with some fellow Free Software developers
about how my knowledge on copyright and specifically legal aspects of
software copyright has influenced the way how I write code, and
particularly how I design architecture of programs.
</p>
<p>
This made me realize that this would probably make a quite interesting
talk at Free Software conferences: How to architect and write code in
order to make later [GPL] enforcement easy.
</p>
<p>
Of course there are all the general and mostly well-known rules like
keeping track of who owns which part of the copyright, having proper
copyright claims and license headers, etc.
</p>
<p>
But I'm more thinking in the sense of: How do I write code in a way to
make sure people extending it in some way with their own code will be
forced to create a derivative work. If that is the case, they will have
absolutely no choice but to also license that under GPL.
</p>
<p>
This is particularly important in the case of GPL licensed libraries.
The common understanding in the community is that writing an executable
program against a GPL licensed library will constitute a derivative work
and thus the main program must be licensed under the GPL, if it is ever
distributed.
</p>
<p>
However, in reality there is of course no precedent, and in some
particular cases, the legal framework, depending on the jurisdiction,
might come to different conclusions if it ever ended up in court. The
claim of a 'derivative work' would be particularly weak if the main
program is only using a set of standard function calls whose function
declarations are the same in many versions of the GPL licensed library
you link against. So let's assume there was a GPL licensed standard C
library for stuff like open(), close(), printf() and the like. I think
it would be very difficult to argue in court that a program written
against those functions and linked against such a library would
constitute a derivative work of the library. As in fact, there are many
other implementations providing the exact same interface, under
different licenses, and the API was not even drafted by the author of
the GPL licensed implementation.
</p>
<p>
So I think there are some things that an author of an (intentionally)
GPL licensed library can do while writing the code, which will later
help him to establish that an executable program is a derived work.
</p>
<p>
The same is true to some extent for executable programs, too. I
very intentionally did not introduce a plug-in interface for BTS drivers
in OpenBSC, even though while technically it would have been possible.
I _want_ somebody who adds code for a different BTS to touch the main
code of the program instead of just writing an external plugin. The
mere fact that he has to edit the main program in order to add a new BTS
driver indicates that he is creating a derivative work.
</p>
<p>
So I'll probably try to submit a talk on this topic to some
upcoming conference[s]. If you think this is an interesting topic and
want me to talk about it at a FOSS related event, please feel free to
send me an e-mail.
</p>Some comments on the heated debate on SFC / Busybox / Linux GPL enforcementhttps://laforge.gnumonks.org/blog/20120209-linux_gpl_enforcement_conservancy_busybox/2012-02-09T03:00:00+01:002012-02-09T03:00:00+01:00Harald Welte<p>
During the past week[s], there has been a <a href="https://lwn.net/Articles/478249/">heated debate</a> on the alleged
methods of GPL enforcement as it is performed by the <a href="http://sfconservancy.org/">Software Freedom Conservancy</a> on
behalf of the Busybox copyright holders.
</p>
<p>
The extent of license enforcement on Busybox has apparently triggered the <a href="http://www.elinux.org/Busybox_replacement_project">proposal to
create a non-GPL replacement for it</a>, which in turn has received
quite harsh responses e.g. from <a href="http://mjg59.dreamwidth.org/10437.html">Matthew Garrett</a>.
</p>
<p>
It's been relatively difficult for me to figure out what is really going
on here. It is well-known that the Free Software Conservancy has been
actively enforcing the GPL on Busybox. But then, at the same time
gpl-violations.org has been (and still is!) similarly active in
enforcing the GPL on the Linux kernel. Still, I haven't yet seen calls
to write a non-GPL Linux kernel replacement. Of course, the complexity
is on an entirely different scale, so this point is moot.
</p>
<p>
However, for quite some time there have been rumors about the intensity
(some would say aggressiveness) of the enforcement. I don't want to
accuse anybody of anything, so I'm going to write speculatively about
it.
</p>
<p>
This post is to summarize my thoughts on all of this:
</p><ul>
<li><p>It is well within the right of each author / copyright holder to
decide on the enforcement strategy and license interpretation. As such,
I respect the decision of the authors. It is their work, they should
decide what to do.
</p></li>
<li><p>In any kind of GPL enforcement, you of course not only want the
complete corresponding source code to one program, but to all of the
GPL/LGPL/AGPL or otherwise copyleft licensed programs contained in the
product. We at gpl-violations.org have always been requesting the
complete corresponding source code to all GPL licensed software during
our communication with the infringing companies. This request was
typically honored by everyone, without the need to apply any pressure
onto it. After all, releasing only one bit of code causes the risk to
get sued by somebody else who owns the other not-yet-compliant part of
the code.</p><p>
Now there have been rumors that SFC was not only requesting non-Busybox
source code, but also making it a condition for the explicit
re-instatement of the license on Busybox. Whether or not there was
such a hard condition is subject to debate and there are different
opinions on it. For those in the field of FOSS licensing, it has always
known that there are different lines of thought with regard to the
requirement to explicit reinstatement. We in Germany generally think
that it is not required at all, and the existing preliminary injunctions
at least implicitly acknowledge that as they enjoin companies from
distributing a product <i>as long as it is not in compliance with the
license</i>. In other (particularly the U.S.), it is generally assumed
that explicit reinstatement is required. In such a case, it may very
well be legally possible to use it as a lever to obtain source code for
other programs like the Linux kernel. However, I am personally not sure
if that really is the right strategy. Not everything that is possible
legally is ethically the right thing to do. But then, ethics and legal
customs differ widely in the FOSS communities, as they do in society in
general. Some countries and communities believe in the death penalty,
others don't. Some countries allow abortion, others don't. Some allow
prostitution, others don't. So when judging about whether that
"reinstatement lever" is acceptable or not, we have to accept that there
may be different lines of thought. I for my part definitely think that
the far superior method is, beyond doubt, to have a rights holder on
those other program in order to make any demand for source code (as
opposed to a mere request without implicit or explicit legal threat).
</p></li>
<li><p>
There also have been rumors about a requirement on submitting future
source code releases to a compliance audit by the Conservancy.
According to SFC sources, there never was any such demand, and the
rumors are likely spawned by some incorrect claims of a defendant in a
court case, which ended up in the public record. If there was such a
requirement, I wouldn't think it is just - at least not for a first-time
non-intentional infringement case. If there was repeated infringement
and a clear sign that it would happen again and again, such a
requirement for future audits may be justified, depending on the case.
</p></li>
<li><p>
People who claim that GPL enforcement is scaring away companies from
using Linux and/or other Free Software also have to be careful in what
they say. If a commercial entity enters a new market (let's say Android
Tablets), then there is a certain due diligence required <i>before</i>
entering that market. So if you don't understand Free Software and
particularly GPL licensing, then you shouldn't place a Linux-based
device on the market. Just think about an analogy: If you have a
recycling company and enter a new market (disposal of hazardous
chemicals), then you cannot simply treat those chemicals as regular
waste, wait until you run into legal trouble and expect to get away with
it.</p><p>
I think there are still far too many GPL violations out there, and we
need to see more enforcement in order to get all the major players in
their respective lines of business into compliance. But come on,
dealing with embedded devices in 2012 and still getting compliance
outright wrong really means that there has not been the least bit of
attention on this subject. And without enforcement, it is never going
to change. People who want no enforcement should simply use
MIT-style licenses.
</p><p>
Last, but not least, I also think GPL compliance is a matter of fair
competition. There are some companies who really do a good job in
ensuring compliance with the various Free Software licenses. If their
competition doesn't invest the funds into the respective skills,
procedures and business processes, they are getting an unfair
competitive advantage against those who are doing it right. If there
was no enforcement, the motivation would be to reduce efforts in
compliance, not increase it.
</p></li>
</ul>
<p>
Let me conclude with a clear statement to anyone who thinks that by
replacing Busybox with a non-GPL licensed project they can evade GPL
enforcement: It will not work. There are others out there enforcing
the GPL. Last but not least gpl-violations.org. Despite the
notoriously outdated webpage, we are still alive and kicking, churning
down on the violation reports that we receive. Armijn Hemel, Joachim
Steiger, Tim Engelhardt, Julia Gebert and Till Jaeger deserve much of
the credit for all that work, while I'm mostly spending each awake
minute hacking <a href="http://osmocom.org/">Free Software for mobile
communications</a>. Yes, we should publish more about our activities,
and I hope to find the time to do so. There should at least be an
annual report with the number of cases...
</p>HTCs delays in releasing Linux source code are unacceptablehttps://laforge.gnumonks.org/blog/20111224-htc-delays-gpl/2011-12-24T03:00:00+01:002011-12-24T03:00:00+01:00Harald Welte<p>
The Taiwanese smart phone maker HTC is widely known to be delaying its
Linux kernel source code releases of their Android products. Initially,
this has been described to to the requirement for source code review,
and making sure that no proprietary portions are ending up in the
release.
</p>
<p>
While the point is sort-of moot from the beginning (there should be no
proprietary portions inside the Linux kernel for a product that wants to
avoid entering any legal grey zone in the first place), I was willing to
accept/tolerate it for some time.
</p>
<p>
At one point more than one year ago, gpl-violations.org actually had the
opportunity to speak in person to senior HTC staff about this. I made
it very clear that this delay is not acceptable, and that they should
quickly fix their processes in order to make sure they reduce that
delay, eventually down to zero.
</p>
<p>
Recently, I received news that the opposite is happening. HTC still has
the same delays, and they are now actually claiming that <i>even a 120 days
delay is in compliance with the license</i>.
</p>
<p>
I do think neither the paying HTC customers, nor tha Free Software
community as a whole have to tolerate those delays. It is true that the
GPLv2 doesn't list a deadline until when the source code has to be
provided, but it is at the same also very clear what the license wants:
To enable people to study the program source code. Especially in todays
rapid smart phone product cycles, 120 days is a <a>very</a> long time.
</p>
<p>
So I hereby declare my patience has ended here. I am determined to
bring those outrageous delays to an end. This will be one of my new
year resolutions for 2012: Use whatever means possible to make HTC
understand that this is not how you can treat Free Software, the
community, its customers, the GPL and in the end, copyright itself.
</p>Back home after successful KOSS Legal Conferencehttps://laforge.gnumonks.org/blog/20111128-review_koss_law_conf/2011-11-28T03:00:00+01:002011-11-28T03:00:00+01:00Harald Welte<p>
The first incarnation of the <a href="http://www.kosslaw.or.kr/conference/conference01.php">KOSS Legal
Conference</a> was a big success. There were many participants from a
variety of backgrounds, such as
</p><ul>
<li>Independent Korean legal experts</li>
<li>Legal scholars from Korean law schools</li>
<li>International legal experts (e.g. Till Jaeger, Carlo Piana, etc.)</li>
<li>Representatives from the major Korean IT industry</li>
<li>Representatives of the community organizations like FSFE</li>
<li>Independent technical experts like Armijn Hemel and myself</li>
</ul>
<p>
The discussions have been a big success, with significant participation
from the floor. There are many events that I attended where it was hard
to actually get any participation from the audience - but the KOSS Law
conference was definitely not one of them. Some of the questions were
easy to respond to, some other questions really tackled the difficult
issues in Free Software License Compliance.
</p>
<p>
What was clear to see from the Industry participants: FOSS License
Compliance has become an important topic in the last couple of years:
One the one hand as a result of virtually no TV set / mobile phone / PMP
or other device running without Linux or other FOSS. On the other hand,
I'm sure that the enforcement efforts of gpl-violations.org and the SFLC
also have had significant impact on that.
</p>
<p>
What I personally find important is that compliance is only considered
as part of the overall FOSS picture. Complying with the license text is
the minimum that companies involved with FOSS should do. Rather, they
should look beyond mere compliance and consider the benefit of engaging
more actively with the community, contribute code back upstream/mainline
and really becoming a first-class citizen of the Free Software world.
</p>
<p>
As a big surprise to everyone, Jim Zemlin of the Linux Foundation made a
surprise visit towards the end of the second day of the conference.
</p>
<p>
Many thanks to the KOSS Law center for bringing this together and
organizing such an event. Thanks also to the Korean NIPA (National IT
Industry Promotion Agency) and the FSFE for their support of the event.
</p>Going to attend Korean FOSS legal conferencehttps://laforge.gnumonks.org/blog/20111108-koss_law_conf/2011-11-08T03:00:00+01:002011-11-08T03:00:00+01:00Harald Welte<p>
Recently I had been invited by the Korean Open Source Software (KOSS) Law
Center to attend their 2011 KOSS conference scheduled for November 17
and 18 in Seoul, Korea.
</p>
<p>
This conference is organized by the KOSS Law Center with support by the
Korean Government (National IT Industry Promotion Agency). Its primary
purpose is to share best practises in terms of FOSS licensing, license
compliance but also FOSS community interaction within the Korean IT
industry and the public sector.
</p>
<p>
I'm happy to present on <i>Beyond Legal Compliance - Embracing the FOSS
community</i>, where I will outline that the primary focus should not be
on to-the-letter legal compliance, but to a proactive way of interacting
with the FOSS community. After all, collaborative development is what
FOSS is all about...
</p>
<p>
However, due to a schedule conflict with the DeepSec 2011 conference in
Vienna (where I'm giving a two-day GSM security workshop), I'm only able
to attend the second day of the KOSS conference.
</p>
<p>
The speaker line-up for the KOSS conference is quite impressive, and it
includes Karsten Gerloff (FSFE), Till Jaeger (JBB), Carlo Piana (FSFE),
Keith Bergelt (OIN), Armijn Hemel (gpl-violations.org/Tjaldur) and others.
</p>
<p>
Unfortunately there seems to be no homepage, at least none with an
English language title that Google would be able to find. Carlo Piana
has <a href="http://piana.eu/koss_conf">mentioned the event in his
blog</a> four days ago.
</p>
<p>
<b>UPDATE:</b> There now is a <a href="http://www.kosslaw.or.kr/conference/conference01.php">conference
page</a>, although in Korean language only ;)
</p>Unbelievable statements in GPL related case in the Supreme Court of Mauritiushttps://laforge.gnumonks.org/blog/20110627-gpl_surpreme_court_mauritius/2011-06-27T03:00:00+02:002011-06-27T03:00:00+02:00Harald Welte<p>
I've recently received some documents regarding a court case at the <a href="http://www.gov.mu/scourt/home/welcome.do">Supreme Court of
Mauritius</a>.
</p>
<p>
The plaintiff is a company called <a href="http://www.linuxsolutions.mu/">Linux Solutions Ltd.</a> in
Mauritius. It seems to be covering an alleged breach of an NDA between
a contracted freelancing developer and a company in Mauritius. That
contractor (the defendant) has apparently published some of the work he
had done while contracting for the plaintiff.
</p>
<p>
While none of that seems to be clearly connected with the GPL, what is
extremely disturbing is the sworn affidavit / oath by one of the
executives of the plaintiff. It says things like:
</p>
<p>
<em>5. Licenses of open-source software like "Linux" and "Asterisk" have
<b>no copyright restrictions</b> which in effect puts <b>no restrictions
on their use or distribution</b>. As a consequence, <b>any work which is
derived from the open source software</b> as conceptualized, created,
installed and managed, by the Applicant <b>becomes the ownership of the
Applicant</b>.</em>
</p>
<p>
<em>6. In the light of the above, therefore, <b>the applications</b>,
configuration files <b>and features so developed by the Applicant are the
sole property of the Applicant</b>, make up the knowledge base of the
Applicant, make the basis of its business operations, and are highly
confident in nature. The applications, configurations and features have
been built and acquired by the Applicant through important capital
investments and manpower over a period of time.</em>
</p>
<p>
So let me phrase this more clearly: Somebody, <b>under oath</b> is
stating at the Supreme Court, that GPL-Licensed software (which the
Linux kernel definitely is), has no copyright restrictions? And
that any derived work is the sole property of whoever created the
derivative? What kind of pot are they smoking in Mauritius?
</p>
<p>
If there's anyone in the Free Software legal community interested in
filing some kind of legal document to the Supreme Court of Mauritius to
clarify this issue, feel free to contact me for more details on the
case. No matter whether the defendant has broken some NDA, I think it's
unacceptable to see such ridiculous claims being made at a Supreme
Court.
</p>
<p>
In case you don't believe it, here are some scanned samples:
<img src="http://laforge.gnumonks.org/misc/linux_solutions_affidavid1.png">
<br>
<img src="http://laforge.gnumonks.org/misc/linux_solutions_affidavid2.png">
</p>AVM trying to spread FUD about the Cybits casehttps://laforge.gnumonks.org/blog/20110624-avm_cybits_gpl_fud/2011-06-24T03:00:00+02:002011-06-24T03:00:00+02:00Harald Welte<p>
Unsurprisingly, <a href="http://www.avm.de/en/news/artikel/2011/AVM_on_the_Cybits_Case.html">AVM
is now trying to claim their legal action is not related to any GPL
violation</a>. This couldn't be further from the truth.
</p>
<p>
In both the court hearings (in two independent cases), AVM has
repeatedly declined to make a clear statement that the modification and
installation of modified version of the GPL-Licensed parts (like Linux)
is acceptable to them.
</p>
<p>
We have raised this question in front of court and out of court, and
AVM was not willing to make such a declaration. If they had, I don't
think I would have had much reason to join the lawsuit on the side of
the defendant.
</p>
<p>
I have no connection to Cybits (the defendant). There has never been
any business or other relationship to them, and they have not been
involved in funding my legal expenses. To be honest, I don't even care
about child filtering software in general, no matter from which vendor.
</p>
<p>
But I do care about the GPL, and the freedoms it grants. The GPL is
intended to allow <i>any third party</i> to modify, recompile,
re-install and run modified versions of the respective GPL licensed
program. Any court order / verdict / judgement that tries to undermine
this freedom is a substantial danger to the Free Software movement - and
as such I will do what I can to prevent it.
</p>
<p>
AVM has stated in front of the court that <i>AVM releases the source
code compliant with the GPL, anyone can download, compile and use it -
just not on OUR hardware</i>. There you can clearly see their attitude:
They see the FritzBox as <i>their</i> hardware. Last time I checked,
the unit is not rented by AVM, but is legally sold to the customer. It
is his decision to do with it what he wants. Under the terms of the
GPL, it is his decision to install whatever software on the hardware,
including modified versions of the GPL licensed Linux kernel.
</p>
<p>
Just imagine a world, where you buy a Laptop from HP, with Windows
pre-installed. Now further imagine that there is a third-party software
vendor (e.g. Canonical with its Ubuntu). Now imagine that HP was suing
Canonical for offering different software that runs on <i>their</i>
hardware. This is the kind of analogy that you need to think about.
</p>
<p>
I don't think AVM is truly understanding the daemons they are calling
here. If they actually manage to get a finally awarded judgement that
deprives third parties of their rights under the GPL, AVM will have
violated the GPL, specifically clause 6: <i>You may not impose any
further restrictions on the recipients' exercise of the rights granted
herein.</i> And what would that mean? That the GPLv2 is revoked and
AVM looses the right to use the GPLv2 licensed software they use in the
product.
</p>Court hearing in the AVM / Cybits / GPL casehttps://laforge.gnumonks.org/blog/20110621-avm_cybits_court_hearing/2011-06-21T03:00:00+02:002011-06-21T03:00:00+02:00Harald Welte<p>
Today was the court hearing at the Berlin district court in the case
that I blogged about yesterday.
</p>
<p>
Nothing really new happened there. AVM still has a number of claims
that I consider extremely dangerous to Free Software in the embedded
market:
</p><ul>
<li><b>collective/aggregate work</b><br>They claim to have some rights on
the collective work of their own proprietary components and the GPL
licensed components. While that may or may not be true, they also argue
that based on such rights, they can legally prevent anyone from
installing modified versions of those GPL licensed components onto the
device. To me, that would clearly be a <i>further restriction</i> under
the GPL, and thus violate the terns of the License.
</li>
<li><b>using rmmod on proprietary kernel module is a modification under
copyright law</b><br>This is where it starts to get really ridiculous.
Both the module unload feature inside the kernel as well as the rmmod
command itself are licensed under GPL. Their sole intended purpose is
to unload modules from the Linux kernel. AVM now claims that the
defendant is violating AVMs copyright because he unloads a proprietary
AVM kernel module. Not only is it legally extremely questionable to
have binary-only kernel modules at all... but then trying to tell other
people they cannot unload such code is outrageous. AVM seems to not
understand that they have _sold_ the device to the user. He can stop
and unload any program on the device. The device is not owned by or
rented by AVM.
</li>
<li><b>copying code from NAND flash to RAM requires explicit
permission from the copyright holder</b><br>Once again, we have a
situation where the user has bought the AVM product. He has obtained a
license to the software programs. Under German copyright law there is
even no requirement to have a license for 'normal use of the program' as
long as the program was obtained lawfully. The CPU on the AVM device
(like any CPU in any computer) can only execute code that's accessible
to the memory/data bus. Code in NAND flash can never be executed
directly, it always has to be copied into RAM before it can be executed.
The claim that this operation requires separate permission by the
copyright holder is wrong. The copying happens as part of the 'normal
use of the program'.
</li>
</ul>
<p>
AVM has filed several other claims against Cybits based on trademark and
competition law. They go as far as to debating whether a certain LED on
the product malfunctions after the user has installed the Cybits
software on the product ;). I don't really want to go into details
here, but I think it's mainly arguing for the sake of the argument. AVM
wants to keep and extend its monopolistic power over those devices, even
after they have been sold. That's where the real anti-competitiveness
here is... If you look at popular alternative firmware projects like
OpenWRT, you will find many vendors and literally hundreds of supported
devices. None of them is from AVM. Isn't that striking, considering
that AVM is told to have > 60% market share in Germany?
</p>
<p>
The court has heard arguments from all sides and is now adjourned.
All parties are now again going to submit lengthy piles of paper to the
court. Within those originating from my lawyers and myself, we will
definitely once again outline our position. AVM can do whatever it
wants, but it cannot use legal means to disallow the legitimate and
intended modification + use of modified versions of GPL licensed code on
their devices.
</p>
<p>
The implications of such a legal win for AVM go way beyond AVM or the
DSL router business. They go all over the embedded market, and include
NAS devices, Android smartphones, e-book readers, etc. Just think about
the implications for OpenWRT, Cyanogenmod, Openinkpot and all the other
firmware modification and 'homebrew' projects out there.
</p>German dsl-router vendor AVM seeks to remove the GPLs freedomshttps://laforge.gnumonks.org/blog/20110620-avm_cybits_gpl_violation/2011-06-20T03:00:00+02:002011-06-20T03:00:00+02:00Harald Welte<p>
Today, there <a href="http://fsfe.org/news/2011/news-20110620-01.en.html">has been a joint press release of
gpl-violations.org and the Free Software Foundation Europe</a> on a
legal battle that has been ongoing for quite some time:
</p>
<p>
The German maker of popular dsl-routers (AVM) is using legal means to
try to halt a third party company (Cybits) from modifying the GPL
licensed components (like the Linux kernel) of AVM-branded routers.
Furthermore, it seeks to ask courts to halt Cybits from distributing
software by which end users can modify that GPL licensed software.
</p>
<p>
This is outrageous! AVM does not own the copyright to that GPL-licensed
software. How can they seek to prevent anyone from exercising their
right to modify the code and run modified versions of it? This is one
of the most fundamental freedoms that Free Software grants its users.
</p>
<p>
In the last lawsuits (preliminary proceedings) that AVM has brought
about, I have intervened on behalf of Cybits. At that time, the court
was impressed and has restricted a previously-granted preliminary
injunction against Cybits to not include any claims regarding the Free
Software portions of the product.
</p>
But meanwhile, AVM has filed for the main/regular proceedings. Tomorrow
(June 21st, 11am), there will be the first hearing at the district
court (Landgericht Berlin, Room 2709, Littenstr. 12-17, Berlin).
<p>
I have applied to be a side intervener in those main proceedings, too.
Given that the previous court accepted this, I assume it will be
accepted in the district court, too.
</p>
<p>
Normally I wouldn't care much if two companies are taking it to court.
But this case is not about Cybits or AVM. This case is about the
fundamental question of whether a device maker using Linux and other GPL
licensed software has the right to use legal means to prevent third
parties from exercising their fundamental rights granted under the GPL.
</p>
<p>
For more information about the case and background information, please
check out <a href="http://fsfe.org/projects/ftf/avm-gpl-violation.en.html">this background page at FSFE</a>.
</p>Interview with German newspaper <i>taz</i> about gpl-violations.org workhttps://laforge.gnumonks.org/blog/20110531-taz_interview/2011-05-31T03:00:00+02:002011-05-31T03:00:00+02:00Harald Welte<p>
There has been an interview for (at least) the online edition of the
German newspaper <i>taz - die tageszeitung</i>. If you understand
German, you can <a href="http://www.taz.de/1/netz/netzoekonomie/artikel/1/es-gibt-klare-regeln/">read
it here</a>.
</p>
<p>
By coincidence, I'm a subscriber to that very same newspaper for more
than 10 years ;)
</p>Apple not providing LGPL webkit source code for latest iOS 4.3.xhttps://laforge.gnumonks.org/blog/20110506-applewebkit_lgpl/2011-05-06T03:00:00+02:002011-05-06T03:00:00+02:00Harald Welte<p>
As some people may know, next to a plethora of BSD licensed code, Apple
is using some LGPL licensed code in their iPhone products.
</p>
<p>
So far, it seems they have always provided the respective source code in
a timely manner for each and every release they have made on a website
<a href="http://www.opensource.apple.com/">www.opensource.apple.com</a>.
</p>
<p>
However, in recent months it seems they have deviated from that policy
for unknown reasons. As <a href="http://zecke.blogspot.com/2011/04/collection-of-webkit-ports.html">my
friend and webkit developer zecke has blogged</a>, Apple has stopped to
release their webkit source code with iOS release 4.3.0. The <a href="http://www.opensource.apple.com/release/ios-43/">corresponding
website</a> simply states: "coming soon".
</p>
<p>
iOS 4.3.0 was released on March 10, 4.3.1 on March 25, 4.3.2 on April 14
and 4.3.3 on May 4. For all of those releases, no source code has been
published.
</p>
<p>
It cannot be a simple oversight, as multiple inquiries have been made to
Apple by interested developers. However, the source code yet has to be
released.
</p>
<p>
I think it is time that Apple gets their act together and becomes more
straight-forward with LGPL compliance. It is not acceptable to delay
the source code release for 8 weeks after shipping a LGPL licensed
software. Especially not, if you have already demonstrated in the past
that you are well aware of the obligations and have a process and a
website to release the corresponding source code under the license
conditions.
</p>Back from the GPL Compliance Engineering Workshop in Taipeihttps://laforge.gnumonks.org/blog/20101212-taiwan_workshop_report/2010-12-12T03:00:00+01:002010-12-12T03:00:00+01:00Harald Welte<p>
I've been a bit over a week in Taipei, mainly to co-present (with Armijn Hemel)
the <a href="http://www.openfoundry.org/en/workshop/details/115">GPL compliance
engineering workshop at Academia Sinica</a>. The workshop was attended by more
than 100 representatives of the local IT industry in Taiwan, from both legal
and engineering departments.
</p>
<p>
I think even only the sheer number of attendees is a great sign to indicate how
important the subject of Free Software license compliance has become in the IT
industry, and specifically in the embedded consumer electronics market.
</p>
<p>
I would like to use this opportunity again to thank the <a href="http://www.iis.sinica.edu.tw/page/research/OpenSourceSoftwareFoundry.html">OSSF
at Academia Sinica</a> for doing a great job in organizing this event.
</p>
<p>
Thanks also to <a href="http://www.upnp-hacks.org/contact.html">Armijn</a>, who
not only does excellent work at gpl-violations.org but also covered the
majority of the presentations at the workshop.
</p>
<p>
So what did I do the remaining week? Lots of meetings, mostly with companies
regarding GPL compliance, but also with old friends like <a href="http://en.qi-hardware.com/wiki/User:Wolfgang_Spraul">Wolfgang Spraul</a> and <a href="http://zecke.blogspot.com/">Holger Freyther</a>
who happened to be in the city at the same time.
</p>
<p>
I also had some very exciting meetings related to my various GSM related FOSS
projects, but it is too early to really say anything about them.
</p>GPL compliance workshop on December 2nd in Taipei, Taiwanhttps://laforge.gnumonks.org/blog/20101026-gpl_compliance_workshop-taiwan/2010-10-26T03:00:00+02:002010-10-26T03:00:00+02:00Harald Welte<p>
The <a href="http://www.iis.sinica.edu.tw/page/research/OpenSourceSoftwareFoundry.html">OSSF</a> at <a href="http://www.sinica.edu.tw">Academia Sinica</a> in Taiwan has kindly organized a full-day <a href="http://www.openfoundry.org/en/workshop/details/115">GPL compliance
workshop on December 2nd</a> in Taipei, Taiwan.
</p>
<p>
Armijn Hemel and myself will be presenting on a variety of topics regarding
GPL compliance, both from an administrative/organizational as well as a
technical compliance engineering point of view.
</p>
<p>
I think this is an excellent opportunity to get in touch with product managers
and engineers in Taiwan's computing and particularly embedded industry. We
definitely still need more awareness in that industry, as the majority of the
products in a variety of IT markets are predominantly designed in Taiwan.
</p>
<p>
So the better the know-how is there, the less GPL violations we will find
further down the supply chain and finally in the retail-stores around the
world.
</p>
<p>
Many thanks to the OSSF at Academia Sinica, and specifically Florence Ko and
Lucien Lin for making this workshop possible [and giving me a reason to come to Taipei again ;) ]
</p>GPL violation reports in HTC G2 Android phonehttps://laforge.gnumonks.org/blog/20101012-htc-g2-linux-gpl/2010-10-12T03:00:00+02:002010-10-12T03:00:00+02:00Harald Welte<p>
There have been various <a href="http://lwn.net/Articles/409548/">reports</a> and
<a href="http://www.freedom-to-tinker.com/blog/sjs/htc-willfully-violates-gpl-t-mobiles-new-g2-android-phone">blog posts</a> about HTC again committing copyright infringement by not fulfilling the GPLv2 license conditions in their latest Android phone, the G2.
</p>
<p>
While at this point I haven't studied the situation enough in order to confirm or
deny any actual violations, let me state this: The number of GPL Violation
reports/allegations that we receive at gpl-violations.org on HTC by far
outnumber the reports that we have ever received about any other case or
company.
</p>
<p>
In addition, HTC seems to have had a long trail of problems with GPL compliance
in their devices. Ever since they have started to ship Android devices containing the Linux kernel, licensed under GPLv2+, we have received those reports.
</p>
<p>
The reason I have never taken any legal action is merely a result of the fact
that HTC seems to first introduce their new devices in the US, then at some
point release the corresponding source code before shipping those devices into
Europe and Germany. So by the time the devices are sold over here, the legal
issues <i>appear</i> to have been resolved before.
</p>
<p>
Nonetheless, I think it is outrageous for a company of this size and
significance in the market to consistently commit copyright violation (or at
least walk borderline with it) and thus mistreat the very copyright holders
that have created the operating system kernel they use in their devices. The
linux kernel developers and the Free Software community as a whole deserve fair
treatment.
</p>
<p>
Also, the competitors of HTC deserve fair treatment: Samsung, e.g.
is very forthcoming with their Android phone source code releases. If I was
them and would see HTC to fail to comply with the GPL, I would consider filing
a unfair competition lawsuit...</p>Dell finally releases sources of GPL licensed software on the Streakhttps://laforge.gnumonks.org/blog/20100913-dell_streak_sources/2010-09-13T03:00:00+02:002010-09-13T03:00:00+02:00Harald Welte<p>
Today I have received news that Dell has released the source code of the
GPL licensed software on the Dell Streak at <a href="http://opensource.dell.com/releases/streak/">http://opensource.dell.com/releases/streak</a>.
This includes, among other things, the source code to the Linux kernel they are
using on the Qualcomm Snapdragon processor.
</p>
<p>
This is good news! However, I have not yet checked if that source code release
can be considered <i>complete and corresponding</i> as demanded by the GPL. At
least it includes a small README file explaining how to build the sources.
</p>
<p>
I'm not very much into the Android world, but I have heard that Dell is already
shipping different Android versions for the Streak. If this is true, then there
should be multiple source code releases, one for each binary release they have.
If you know more about available firmware versions for the streak, feel free to
contact me privately.
</p>
<p>
Overall, it is great to see this release. On the other hand, it is pretty sad
that we've had to do go down the gpl-violations.org enforcement route.
Ever since the Streak released in the US months ago, customers are claiming to have
contacted Dell forums, emailed Dell Support, asked in the Dell live web-chat and
asked via twitter - without the source code being released.
</p>
<p>
Also, if you are under the impression that the Dell GPL source code as it has
been released is incomplete, please let me know the exact technical details of
what you think is missing, or why that source code is not matching what is
running on your device. Thanks in advance.
</p>More GPL enforcement work again.. and a very surreal but important casehttps://laforge.gnumonks.org/blog/20100901-gpl_enforcement/2010-09-01T03:00:00+02:002010-09-01T03:00:00+02:00Harald Welte<p>
In recent days and weeks, I'm doing a bit more work on the gpl-violations.org
project than during the last months and years. I wouldn't say that I'm happy
about that, but well, somebody has to do it :/
</p>
<p>
Right now I'm facing what I'd consider the most outrageous case that I've been
involved so far: A manufacturer of Linux-based embedded devices (no, I will
not name the company) really has the guts to go in front of court and sue
another company for modifying the firmware on those devices. More specifically,
the only modifications to program code are on the GPL licensed parts of the
software. None of the proprietary userspace programs are touched! None of
the proprietary programs are ever distributed either.
</p>
<p>
If that manufacturer would succeed with such a lawsuit, it would create
some very nasty precedent and jeopardize the freedom of users of Linux-based
embedded devices. It would be a direct blow against projects that provide
"homebrew" software for embedded devices, such as OpenWRT and many others.
</p>
<p>
I've seen many weird claims and legal strategies when it comes to companies
trying to deprive developers of their freedom to modify and run modified
versions of Free Software. But this is definitely so weird that I still feel
like I'm in a bad dream. This can't be real. It feels to surreal.
</p>
<p>
It's a pity that I cannot speak up more about the specific company in question
right now. I'm desperately looking forward to the point in time where I can
speak up and speak out about what has been happening behind the scenes.
</p>More thoughts on FSF action against Apple over GNU Gohttps://laforge.gnumonks.org/blog/20100615-more_thoughs_on_fsf_apple/2010-06-15T03:00:00+02:002010-06-15T03:00:00+02:00Harald Welte<p>
Last week, <a href="http://laforge.gnumonks.org/weblog/2010/06/11#20100611-apple_go_gpl_distribution">I blogged about the FSF action against Apple</a>. This week, I intend to add a bit to that.
</p>
<p>
As it has been pointed out to me, Apple has immediately removed the GPL-infringing
software from its app store. This of course means they have refrained from
further infringing the GPL. It is not publicly known if they have made a
declaration to cease and desist or not.
</p>
<p>
So yes, by removing the software that was distributed in violation of the GPL
terms, Apple has done legally the right thing: Reduce the danger/risk of
committing further (knowing) infringement.
</p>
<p>
The FSF (and probably the Free Software community in general) of course want
something else: For Apple to alter their app store terms in a way that would
enable software authors to have Apple distribute their GPL licensed software
in it. While this might be possible very easily with small modifications to
their legal terms and to the implementation of the app store, it is probably
not quite easy to make a legal claim and try to force this upon Apple.
</p>
<p>
Anyone always has the choice to either distribute GPL licensed software
compliant with its license terms - or not distribute it at all. If Apple
prefers the latter, this is very unfortunate (and you might call it anti-social
or even anti-competitive) but something that they can very well do.
</p>
<p>
The only questions that I see remaining from a legal point of view: What about
the previous GPL infringements? What can (and/or has) Apple to do in return
to the previous distribution of infringing software? This is where the legal
pressure of the copyright holders leaves room for negotiation. Instead of
monetary damages (which don't really resolve what the GPL aims to do), there
could possibly be a solution where Apple has to provide the GPL license text and complete corresponding source code to the Go program through their app store.
And while they're at it, they might just solve the <i>distributing source code
for copyleft style licensed software</i> problem in a generic way. Or they
might just decide that they're stupid and stubborn and not interested in
solving any problems in the first place.
</p>My take on the FSF action against Apple over GNU Gohttps://laforge.gnumonks.org/blog/20100611-apple_go_gpl_distribution/2010-06-11T03:00:00+02:002010-06-11T03:00:00+02:00Harald Welte<p>
About two weeks ago, the <a href="http://www.fsf.org/news/2010-05-app-store-compliance">FSF announced that it has taken action against the Apple App Store over their distribution of GNU Go</a>. This has apparently set off some people like <a href="http://opensourcetogo.blogspot.com/">lefty</a> and triggered a length and wide debate.
</p>
<p>
I personally very much support the action the FSF has taken. Anyone involved
in distribution of copyrighted material is required to do due diligence on
checking that he actually has a license to do so. This is not really related
to the GPL.
</p>
<p>
Yes, this means that I can take GPL enforcement action to a retail store that
is selling/distributing infringing products, and I can make them provide a
declaration to cease and desist from further infringements. Of course,
that declaration would only be valid for this single retail store. This is
why in our gpl-violations.org work, we always try to go after whatever entity
is responsible for the majority or all of those infringements, rather than
after a single store owner.
</p>
<p>
The reason for this is simple: In many cases, it is impossible for you as the
rights holder to find out who sold the product to the retail store, and track
the entire supply chain back to whoever caused the GPL violation in the first
place. Also, some of those entities might reside in a different jurisdiction,
so you go after the first element in the supply chain that is in your own
jurisdiction, to minimize the legal risk for you as plaintiff and maximize the
output in terms of your local market.
</p>
<p>
But the case with Apple is different. They are not a small retailer down the
road, but the entity responsible for providing the infringing software to
(almost?) all of its users. They are running that App store as a commercial
company and earn money from running it (even if individual apps might be free
of charge). Free Software and copyleft licenses like the GPL are a very real
phenomenon in the software industry today, so they should better have thought
about a proper solution, not just for GNU Go but for the tens of thousands of
existing GPL licensed software projects which people might want to port or
re-use in iPhone applications.
</p>
<p>
They are already doing all kinds of verification/checking/review of software
for other reasons (things many people might call censoring), and as part of
that process they could just as well determine the license of the software,
and provide a source code download link from their store. What is the big deal?
If they (or other similar app store / market / ... providers) had thought
how to address the problem, there are easy and pragmatic solutions to
solve them in the architecture of such a app store / marketplace system.
</p>
<p>
Also, the fact that the FSF is taking legal steps is not wrong. Even if some
people might dispute whether they actually have a valid case or not (I believe
they do): This is what legal cases are for: To create a clear legal situation
for all participants in the dispute, and to set precedent for future similar
cases. Even only from that point of view it is good that they're doing this case.
At the end of it, the legal situation will be more clear, both for Apple as well
as for people who want to distribute GPL licensed software through their store.
</p>New binary analysis tool for license compliance audits releasedhttps://laforge.gnumonks.org/blog/20100415-binary_analysis_tool_announced/2010-04-15T03:00:00+02:002010-04-15T03:00:00+02:00Harald Welte<p>
My friends at <a href="http://www.loohuis-consulting.nl/">Loohuis
Consulting</a> and <a href="http://www.opendawn.com/">Opendawn</a> have
just announced the first public release of their novel <a href="http://www.binaryanalysis.org/en/home">binary analysis tool</a>.
</p>
<p>
This is a modular (python) framework facilitating the audit of compiled
object code. Using it, you can analyze executable code
(programs/libraries) or entire filesystem images or even complete
firmware images and search it for strings, symbol tables and the like.
Using a corresponding knowledge base, it can match this information
against information derived from software source code and thus give
some indication of whether a particular source code seems to have been
used to create the binary.
</p>
<p>
It doesn't do actual instruction-level analysis or any of that sort, but
it can help to automatize some of the steps that a license compliance
engineer so far had to do entirely manually.
</p>
<p>
Let's hope this is a successful launch and that the project will find
contributors to grow beyond the initial feature-set.
</p>
<p>
Thanks to the <a href="http://www.nlnet.nl/">nlnet foundation</a> and
the <a href="http://www.linuxfoundation.org/">Linux Foundation</a> for
sponsoring this project. I'm sure it will soon become a vital tool in
compliance engineering.
</p>Palm sued over GPL violation in muPDFhttps://laforge.gnumonks.org/blog/20091207-palm_sued_over_gpl_violation/2009-12-07T03:00:00+01:002009-12-07T03:00:00+01:00Harald Welte<p>
As you <a href="http://www.techworld.com.au/article/328719/lawsuit_alleges_palm_pre_violates_copyright">can see in this techworld post</a>.
</p>
<p>
Apparently they are using the GPL licensed muPDF library and link it against
their proprietary PDF viewing application. If that is true, then it would be a
very straight-forward, FAQ-type violation. muPDF is not LGPL but GPL licensed,
thus you cannot create derivative works without licensing them under GPL, too.
</p>
<p>
The whole license management and even software release management at Palm
seems to be very sloppy. For example, based on the object code and disassembly,
I can prove that the source code for libpurpleadapter on opensource.palm.com
does not (or no longer) correspond to the object code that they ship.
</p>
<p>
What's particularly surprising is that Palm actually is forcing Artifex to go
to court over this issue. You would expect such a straight-forward issue
to be resolved fairly quickly and settled out of court, before it ever escalates
or turns into a PR disaster.
</p>
<p>
You would expect a company that is regularly building and releasing firmware
images to have an automatic process that packages the source code as part of the
build process. In fact, Palm uses OpenEmbedded to build their images, and it
is a standard feature of OpenEmbedded to create the corresponding source tarballs
for everything it builds.
</p>
<p>
Furthermore, the Palm kernel contains several binary-only modules that indicate
MODULE_LICENSE("GPL") in it - which is clearly not true. If you inquire about
the sources, they will respond that they will not provide the sources.
</p>Palm Pre GSM model source code availablehttps://laforge.gnumonks.org/blog/20091016-palm_pre_gsm-source_code/2009-10-16T03:00:00+02:002009-10-16T03:00:00+02:00Harald Welte<p>
Last night I got an e-mail by palm, that following-up to my request, the source code releases for the WebOS 1.1.2 and 1.1.3 releases have been uploaded to <a href="http://opensource.palm.com/">opensource.palm.com</a>.
</p>
<p>
I think the response time was very quick, and I thank them for that. However,
still sad that one has to remind them of it. Let's hope with future releases
they have a fully automatic process for that.
</p>
<p>
Just to be very clear: The GPL does not state that you have to automatically
have the source code on a web site. But the way how Palm's written offer is
phrased, they say that you should visit the website to download the sources.
In that case, the web site of course needs to contain the sources...
</p>
<p>
Additionally they also offer the source code on a storage medium, if you write
them snail mail to a specific address - which is a good safeguard since the GPL
says it has to be made available on a storage medium commonly used for software
interchange.
</p>Palm Pre GSM Version sells in Germany - No corresponding source codehttps://laforge.gnumonks.org/blog/20091014-palm_pre_gsm-no_source_code/2009-10-14T03:00:00+02:002009-10-14T03:00:00+02:00Harald Welte<p>
Some 4 months ago, <a href="http://laforge.gnumonks.org/weblog/2009/06/11#20090611-palm_pre-gpl_incompliance">I wrote about Palm shipping the Palm Pre CDMA version in a GPL incompliant
way</a>. You should assume that the company has learned about their mistakes
and created <a href="http://opensource.palm.com/">opensource.palm.com</a> as a
site to host their source code, compliant with the GPL and other Free Software
licenses
</p>
<p>
Yesterday, the Palm Pre GSM model started to ship in Germany through O2
Telefonica. The WebOS version installed on the device is 1.1.2, and they are
doing an OTA upgrade to 1.1.3.
</p>
<p>
Both of those versions are not available on the Palm opensource website!
</p>
<p>
Again the same mistake!
</p>
<p>
I wonder how much this tells us about the development procedures and release
management inside Palm. We know they use OpenEmbedded to build their packages
and filesystem image. OpenEmbedded can automatically generate the source code
tarballs (+ patches), so the entire process of putting them up at the website
could and should be automatized. No manual intervention, no mistakes, no
license violations.
</p>
<p>
I have asked my lawyers to send a letter to Palm, demanding immediate release
of the complete corresponding source code. If they do not comply, I am prepared
to take legal action against O2 who is distributing the devices in Germany. I
desperately hope we do not have to escalate to this point. If we go there, I'd
better not imagine how upset O2 will be about Palm and how this will affect their
business relationship.
</p>
<p>
It is <b>so easy</b> for Palm to have that source code on their website. We
know that for technical reasons (see above). Why are they deliberately exposing
themselves to the legal risk? Why are they willing to accept all the negative
PR from them not respecting copyright and the GPL?
</p>
<p>
Please don't get me wrong. I am not set out to continuously complain about
Palm. I would like to see more Linux phones. But why do they have to do
everything wrong they can do wrong? Why do they not have somebody to advise
them on playing nicely with the legal requirements of the technology they use?
</p>TI tries to stop alternative operating systems on its calculators by the DMCAhttps://laforge.gnumonks.org/blog/20091014-ti_calculators-dmca-eff/2009-10-14T03:00:00+02:002009-10-14T03:00:00+02:00Harald Welte<p>
Apparently, TI has been trying to use the DMCA and U.S. copyright to stop
third-party developers from working on or distributing alternative operating
systems for some of their calculators.
</p>
<p>
The stock OS that TI is shipping uses a cryptographic signature process to
prevent the user from booting any non-TI operating system. However, the
signature verification was broken and people have managed to run their
own software, developed independent from TI's software.
</p>
<p>
TI is not claiming that the DMCA DRM restrictions are applicable to this case,
and that the signature process constitutes a DRM system. This is obviously
bogus to any technical person. The TI firmware is not encrypted, and you can
copy and run it on other hardware or an emulator if you please. The protection
mechanism is rather the other way around: The hardware authenticates the OS.
</p>
<p>
The <a href="http://www.eff.org/">Electronic Frontier Foundation</a> has taken
up the case and is defending some of the affected people from the community
against TI.
</p>
<p>
As you can see <a href="http://www.eff.org/files/filenode/coders/TI%20Claim%20Ltr%20101309.pdf">from the EFF letter to TI</a>, the EFF cites a number of precedent cases where the courts have ruled in very similar cases that such mechanism is not a DRM system on the software.
</p>
<p>
That precedent summarized in the EFF letter is actually very exciting to me.
It is directly applicable to all kinds of locked-down devices. Let's assume
we're talking about a Linux-powered device like the Tivo, Motorola MAGX phones,
the G1 phone (non ADP-Version). They all use GPL Licensed software that is
cryptographically signed to prevent the user from exercising his Freedom to run
modified versions of the GPL licensed program.
</p>
<p>
Precedent that indicates that such a system does not constitute DRM as
protected by the DMCA means there is a lot more freedom for people to break
such systems and freely talk about how it was performed, as well as distribute
alternate software images for the respective devices - as long as the code they
use is either their own or Free Software and does not contain proprietary bits
of the device vendor.
</p>Netgear trying to fool their users with "Open Source Router"https://laforge.gnumonks.org/blog/20091007-netgear_myopenrouter/2009-10-07T03:00:00+02:002009-10-07T03:00:00+02:00Harald Welte<p>
Two days ago, <a href="http://www.netgear.com/">Netgear</a> <a href="http://www.netgear.com/About/PressReleases/en-US/2009/20091005.aspx">has
announced</a> the so-called "Open Source" WNR3500L router, together with an equally "Open Source" <a href="http://www.myopenrouter.com/">MyOpenRouter</a> community.
</p>
<p>
The problem with this <i>Open Source</i> router is: It ships with binary-only kernel modules. Not only is this extremely Closed Source, but it also
</p><ul>
<li>has very practical security implications: You can never update your Linux kernel to get the latest security fixes, but have to run vulnerable old kernel versions</li>
<li>is a very questionable legal practise. Netgear as the vendor is simply
relying on the fact that none of the authors who have written parts of the
kernel against which their binary-only module links will ever make copyright claims against them</li>
</ul>
<p>
One would have hoped that Netgear did thoroughly study the Open Source market
that they're trying to address. Apparently they either did not do that, or
they chose to ignore the values/rules by which this community works, or they had
somebody with limited understanding to advise them on this.
</p>
<p>
If anyone has a relationship with Netgear and contacts to the product manager
responsible for this product, I would like to ask them for an introduction to
that product manager. I would be very happy to help them understand the
embarrassment and PR impact that they are putting themselves into by releasing
an "Open Source" product that is in fact legally questionable and proprietary.
</p>
<p>
There are people in the various communities (like OpenWRT or OpenMoko) who have
a very clear understanding of what it takes to create a true Open Source
product to address the Open Source market. Why are they not asking those
experts?
</p>
<p>
Netgear, you can do much better than that!
</p>GPL case in Denmark potentially involving NDS Viasat A/S and/or Samsunghttps://laforge.gnumonks.org/blog/20090819-gpl_case_in_denmark/2009-08-19T03:00:00+02:002009-08-19T03:00:00+02:00Harald Welte<p>
As you can <a href="http://duff.dk/viasat/">at this website</a>, somebody
has discovered what seems very clear GPL violations in a device called "Samsung
DSB-H670N". At the moment it is not clear who is the actual cause of the GPL
violation.
</p>
<p>
However, what is outstanding about this case is that an individual on its own
tries to bring the respective companies into compliance. I think it serves as
a great example what somebody can do even if he is not one of the clear copyright
holders and just keeps insisting enough and communicating with the companies
involved.
</p>
<p>
I'm definitely looking forward to see how this turns out. gpl-violations was
not involved in any sort. We're continuing with many cases at any time, so
don't worry. I just thought this particular action is worth mentioning to the
interested reader. Maybe some other people get inspired by it and also stand
up for their rights to the source code of GPL licensed programs.
</p>Launch of International FOSS Law Reviewhttps://laforge.gnumonks.org/blog/20090720-foss_law_review/2009-07-20T03:00:00+02:002009-07-20T03:00:00+02:00Harald Welte<p>
I'm a bit late with this, but the occasional reader of my blog might be
interested to hear about the launch of
<a href="http://ifosslr.org/">ifosslr.org: International Free and Open Source
Software Law Review</a>, the only legal journal that focuses entirely on legal
aspects of FOSS, which obviously includes license and specifically GPL related
issues.
</p>
<p>
If you <a href="http://www.ifosslr.org/ifosslr/about/displayMembership/1">look
at the editorial committee</a>, you will realize many prominent names in this
field.
</p><p>
It's very good to see this, as it means that more lawyers now have a resource
for enhancing and sharing their knowledge about legal aspects of FOSS.
</p>
<p>
I have heard about this project from its beginning in the Legal Network of the
FSFE Freedom Task Force. I know there has been a lot of (volunteer) work into
the publication of this first edition/volume. Thanks to everyone involved,
from authors to editors to people who took care of administrative issues.
</p>NerdAlert podcast / radio showhttps://laforge.gnumonks.org/blog/20090708-nerdalert/2009-07-08T03:00:00+02:002009-07-08T03:00:00+02:00Harald Welte<p>
Today, I was invited for an interview with the German <a href="http://nerdalert.de/">nerd alert</a> podcast. The show was also
broadcasted live via the free public FM radio station <a href="http://fsk-hh.org/">FSK Hamburg</a>.
</p>
<p>
Much of the interview is about my work at <a href="http://gpl-violations.org/">gpl-violations.org</a>, but we also covered
quite a bit about <a href="http://www.openmoko.org/">Openmoko</a> as well as <a href="http://openbsc.gnumonks.org/">OpenBSC</a>. I had a good time in the
more-than-one hour interview, despite it somehow being too short to cover
more about the motivation and reasons behind each of the projects....
</p>
<p>
I'm not sure if the podcast is available yet, but I suppose it will be
accessible from <a href="http://nerdalert.de/sendung/2009-07-08">the homepage
of todays show</a>.
</p>ScummVM settles GPL duspute with Mistic softwarehttps://laforge.gnumonks.org/blog/20090620-scummvm_mistic_settlement/2009-06-20T03:00:00+02:002009-06-20T03:00:00+02:00Harald Welte<p>
As you can see <a href="http://www.scummvm.org/news/20090616/">from this press
release</a>, ScummVM alleged Mistic Software and its distributors from infringing
the GNU GPL in some proprietary games based on ScummVM.
</p>
<p>
As it seems, this case was now settled. The press release does not make any
statement on how the actual GPL issues were solved (i.e. "where is the source
code"), but I would assume they would not want to settle unless the conditions
of the GPL are fulfilled...
</p>
<p>
If anyone has more information, I'm interested to learn about that.
</p>I'll be talking about GPL violations at LiSoG on July 1st in Munichhttps://laforge.gnumonks.org/blog/20090616-lisog_july-gpl/2009-06-16T03:00:00+02:002009-06-16T03:00:00+02:00Harald Welte<p>
At the <a href="http://www.lisog.org/Members/Geschaeftsstelle/linux-stammtisch-munchen-juli-2009/">LiSoG meeting on July 1st</a>, I'll be presenting on GPL violations and their international enforcement.
</p>
<p>
The LiSoG meetings have been repeatedly pointed out to me as some of the best
Linux meetings out there, with a lot of professionals from the Munich area
being present. I'm happy to be invited to join and present, even if it means
I'll have to escape for a day from my most exciting project in Hamburg.
</p>
<p>
So if you happen to be in the Munich area and interested in meeting with a
crowd of Linux people and/or interested in hearing about GPL enforcement
efforts, feel free join.. But you have to to register [for free], as per
instructions on the page linked above.
</p>Palm Pre is shipping GPL incomplianthttps://laforge.gnumonks.org/blog/20090611-palm_pre-gpl_incompliance/2009-06-11T03:00:00+02:002009-06-11T03:00:00+02:00Harald Welte<p>
As it has been reported at many places online, the Palm Pre has started to ship
as a CDMA model in the United States. However, as it seems, at this time it is
not GPL compliant and thus a copyright infringement!
</p>
<p>
The Pre undoubtedly contains Linux and other GPL licensed software. So it
ships with the GPL license text as well as a written offer indicating to obtain
the source code. So far so good.
</p>
<p>
But if you contact the respective address, you get a response like this:
</p><pre>
Hello Harald and thanks for your email.
We are in the process of preparing the packages and our modifications
to upload them to our open source web site - http://opensource.palm.com.
We expect to have all packages and modifications uploaded and available
to the public in about 2 weeks from today.
If you prefer to get the packages and our modifications on a CD/DVD,
please provide us with your mailing address and we will gladly ship it to
you as soon as they are available on our web site.
Please let us know if you have any further questions.
All the best,
Palm Open Source Team
</pre>
<p>
I think it is a bad sign that they write they are <i>in the process of
preparing the packages and our modifications</i>. This sounds suspiciously
like "we didn't think about it early enough and now we need to reproduce the
soruce code that was used for actually compiling the build that is installed
on the devices".
</p>
<p>
Since when did the object code exist before the source code? If you compile
e.g. the Linux kernel, you _have_ the source code before you generate the object
code. So you should be easily able to make the source code available at the
same time as the object code!
</p>
<p>
I would have expected much more from a company like Palm. If you as a
commercial entity want to use GPL licensed software, you don't have to pay one
cent in licensing or any royalties. All that you have to do is to make sure
you have the <i>complete corresponding source code</i> that was used for
compiling the actual binaries available at the time you start shipping the
object code.
</p>
<p>
Providing a written offer and then delaying is not good GPL compliance practise
and introduces legal [and thus business] risks that could have been easily
avoided. Let's hope the source code is really <b>complete and corresponding</b>
within those two weeks. And let's hope they never repeat this with another
product, or with software/firmware updates for the Pre.
</p>Some notes about the FSFE FTF Legal Workshophttps://laforge.gnumonks.org/blog/20090424-fsfe_ftf_legal_workshop/2009-04-24T03:00:00+02:002009-04-24T03:00:00+02:00Harald Welte<p>
I'm currently on the train heading back home from Amsterdam, where the last two
days I've been attending the 2009 Legal Workshop of the Legal Network of the
Free Software Foundation Europe.
</p>
<p>
I have to admit that it was a big surprise to me that the constructive
atmosphere and the quality of the presentations, panels and hallway discussions
has even improved beyond the already exceptional level last year.
</p>
<p>
So even if some of the more technical readers of this blog would find it hard
to agree: It can actually be a lot of fun to spend two days locked up in a
conference room full of 40 lawyers :)
</p>
<p>
It was very clear that the Free Software license compliance has moved ahead
quite a bit since its early days. We have had a number of independent lawyers
as well as corporate legal counsels from various backgrounds, as well as
some folks like myself with a very technical background but a vested
interest in legal aspects of FOSS.
</p>
<p>
Let me report on some of the most exciting parts of the workshop, at least
from my perspective:
</p><ul>
<li>An official representative of WIPO reporting on their recent considerations
regarding collaborative creative work such as FOSS and the creative commons
projects</li>
<li>Very insightful talks about software patents and the various new projects
like the Open Innovation Network, LinuxDefenders, Peer-to-Patent, etc.
I believe the significance of this work for the future of FOSS cannot be
underestimated, no matter of which jurisdiction you are in.</li>
<li>This year, two legal experts from Taiwan were attending and received
considerable attention given the many problems that FOSS has both
legally and technically with products from the Taiwanese industry</li>
<li>Last, but not least, I have made some very interesting new contacts from
people involved in Linux on mobile phones</li>
</ul>
<p>
Thanks a lot to the FSFE and particularly Shane's excellent work in putting the
Legal Network and the conference together. Thanks also to the sponsors of the
workshop, including Canonical and Black Duck.
</p>German radio station to talk with me about GPL Violationshttps://laforge.gnumonks.org/blog/20090130-dlf_breitband_saturday/2009-01-30T03:00:00+01:002009-01-30T03:00:00+01:00Harald Welte<p>
Tomorrow at 2pm CET, I'll have a live interview in the <a href="http://www.breitband-online.de/">Breitband</a> show at the nation wide <a href="http://www.dradio.de/">Deutschlandradio</a> station. The show covers the
topic "Open Source and Business", and they want to talk to me for a couple of
minutes about the side-effects of businesses getting involved with
copyleft-style FOSS without respecting the rules as put forward by the
licenses.
</p>Talking to ASUS about preventing further GPL violationshttps://laforge.gnumonks.org/blog/20090119-asus/2009-01-19T03:00:00+01:002009-01-19T03:00:00+01:00Harald Welte<p>
Had a very productive meeting today with various representatives from ASUS
about how to make sure they don't continue their rather unfortunate series
of GPL violations in the last year.
</p>
<p>
It was a very good and productive atmosphere and I'm confident that they
are now committing the required resources and effort in fixing the mostly
organizational issues that prevent them every so often from fulfilling
their obligations under the GPL.
</p>
<p>
But in the end, what counts are hard facts. Let's look at the situation
again in one year and see what kind of progress one of Taiwans leading
companies has made in this regard.
</p>Free Software Foundation lawsuit against Ciscohttps://laforge.gnumonks.org/blog/20081212-fsf_lawsuit_cisco/2008-12-12T03:00:00+01:002008-12-12T03:00:00+01:00Harald Welte<p>
As covered <a href="http://lwn.net/Articles/310899/">at lwn</a> and other sites,
the Free Software Foundation (FSF) has filed a lawsuit against Cisco. This came
as a big surprise to me, but a very welcome one.
</p>
<p>
At gpl-violations.org, we had our fair share of dealing with Cisco (and
particularly Linksys, a Cisco division). Never we have received any entirely
satisfactory response. Sure, when you notify them of some GPL infringement, they
will take some steps here and there. But in all those years, I have not seen
a case where there was a thorough response. Whatever was disclosed as 'GPL
source' was incomplete, didn't compile, and with the next firmware release there
was again no source code for that new release. And then came the next product,
sourced-in from a different OEM, and the entire process had to re-start from
scratch.
</p>
<p>
Yes, they have gone and hired some engineer[s] to explicitly deal with the GPL
related issues, like they have taken other steps in the right direction. But it
was always superficial. Never addressing the problem at the root, i.e. have a
proper in-house business process and supply chain license management to ensure
the next product is not yet again a copyright infringement on GPL licensed
software. It is so easy to resolve at the source, and so hard to fix later.
</p>
<p>
So the FSF's decision to take this problem to court is the most appropriate
response that one can think of. A company of the size of Linksys clearly has
the manpower, skill and resources - as well as the economic power on their
suppliers - to once and all resolve any GPL licensing issues they might have.
Not only to the bare minimum that they might think, but all the way to leave
any legal grey area whatsoever. Only if there is a demonstration of a
_factual_ legal risk rather than a virtual legal risk, they will get the
motivation necessary to just 'stay clean' and not try to bend the license to
its extremes.
</p>
<p>
So you might think "why did you (i.e. gpl-violations.org) not take it to
court?" For once, I only hold copyright on certain parts of the Linux kernel,
and not for large amounts of code they use. Also, a number of the particularly
problematic products were not shipped into the German jurisdiction, and thus
a case could not be made over here. Furthermore, many of the violations are not
as clear black or white as most of the other cases that we take on. So the
amount of work and resources required in such a case would probably draw away
too much attention from all the other cases that we have.
</p>
<p>
But once again, I really welcome the FSF's action. It's funny how the historic
cycle closes. Originally I started gpl-violations.org because I thought the
FSF strategy was not aggressive/efficient enough in making Linksys/Cisco GPL
compliant in the infamous WRT54G case five years ago. Now, it seems that even
the tolerance and patience of the FSF has found an end.
</p>
<p>
Oh, and don't get me wrong: I never wanted to criticize the FSF for what they
did back then. They had and have their own strategy of what they think about
their own copyright. It's just that my strategy was different. It's up to
every author or rights holder to decide which legal strategy fits best.
</p>gpl-violations.org report in Financial Times Deutschlandhttps://laforge.gnumonks.org/blog/20080813-ftd/2008-08-13T03:00:00+02:002008-08-13T03:00:00+02:00Harald Welte<p>
The German business newspaper <i>Financial Times Deutschland</i> has published
<a href="http://www.ftd.de/karriere_management/recht_steuern/:Recht_Steuern_Software_Harald_gegen_Goliath/398129.html">an
article about my GPL enforcement work</a>. To the best of my knowledge, it is
the first such article in a general newspaper. All previous coverage was in
publications or magazines tailored to the IT industry.
</p>
<p>
However, the content is of very low quality, and the actual facts are wrong in
a number of cases. First of all, why go to a personal level and describe myself
as having a 'Harry Potter hairstyle', and then calling me "a mixture between
bill gates and a heavy-metal fan". I hereby deny any similarity with Bill
Gates. I had my hair style like this even in the nineties (before growing it
long around 1997-2000 and then cutting it again in 2001). And I listen to a
lot of weird music, though heavy metal is generally not on my playlist.
Anyway, what is the point of all of that? How does this help people to
evaluate the risk of GPL violations?
</p>
<p>
Further down, the article has claims like "the driver software of the router
also contained some lines of code that were originally written by Welte".
First of all, it is the firmware, not the driver. Secondly, it is more than a
couple of lines (since a couple of lines would probably not constitute a
copyrightable work).
</p>
<p>
The article also explicitly states that I am not fighting for money, but "out
of principle". Despite that, it also claims "The first couple of companies are
shivering expecting the destruction of their book value". That's illogical.
</p>
<p>
Furthermore, there are claims that I have focused on
companies that only used small amount of open source. To the contrary: The
majority of the products that I've enforced so far contain 75% or more open
source software. Only small portions were added by the respective vendors.
</p>
<p>
To the contrary, there was a <a href="http://www.morgenpost.de/berlin/article828349/Wie_Computerhacker_wirklich_sind.html">recent article in the Berliner Morgenpost paper one of the CCC Leaders</a> which was really well-researched and of high quality. Even that one gets some minor facts wrong, but still portrays a realistic picture.
</p>Receiving the 2008 Open Source Awardhttps://laforge.gnumonks.org/blog/20080724-oscon-award/2008-07-24T03:00:00+02:002008-07-24T03:00:00+02:00Harald Welte<p>
According to reports <a href="http://www.softwarefreedom.org/blog/2008/jul/22/welte-award/">here</a>
and <a href="http://google-opensource.blogspot.com/2008/07/and-winners-of-2008-google-oreilly-open.html">here</a>
I had the honor of being the recipient of one of the the <a href="http://code.google.com/opensource/osa-hall-of-fame.html">2008 Google+O'Reilly Open Source Awards</a> entitled <i>Defender of Rights</i>", presented by Google and O'Reilly.
</p>
<p>
I'm obviously very happy to see that my work has been recognized this way.
Following the FSF Award in March, this is definitely a big honor. Did anyone
else receive both awards in the same year so far? ;)
</p>
<p>
Thanks to the committee for the trust they put in my work. I'd also like to
use this opportunity to thank again my lawyer Dr. Till Jaeger and his law firm
<a href="http://www.jbb.de/">JBB</a>, as well as Armijn Hemel, who has been
running the day-to-day gpl-violations.org operations for quite some time now.
</p>Victory: Skype withdraws appeals case, judgement from lower court acceptedhttps://laforge.gnumonks.org/blog/20080508-olg_muenchen-skype/2008-05-08T03:00:00+02:002008-05-08T03:00:00+02:00Harald Welte<p>
The court hearing in the "Welte vs. Skype Technologies SA" case went pretty
well. Initially the court again suggested that the two parties might reach
some form of amicable agreement. We indicated that this has been discussed
before and we're not interested in settling for anything less than full GPL
compliance.
</p>
<p>
The various arguments by Skype supporting their claim that the GPL is violating
German anti-trust legislation as well as further claims aiming at the GPL being
invalid or incompatible with German legislation were not further analyzed by the
court. The court stated that there was not enough arguments and material
brought forward by Skype to support such a claim. And even if there was some
truth to that, then Skype would not be able to still claim usage rights under
that very same license.
</p>
<p>
The lawyer representing Skype still continued to argue for a bit into that
direction, which resulted one of the judges making up an interesting analogy
of something like: "If a publisher wants to publish a book of an author that
wants his book only to be published in a green envelope, then that might seem
odd to you, but still you will have to do it as long as you want to publish the
book and have no other agreement in place".
</p>
<p>
In the end, the court hinted twice that if it was to judge about the case,
Skype would not have very high chances. After a short break, Skype decided to
revoke their appeals case and accept the previous judgement of the lower court
(Landgericht Muenchen I, the decision was in my favor) as the final judgement.
This means that the previous court decision is legally binding to Skype, and we
have successfully won what has probably been the most lengthy and time
consuming case so far.
</p>Tomorrow: Court hearing in Welte vs. Skype GPL casehttps://laforge.gnumonks.org/blog/20080507-olg_muenchen-skype/2008-05-07T03:00:00+02:002008-05-07T03:00:00+02:00Harald Welte<p>
Tomorrow at 10:30am at the <a href="http://www4.justiz.bayern.de/olgm/">Oberlandesgericht Muenchen</a>
(higher regional court of Munich) there will be an oral hearing in the "Welte
vs. Skype Technologies SA" case. The hearing is to be held in room E.06.
</p>
<p>
This case is about a GPL violation of Skype, related to their sales of Wifi
Skype phones based on the Linux operating system kernel.
</p>
<p>
I'm fighting as part of the gpl-violations.org project in enforcing the GPL
against Skype since February 2007. Initially Skype didn't respond, we then
applied for a preliminary injunction. That injunction was granted by the
court in June 2007, but Skype chose to file an appeals case against it.
</p>
<p>
The court hearing tomorrow is exactly to debate about this appeal.
</p>
<p>
Interestingly, Skype is arguing against the validity of the GPL as a whole,
asserting that it is violating anti-trust regulation and similarly strange
claims.
</p>Report from FSFE FTF Licensing and Legal workshophttps://laforge.gnumonks.org/blog/20080412-fsfe_ftf-legal_workshop/2008-04-12T03:00:00+02:002008-04-12T03:00:00+02:00Harald Welte<p>
I'm on seven-hour train ride back from Amsterdam, where I've been attending the
<a href="http://mail.fsfeurope.org/pipermail/press-release/2008q1/000196.html">first Licensing and Legal workshop of the Freedom Task Force (FTF) of the Free Software Foundation Europe (FSFE)</a>.
</p>
<p>
While having a somewhat lengthy name, the FTF has been doing great work on
bringing together a large group of legal and technical experts in the field
of Free Software licensing. So far this was all 'virtual', happening on
mailing lists.` The meeting in Amsterdam was the first of its kind, and was a huge success.
</p>
<p>
By the nature of the FSFE, most of the people were from Europe, though there
were attendees from the US and even Australia, too.
</p>
<p>
There were many interesting and surprisingly interactive workshops. It was
also a good opportunity to meet Armijn (the second half of gpl-violations.org)
and Shane (full-time manager of the FSFE FTF), as well as many lawyers, both
corporate legal counsel and from law firms.
</p>
<p>
The interest in Armijns presentation about gpl-violations.org and Till Jaeger's
overview about the legal cases we've handled over the years in Germany were
very well received and there was more interest and questions than the short
time permitted.
</p>
<p>
What was really good for me to see is that large consumer electronics companies
in Europe and the US are now implementing internal business processes to ensure
GPL and other FOSS license compliance. They're also increasingly using very
clear contractual language throughout their supply chain to minimize the potential
risk of any "hidden" GPL surprises in products they source from OEM/ODM
companies.
</p>Meeting between gpl-violations.org and FSFE FTFhttps://laforge.gnumonks.org/blog/20080202-gplviolations-meeting/2008-02-02T03:00:00+01:002008-02-02T03:00:00+01:00Harald Welte<p>
The last two days, I enjoyed a meeting between <a href="http://gpl-violations.org/">gpl-violations.org</a> and the <a href="http://www.fsfeurope.org/ftf/">FSF Europe Freedom Task Force</a>.
</p>
<p>
Participating were Armijn Hemel (whom I have to thank to assure
gpl-violations.org doesn't die while I was in Taiwan for OpenMoko), Shane
Coughland (who is doing an excellent job coordinating the FTF) and myself.
For a couple of hours we've also been joined by Till Jaeger, who has handled
all the legal cases of gpl-violations.org so far.
</p>
<p>
This meeting has been over-due, mostly because I basically dropped off the
planet for way too long time. We've discussed all the current matters
regarding strategies for license enforcement, current cases, progress of the
FTF legal and technical networks, as well as future plans for incorporating the
gpl-violations.org project.
</p>
<p>
Yes, you have read correctly. I've been planning to do this for quite some
time, and I'm confident that 2008 will finally be the year in which this
happens. It's too early to talk about any details, but this is the logical
step to assure both financial and legal independence of the project from my
person, as well as scalability. As you might know, we have a couple of hundred
reported violations and can only cherry-pick those we consider particularly
important.
</p>
<p>
In any case, it was a very productive meeting. I seriously believe it has
helped to make all of us work together in a coherent manner, i.e. increased
productivity and effectiveness for a long-term strategy to increase the amount
of free software license compliance in the industry.
</p>HTC TyTN II / Kaiser doesn't look like a GPL violation!https://laforge.gnumonks.org/blog/20071214-tytn2_alleged_gpl_violation/2007-12-14T03:00:00+01:002007-12-14T03:00:00+01:00Harald Welte<p>
There have been numerous rumors floating around the net that the HTC TyTN II
(aka Kaiser) might be a GPL violation due to a number of strings in the firmware image referring to Linux and vmlinux.
</p>
<p>
I've done some analysis on this subject, and posted my preliminary results <a href="http://lkml.org/lkml/2007/12/14/105">in this posting to lkml</a> earlier today.
</p>
<p>
So as indicated, I do not see any reason to believe there is a GPL violation
with regard to the Linux kernel in the MSM7200 modem side as used in the
abovementioned device.
</p>
<p>
So please stop those rumors now. I'm obviously not opposed to people being
watchful and report/investigate potential GPL violations. But before you call
it an actual violation, please rather make sure that you have some evidence!
</p>Slowly getting back to work on gpl-violations.orghttps://laforge.gnumonks.org/blog/20071108-rt_cleanup/2007-11-08T03:00:00+01:002007-11-08T03:00:00+01:00Harald Welte<p>
Today I've finally started to pro-actively work on gpl-violations.org again. I
haven't been able to do any work on it for almost 1.5 years due to my intense involvement with <a href="http://www.openmoko.org/">OpenMoko</a>.
</p>
<p>
Among my first tasks was to update the ssl certificate for our internal
Request Tracker, which apparently expired quite some time ago. After that, I
went through all RT tickets and deleted tons of spam from it. Now it finally
looks like I can start working with it again :)
</p>
<p>
I'm also trying to catch up with all the gpl-violations.org related email, but
please give me a couple of weeks, there's just way too much of it :(
</p>Some more thoughts on the results of GPL enforcementhttps://laforge.gnumonks.org/blog/20061030-gpl-devices/2006-10-30T03:00:00+01:002006-10-30T03:00:00+01:00Harald Welte<p>
Just a small personal note: Yes, this blog is currently seeing close to no
updates. This is because I'm literally working every minute that I'm awake,
with no time for anything else.
</p>
<p>
But to get to the main point of this entry: The results we see from GPL
enforcement. I don't want to write about the legal results, since they have
always been successful, in 100+ violations that I've been dealing with so far.
</p>
<p>
I'd rather want to talk about other results. They mainly fall into two
categories:
</p>
<p>
<b>Structural results</b>, how I like to call them, show that the vendors
/ "the industry" now understand the GPL [better] and thus adopt policies and
business practises that are more likely to be GPL compliant from now on. This
is good, since it has the potential to prevent further GPL violations down the
road, presuming license compliance is something that we value and strive for.
</p>
<p>
But how does Free Software actually benefit from GPL enforcement? I'm talking
about the actual software, and not the movement, the community, the advocates,
etc.
</p>
<p>
How many times have you seen some code coming out of a "GPL code release" from
one of the many (mostly embedded) vendors that was actually useful to be
contributed back to an existing Free Software project, or even that spawned a
new Free Software project? I for my part am certain to say: Zero. The actual
number might be close to zero, but very small anyways.
</p>
<p>
The next logical question is to ask ourselves, why it is like that. First of
all, the code quality is usually extremely bad. Looking at kernel patches from
the various vendors, I'd say the code quality is _by far_ off any scale that
would ever even remotely be considered to be suitable for upstream inclusion.
Not only do those vendors not care about any CodingStyle (which could be easily
fixed), but they ignore any existing standard API's (why use them if we can
reinvent our own?), don't ever spend a single second on portability issues such
as SMP, DMA safe allocations, endian issues, 32/64bit, etc. This code is
"throw-away software". Fire and forget. The complete opposite of the
long-term maintainability goals of about any FOSS project I know.
</p>
<p> I would be the most embarrassed man if I ever was involved with any such
software. Having your name associated with such poor quality would be like a
stigma. Any technical person would laugh. And yet, the managers of those
respective companies proudly announce the availability of their so-called "GPL
code releases". If they only understood how ridiculous they make themselves in
the technical community. It's like if they were proudly presenting a drawing
from a three-year-old kid as the new Picasso. They just don't notice because
the number of people with a taste of art is apparently larger than the number
of people with a taste of source code quality and aesthetics.
</p>
<p>
The next big problem is the perpetual preference of vendors, even in a market
with only six month product life-cycles, to use ages old software to base their
code on. Of what use is e.g. an obscure netfilter patch that was developed
against kernel 2.4.18, something that is many years old and of no relevance to
current stable kernels or even current development?
</p>
<p>
Now you might argue "What about projects like OpenWRT?". While they are no
doubt very useful, it is quite simple. Those projects mainly benefit only the
customers of the (probably formerly GPL infringing) embedded devices.
Therefore, they benefit specific customers, and not Free Software Users in
general. Even if OpenWRT or others invest huge amounts of work and manage to
clean up / re-implement some of the awkward sources released by embedded
manufacturer X, and push it into the upstream project (e.g. Linux kernel), it
is something that most often only a very specific user base that benefits from
it. All the really interesting bits, if there are any at all, are kept
proprietary by the respective manufacturers, using legally extremely
questionable practises such as binary-only kernel modules.
</p>
<p>
If one thinks a bit more, this whole sad process could have envisioned before.
It's a myth to believe that Linux and other FOSS is so popular in the embedded
market because vendors think it is more reliable, or secure, or even because of
the maintainability, audit-ability, or even the benefits that users and
developers get from being able to run modified versions of the software. If
they were, we would see clean code and regular security updates. In reality
almost every product is one gaping security nightmare. None of those potential benefits are of any interest to embedded vendors.
</p>
<p>
The response to the 'why' question is quite simple: They use GNU/Linux because
this way they can avoid per-unit royalties that are very popular with
alternative (proprietary) embedded OS's. It's a cheap commodity. Thus, it's
not surprising how they treat GPL compliance. Disgruntled, not understanding
the issues behind, releasing only the most incomplete non-building source code
snippets that make any reasonable developer vomit at first sight. And since
they themselves lack the skilled developers internally (they're not cheap!),
their management goes ahead and releases something that is embarrassing. If I
wanted to evaluate the technical skill-set of a company before making
large-scale business with them, I'd [have somebody] look at their source code
releases. It can tell a lot about technical expertise and corporate style :)
</p>
<p>
Please don't get me wrong. I'm not complaining that there is any legal
shortcoming in those "GPL Code Releases" though there often is, but that is not
the point of this article). But if somebody asks me, how much the actual Free
Software source code benefits from the code that was released by the vendors,
my honest reply would be simple and sad: None.
</p>
<p>
While this whole post might sound bitter and resignated, and like I wanted to
give up GPL enforcement since it's not worth it: This is not the message that
I want to put out. GPL enforcement remains important. I never assumed that
there would be a lot of actual mainline-mergeable source code coming out of it,
so I'm not disappointed with the enforcement. I just have the constant feeling
that many people are driven by misconceptions, and nobody outside the hacker
community really knows what's going on on a technical level.
</p>gpl-violations.org prevails in court case against D-Link on the GPLhttps://laforge.gnumonks.org/blog/20060922-dlink-verdict/2006-09-22T03:00:00+02:002006-09-22T03:00:00+02:00Harald Welte<p>
A couple of weeks ago, I <a href="http://gnumonks.org/~laforge/weblog/2006/09/07#20060907-victory">mentioned
in this blog</a> that there was legal victory in a ground-breaking court case
on the validity and enforcibility of the GPL.
</p>
<p>
Today, I have <a href="http://gpl-violations.org/news/20060922-dlink-judgement_frankfurt.html">released this press release</a> stating some more details on the case, including the name of the defendant: D-Link.
</p>
<p>
I'm quite happy to see that our arguments have convinced the court outright,
and that we didn't have to go through a lengthy procedure of calling several
prominent kernel developers as witnesses, and getting statements from technical
experts or the like.
</p>
<p>
If you're interested in the (German) judgement of 16 pages, you can find it <a href="http://www.jbb.de/urteil_lg_frankfurt_gpl.pdf">at my lawyers'
website</a>. An English translation is in the works, but will take another
week or so.
</p>
<p>
We've already received some press coverage, mainly in Germany so far.
Interestingly, in a <a href="http://www.heise.de/newsticker/meldung/78541">statement of D-Link quoted
by heise.de</a>, D-Link seems determined to not take this to a higher court...
which means that this judgement will soon be considered legally binding,
and be one more tiny step in the clarification of legal questions on the GPL.
</p>
<p>
I'd like to thank my fellow developers Werner Almesberger and David Woodhouse,
as well as my lawyer Dr. Till Jaeger and his colleagues for all their support
and work. A lot of time and effort was spent in preparation of this case, and
as it turned out, exactly that preparation brought the case to a quick ending.
</p>Victory!https://laforge.gnumonks.org/blog/20060907-victory/2006-09-07T03:00:00+02:002006-09-07T03:00:00+02:00Harald Welte<p>
Today I have receive news that we've won the first regular civil court case on
the GPL in Germany. This is really good news, since so far we've only had a
hand full of preliminary injunctions been granted (and an appeal case against
an injunction), but not a regular civil trial.
</p>
<p>
The judge has ruled, but the details of the court order have not been publicised yet.
I'll publicised the full details as soon as thus details are available in the
next couple of weeks.
</p>
<p>
[p.s.: If you're from the press: Don't bother asking me about further details
on who the defendant was, or whatever else. Patience. All shall be revealed
soon]
</p>10 common misunderstandings about the GPLhttps://laforge.gnumonks.org/blog/20060831-10_misconceptions_gpl/2006-08-31T03:00:00+02:002006-08-31T03:00:00+02:00Harald Welte<p>
I'd just like to point out the excellent <a href="http://www.itmanagersjournal.com/article.pl?sid=06/08/21/1659203">article on
10 common misunderstandings about the GPL</a> by Bruce Byfield.
</p>
<p>
Meanwhile I'm still working in India, just returned back from Mumbai to
Bangalore. Two more days and I'll be back to Germany. For one week, at least.
</p>GPLv3 conference in bangalorehttps://laforge.gnumonks.org/blog/20060828-gplv3-bangalore/2006-08-28T03:00:00+02:002006-08-28T03:00:00+02:00Harald Welte<p>
It's already four days ago, but I just couldn't find some time to write about
it in this blog. The 4th international conference on GPLv3, held in Bangalore/India.
</p>
<p>
I've been to three of those four confrences now, and I guess that makes me the
only one apart from the FSF to judge how it actually went, compared to other events.
</p>
<p>
And I'm sorry that I have to say that it was by far the worst of these events :(
</p><ul>
<li>They closed down registration at some fixed limit (270?) because the auditorium couldn't
hold more people. However, since the registration was free, only 50% fo the people who
registered were actually present. And this at the expense of people apparently have been
turned away after the quota was filled. Now we had a half-empty auditorium, and people
who wanted to come but were rejected.
</li>
<li>The programme. Basically RMS and Eben did not only give there usual (every time updated)
great presentations on the spirit and the wording of the current license draft. But then
they were kept alone on the stage to reply to questions for about the same time. Nobody
else but them was giving any presentations on something that is really GPL<b>v3</b> related.
</li>
<li>The panels. What is the point of a "business panel" if all(most) you have
represented there is some small three-men-in-a-garage companies that are run by
free software enthusiasts? Where have beeen the Infosys, Wipro, ... companies?
Don't they have something to say about the GPLv3?
</li>
<li>The audience. How can you come to a conference on the <b>GPLv3</b> and then ask questions
that <ul>
<li> everybody knows will upset rms because they use Linxu with no GNU/ in front</li>
<li> are totally unrelated (how can I make Autocad work on Linux </li>
<li> reveal that you haven't even bothered reading the GPLv3 draft </li>
</ul>
Where were the GPL-savyy lawyers, free software developers and industry representatives
that had made their way to the Barcelona and Porto Alegre event?
</li>
<li>The [non-existing] moderation. Why was there nobody stopping all that
off-topic crap like endless discussions on why gnucash isn't conforming the
Indian accounting standards. I'm sure those are important problems to be
adressed (and somebody should just hack that code into gnucash if he has a need
for it). But who the hell cares about this on a conference specialized to
<b>license</b> questions?
</li>
</ul>Travelling to a gpl-violations.org related court hearing tomorrowhttps://laforge.gnumonks.org/blog/20060725-court_hearing/2006-07-25T03:00:00+02:002006-07-25T03:00:00+02:00Harald Welte<p>
Tomorrow morning I'll have the pleasure of travelling to Frankfurt,
where the first court hearing in a particular gpl-violations.org case will
happen.
</p>
<p>
Those of you who follow my actions closely (closer than the practically
non-existing PR work of gpl-violations.org allows) will notice that this is
actually the first 'regular court case'. So far we settled everything either
out-of-court, or sooner or later after a preliminary injunction, or an appeals
case thereof.
</p>
<p>
In this particular case the defendant claims that the GPL is not applicable to
them for a number of reasons, but at the same time argues that he still has the
right to use the software, despite not having obtained any kind of license.
</p>
<p>
I don't yet wan to disclose the identity of the defendant yet, but I'll
certainly post some more information on this pretty soon. You will all know
the company, though. A very popular vendor of embedded networking gear.
</p>Interview on gpl-violations.org with groklaw.nethttps://laforge.gnumonks.org/blog/20060627-interview-groklaw/2006-06-27T03:00:00+02:002006-06-27T03:00:00+02:00Harald Welte<p>
There seems to be "interview season", since just after the <a href="http://gnumonks.org/~laforge/weblog/2006/06/19#20060619-interview-lwn">lwn.net
interview</a>, <a href="http://www.groklaw.net/">groklaw.net</a> has now
published <a href="http://www.groklaw.net/article.php?story=20060626155526285">this
interview</a> with me on gpl-violations.org.
</p>
<p>
The interview was taken by Sean Daly, who has also been taking care of the
audio and video recordings at the <a href="http://www.germany.fsfeurope.org/projects/gplv3/europe-gplv3-conference">3rd
international GPLv3 Conference in Barcelona</a> last week.
</p>
<p>
Let's hope that those interviews will raise some more awareness and prevent more
violations from ever ending up in our request tracker.
</p>LWN publishes gpl-violations.org related interviewhttps://laforge.gnumonks.org/blog/20060619-interview-lwn/2006-06-19T03:00:00+02:002006-06-19T03:00:00+02:00Harald Welte<p>
<a href="http://lwn.net">Linux Weekly News</a> has just published <a href="http://lwn.net/SubscriberLink/186944/0ccd89b5598e797f/">the second part of an interview with
me</a>. This part is on <a href="http://gpl-violations.org/">gpl-violations.org</a>.
</p>Meeting up with Armijn Hemelhttps://laforge.gnumonks.org/blog/20060403-armijn/2006-04-03T03:00:00+02:002006-04-03T03:00:00+02:00Harald Welte<p>
During my short trip to Amsterdam, I had a chance to meet with Armijn for a
couple of hours. It's always good to meet people face-to-face when you're working
with them a lot, especially on delicate issues such as GPL enforcement.
</p>
<p>
We've decided on how to optimize our work-flow and how to improve internal
documentation of the individual cases. The usual thing when you're used to working
on something alone (i.e. knowing everything off your head) as opposed to other
people getting involved, etc.
</p>
<p>
Anyway, I'm extremely pleased that somebody is helping me out. There's also
another friend of mine who's starting to get involved in the project, mainly on
technical issues such as verification of the source code offered by the various
(formerly?) infringing entities.
</p>OpenWRT terminates GPL License to SveaSofthttps://laforge.gnumonks.org/blog/20060327-openwrt_sveasoft/2006-03-27T03:00:00+02:002006-03-27T03:00:00+02:00Harald Welte<p>
It might not be something new to you at all, but it was new to me, since it
happened during my holidays: <a href="http://openwrt.org/?p=27">OpenWRT has
sent SveaSoft a note of terminating of rights under the GPL</a>.
</p>
<p>
I've had SveaSoft on my radar several times, but the whole situation seems to
be so messy, and there seems to be a history of different violations with each
and every release they made. Also, there seems to be quite some confusion on
the whereabouts of the developer[s?], which makes it difficult to find an
applicable jurisdiction.
</p>How to boot your own kernel on the Thecus N2100 - and prove it violates the GPLhttps://laforge.gnumonks.org/blog/20060224-thecus/2006-02-24T03:00:00+01:002006-02-24T03:00:00+01:00Harald Welte<p>
My latest candidate for gpl-violations.org (and hopefully the last before
finally leaving for holidays): The <a href="http://www.thecus.com/">Thecus</a>
N2100 and N4100 NAS devices.
</p>
<p>
The Thecus boxes seem nice, at first sight. Apparently somebody recognized the
need for a bit more performance, so there's an Intel IOP 80219 with 64bit PCI-X
support, DDR400 memory (actually in a socket), an empty miniPCI slot (great!),
USB2.0 ports, and SATA (yay). This should definitely be more promising than the
usual 33MHz 32bit PCI / IDE / MIPS / SDRAM based smaller NAS boxes. The only
thing really lacking with those Intel I/O processors is a hardware crypto unit.
Who wants to have unencrypted storage these days?
</p>
<p>
Looking at the software, the problems start. First, there is no NFS support.
iTunes, SMB/CIFS, HTTP, FTP - but no NFS :( Secondly, the web configuration
frontend requires flash. Duh! How can you use something as ugly and
proprietary as flash for something as simple as a web configuration frontend
for an embedded box. God knows.
</p>
<p>
Anyway, let's get back to the GPL issue. As usual, I cannot make such a claim
without verifying it. First of all, the devices (and their firmware updates)
ship without a copy of the GPL, any indication that GPL licensed software was
used, no written offer and no source code.
</p>
<p>
But well, where the heck do I know from (and can prove) that they actually run
Linux? I won't disclose the reason for my initial hints, since I don't want
future vendors of future products to know how they can avoid me ;)
But anyway, let's assume I was surprised to see a nmap fingerprint that
indicates Linux on the box and now want to go further.
</p>
<p>
Looking at the firmware update images, they appear to be scrambled / encrypted
somehow. At least there is no gzip/bzip2/LZMA/ext3/cramfs/romfs/... signature
to be found in them. And even if the firmware updates contain Linux, this
doesn't actually prove anything about the software pre-installed on the device.
</p>
<p>
The running device also doesn't offer any ports apart from the SMB-related ones
and http(s). So we're stuck.
</p>
<p>
This is where I usually take the device apart, carefully analyze it's hardware and
go looking for a serial port with my Oscilloscope probe. Unfortunately the PCB
of the N2100 didn't seem to have one. It took me some time to figure out that the
serial port connector (there's actually a standard 9pin header) is on the SATA
backplane rather than on the CPU board ;)
</p>
<p>
Hooking up a serial console, you can see RedBoot wait for one second and then execute
a boot script that loads initrd and kernel, finally executes it. Yay!. Too bad that
the actual kernel seems to lack support for a serial console. So all you get
is the 'Uncompressing
Linux.........................................................................................
done, booting the kernel.' line. Together with the firmware scrambling/crypto,
this is definitely an attempt to hide the use of GPL licensed software and/or otherwise
lock the user out of the device.
</p>
<p>
Unfortunately hex-dumping the whole memory contents from RedBoot via the serial port,
and parsing it on the host side seemed like a rather clumsy - and otherwise
unproductive approach to finding proof of GPL licensed software in the device.
</p>
<p>
Luckily, you can interrupt RedBoot and configure the network device, set up
TFTP, cross-compile a kernel for the IOP 80219, and boot that. After some twisting
of the .config, I got it to boot without any crashes, and even the RedBoot partition
table is correctly recognized and parsed.
</p>
<p>
So now I'm running Linux on the device, great. But still I can't prove that the
device actually ships GPL licensed software in an incompliant way. So all that
is missing is a NFS-root capable installation of Debian-arm that we can boot into,
and which we can use to read out the mtd partitions.
</p>
<p>
Oh, and yes. While I appreciate their love for the netfilter project and it's software:
There's absolutely no place in a NAS box for having ip_conntrack linked statically into
the kernel - unless you voluntarily want to loose performance. At least to my knowledge,
performance of NAS devices counts. So, Thecus, in your own interest: disable ip_conntrack
in the kernels you ship.
</p>Buried alive in GPL violationshttps://laforge.gnumonks.org/blog/20060222-buried-alive/2006-02-22T03:00:00+01:002006-02-22T03:00:00+01:00Harald Welte<p>
It's not funny anymore. The current rate at which new GPL violations get
reported and/or discovered, especially from the appliance/embedded market
is really alarming.
</p>
<p>
For example, I haven't yet seen a single Linux-based NAS product that was
even remotely license compliant when first analyzing it. And I'm not only
talking about the SoHo NAS boxes with one or two hard disk drives, but even
about enterprise storage systems.
</p>
<p>
On the Enterprise end We're now also Seine carrier grade network equipment such
as SONET/SDH switches, metropolitan area Ethernet, DSLAMS and the like.
</p>
<p>
Also, in some areas of business, competing companies seem to make the same
mistake again, rather than learning from their competitor. Some time ago I had
to resolve GPL issues with Maxtor Shared Storage drives, when they were first
released. Now I found out that Western Digital has similar systems called
NetCenter. Ordered one, and it came without GPL license text, written offer
or source code.
</p>
<p>
Finally, there is one good example though. For a very long time, a product
that I analyzed was actually GPL compliant. It's good to see that there are a
few who get it right, from the beginning: The APC NetBotz family of products.
The manual contains a reference to the source code, which can be obtained from
ftp://ftp.netbotz.com/gpl/.
</p>
<p>
Anyway, I need a break (see my holiday related post). Hopefully I'll get back
from that trip rested, with lots of energy and an extra portion of patience.
This has become more of a burden than I ever thought.
</p>
<p>
The second and third quarter of this year definitely are the right time to
think of a way to incorporate gpl-violations.org as an NGO/non-for-profit.
One that can actually pay somebody hunting down those cases, doing the
day-by-day work. I have a dream that in some point in the future I can once
again concentrate on cool and interesting development, like most other hackers
do.
</p>Another unproductive day of GPL enforcement.https://laforge.gnumonks.org/blog/20060216-a_gpl_day/2006-02-16T03:00:00+01:002006-02-16T03:00:00+01:00Harald Welte<p>
I'm feeling terrible. The second day in a row where I didn't find time to
write a single line of code, merge any contributed patches, squash any bugzilla
entry. Not even to speak of paid-for work.
</p>
<p>
While I used to spend about 30% of my time with GPL enforcement related work,
it now peaks at about 70% for the last two weeks. This is not a good sign.
</p>
<p>
So apart from talking to lawyers, proof reading legal paperwork, negotiating
with allegedly infringing companies and the like, I now also start having
trouble doing test purchases. Not only refuse some retailers to take orders
from me, but also if I actually place an order it raises new problems.
</p>
<p>
The last web store I ordered a test purchase from now asked me for a complete,
readable copy of both sides of my ID card. WTF ?!? This is totally against any
data protection laws. There is absolutely no requirement for them to know my
passport photograph, id card number, size or eye colour. So as a follow-up I
had to write an official complaint with the Berlin data protection agency - as
if I didn't have any other work to do.
</p>
<p>
Also, for the last months, I find myself giving about EUR 10k in 0% interest
loans to GPL infringing companies. That's the amount of money spent for test
purchases that I had to do to confirm GPL violations but which hasn't yet been
reimbursed. </p>
<p>
About the only positive thing in the course of my work day was producing the <a href="http://www.chaosradio.de/">Chaosradio</a> Express issue on
gpl-violations, which Tim and I did earlier this evening.
</p>
<p>
Oh, and the best thing that happened today in general, is that the German
Federal Constitutional Court has invalidated a recent law that allowed the government
to order the military to shoot a passenger plane which was abducted by terrorists.
At least some people still have a sane view on human rights.
</p>More TI AR7 related GPL violationshttps://laforge.gnumonks.org/blog/20060214-tiar7-violations/2006-02-14T03:00:00+01:002006-02-14T03:00:00+01:00Harald Welte<p>
Out of all the embedded network devices that had GPL issues, the Texas
Instruments AR7 based devices probably have the worst GPL compliance history
I've ever seen. The time has come to properly rant about this.
</p>
<p>
It's yet unclear whether this is TI's own fault, or just the fault of their
OEM/ODM manufacturers. But I'm more than determined to find out.
</p>
<p>
Anyway, the list of problems with TI AR7 based devices is so incredibly long,
that I don't even know where to start.
</p>
<p>
First of all, re-engineering their devices (for GPL compliance audits and legal
action following up to such an audit) is incredibly difficult because they've
added LZMA compression to both the kernel image (vmlinux) and squashfs.
</p>
<p>
Now what's so difficult about this? You might argue that the LZMA algorithm is
(L)GPL licensed and publicly available. As is the original kernel source code,
and the squashfs code. Also, you might know that numerous individuals have already released
patches to add LZMA to kernel boot, initrd and squashfs.
</p>
<p>
However, there are various methods (with/without LZMA header, with/without
p7zip header, etc.), and there simply is no standard on how to build a system from the algorithm.
</p>
<p>
Getting to the actual infringements. So far I've seen devices that
</p><ul>
<li>remove the "(C) Netfilter Core Team" message that is usually printed during boot-up</li>
<li>modify existing netfilter/iptables code, like add HTTP reply support to ipt_REJECT</li>
<li>add binary-only new netfilter/iptables targets, like ipt_PNAT</li>
<li>add new binary kernel modules that have "MODULE_LICENSE(GPL)" without providing source code</li>
</ul>
<p>
There are many other potential issues, on whose GPL compatibility (or lack thereof) I do not want to
comment at this time, such as their binary only drivers for the DSL chipset, the WLAN driver.
</p>
<p>
Interestingly, all of the Vendors of TI AR7 based devices with whom I had
contact on the GPL issues showed equally little interest into bringing their
products into compliance. Now this could all just be a coincidence. But my
personal guess is that they just forward whatever questionable policy they get
from their upstream chipset and reference software development kit provider:
TI.
</p>
<p>
You might wander about the device manufacturers in question? I'm still a bit
hesitant in disclosing names. One of the first companies running into GPL
trouble with TI AR7 was D-Link. Another company with anything but the cleanest
GPL history on TI AR7 based devices is AVM, who produce the overly popular and
widely branded FritzBox devices.
</p>
<p>
There is another brand that is sold in significant quantities, at least in the
German market. We're on the brink of applying for the next gpl-violations.org
preliminary injunction, so I won't be able to say any names.
</p>
<p>
[and now, after some five hours of gpl-violations related device re-engineering
before getting up, I'll finally try to find some time go get some breakfast.]
</p>Austrian Health Card System now GPL complianthttps://laforge.gnumonks.org/blog/20060210-ecard/2006-02-10T03:00:00+01:002006-02-10T03:00:00+01:00Harald Welte<p>
It's already been at some point at the End of 2005, but now I finally got
around writing a press release on this subject:
</p>
<p>
gpl-violations.org has enforced yet another high-profile (at least in the
German speaking continental European world) case of a GPL violation. Instead of repeating myself, you might want to read <a href="http://gpl-violations.org/news/20060210-svc-gesundheitskarte.html">this release</a> or <a href="http://gpl-violations.org/news/20060210-svc-gesundheitskarte-de.html">the German version</a>.
</p>
<p>
My real problem is a lack of time, and it's more than a pity that
gpl-violations.org didn't have a press release for nine months - even though
those were full of successful enforcement work. I hereby promise to improve my
public relations work.
</p>First GPLv3 drafthttps://laforge.gnumonks.org/blog/20060121-gplv3/2006-01-21T03:00:00+01:002006-01-21T03:00:00+01:00Harald Welte<p>
As almost every reader of this journal will know, the first <a href="http://gplv3.fsf.org/">GPLv3</a> draft has been published, and
everyone is invited to comment on it.
</p>
<p>
I obviously already left some comments, though I still want to write up a
somewhat larger article on my thoughts on it. This journal entry is not that article ;)
</p>
<p>
In general, I'm quite relieved. I had somewhat mixed expectations - but
almost everything looks quite fine, and there are hardly any issues. I obviously
like the DRM countermeasures.
</p>
<p>
From a gpl enforcement point of view, it is very good to see that the "complete
corresponding source code" has been specified in more detail. This should save
us from the hassle of ever again starting the discussion (nit-picking) on
whether "scripts to control compilation and installation" (GPLv2) really only
means scripts, or whether it also covers other methods controlling compilation and
installation.
</p>
<p>
What is a real problem, and I hope this can still be resolved, is the new "60
days" grace period that was introduced. With GPLv2, the right to distribute
the software was automatically revoked in the case non-conformant distribution
has happened. In the v3 draft, there is a grace period where the rights _may_
be terminated, and only 60 days after being notified by one of the copyright
holders.
</p>
<p>
The intention of it is to take care of "inadvertent violation". As harmless
and reasonable as this sounds, this change has the potential to render most of
the current enforcement success of gpl-violations.org impossible in the future.
</p>
<p>
From all the 60+ cases that we've enforced, I cannot tell you one case where
the defendant would not claim that the violation was inadvertent. So in
reality, inadvertent basically means "we didn't care". However, the whole
point of the gpl enforcement exercise is to raise awareness and make them care
before it is too late.
</p>
<p>
The 60 days grace period is not acceptable. On the one hand, we (in Germany)
basically loose the ability to apply for preliminary injunctions. PI's are
only granted in case of urgency, which translates (depending on the court) to
something like 30 days. So if I know for more than 30 days that somebody is
infringing on my copyright (and don't get the matter resolved with him in that
period of time), then I can't consider this matter as urgent.
</p>
<p>
The 60 days grace period is also not acceptable, because it would basically
reduce the motivation to comply with the license in the first place. So for
EvilCorp Inc. it is perfectly possible to design a product using GPL licensed
software, not comply with the license, ship the product, wait for a copyright
holder to send a notice, make sure that I ship all the remaining in-stock
products that do not contain a written offer, GPL text and/or source code in
the 60 remaining days, and then start behaving GPL compliant. If such behaviour has
no consequences at all, why would anyone behave different in the first place?
</p>Today marks the first discovery of a ulogd GPL violationhttps://laforge.gnumonks.org/blog/20060109-ulogd/2006-01-09T03:00:00+01:002006-01-09T03:00:00+01:00Harald Welte<p>
It's actually not really all that important, but today I found the first
product that distributes my ulogd program in a GPL incompliant way.
</p>
<p>
To my biggest surprise, it's not a Firewall/Router/WLAN device, but rather a
NAS. Still have to figure out where, how and why they use ulogd on it, but it's there (and no source code [offer]).
</p>Have to turn down invitation on GPLv3 conferencehttps://laforge.gnumonks.org/blog/20060104-gplv3-conference/2006-01-04T03:00:00+01:002006-01-04T03:00:00+01:00Harald Welte<p>
As you might know, the GNU GPL is currently under review and version 3 is
underway. With regard to the GPLv3 process, the FSF will be holding a
conference later this January to which I had the honour to be invited.
</p>
<p>
Since many people have already been wondering why I will not participate:
It is not because of the conference or because of the FSF. My previous
contacts with the FSF have been very forthcoming and productive, and I would
very much like to share my GPL enforcement experience at the GPLv3 conference.
</p>
<p>
Unfortunately though, the conference will be held in the USA, a country to
which I'm not going to travel anymore because I don't want to hand over (and
leave) my biometric information (aka fingerprints) in a country that basically
has non-existing data protection rights, esp. when it comes to government
agencies and foreigners.
</p>
<p>
In addition to the biometrics issue, there are numerous dangers from the
software patent and the DMCA front for people like me who indulge in quite a
bit of reverse engineering. In the end, the US just don't sound like a place
where I would feel comfortable and/or safe and/or secure in any way.
</p>
<p>
My best wishes to the GPLv3 conference, I hope they'll have a productive meeting
for the future of free software.
</p>Increasing number of GPL violationshttps://laforge.gnumonks.org/blog/20051124-rt-filling/2005-11-24T03:00:00+01:002005-11-24T03:00:00+01:00Harald Welte<p>
As the frequent reader of this blog will know: In order to keep track about all
the alleged/confirmed gpl violations, and the progress in their resolval, we're now using RT (request tracker).
</p>
<p>
Since the request tracker was introduced about one month ago, we've received an
incredible amount of reports. Today I opened ticket number 64 (!).
</p>
<p>
I don't really have those kind of automatic statistics on the number of
reported violations before, but it was certainly less than that number...
</p>More cases seem to be coming up, test purchases dropping inhttps://laforge.gnumonks.org/blog/20051123-testpurchases/2005-11-23T03:00:00+01:002005-11-23T03:00:00+01:00Harald Welte<p>
Sometimes I really think that I'm insane. In the last week alone, I've spent
some 7000 EUR in test purchases to prove GPL violations. Yes, I'll get
reimbursed once those cases are over, but somehow I feel like giving loans to
those companies who don't obey the license. If I'd put that money into a
bank, I'd at least get some (crappy) interest rate.
</p>
<p>
There are so many cases that I would like to write/talk about, but cannot
because they're still not over yet. *sigh*. Let's hope I can publish some
news before I leave for my 11 day trip to Bangalore for <a href="http://foss.in/">FOSS.in</a>.
</p>
<p>
When I'm back, I can be sure that there's a stockpile of devices to analyze.
Wish I could spend that time with something more productive, though.
</p>Four more gpl enforcement caseshttps://laforge.gnumonks.org/blog/20051114-four_more/2005-11-14T03:00:00+01:002005-11-14T03:00:00+01:00Harald Welte<p>
Today I've finalized my preparations (paperwork, etc) for passing four more gpl
violation cases off to my lawyer. As usual, I don't state the names of the
vendors/products at this time.
</p>
<p>
There has been quite some amount of backlog piling up, as I've been busy with
other (more interesting, to be honest) stuff in the netfilter, openmrtd and
OpenEZX world. Luckily we're now using RequestTracker and hopefully don't
loose any reports of violating products.
</p>Sony Root-kit allegedly is an LGPL license violationhttps://laforge.gnumonks.org/blog/20051111-sony-rootkit-lame/2005-11-11T03:00:00+01:002005-11-11T03:00:00+01:00Harald Welte<p>
Some of you might have already read it, Sony distributes a 'root kit' with their
DRM-encumbered 'copy protected' Cd's. This basically allows Sony to control your computer, once you've installed the software contained on on of their audio Cd's.
</p>
<p>
While this in itself is already a security nightmare (especially since they don't inform and/or warn the user about this), it gets even worse: According to a number of <a href="http://games.slashdot.org/comments.pl?sid=167537&cid=13969095">sources</a>, this software even contains a statically linked version of the LGPL licensed <a href="http://lame.sourceforge.net/">liblame</a> homepage.
</p>
<p>
I guess this gives a really strong measure: In order to protect our valuable
copyright on proprietary music, we don't give anything about the copyright of
others, such as authors of free software.
</p>Insurance against GPL violationshttps://laforge.gnumonks.org/blog/20051101-gplviolation-insurance/2005-11-01T03:00:00+01:002005-11-01T03:00:00+01:00Harald Welte<p>
According to <a href="http://news.zdnet.com/2100-3513_22-5924112.html">this
zdnet.com article</a>, there is now an insurance against legal risks from
violating Free Software Licenses.
</p>
<p>
Strangely, that article claims the insurance is about "the risk of using open
source software". This is misleading, since there is no risk involved in
_using_ the software. There is, like with any other software, a risk when you
violate the license.
</p>
<p>
One wonders when we'll get such an insurance for "the risks of using proprietary software [without obtaining a license]".
</p>FreeDOS project uncovers GPL violations in DR-DOS 8.1https://laforge.gnumonks.org/blog/20051025-drdos/2005-10-25T03:00:00+02:002005-10-25T03:00:00+02:00Harald Welte<p>
The <a href="http://www.freedos.org/">FreeDOS</a> project has <a href="http://www.freedos.org/freedos/news/bits/drdos81.html">discovered
multiple GPL violations</a> in the commercial and proprietary <a href="http://www.drdos.com/">DR-DOS 8.1</a> product.
</p>Brian about a possible GPL violationhttps://laforge.gnumonks.org/blog/20051023-barracuda/2005-10-23T03:00:00+02:002005-10-23T03:00:00+02:00Harald Welte<p>
In his <a href="http://rignesnet.tzo.com/archives/2005-09-24T12_40_22.html">blog</a>,
Brian points out that the Barracuda Spam Firewall 300 seems to be violating
the GPL.
</p>
<p>
It's not yet clear what kind of software they actually include, but if a
customer (who has received a binary copy of the GPL licensed Linux kernel)
calls them up and explicitly asks for the source and then gets fishy answers
like those pointed out in Brian's blog, then there's certainly something wrong.
</p>Installing a Request-Tracker for gpl-violations.orghttps://laforge.gnumonks.org/blog/20051021-rt/2005-10-21T03:00:00+02:002005-10-21T03:00:00+02:00Harald Welte<p>
Since a number of issues were already lost on the legal@lists.gpl-violations.org list, and there's
now actually more people getting involved in the project (mainly Armijn), I've installed <a href="http://bestpractical.com/">Request Tracker</a> for the project.
</p>
<p>
Anyone who has new gpl violations to report, please contact
license-violation@gpl-violations.org instead of the new mailing list.
</p>
<p>
Please do not report any old cases (that have been posted to the list) to the
request tracker, I've already added all those old cases as tickets to the new
system.
</p>Bringing ftp.gpl-devices.org livehttps://laforge.gnumonks.org/blog/20050930-ftp_gpldevices/2005-09-30T03:00:00+02:002005-09-30T03:00:00+02:00Harald Welte<p>
<a href="ftp://ftp.gpl-devices.org/">ftp.gpl-devices.org</a> has been up and
running for a number of months now. As usual, I never really had the time to
take care of it (i.e. feed it with all the vendor-released and 3rd party source
code for embedded devices running GPL licensed software).
</p>
<p>
Luckily, Imre Kaloz was interested in helping me out. He's now in charge of at least putting all the TI AR7 related source tar-balls on the ftp site.
</p>
<p>
I've already dedicated a 300GB hard disk for the source code, which should be fairly sufficient for some time. At this point, I have no more than 40GB of vendor-supplied source code images at home.. ftp.gpl-devices.org has only some 3GB as of now.
</p>
<p>
Thanks go to <a href="http://noris.net/">noris.net</a>, the innternet provider where like for almost all of my projects, the server ftp.gpl-devices.org is colocated.
</p>Donating 7000 EUR from GPL enforcement to FoeBud e.V.https://laforge.gnumonks.org/blog/20050831-donatin-foebud/2005-08-31T03:00:00+02:002005-08-31T03:00:00+02:00Harald Welte<p>
Sometimes as part of my GPL enforcement work, vendors will make donations
in order to settle things like a grace period, i.e. a time where they can still
sell their stock of already-produced gpl incompliant devices.
</p>
<p>
Recently, as part of such a settlement, I was able to get EUR7000 which have
been donated to <a href="http://www.foebud.org">FoeBud e.V.</a>, a registered
German charity fighting against privacy-invading technology use such as RFID,
and video surveillance. They hold the annual "Big Brother Awards" which give a
"prize" to those individuals and organizations that hurt privacy and data
protection most in that year.
</p>iRiver hands over source code CD-ROMhttps://laforge.gnumonks.org/blog/20050810-iriver-sourcecode/2005-08-10T03:00:00+02:002005-08-10T03:00:00+02:00Harald Welte<p>
Some time ago, I ran into GPL issues with the iRiver PMP-1xx series. For some
reason, the Korean company chose to cease distributing their products in
Germany, rather than making them GPL compliant.
</p>
<p>
Despite that, they've now sent me a CD-R with the source code. I've made it
available to interested parties at <a href="ftp://ftp.gpl-devices.org/pub/vendors/iRiver/PMP-1xx/">ftp.gpl-devices.org</a>.
I did not yet have the time to do a full-scale analysis whether it is complete
(as per gpl definition of "complete corresponding source code"). However, at least from a first quick look it seems fine (and even documented!).
</p>RMS visits ASUS: Free Software beyond their notice ?!?https://laforge.gnumonks.org/blog/20050723-rms-asus/2005-07-23T03:00:00+02:002005-07-23T03:00:00+02:00Harald Welte<p>
In <a href="http://www.fsf.org/blogs/rms/entry-20050712.html">his blog</a>,
Richard Stallman writes that he had a very unpleasant experience visiting ASUS
in Taiwan.
</p>
<p>
This is outrageous, considering they are using Linux and other free software
programs in their products and making business from it.
</p>
<p>
Their WL500g routers are using Linux, and did not comply with the GPL. So in
2004, I used my copyright to enforce the license. I have obtained a declaration
to cease and desist from ASUS Headquarters in Taiwan, and they modified their
product promptly to bring it into GPL compliance. See <a href="http://www.netfilter.org/news/2004-03-25-asus-gpl.html">this news item</a> on the netfilter.org project homepage.
</p>
<p>
Even today, ASUS seems to be using Free Software in a number of their latest devices, as I indicated <a href="http://gnumonks.org/~laforge/weblog/2005/07/11#20050711-asus-again">in this blog entry</a>.
</p>Almost all vendors of console servers GPL incomplianthttps://laforge.gnumonks.org/blog/20050712-console-servers/2005-07-12T03:00:00+02:002005-07-12T03:00:00+02:00Harald Welte<p>
According to <a href="http://drwetter.org/konsolen-server.html#Copyleft">this
German article</a> (by Dr. Dirk Wetter), out of seven tested console servers
(all Linux-based) of various vendors, only two even mentioned that GPL licensed
software was used in the product. The majority of the devices did neither
mention the GPL, nor make any source code offer.
</p>
<p>
The vendors have been contacted by the author of the article, and almost all
promised to make their devices GPL compliant in the future. It has yet to be
seen whether they actually fulfill that promise. I will ask each of them for a copy of the full corresponding source code, since the offer implicitly has to exist [the devices didn't ship with the source code, so 3a GPL is no longer possible].
</p>
<p>
It's really disappointing to see this happen again and again. Everybody seems
to not care at all about the copyright of the code involved.
</p>ASUS has a whole line of new gpl violating deviceshttps://laforge.gnumonks.org/blog/20050711-asus-again/2005-07-11T03:00:00+02:002005-07-11T03:00:00+02:00Harald Welte<p>
Apparently, the AAM6020VI, AAM6020BI, AAM6030VI and AAM5030BI devices all
contain Linux (including netfilter/iptables) -based firmware images, but no source code is made available.
</p>
<p>
None of the devices is sold here in Germany, so I can't go after ASUS Germany.
</p>Heather J. Meeker spreads false claims about gpl-violations.org.https://laforge.gnumonks.org/blog/20050702-meeker-article/2005-07-02T03:00:00+02:002005-07-02T03:00:00+02:00Harald Welte<p>
In an <a href="http://www.linuxinsider.com/rsstory/43996.html">article</a> on
<a href="http://www.linuxinsider.com/">linuxinsider.com</a>, <a href="http://www.gtlaw.com/biographies/biography.asp?id=5523">Heather J.
Meeker</a> of Greenbar Traurig LLP (don't miss the background info at <a href="http://wiki.ffii.org/HeatherMeekerEn">FFII Wiki</a>) makes false claims
about the gpl-violations project and myself.
</p>
<p>
I've pointed out her mistakes in the following letter:
</p>
<p>
Dear Ms. Meeker,
</p>
<p>
it has come to my attention that you have authored an article entitled "Open Source and the Legend of Linksys", published at linuxinsider.com, in which you make false statements in order to discredit the gpl-violations.org project and myself.
</p>
<p>
There is nothing wrong with press articles and commentaries about the GPL, the gpl-violations.org project or myself, no matter how critical they are - as long as they are based on facts. Spreading lies is however not acceptable to me.
</p>
<p>
The most obviously wrong statement is <i>"But, it so happened, that AOpen was actually compliant, having offered the source code on a German Web site, as Welte later noted in his blog. Never mind.".</i>
</p>
<p>
The truth is: AOpen Germany offered the _object_ code of the GPL licensed software on their German FTP-server, without complying to the GPL license terms. My blog clearly states "Firmware" (which is by definition object code, not source code). This means that in fact they are even legally responsible, since they distributed GPL licensed software without adhering to the license conditions.
</p>
<p>
Two other quotes from your article:
<i>
"The problem is that Welte apparently does not hold the copyright to the code that is the subject of these letters."
</i>
</p>
<p>
<i>
"Some of Welte's targets have complied voluntarily, but one suspects that is because they were simply unaware of the problem. Welte apparently has no authority to enforce these copyrights."
</i>
</p>
<p>
This is again wrong. I have never enforced any copyright that I don't own. What has happened is that some other Linux kernel developers have transferred their copyright to me, so I can take action in cases where my own copyright is not involved. [which by the way is also a good indication that gpl-violations.org is not some lone lunatic but backed by the development community].
</p>
<p>
Obviously I reserve the right to inform any organization about illegal
copyright infringement they might be committing, even if I'm not the copyright
holder. This must not be confused with legal GPL enforcement by an actual
copyright holder through in or out-of-court legal action.
</p>
<p>
Specifically, regarding to the "CeBIT letter action", I could have started legal proceedings in all those cases. In fact, my legal team an I were planning to personally hand over a preliminary injunction at one of the CeBIT booths. Rather than doing so, I thought I could save the respective infringing companies the trouble of legal charges and legal expenses by first writing them an informal letter.
</p>
<p>
At this point in time, I do not know the legal situation of such easily-to-be-proven false statements in the US. In Germany we have laws that force the press to publish "correction statements" written by the person or entity that was subject of those false statements. I will consult my legal advise about this matter.
</p>
<p>
I would like to ask you to clarify those issues. Since it is an on-line
article, it should be possible to amend it. If that is not possible, I'm sure there is some other way to let the readers know about those two "mistakes" in the article.
</p>
<p>
Sincerely,
Harald Welte
</p>
<p>
I've posted some additional comments in the talkback section of the article. They yet have to be approved by the publisher.
</p>More and more Media Players running Linux but don't offer source codehttps://laforge.gnumonks.org/blog/20050629-mediaplayers/2005-06-29T03:00:00+02:002005-06-29T03:00:00+02:00Harald Welte<p>
There's a recent uprise in the availability of handheld media player devices.
Most of them come with a 240x320 / 16bit colour screen, FBAS output, USB, 20GB
hard drive, etc.
</p>
<p>
A big part of them seems to be running based on Linux and other free software,
which is great. However, the vendors once again forget about their obligations
under the GNU GPL and do not tell their users about the GPL or make the source
code available.
</p>
<p>
The first device I ran into was the iRiver PMP-120/140, on which I have
reported earlier in this blog. It was based on a TI DSP with embedded
synthesized ARM core.
</p>
<p>
Now we're seeing similar devices from <a href="http://www.istation.co.kr/">iStation</a>,
<a href="http://www.iubi.co.kr/">iUbi</a>, <a href="http://www.sitecom.com/">Sitecom</a> and some other vendors hitting the
marketplace. They are all based on the <a href="http://www.sigmadesigns.com">SigmaDesigns</a> <a href="https://laforge.gnumonks.org/blog/20050629-mediaplayers/www.sigmadesigns.com/products/em8510.htm">EM8511</a> chipset. Rumors
have spread that Sigma actually tries to bind their customers under an NDA not
to release the GPL licensed source code, which they would obviously have no
right to. Please keep in mind that that's rumours, and I don't have any
confirmation about this yet.
</p>Cisco GPL violationhttps://laforge.gnumonks.org/blog/20050621-cisco/2005-06-21T03:00:00+02:002005-06-21T03:00:00+02:00Harald Welte<p>
I've just confirmed yet another GPL Violation of Cisco Systems. This time it's
not a consumer class product sold under the Linksys label, but an
enterprise-class "Cisco" product.
</p>
<p>
More details will follow as soon as Cisco has been informed. I regularly don't
make any details public before the respective opponent has received the first
letter from my lawyers.
</p>Sitecom did it againhttps://laforge.gnumonks.org/blog/20050621-sitecom-again/2005-06-21T03:00:00+02:002005-06-21T03:00:00+02:00Harald Welte<p>
Sitecom apparently _again_ violates the GPL. This is now the third product in
little more than a year.
</p>
<p>
Again, more details will follow soon, stay tuned.
</p>Oops, Linksys did it again...https://laforge.gnumonks.org/blog/20050613-linksys-adsl2mue/2005-06-13T03:00:00+02:002005-06-13T03:00:00+02:00Harald Welte<p>
For the third time, Linksys (now only a brand of Cisco) seems to be selling
devices in a GPL-incompliant fashion. Following up the WRT54 case in early
2003, and the less-known WMA11B issues last year, they've now started to sell
the ADSL2MUE.
</p>
<p>
I did a test purchase. It clearly contains the Linux kernel and other GPL
licensed software. There is no mentioning of the GPL, no GPL license text, no
source code, and no written offer anywhere in the package, manual or on the
included CD-ROM.
</p>
<p>
I really don't get it. How could this happen again? Rumours say that the
device was OEM'ed from somewhere else. Even in that case, Linksys should have
enough GPL experience to include a statement like "if the product contains GPL
or other copyleft-licensed software, the full corresponding source code has to
be delivered" into their contracts with the upstream vendor.
</p>
<p>
Shortly after the warning notice had been sent by my legal team, some source
code appeared on <a href="http://www.linksys.com/support/gpl.asp">http://www.linksys.com/support/gpl.asp</a>.
I have not yet conformed that it is complete, but it looks like they even
included the Texas Instruments' LZMA (de)compression bits, which no other
vendor using TI's AR7 platform has been provided, even though they are a clear
modification of the existing GPL licensed Linux kernel source code.
</p>
<p>
Linksys (Germany) officials have invited me to meet them. Due to restrictions
of my travel schedule, the meeting will only happen in late July. I'm looking
forward to that meeting and will remain curious about their interest in such a
meeting :)
</p>NaviFLASH, yet another personal navigation systemhttps://laforge.gnumonks.org/blog/20050602-naviflash/2005-06-02T03:00:00+02:002005-06-02T03:00:00+02:00Harald Welte<p>
Following-up to TomTom (who have ever since our "GPL issue" been very friendly,
helpful and cooperative) more than half a year ago, we've now discovered that
the <a href="http://www.naviflash.de/">NaviFLASH</a> personal car navigation
system also runs Linux (and is not distributed GPL compliant).
</p>
<p>
As it seems, the same or a very similar device from <a href="http://www.thb.de/">THB Bury</a> might be installed in Bugatti cars.
Obviously we have no way to tell whether those cars were sold with a copy of
the GPL or not. Anyone wants to do a test purchase? ;)
</p>
<p>
NaviFLASH have been contacted, let's see how they will respond.
</p>Peppercon remote KVM solutionshttps://laforge.gnumonks.org/blog/20050602-peppercon/2005-06-02T03:00:00+02:002005-06-02T03:00:00+02:00Harald Welte<p>
<a href="http://www.peppercon.de/">Peppercon</a> "LARA eco" and probably other
devices run Linux and other Free Software and do not ship GPL compliant. </p>
<p>
Apparently they've been at <a href="http://chemnitzer.linux-tage.de/">Chemnitzer Linux Tage</a>, where I've
also given presentations for a number of years (including the subject of GPL
violations).
</p>
<p>
It's a pity that a company involved with the Linux community still has license
issues nevertheless :(
</p>Buying "gpl violations" at the local supermarkethttps://laforge.gnumonks.org/blog/20050601-lidl-targa-notebook/2005-06-01T03:00:00+02:002005-06-01T03:00:00+02:00Harald Welte<p>
Yes, it has come that far. I just wen to <a href="http://www.lidl.de/">LIDL</a> earlier today, making a test purchase of
their latest notebook model, the Targa Traveller 826T MT23. It's a nice piece
of hardware, no doubt. 1.8GHz AMD64 with 1GB RAM...
</p>
<p>
For those who don't know who LIDL is: It's one of Germany's largest budget
retail stores (comparable to Walmart, although not in size of the enterprise).
</p>
<p>
However, I didn't buy the device because it was nice hardware, but because
several people had informed me that this might be yet another incarnation of
the ever-so-popular "Instant-On Media" devices. The idea is that you avoid
booting into Windows by pre-installing a small custom-tailored Linux
distribution with a media player (sometimes mplayer or xine, sometimes
proprietary).
</p>
<p>
And obviously Targa is now the third notebook vendor offering such a feature
without being GPL license compliant. I've recently figured that the Medion
MD95500 and MD95800 (sold at <a href="http://www.aldi.de/">ALDI</a>, LIDL's
biggest competitor) had the same issue. As had devices from one of the largest
international notebook vendor, whose Name I shall not disclose at this time.
</p>
<p>
I cannot tell you how sick I am of all of this. Why doesn't anybody care to
read the license? On a side note, I once asked an audience of lawyers if they
had ever read the full MS EULA. Almost none of them did. Not even the
lawyers(!).
</p>Fortinet Source code has arrivedhttps://laforge.gnumonks.org/blog/20050522-fortinet-sourcecode/2005-05-22T03:00:00+02:002005-05-22T03:00:00+02:00Harald Welte<p>
The (still incomplete) Fortinet source code has finally arrived.
For those of you who're curious, I've made it available at <a href="http://ftp.gpl-devices.org/pub/vendors/Fortinet/20050514/">ftp.gpl-devices.org</a>.
I'm planning to publish all "GPL code releases" by various vendors on that ftp
site in the close future. This way you can avoid the hassle (and cost) to
order a physical media via snail-mail.
</p>
<p>
The Fortinet Linux kernel seems quite a bit modified, especially looking at the
network stack. No time to comment on that right now. If you're interested,
RTFS :)
</p>The first three Buffalo Source Cd's arrivehttps://laforge.gnumonks.org/blog/20050512-buffalo-cds-arrived/2005-05-12T03:00:00+02:002005-05-12T03:00:00+02:00Harald Welte<p>
As it was to be expected from the previous performance of Buffalo, those three
CD-R's contain anything but the "complete corresponding source code" for the
requested product firmware versions.
</p>
<p>
I'm going to consult my legal advise on how to proceed.
</p>Adaptec will be offering source code onlinehttps://laforge.gnumonks.org/blog/20050511-adaptec-download/2005-05-11T03:00:00+02:002005-05-11T03:00:00+02:00Harald Welte<p>
Adaptec is willing to offer the full corresponding source code of the GPL
licensed components of the iSA1500 (and probably other products) online instead
of requiring their users to send letters to their legal department.
</p>
<p>
I'm very happy about this step, since it makes it easier for the users to
exercise their right for source code access.
</p>
<p>
Making it available on the net is not required by the GPL [since it predates
todays Internet], so Adaptec actually plans to go beyond what is the absolute
minimum requirement. Great!
</p>Both Acer and iRiver still have issueshttps://laforge.gnumonks.org/blog/20050504-acer-iriver/2005-05-04T03:00:00+02:002005-05-04T03:00:00+02:00Harald Welte<p>
Acer has now put up a mirror of all 2.4.x kernel versions on their support
website. Clearly they do not understand what the GPL is about, despite our
efforts. I fail to understand what is so difficult to grasp while reading a
phrase like "complete corresponding source code, including scripts used to
control compilation and installation".
</p>
<p>
Clearly, Acer's Aspire 1800 and 2000 series notebook don't only come with some unconfigured vanilla Linux kernel preinstalled, but with a custom-tailored Linux distribution containing lots of other GPL licensed software.
</p>
<p>
iRiver seems to claim that they're no longer selling the product in Germany,
and therefore don't need to release the source code. AFAICT, there are dozens
of online stores who still sell PMP-1xx devices, and even iRiver Germany's
homepage still advertises this series of players on it's front page (!).
</p>
<p>
What is this to tell us? They are not taking the issue of GPL licensing
serious. Even after receiving warning notices and having signed declarations
to cease and desist.
</p>
<p>
I'm going to make more and more open statements about such embarrassing
details, which I didn't do in the past. Apparently it only helps to put the
maximum amount of pressure onto those companies. Sad, very sad. I have no
intentions of harming their business...
</p>gpl-violations.org related press interviewshttps://laforge.gnumonks.org/blog/20050504-press-interviews/2005-05-04T03:00:00+02:002005-05-04T03:00:00+02:00Harald Welte<p>
The spike of press coverage continues, which is good. There have been
interviews and articles in magazines such as <a href="http://www.infoweek.ch/">Infoweek</a> and <a href="http://www.computerwoche.de/">Computerwoche</a>. This actually leads to
people from outside the Linux / FOSS community recognizing the efforts of the
project, and the licensing issues that many companies have when using GPL
licensed software.
</p>
<p>
The FOSS community itself knows about the GPL and it's rules. We need to get
this into the heads of product managers and the like. As soon as this happens,
we'll probably be at a point where we'll see more GPL compliant products
entering the market.
</p>
<p>
This press coverage has already triggered some interesting replies, on which I do not want to disclose more details at this point.
</p>More news on AOpenhttps://laforge.gnumonks.org/blog/20050504-aopen-update/2005-05-04T03:00:00+02:002005-05-04T03:00:00+02:00Harald Welte<p>
Following up to my post two days ago, the news has now made it to <a href="http://golem.de/0505/37872.html">golem.de</a>.
</p>
<p>
AOpen wasn't quite happy about the bad press, so I was immediately contacted
again. They're now working closely with their Taiwanese mother company to
become GPL compliant ASAP. I'm eager to see the results, and hope that this
issue can be put behind us soon.
</p>
<p>
However, I now re-discovered that the firmware image is actually download-able
from <a href="ftp://ftp.aopen.de/pub/driver/net/aoi-906/general-gw_upg_2.55.bin">ftp.aopen.de</a>,
a domain registered to the German subsidiary. So while the product might not have been sold in Germany, the firmware was actively distributed by Aopen Germany GmbH.
</p>AOpen finally respondshttps://laforge.gnumonks.org/blog/20050502-aopen/2005-05-02T03:00:00+02:002005-05-02T03:00:00+02:00Harald Welte<p>
AOpen was one of the companies to whom I tried to hand over a friendly letter
on GPL licensing at the CeBIT trade show earlier this year.
</p>
<p>
One of their high ranking managers refused to accept my letter there, asking me
to send it to the German subsidiary via postal services. I did so immediately
after the trade show, which was in march.
</p>
<p>
Now (it's May!) they have decided to respond with a phone call. They told me
that I should have directed that letter to their Taiwanese mother company,
since the products that I claim are in violation of the GPL are not sold in Germany.
</p>
<p>
They don't get it. Its _THEIR_ problem if they don't comply with the license.
Its _THEM_ who are liable for copyright infringement. I don't care which
particular subsidiary of a multinational corporation is responsible. It is in
the best mutual interest of any subsidiary to assure that they comply with
license conditions.
</p>
<p>
The best I could get was to make them agree to talk to their German management
whether they would actually forward the letter to their .tw mother company.
</p>Belkin still not in full GPL compliancehttps://laforge.gnumonks.org/blog/20050427-belkin-noendofstory/2005-04-27T03:00:00+02:002005-04-27T03:00:00+02:00Harald Welte<p>
Belkin seems to be one of the hardest cases we've had so far. It always seems
like they're now in compliance, but then something else happens or a new fact
appears, and the whole story starts all over again.
</p>
<p>
Their firmware is compiled with a modified version of gcc-3.2.3 ("Broadcom
modifications"). Thus, they need to ship that modified version of the gcc,
which is what Belkin now does. However, gcc itself is again GPL licensed, and they need to provide the full corresponding source code of gcc, including any 'Broadcom modifications', too.
</p>
<p>
It's not really our job to look for every piece of code they release and check it thoroughly for license compliance. It's their job.
</p>
<p>
Btw, Linksys seems to have similar issues, too.
</p>
<p>
When will they ever get it?
</p>Adaptec violating the GPLhttps://laforge.gnumonks.org/blog/20050426-adaptec-gpl/2005-04-26T03:00:00+02:002005-04-26T03:00:00+02:00Harald Welte<p>
Adaptec is shipping a number of products in an GPL in-compliant way. We've
already enforced the first infringing product that I learned about, the Adaptec
iSA1500, an iSCSI storage array.
</p>
<p>
Instead of showing the community their support and at least providing the full
corresponding source code on their download page, they now require you to send
a written letter to their legal department to a US postal address in order to
get the source code for a specific product.
</p>
<p>
This really looks like they're trying to make it as hard as possible for anyone
to get the sources, while still staying withing the boundaries of the GPL.
</p>
<p>
I don't really know what they gain by that.
</p>Fortinet woes continuehttps://laforge.gnumonks.org/blog/20050420-fortinet-response/2005-04-20T03:00:00+02:002005-04-20T03:00:00+02:00Harald Welte<p>
Fortinet has sent out some information to their partners on the preliminary
injunction.
</p>
<p>
They make the following wrong statements:
</p>
<ul>
<li><b>The GPL open software project</b>. There is no "open software" and no "GPL open software" project. It's the gpl-violations.org project, and it's about "free software"</li>
<li><b>GPL is targeting pro-actively many leading firms</b>. The
gpl-violations.org project is not targeting anyone. It just wants to bring
commercial users of free software into compliance with copyright and the
license terms.</li>
<li><b>a very small piece of FortiOS contains GPL software</b>. That is ridiculous. The FortiOS is based on a full Linux kernel, therefore the most important and largest piece of FortiOS is the GPL-licensed Linux kernel.</li>
<li><b>We recently [...] have [...] been diligently working with him to resolve
this matter [...] and [were] surprised that Mr. Welte pursued a preliminary
injunction.</b> Fortinet has not signed a declaration to cease and desist
<em>even until today</em>. They were very well informed and warned multiple
times that we would seek injunctive relief if they didn't sign such a
declaration within a four-week deadline.</li>
</ul>
<p>
As you can see, they're trying to hide the extent of GPL licensed code they
use, and they make wrong statements about the gpl-violations.org projects and
it's actions.
</p>Managed to obtain a preliminary injunction against Fortinethttps://laforge.gnumonks.org/blog/20050414-fortinet-injunction/2005-04-14T03:00:00+02:002005-04-14T03:00:00+02:00Harald Welte<p>
Yesterday, the Munich district court granted a preliminary injunction against
Fortinet's GPL in-compliant use of Free Software.
</p><p>
<a href="http://www.fortinet.com/">Fortinet</a> is shipping a series of
Firewall products (FortiGate and FortiWiFi) running on Linux without complying
to the GPL.
</p>
<p>
Legal action was made possible via the "initrd" code, on which <a href="http://www.almesberger.net/">Werner Almesberger</a> signed me his rights
a couple of months ago.
</p>
<p>
To the best of my knowledge, Fortinet is not using any of the
iptables/ip_conntrack/... code, but something different. We'll see how that is integrated into the kernel network stack as soon as they release the full corresponding source code in accordance with the GPL.
</p>
<p>
I'd like to thank my lawyer Dr. Till Jaeger from <a href="http://www.jbb.de/">JBB Rechtsanwälte</a> and Jürgen
Lüters from <a href="http://www.intranet-engineering.de/">Intranet
Engineering</a>, the technical expert in this case.
</p>
<p>
Obtaining (better: Applying) for a preliminary injunction is a tremendous
amount of work, so this really is the last possible option if all other options
have failed.
</p>
<p>
Also, making this issue public with a press release was a very well-thought
action. Fortinet did not even sign a declaration to cease and desist within
four weeks after receiving the warning notice. They apparently didn't want to
believe that this is a serious issue. Maybe the public pressure will help
getting them back to negotiations.
</p>Overwhelming Response to CeBIThttps://laforge.gnumonks.org/blog/20050319-overwhelming-response/2005-03-19T03:00:00+01:002005-03-19T03:00:00+01:00Harald Welte<p>
Since the CeBIT letter action, I've received a surprisingly big press coverage, ranging from <a href="http://www.heise.de/newsticker/meldung/57489">heise.de</a> over <a href="http://news.zdnet.co.uk/software/linuxunix/0,39020390,39191532,00.htm">zdnet.co.uk</a>, <a href="http://news.zdnet.com/2100-3513_22-5625667.html">zdnet.com</a> to <a href="http://news.com.com/Defender+of+the+Linux+faith/2100-7344_3-5625667.html">news.com</a>.
</p>
<p>
That press coverage, together with the slashdotting on Tuesday last week have
triggered an enormous amount of feedback, mostly from individual users
reporting a myriad more of alleged gpl violations.
</p>
<p>
I'm sad that the number really grows that fast, but on the other hand happy
that we now have the chance to collect all this information.
</p>
<p>
Last, but not least, a number of people have volunteered to help the project,
e.g. with it's public database interface, as well as homepage XSL corrections
for full XHTML validation.
</p>
<p>
If you have sent me mail regarding GPL violations and didn't receive a response
so far, please be patient, I'm just not through all of them yet. Give me
another week, thanks.
</p>The gpl-violations.org homepage has been slashdottedhttps://laforge.gnumonks.org/blog/20050315-slashdotted/2005-03-15T03:00:00+01:002005-03-15T03:00:00+01:00Harald Welte<p>
The news about the CeBIT letter action yesterday has made it to <a href="http://slashdot.org/">slashdot</a>.
</p>
<p>
While this is good news (since more people learn about my project), it also
has the disadvantage that my SDSL line was fully filled. Now I moved the site
to vishnu.netfilter.org, the main web-server of the <a href="http://netfilter.org/">netfilter.org</a> project.
</p>
<p>
Also, I really regret that the amount of information at gpl-violations.org is
still quite limited, especially the database of documented gpl violations and
enforcement cases is still not there :(
</p>
<p>
The best source of information is probably my blog, and the <a href="http://svn.gnumonks.org/trunk/presentation">slides of my various presentations</a>.
</p>Aftermath of CeBIT letter actionhttps://laforge.gnumonks.org/blog/20050314-cebit-letter-aftermath/2005-03-14T03:00:00+01:002005-03-14T03:00:00+01:00Harald Welte<p>
So today I've personally handed over some 13 letters at the CeBIT trade fair in
Hannover.
</p>
<p>
My experience varies from case to case. A number of the respective recipients
simply received the letter and told me they would forward it to the respective
department.
</p>
<p>
The best experience so far was X-Micro, where I met the Vice President and had
some discussion with him about what this all was about. Apparently he was
quite happy to hear that it is not about license fees and neither about patent
infringement ;) Anyway, we'll have to see what kind of practical results we will see in the upcoming weeks.
</p>CeBIT letter actionhttps://laforge.gnumonks.org/blog/20050313-cebit/2005-03-13T03:00:00+01:002005-03-13T03:00:00+01:00Harald Welte<p>
Please note the official <a href="http://gpl-violations.org/news/20050314-cebit-letter-action.html">gpl-violations.org CeBIT letter action</a> press release.
</p>