To me this doesn't really look like a clear cut case. Does he own one of these cars? If not, then I think it is very dubious whether he has any standing to request the source code. If he does then included with the car should be an offer for how to access the GPL source code. He should have followed that (or clearly stated that he could not locate it in his email). The requirement for him to enter the VIN to access the source code does not seem unreasonable since they are only required to distribute source code to customers, and he has simply emailed them out of the blue asking them to give him the source without any proof that he's a customer. The statement about BMW being the "sole owner" is probably concerning proprietary parts of the software that may not be subject to GPL at all. It is probably way beyond the skills of some random customer service rep to distinguish the subtleties of those kinds of things.
This kind of interaction actually looks to me to be counter to the spirit under which the Free Software Foundation tries to administer the GPL - which is that they work cooperatively to help companies comply rather than try to trick them into legal hot water. I agree with the FSF approach and I don't think this sort of PR ambush type tactic is helpful in promoting the use of free software.
> To me this doesn't really look like a clear cut case. Does he own one of these cars? If not, then I think it is very dubious whether he has any standing to request the source code.
(All section references below are to GPLv2, since that is what the Linux kernel uses)
Section 3 governs distribution of object or executable code. Section 3 gives these requirements:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
BMW is distributing commercially and they did not receive the program in object or executable form, so option "c" is out.
They are not distributing the source code with their cars, so option "a" is out.
That leaves option "b", which requires them to give the code to any third party that requests it, at no more than their cost of performing a source distribution.
The requirement is NOT that you have to give out source code to anyone who asks. It is that the written offer you give out can be used by anyone. Did BMW hand out a written offer with the car that says how to get source code? If so, then it is fine if that offer requires you to enter a piece of information like a VIN.
BMW is under no obligation to hand out written offers to random strangers. You'll have to find someone who bought a car to get an offer.
Now why would BMW set things up this way? Well it is unlikely that all cars have the same exact source code. So without the VIN, BMW doesn't even know which copy to give you! So what are they going to do when someone shows up, is rude, clearly doesn't have the offer in hand, and then demands source code? Apparently they are going to tell him that he needs a VIN.
Let D be the distributor, C be their customer, and T be a third party. The language of 3(b) says that D must give C a written offer to distribute the source to any T. I don't see anything in it that says T has to have a copy of the offer.
It says "any third party", and unless there is something in the license that restricts this I'd expect a court to go with the normal meanings of "any" and "third party".
The GPL FAQ agrees with my reading, saying that "If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it" [1].
I'd say that requiring the VIN number in order to identify which software to provide source for is reasonable and would be allowed by the license.
The scenario I outlined does not require possession of the written offer to get source code. Possession of the knowledge in it, yes. But not possession of the offer. In particular it is reasonable to require you to know that you have to provide a VIN number to get the software. It is also reasonable for you to know what number to call, or address to send, or fee to pay, or even what to say to get to someone knowledgeable enough to have a chance of answering your questions.
In fact this email thread said that there is a website where you can enter the VIN and get the source code. I doubt it validates that you are who you say you are. If that website is world readable, I'd say that the GPL is satisfied.
(The email thread also made it clear that the people who responded from BMW Australia didn't themselves understand the license. But that is no surprise for an odd request of random people in a big company.)
> That leaves option "b", which requires them to give the code to any third party that requests it,
That's very interesting wording that I wasn't aware of. It still seems to me like it is a reasonable interpretation that only the customer could request it (the "offer" is to the customer, the distribution is to the third party). So, having bought the car, I could say "Please send the source code to my friend Fred". However my understanding is that the long held general interpretation of the GPL has always been that you only get standing to request the source code if you actually received the GPL code yourself.
"They are not distributing the source code with their cars, so option "a" is out"
I disagree. BMW currently offers the source code as a download on their website if a customer provides his 7-digit VIN, so this is them fulfilling the requirement that they must "accompany [the car] with the complete corresponding machine-readable source code". It is all in the meaning of "accompany it": giving the source code physically along with the keys when you purchase the car, or offering a source code download link. I would argue that either option is compliant with the GPL, so to me it seems BMW is in the right.
Yes, VIN numbers are 17 characters long, but only the last 7 characters are unique, called "sequential number".[1] The first 10 characters are composed of make, model, year etc.
I agree the VIN thing is a red herring. Seems to me the bigger problem is this (emphasis mine):
"I have confirmed with our technical department who advised that to access the software download site the BMW Customer must provide the 7 digit VIN and accept the usage rights agreement. Part of the usage rights agreement states that the software is protected by copyright and BMW is the sole owner. So in this case it is not subject to the requirements of a "Public" licence."
They're denying that their software is even GPL and imposing extra restrictions on use. That's a problem, if it does indeed include GPL code.
No, the offer for source must be to anyone -- the supply of a binary may be limited. BMW cannot be the "sole owner" of the copyright -- even if they own the part they wrote, they must still supply source for the GPL parts.
Which sounds like if you didn't provide the source with the program up front then you're required to give it to anyone that asks since they may have received the program indirectly.
I only tweeted the refusal after several verbal attempts to speak to someone in legal. My preferred approach - as it was when I dealt with Telstra over a similar issue - is to find the right person and sort things out with them.
BMW Australia, however, were quite hostile, refused to let me speak to anyone in legal, and told me verbally that I'd have to sue them in order for them to release the code to their customers.
I'm much less inclined to spend time resolving things smoothly and quietly at that point.
> it is very dubious whether he has any standing to request the source code
That may be, but this tidbit is somewhat alarming to me:
> [the user must] accept the usage rights agreement. Part of the usage rights agreement states that the software is protected by copyright and BMW is the sole owner
There are two red flags here for me:
- asserting copyright through an EULA
- additional "licensing" requirements for obtaining the source code
I'll take a guess based on the filename "ConnStarter" in the BMW firmware that ConnMan is the primary GPL'd software. As the BMW site says: "The ConnMan project provides a daemon for managing internet connections within embedded devices running the Linux operating system.... ConnMan is available under the terms of the GPL v2."
The linked site may be useful, but where on that site did you find a download link for the specific software version (including modifications) used? All I see is a generic link to ConnMan's project website. I don't think that suffices?
I think BMW would argue that contributing their modifications directly to the ConnMan Git repository for others to use would suffice. You can find a list of BMW's commits to the ConnMan project here (Daniel Wagner seems to be the main developer from BMW Car IT working on it):
BMW would be wrong to argue that. They are required to provide corresponding source code, which means the exact version they put in the cars, with any patch files and build scripts needed to build it.
In the era of distributed source control, it seems reasonable to me if "provide" meant, "link to a repo with our changes". I can see why that's not in the letter of the GPL (e.g., what if github ceases to exist ten years from now, and you want to tinker on your car), but for now it seems reasonable.
The actual relevant text of GPLv3 is in section 6d:
> d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
In GPLv2, this reads a bit differently:
> If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
GPLv3 here seems a bit clearer to me. This in fact is one of the better reasons for GPLv3. It gives more modern options for distributing source code, since internet distribution became a lot more popular by the time GPLv3 was written.
The code is licensed under GPL 2, but I agree the GPL 3 is actually much clearer & seems to suggest they're in compliance. (At least in respect to ConnMan.)
Either way, if people are genuinely concerned and want a specific version of the source code for their car, it seems Daniel Wagner is a contact at BMW to ask. There's an email address in the git repository commits.
Yes, but that is just the ConnMan development repository. Correct me if I'm wrong, but I think BMW would need to redistribute the exact version of ConnMan that they used, including any modifications made. At least a deep link to a branch or tag would be nice.
What GPL licensed software are they actually infringing upon? The linked post[1] says they found mentions of systemd, but does the firmware actually contain a linux kernel? I don't see anything that looks like a kernel in the file listing.
Also if the firmware is properly signed delivering it over http shouldn't matter, right?
The specific update here is just a delta update, and doesn't contain the entire firmware. But it does contain shared libraries built for running on a Linux system, so it stands to reason there's a Linux kernel running somewhere there.
(On that note - has someone sent a similar request to Tesla - they've at least semi-officially said they're running Linux)
I suspect that modern BMWs have a multitude of interconnected computers potentially running different kernels. It wouldn't surprise me if different systems are running entirely different architectures.
It's indeed a Linux system, and probably one of the first that BMW brought into market. It might also use GENIVI software components, which is an alliance for automotive linux software.
The carmakers are typically developing multiple systems in parallel by different suppliers. And even if they look similar from a customer perspective they might have been developed completely separately.
The payload can be delivered unencrypted, as long as the public key used to check the authenticity of the payload was provided through a safe channel.
> You can also modify the checksum to match the payload.
FTFY. :)
I don't know yet if these files are signed or even checksum'd. If I get to the bottom of this discussion without finding that someone has downloaded the .bin and checked, I'll hang my head and get back to the day job.
Frankly: given recent news (hacked jeeps, software used to cheat on emission tests) I think it is time to _require_ _all_ software used on vehicles that transit on public roads to be open sourced and available to the public.
(for independent testing and verification in the name of public safety)
Vehicles aren't the only things running software that might need verifying. Far from it. While I wholeheartedly agree that it would be an amazing step, I also fear the huge backlash from the car and IT industry. Doing this more gradually probably works better, perhaps requiring open source (I'm not talking freedom of modification or redistributing or anything yet, just viewing source code) for software older than x years (like the patent model a bit, 20 years or so).
Of course Windows 10 wouldn't have to be open source just because Windows is older than 20 years, but Windows 95 would be.
Anyway, that is just one of the many possible ways. I just think we should be wary of people stuck in the old ways and not limit the move to just cars.
> Doing this more gradually probably works better, perhaps requiring open source (I'm not talking freedom of modification or redistributing or anything yet, just viewing source code) for software older than x years (like the patent model a bit, 20 years or so).
In that case, the car software is still proprietary software so you've gained very little from making the source code public. If a vulnerability is found, you can't write a patch for it and you have to wait for BMW to "get around to you". Car software should be free software upfront.
Yes! Just like medical implants (and the server-side counterparts that control them), and my password manager, and actually any software that is in between me and my password manager (OS, drivers, perhaps a browser), and private stuff like my email client/server, and instant messaging client/server, and things that track my vitals like those smart watch-like wristbands, and any non-domestically developed software the government uses, etc.
Except few people aside from a few "open source radicals" will think like that. For every person I know who will fully support this motion, I know five who will object and another one or two who aren't really sure, and I already have a biased social circle because I do believe in this cause.
As it stands, we never get to peek under the hood. A system like this would at least make people aware that "gosh, if we implement this cheating now (or whatever), we have to make sure to cover it up before we have to go public with it. Better document extensively where it's implemented so we can remove it thoroughly". Which is a bigger step than just one manager going "do it". And we would be able to see trends over the past years and reflect necessary changes in new policy. Perhaps two decades too late by then, but as it stands, we have naught.
Then once people get used to the idea that in 20 years, when the software is commercially useless anyway, perhaps we can open source it sooner. Or more companies will go "look at us, we publish after 5 years for transparency without losing our cutting edge!" A bit of wishful thinking perhaps, but I'm sure some will, and everyone would be forced after a certain time anyway.
But once again, this is just one way of doing it. There are almost certainly better ways I didn't think of yet. We should just be thinking about it in the first place.
"Perhaps requiring open source (I'm not talking freedom of modification or redistributing or anything yet, just viewing source code)"
The term you're looking for is "source-available", which means precisely that the source code is available for viewing, and does not imply anything about conditions or lack of.
I think this problem is impossible to solve, and it's the same one faced by electronic voting.
How can you guarantee that the software running in the car is the same one provided by the car manufacturer?
A more detailed explanation:
You can't guarantee that software provided by the manufacturer and the dump you could retrieve from the car – through an API call, or through forceful means – are the same as the one which is running in the car because you can't know what's going on in the silicon inside epoxy packaging of the myriad of chips in the board.
Even if the hardware is completely open sourced, the manufacturer could use a different/modified microprocessor packaged/labeled/branded just like the one specified in the schematics, so that it could internally store and run the shady code from the manufacturer, while giving you a perfectly legit and signed dump as the one provided by the manufacturer.
Although I do agree that opening the software and hardware to public scrutiny would be a massive improvement on the actual situation.
> it could internally store and run the shady code from the manufacturer, while giving you a perfectly legit and signed dump as the one provided by the manufacturer.
If you had the right to replace it with your own copy, you could make it blink lights in morse code at various points in the software to prove it was executing your code. Of course they could still do sneaky things, but it would be harder.
I don't think it's impossible. Manufacturers should provide the software for audit and assessment. Car tinkerers[1] can usually quite easily pull various firmwares directly off chip, and if the two diverge in a significant way the car company will have a LOT of explaining to do.
At this point in time, having the software available would do more harm than good, considering that 90% (or more) of software development in the auto industry seems to be done by electrical or mechanical engineers with little to no training in software development, and even less knowledge about security and vulnerabilities.
The auto industry does have a plethora of coding standards and software processes, but not enough institutional knowledge and foresight to produce secure software for connected devices. The fact that it hasn't been too catastrophic so far is more a testament to the technical limitations of the bus systems and ECUs than real security, but that is rapidly changing with the advanced hardware being put in cars today.
It seems to me less like refusal to comply with the terms of GPL, and more like denial that they use GPLed code.
> I have confirmed with our technical department who
> advised that ... the usage rights agreement states that
> the software is protected by copyright and BMW is the
> sole owner... it is not subject to the requirements of a
> "Public" licence
That may or may not be the case, but to me that doesn't say "yeah we use, na you can't have it".
I'm confused here. Where is the evidence that they've modified GPL'd software, which they are then distributing, and are refusing to distribute the source code for their modifications?
> Where is the evidence that they've modified GPL'd software
There's a Linux kernel and systemd in the 'i3'. See the links in the first few sentences of the article.
> which they are then distributing
BMW is a Bayerische Motor Work, a car company that distributes cars
> and are refusing to distribute the source code for their modifications?
The letters from BMW to the people asking for a copy of the source, stating they are refusing to distribute the source code for their modifications, linked to in the article.
I read that, but isn't this the lowest type of "violation" there is? People are just wanting them to host the source code that is already available in about a billion locations then?
My question still stands, is there evidence that they're modifying GPL'd code and then not distributing that code?
I think if they're running unmodified code, they could just say "we are running X version Y with no modifications" and link to the upstream and be done with it. Which could be the case.
Or they have modified it and are refusing to release the source with their modifications. But they haven't stated the former.
Technically they don't need to give you the code unless you own that model of car. There's no requirement in the GPL that the code has to be shared to the whole world/everyone. It only needs to be provided to the person that has bought the vehicle which includes said software in compiled form.
This is not correct. They need to provide the offer for source to anyone they provide the binaries to (e.g. customers) but the offer has to be valid for anyone that gets a hold of it[1].
I think I didn't expand my comment enough. In this context (of software running a car), the manufacturer needs to provide a way of getting the GPL'd source code to anyone that owns a vehicle with the relevant binary running in the car.
Basically you don't lose your GPL software right if you've bought the car from someone else other than the manufacturer.
I'm pretty certain they don't distribute source code with cars though, so seeing as the author didn't say "I don't own the car" - and they didn't ask - I think that's moot.
This is only allowed under GPLv3, iiuc. Under GPLv2, you are obliged to distribute (host) the sources yourself even if it's an unmodified upstream version.
A very important part of the obligations under the GPL is to make the recipient aware that they have a right to the source code and that they are allowed to modify it and redistribute it, whether you have modified it or not.
evidence that they've modified, not afaict. But refusing to give up the GPL'd code, even if stock, is a violation. And there are no sizes to license violations.
I'd say it's about the highest form of violation. If someone says your copylefted code now belongs to them, and you don't sue them for relief, it becomes their property under law, and you lose your claim to copyleft in the first place.
You do not need to modify a copyrighted work in order to create a derivative. A music video often uses unmodified songs, but the combination of music and moving images still counts as a derivative work that requires additional permissions from the copyright holder.
If not, I'm not certain that waives their obligation to distribute the source code, at least when requested. In which case they could just link to Linux' own website.
If I understand correctly, all you have to do is add gplCode + yourCode, no modification to gplCode, and that obligates you to a) distribute your source, and b) license your source as gpl.
If you need to link your code against some GPL code, then your code is GPL. But in most cases, a program that runs in a Linux environment doesn't need to link against any GPL libraries.
Because of this, libraries are frequently licensed under the Lesser GPL instead, which does permit linking without causing the resultant work to become GPL'ed itself:
Looking through the user's Github account, they have a history of contacting customer support representatives of companies and threatening to post the transcripts to Hacker News if their specific legal concerns are not addressed:
Generally speaking, they will definitely read them (and occasionally take action), but only respond if they have some legal obligation to do so. Any reply they make to an inquiry or accusation of this type can be used against them, but a lack of response cannot (unless that lack of response violates some requirement of the law).
This is why it's good to have a bilateral contract with them prior to your contact, so that they have a legal obligation to reply. When they don't reply to your offer of renegotiation or relief, you're safe to use their silence as acquiescence or dishonor, depending on circumstance.
Additionally, the emails are phrased more like a request than an indication of a legal requirement. I doubt the customer service rep knows what the GPL is, and won't get someone who does know involved until the fact that it's a legal matter is mentioned somewhere.
The fact that there was no further back-and-forth makes me suspect that the guy behind the email just wants to make a spectacle :/
Please correct me if I'm wrong. I thought the GPL only required providing the source code to the purchasers of the product. (Who can then redistribute it if they'd like.) I didn't think it meant that if you use GPL code in your product, then you are obligated to make your code available to everyone.
You are required to distribute the source code to anyone you distribute binaries to. So if for instance their binaries were available to the public then they would also have to make their source code available to the public. It seems in this case they released a patch to their software and made the patch available to the public.
If I sell some device with an upgradable firmware (which contains GPLed materials), I can allow users to download upgrades from my site without putting them through hoops to prove that they own the hardware. Yet if they ask for the source code, then I can put them through the hoops: convince me that you're actually one of my users, then you can have it.
And it's not because users who don't have my hardware cannot use the firmware. In fact, users of hardware which is not mine could potentially be users of the firmware. If a competitor clones my hardware, so that the firmware runs on it, the users of that cloned hardware can benefit from the upgrades that I provide, because I don't validate that they are using the genuine hardware.
I don't have to provide the cloned firmware with free upgrades and all to the users of the competing hardware, and in fact, I am not offering those upgrades to the users of that hardware. It just so happens that they are able to help themselves to it because it is accessible (for the sake of the utmost convenience to genuine users). That is not the same thing as it being distributed to the entire public.
Just because something is accessible to the public doesn't mean that it's being offered to the public. Distribution requires some kind of offer. An accidental leak is not distribution, for example.
If I sell a computer with Linux on it, and I bundle on my own application that's compiled to run on Linux, am I required to make the source code for that application available?
In this case, if they just have an unmodified copy of Linux to provide the run-time environment for their nav system or whatever, and the nav system itself is an application on top of it, I don't know if it follows that they need to release the source for their nav system.
If it's "mere aggregation" then you're not required to provide the source for that application. You would still be required to provide the source for the particular version of Linux you distributed though.
It's funny there's so much debate over the correct answer to this. This is literally Android, Kindle (old e-ink non-Android ones), Chromebook etc. In fact I can't think of a single commercial Linux product that doesn't use this model.
"If I sell a computer with Linux on it, and I bundle on my own application that's compiled to run on Linux, am I required to make the source code for that application available?"
Are you using GPL code in your application? If so, then yes.
If it's an application, no, but if it's a kernel module (e.g. drivers to talk to their devices), then yes. They still have to offer a copy of the kernel source, even if they haven't modified it.
> If it's an application, no, but if it's a kernel module (e.g. drivers to talk to their devices), then yes.
There is debate about this, but there are certainly cases of compliant non-GPL modules. It doesn't strictly follow. (Consider Ndiswrapper, for example.)
> They still have to offer a copy of the kernel source, even if they haven't modified it.
I don't really think the license implies technical minutiae like this. The source must simply be made available "on a medium customarily used for software interchange". Whether you point to a tag on kernel.org or host it on your own web servers (both cases including the Kconfig) is irrelevant.
> There is debate about this, but there are certainly cases of compliant non-GPL modules. It doesn't strictly follow. (Consider Ndiswrapper, for example.)
Ndiswrapper is GPL-licensed. The resulting modules are probably not, but they are usually not distributed anyway.
> I don't really think the license implies technical minutiae like this. The source must simply be made available "on a medium customarily used for software interchange". Whether you point to a tag on kernel.org or host it on your own web servers (both cases including the Kconfig) is irrelevant.
If you distribute GPL source code with your product, then that is correct. You do not have to give the code to people who have not purchased your product, but your purchasers can give away the code.
If you distribute GPL object or executable code with your product, then, briefly, you have to either distribute the source code with the product, or you have to make the source available for three years to anyone who requests it for no more than your cost of distributing the source.
So, as two people said, you have to give source to who you give binaries to.
But it's stronger than that. You either have to ship them source accompanying the binary, put the source next to a place that has the binaries, or make a written offer.
Since they haven't done #1, they probably have to make a written offer. I don't see one :)
If I am the author of the GPL'd product you're using, I do not have to purchase your product to compel you to release the source code. I can revoke your right to use the product (including your modifications to it) should you not honor the terms.
> You are required to distribute the source code to anyone you distribute binaries to. So if for instance their binaries were available to the public then they would also have to make their source code available to the public.
Well, two things: first, they have to provide source to everyone (regardless of whether they bought the product or not) if they are releasing the product at all. Secondly, if they are statically linking with GPL-licensed code, or otherwise make modifications to the code, the additional code must also be released under the same license, and the code for that must therefore also be made available.
"3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)"
That is not true. As long as they choose option A, they only have to distribute it to customers.
History has proven over and over again that naming and shaming works miracles. Companies that turned a blind eye and were completely unreachable suddenly turned active and kind just to save their reputation. Going to or even just threatening to go to the media, I know from experience, is indeed productive.
I am really curious where you got the idea that it's counter productive. Asking the conservancy to clean up this dirty work is expensive and takes forever.
The problem is when random people from the internet start unwarranted attacks over GPL violations when the problem can be dealt with constructively.
The example that pops into my head is the time when some kid started working on a mod to the Quake 3D engine that was possibly in violation of a free software license. Instead of just reporting it to the copyright holder (id Software), they engaged in a campaign of harassment until John Carmack himself came out and told them to stop. It was some seriously shameful shit.
Public shaming should be one of the last steps to take. Maybe before starting a lawsuit, or maybe after, that's up for debate, but certainly after other avenues have been exhausted.
I see your point but would say there is a difference between a kid and a multinational. The same law rules both but an individual doing this by accident vs. a company doing it due to ignorance (in the best case) is different. The multinational has enough money to defend itself in court, any individual is bound to have less, especially a kid (in your example).
What does this person realistically expect to gain by contacting Tier 1 customer service about an issue with -the source code and licensing of an in car entertainment computer-?
Now in theory, CS should be "empowered" or able to escalate, but this is juvenile, to me, the very briefest of exchanges and then off to HN and elsewhere with "time for a lawsuit!".
The customer service rep might be spreading misinformation, true, but without attention or legal actions, odds are high we'd never know. Better put some pressure on them to actually give a true answer than assume they violate the license and quietly let them continue.
Yeah, it's pretty clear the suit has no idea what they're talking about. I don't know if SFC operates in Australia, but probably they could get some attention from the US division of BMW.
Speaking of which, the SFC is currently running a fundraiser. If GPL enforcement is important to you, please consider signing up for a recurring donation. http://sfconservancy.org/
Are there any organizations that pursue GPL violations that would stick to clear-cut cases of GPL violations where there is strong consensus among OSS developers that violations have occurred like the BMW case?
For full disclosure, I am one of the ZoL developers. I believe that ZoL can prevent certain types of storage related failures that other production solutions do not, including those on systems intended to keep people alive. My desire to see that has required that I make an effort to understand what the GPL permits and what it restricts. So far, my talks with lawyers have suggested that my (and others') work in ZoL is legally alright under copyright law.
The SFC considers easy access to ZoL binaries to complicate their arguments in certain GPL enforcement cases and rather than accept that reality to the benefit of the wider community, the SFC has opted to claim that ZoL binaries as distributed by Canonical are themselves a GPL violation. While I want to see the BMW case litigated, wanting to see GPL violations litigated and contributing to an organization that calls any use of OSS a GPL violation whenever it perceives the possibility of a court agreeing that claim to make litigation of certain cases of actual violations slightly easier are two different things.
I haven't followed the ZFS stuff much at all, but SFC's news post about it the other day did make me wonder why they were doing it. I think it's important to enforce the GPL and other copy-left licenses when they are being blatantly violated, even if the original authors no longer care about the project. But if it's an unintentional license incompatibility, where the spirit of the licenses are roughly aligned, who really cares? Who is benefiting by bothering Canonical or the ZFS-on-Linux developers with these license concerns?
In my case, SFC is pro-bono counsel for the Wine project, from which I derive my income. So even if I don't always completely understand what they do, I feel I should pitch in because they contribute to my livelihood. I'm not a legal guy, I don't pay super close attention to this stuff, I trust them to do something not far from "the right thing."
It might help if you wrote to them telling them how you feel. I will not think badly of you whatever you decide to do going forward. I realize that this is an awkward situation and if I were you, I would probably have made the same decisions.
The unfortunate situation aside, thank you for your work on Wine. Wine has been helpful to me on multiple occasions. :)
I disagree. The fact is that large companies like this are never open to "civil discourse and cooperative solutions" when it comes to copyright, trademark, or other intellectual property matters. BMW will see no reason to comply with the GPL. The only thing a big company responds to on such issues, other than bona fide legal action, is negative press. I think it'll be difficult to manufacture some over the technicalities of copyright compliance, but can't blame OP for trying and not wasting his time trying to navigate the corporate copyright labyrinth.
Source: I have a C&D from a Fortune 500 alleging that I violated some intangible rights. Their argument is weak, but I don't have the millions of dollars every lawyer I've talked to has said I'll need to see the case through (tens of thousands to even get started). I've spent 6 months trying to navigate their corporate structure and get in front of someone who matters. Everyone just tells me to sod off, with varying degrees of politeness. I have not yet been able to locate someone in the company who actually seems willing to have any discussion, and their law firm is obviously not open to this since their instructions were to shut me down. I'm considering the alternatives I have, and wondering if it's time to try to work the media and attempt to get some movement from them that way (though I don't really think this will work, it's becoming the only option).
I think that argument may have used to make sense in the 90s when open source was new and was trying to establish itself, mostly with a dream of "Linux on every desktop".
Now it has found its market and the ecosystem as a whole really couldn't give a damn if BMW is kind enough to use OSS or not.
Respectfully, I don't think this is about 'kindness.' This is about BMW, a commercial entity, respecting the legal rights of the property creators as owners. The license agreement is clear, and certain actions must take place if BMW chooses to benefit from use of the software. BMW is free to NOT use the software if they feel these restrictions are too severe.
I think they were trying to say that the OSS community at this point in time doesn't need BMW to be "kind" and use OSS to help OSS gain popularity. Especially not if they can't be bothered to comply with licenses.
I don't really look at GPL too closely, since I do not code for a living, or make commercial products, but I have to say my superficial understanding of opensource and GPL was piqued by the statement from @jackhat above with the 'legal rights of the property creators as owners.' If I take this statement to mean that GPL is the mirror-image of proprietary license agreements in that it is not free to use, since the stipulation is that you must publish your source code as the cost, would my understanding be correct? I just tend towards MIT or BSD licensed software to avoid any potential issues or problems with my future endeavors.
The GPL is essentially pay-it-forward; any rights you receive must be passed along to anyone who gets a copy of the work (or of a derivative).
That means it's perfectly fine to take a GPL work and modify it without giving the source to anyone, as long as you also don't give binaries to anyone. And if you're distributing binaries privately with just a few people/companies, you also don't need to publish the source publicly, only to those few who got the binaries.
EDIT: Of course, you can't prevent those few from redistributing it publicly themselves.
This brings up an interesting point; which BMW might try to make if this ever goes to court.
There have been times when device manufacturers (and car manufacturers) attempt to prevent device owners from modifying the code on their own devices. I think once folks tried to drag the DMCA into it. There's a lot of muddling up of the ownership waters there.
This may mean that the ownership of the binaries can be similarly challenged. Somehow. A point can be made that a binary living inside a phone (or car) I have bought has not been "given" to me (and thus the source code need not be given to me either).
Granted, it's rather convoluted logic, but then again, this isn't the first time stuff like this has happened.
Would be interesting to see how such an argument actually pans out.
Using GPL'd source as the basis of your work (that is, creating a derivative of a work licensed under the GPL), and then distributing that modified work, saddles the author with the responsibility of handing over the code upon user request. The GPL also prevents changing the license if you're not the original author.
If you own all of the copyright over a work, or if the license explicitly allows sublicensing (BSD and MIT), you can change the license of a work (or a fork of the work).
> If I take this statement to mean that GPL is the mirror-image of proprietary license agreements in that it is not free to use, since the stipulation is that you must publish your source code as the cost, would my understanding be correct?
No. Your latter assertion is correct: GPL code is not free as in beer. How you contort that into a "mirror-image of proprietary license" is your own interpretation, and requires a lot more elaboration on your part.
To put it in the simplest terms: the GPL is mainly concerned with the freedom of the source code, not the freedom of the developer.
The way I read it is that no, BMW is NOT legally required to release it as it is in a proprietary piece of HW, and releasing the code could thus cause harm to their business. And while they ARE using it for 'gain', no one can prove that they were HARMED or had a loss of income or even IP (outside of copyright) by their (BMW's) use of such as it is essentially 'free' in that no money or barter items were exchanged. They MAY have a copyright claim at best, but again, I am not a lawyer. That's just how I see it.
Is there a precedent to enforce GNU licensing outside of copyright infringement?
That's not how the GPL works. If it would be inconvenient for BMW to incorporate GPL software and properly comply with the license by providing source, then their only alternative is not to incorporate the GPL software. Full stop. Harm or proprietary hardware has no bearing on the rights granted by the GPL.
That is true in the real world if and only if there is someone willing to sue BMW and see it through to the end. Absent someone doing that I don't see how the GPL is actually enforceable. In some ways it is similar to what we have with surveillance and the NSA in the US. While they are probably breaking the law the courts have been unwilling to force them to stop.
> That is true in the real world if and only if there is someone willing to sue BMW and see it through to the end. Absent someone doing that I don't see how the GPL is actually enforceable.
So... just like every other contract, ever? You can't have an enforceable agreement between civilians without courts. Anyone willfully making a derivative of GPL software explicitly agrees to that contract and as usual, courts are the arbiters. Yes someone needs to go to court.
"the way I read it is that no, BMW is NOT legally required to release it as it is in a proprietary piece of HW, and releasing the code could thus cause harm to their business."
When in the hell did the "Release sources, unless it would do harm to your business" clause get added to the GPL?
"no one can prove that they were HARMED or had a loss of income or even IP"
Sure they can. It's their IP, and if BMW wanted to use it, they had to follow the license, or negotiate for a private license. They did neither, which very much would constitute harm.
"is essentially 'free' in that no money or barter items were exchanged."
The barter is that you would "pay it forward". BMW has not upheld their side of the bargain.
"They MAY have a copyright claim at best"
They're the ones who wrote the software; they're the ones who decide how it gets licensed. If that license is broken, then their copyright was violated.
"Is there a precedent to enforce GNU licensing outside of copyright infringement?"
Your reading is incorrect. BMW is distributing hardware and software, and is possibly in violation of the license agreement that allows them to use that software.
Their only possible defense is to assert that they are not using GPL'd software.
If you are talking in practice - can someone sue BMW and force them to release the modified versions - I think you're right, but one can still get an injunction preventing them from distributing any more copies of the work. Which means no more cars with that firmware; not a happy prospect for BMW!
> History has proven over and over again that this kind of public shame and blame approach doesn't help in any way, quite the opposite.
Can you please provide some evidence for this statement?
> Now that the bridges are burning, BMW will be far less open to civil discussion and cooperative solutions. Well done. #sarcasm
Depends on what your goal is. If your goal is to obtain the source code in this specific instance, and if you don't care about the efforts of open source contributors, then I guess it would make sense to privately "discuss" and "cooperate" with BMW.
On the other hand, if you want to scare companies into not stealing other people's work in the future, then I think naming and shaming is a reasonable strategy.
This is a clear case of rationalization about rules not applying to the powerful. Surely you would not expect BMW to care about "burning bridges" and value "cooperation" and "discussion" with you had they caught you stealing their IP.
I don't see any shame and blame yet. The only thing these emails show is the claim by BMW that no software not developed or fully owned by BMW is running on their cars infotainment system.
A shame and blame game would start when one analyzes the software updates, is able to prove that the above statement is a lie, and makes a big fuss about it. This would make BMW fear losing their face and be counterproductive, I fully agree.
Harald Welte founded gpl-violations (http://gpl-violations.org/about/) 12 years ago. They have been offline for some time, but it looks like they plan to continue with their activities this year: "Actual GPL enforcement activity is expected to resume at some point in 2016." Maybe they can help sorting this out.
Has anyone ever seen GPL being enforced in any country?
Won't this end with BMW uploading a tar.gz of a kernel found on kernel.org and call it a good working day?
Have seen it happen too many times, and in most countries the user has no claim on the license/copyright.
So unless I contributed/own some copyright found in exact Linux kernel version/other software used by a distributor, and buy their stuff, there is zilch I can do.
Which also means, you are free to sell/and break GPL software/license and as long as you don't upset somebody who owns the copyright to it, you're good to go.
Yes, and actually in BMW's home country, Germany. The summary can be read at this old Slashdot submission [1] from 2005 but the gist of it is that
> Harald Welte of the netfilter/iptables core team sought to enjoin Sitecom from distributing its WL-122 router, which used netfilter's GPL'd code, without also providing the source code and a copy of the GPL, as that license requires
and
> The Munich Court granted Welte a preliminary injunction [2] and then upheld that injunction [3][4]
I believe there are other instances of GPL being upheld in courts around the world and this one should be only one of many examples.
GPL is not even necessary in these cases, in the absence of the (GP) license it reverts to the default copyright rules, with all rights of copy and distribution being at the hands of the copyright holders (save for Fair use and other exceptions).
A company that would try to argue that GPL is not a valid license in court would actually be admitting in court that they are distributing the software without a license from the copyright holders all along.
Yup, I can remember several companies settling and being forced to comply for violations of busybox GPL'd code in the US off the top of my head - Verizon, Extreme Networks and Xterasys. There are likely quite a few other examples of GPL being successfully enforced.
Good. I'm sick of people walking over copyleft licenses generally. It's only because of copyleft that there exists a pro-sharing social norm in the software development community. If you kick down the GPL, the norm will shift back toward proprietary software everywhere. You, young developer, have no idea just how shitty a world that is.
I've gotten the same response from a company when requesting kernel source before. What is the best source for help in dealing with this? I reached out to GNU but got no response. I know the kernel isn't their project but didn't know where else to turn.
Is it a violation if they don't modify Linux itself? So if I make a device that runs Linux and my application binary, am I required to make my application code public?
You are not required to make your application public as it is not considered a derivative of the linux kernel. If you distribute the device you are required to provide your customers with the source code to the running linux kernel.
The exact details depend on multiple factors (are you linking to libraries? Are they considered system libraries?) and if you are actually thinking of doing this you should invest some time in investigating this, and probably in consulting a lawyer.
Note that this is all based on my layman's understanding of the law and the license, and I'm definitely not a lawyer.
And it won't be. But cut their public relations staff some slack. They can't tell Richard Stallman from Gregory Rasputin, and before saying or doing anything they're going to be bringing themselves up to speed on what the GPL is. No need to get rage-y just yet.
It's their obligation to forward what they don't understand. If I work for a mobile network carrier and say something that indicates we don't follow some privacy law, it's my fault for not asking my boss how we handle certain things. (And my boss might ask his/hers, etc.)
Yes, it actually is. People saying it isn't haven't read the license. :)
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
You're not required to make the application code public if it doesn't link against any GPL code. If it's just the equivalent of a Docker image containing a distro + your app, then all you have to do is distribute the source for the Linux parts of the image.
It is if they don't redist the kernel code they're using - if it's GPL'd, and you redistribute the binaries, you acquire the responsibility to redist the source.
Misleading title; it looks more like they in fact refuse to acknowledge at all that some of the code is someone else's.
> Part of the usage rights agreement states that the software is protected by copyright and BMW is the sole owner. So in this case it is not subject to the requirements of a "Public" licence [sic]
I.e. "This is all our software; there is no third-party GPL stuff in it, so we need not comply with any such license."
Worst case scenario is that a court issues an injunction halting distribution of the infringing product. This has happened in the past: https://news.ycombinator.com/item?id=11217620
I'm not a lawyer but I'd expect that if they lose in court they stand to be liable for damages that will far exceed compliance costs. It's in their best interest to just work toward compliance now.
The point isn't that it may cause you a problem. The point is that the license is the structure by which people understand how they can use things, and the lack of a license is generally taken as "don't touch this" by the larger community. It's essentially opting out of the larger pool of contribution, which is of course totally valid and your right.
It depends on whose copyright you infringed upon. If it's a company, you can bet your ass they'll sue you if they find out. If it was an individual, then probably nothing will happen. But that doesn't mean you shouldn't use a free software license for your software. Many people will refuse to use it, because they cannot be sure they are legally allowed to do so.
If it's a company which cares about copyright I'm sure they will put a license on it. The scenario we're talking about is where people put up code without bothering putting a license on it. I have a hard time seeing anyone would be sued for using that since the author clearly doesn't care.
That's not how the Berne Convention works. Copyright is applied automatically. You can't just assume people who publish works without a license "don't care". Maybe they don't want to give you a license and want to retain all of their rights under copyright law.
I always put licenses on all of my works (including presentations, blog posts, images, as well as code obviously). All of them are licenses which make it clear that I wish to provide people more freedom than granted by default under copyright law (in countries that follow the Berne Convention).
A license is permission to use rights reserved under copyright. Someone who cares about copyright but doesn't intend to give any permissions will not provide a license.
Refusing to put a licence on your code does stop people from using it.
If you really don't care, just slap an MIT license on it and be done with it, no one will bother you afterwards.
So it is strange for me even if I understand GPL.
Does it mean all the network routers running custom linux have to provide sources of entire modification?
I assume if we want companies to make use of linux on a wide level, there should be the ways to overcome this problem (if exists).
No. There is a boundary between the "kernel" which is strictly GPL and the "user" operating system which is (in its interaction with the kernel) based on LGPL and weaker libraries. So these routers have to distribute changes they make to the kernel, yes, but not any and everything that runs on the router.
> Does it mean all the network routers running custom linux have to provide sources of entire modification?
Yes.
> I assume if we want companies to make use of linux on a wide level, there should be the ways to overcome this problem (if exists)
What problem? Making the source code of the programs you distribute to your clients available is not a problem - it's an obligation you agreed with when you used the GPL'ed program as a basis for your own.
First is security: if a current asset based on linux is vulnerable and you make it public, the consequences are obvious. Or even your system is vulnerable itself because of modifications. Or 0day that will reveal afterwards. And your product is based on embedded systems.
I understand it's your choice, but it holds the development.
Second is competitive advantage. If you have to release the modified system that you use in your product on day 0, when you started, it interferes with your business.
Again it's your choice, but it could hold the development.
So reasonable alternative would be good.
If you choose to use code that is under the GPL or similar copyleft licenses, then you have to play by the rules and provide people you distribute your software to a way to get the source code.
This is ridiculous. So now, any John Doe can contact customer support of any company, then publicly shame them for not getting the response they want? Aren't there organizations with the sole purpose of investigating Free Software license violations, with access to actual lawyers? Where's the email thread of such correspondence?
This sounds like a child crying mommy. Oh, and while I usually approve attempts at breaking the way-too-serious corporate speak, smileys seem to detract from the gravity of the issue being discussed.
Can we get responsible people to handle this, please? Like the Free Software Foundation? Not a flash mob on the internet. This is counter-productive.
It seems to me that they're not distributing any software (i.e., the product is a car, not software), which means licensing doesn't come into play. It would be akin to someone finding out that I'm privately using (and maybe modifying) GPL software, and then demand that I make the source code available to them. Only in GPLv3, the issue of selling a product that uses GPL software internally is addressed. The situation changes of course once they make the software itself accessible to third parties, in which case they'd also have to supply the source code.
If that were the case, you could get around the GPL by claiming to sell CDs, thumbdrives, or zip files. Including software in your hardware product is undeniably distributing that software, IMO.
I disagree. If you sell me a CD with software on it, I have the software. If you sell me a car that runs a software internally, I have a car, but not the software. The car, unlike the CD, is not a container for the software. In fact, there is no trivial or intended way to get the software out of the car. As I said, GPLv3 addresses this explicitly, but with GPLv2 the license just doesn't apply. Then again, lots of people strongly dislike GPLv3, possibly exactly for this reason.
Incidentally, if you send me a USB stick with some GPL software on it, I can demand that you give me the source code of that software. However, I can not demand that you also give me the source code for the firmware of the USB stick, even if the source code for that firmware is under GPL (v2).
Duncan here. I'm the one who contacted BMW to ask about source code availability. I don't own one of the BMWs in question, but the chap who wrote the original article investigating the update contents did.
I've since been contacted by someone clueful from BMW Germany, and have put him in touch with the car owner. They are working together to determine what needs to be done for BMW to be compliant.
tl;dr: It looks like it's all going to be sorted out amicably.
This kind of interaction actually looks to me to be counter to the spirit under which the Free Software Foundation tries to administer the GPL - which is that they work cooperatively to help companies comply rather than try to trick them into legal hot water. I agree with the FSF approach and I don't think this sort of PR ambush type tactic is helpful in promoting the use of free software.