An update on Yoggie GPL compliance
Nearly a month and a half has gone by since we looked at the Yoggie Pico laptop firewall. At the time, we promised an update on a request for information about the availability of source code for Linux and other GPL software. Unfortunately, after several email exchanges with the firm that does PR for Yoggie, the code is still unavailable. A release of code was promised for the end of June, but did not materialize. A further query, early this week, produced the following information:
Hopefully, they really mean it this time.
Posted Jul 11, 2007 1:25 UTC (Wed)
by tuxchick (guest, #42009)
[Link] (2 responses)
Posted Jul 11, 2007 13:49 UTC (Wed)
by sbergman27 (guest, #10767)
[Link]
I'm not sure what to do about that. But as the popularity of OSS increases, no amount of policing is going to prevent violations unless the companies themselves see compliance with the license as being in their own, enlightened self-interest.
Posted Jun 10, 2008 12:34 UTC (Tue)
by Yoggie (guest, #52475)
[Link]
Posted Jul 11, 2007 3:26 UTC (Wed)
by jwb (guest, #15467)
[Link] (3 responses)
Posted Jul 11, 2007 6:05 UTC (Wed)
by drag (guest, #31333)
[Link]
It's in everybody's best interest that these Yoggie folks be as successfull as possible, it's right to give them the benifit of the doubt and give them time to figure all this stuff out. They may be new to it.
If they refuse to cooperate, then I figure in a year or so people will probably start taking them to court.
Posted Jul 11, 2007 6:30 UTC (Wed)
by ringerc (subscriber, #3071)
[Link] (1 responses)
Posted Jul 11, 2007 6:59 UTC (Wed)
by ringerc (subscriber, #3071)
[Link]
Whoops. That's what preview is there for.
Posted Jul 11, 2007 13:23 UTC (Wed)
by moxfyre (guest, #13847)
[Link] (4 responses)
The good news is that in nearly all cases, the companies involved eventually do release all the source code that the GPL obliges them to... thanks to the legal weight of the GPL.
The thing that irks me is that there are always these significant delays in getting the code. It seems to be a major sign of disrespect for the open-source projects on which these companies build their products. Releasing GPL code is always an afterthought compared to getting their products out the door. I don't recall anything in the GPL text that says "it's okay to twiddle your thumbs for a couple months and blame the Legal Department before releasing the source code."
It seems to me that, under the GPL, source code needs to be available as soon as binaries are distributed. Not a month later after a lot of foot-dragging and wasting people's time. Companies that distribute products with modified GPL code could probably gain a lot of goodwill with the open-source community by having source code ready for distribution the moment their products roll out the door.
Posted Jul 11, 2007 14:48 UTC (Wed)
by sepreece (guest, #19270)
[Link] (1 responses)
I suspect there's a good opportunity for somebody who'd like to set up a business providing source-access service to manufacturers, so they don't have to think about it. Especially for small companies that don't have in-house counsel and product support organizations. Such a company could offer training, review companies' internal processes, validate the source code against the shipped product, and give the companies a simple operational checklist for meeting their responsibilities as well as providing a web site where people could download or request the code. [I'm sure there are a bunch of consultants already providing this kind of service.]
Note, though, that all the GPL requires is an offer to provide the source on request; it says nothing about timing. I'm sure that lawyers could characterize timely vs non-timely performance and argue what scope the license gives by not making any timeliness requirements.
Posted Jul 13, 2007 20:21 UTC (Fri)
by moxfyre (guest, #13847)
[Link]
This is a pretty great idea!
Unfortunately, in the current climate, companies using GPL software seem to often see it as simply a form of "free as in beer" software. They use GPL'ed software because it's cheap (which is not a bad reason!!) and then they don't want to spend any money or time on fulfilling their obligations under the GPL.
Posted Jul 11, 2007 15:15 UTC (Wed)
by justme (guest, #19967)
[Link]
Does anyone think that the time lags involved here are enough to win that game?
Posted Jul 11, 2007 16:11 UTC (Wed)
by madscientist (subscriber, #16861)
[Link]
And, it should be remembered that some companies are far-flung and have complex and not-completely-coordinated divisions, and sometimes educating one division doesn't mean that all the others are following along.
If a company repeatedly needs prodding to do the right thing THEN the community should definitely take stronger action.
Posted Jul 11, 2007 13:51 UTC (Wed)
by utoddl (guest, #1232)
[Link] (9 responses)
Not to put to fine a point on it, but Yoggie isn't obligated to make their modified GPL source available to me and (probably) you, or even to the iptables maintainers. They are only obligated to make it available to those to whom they have distributed products based on GPL code. That point seems to often be lost in these otherwise enlightened discussions.
Posted Jul 11, 2007 14:02 UTC (Wed)
by charlieb (guest, #23340)
[Link] (8 responses)
Please re-read the GPL. If they do not ship source *with* their product, then they are in fact required to make their GPL source available to me and you. And "any third party".
Posted Jul 11, 2007 15:27 UTC (Wed)
by utoddl (guest, #1232)
[Link]
Posted Jul 12, 2007 1:34 UTC (Thu)
by JesseW (subscriber, #41816)
[Link] (6 responses)
Hm. AFAIK, the FSF has always been intentionally leery of requiring public distribution in the GPL. They are insistent that no-one with object code is ever unable to get the source, but I think they try to avoid requiring unlimited distribution.
Let's look at the relevant text from GPLv2:
"You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following"
"a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, "
"b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,"
"c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)"
That's all the options in version 2 of the GPL. As I hope I showed above, none of them require public distribution. It's about the freedom -- including the freedom to refuse to distribute. (as long as you don't try and give people software they can't use in freedom).
Now, in version 3 of the GPL, things are (slightly) different. There's two new options, for one thing.
"You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:" "a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange." "b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge." Other changes from v2 include the extension of the validity period -- if you keep supporting a product, the offers automatically stay valid, and the option to offer download instead of directly providing a copy. Note that "access to copy" does not need to be given to anyone, just to someone who you have to distribute to under this paragraph.
"c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b." "d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements." "e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d." And that's all the options listed in version 3 of the GPL. Again, no requirement of public or upstream distribution. Please read more carefully before making such claims again.
(This comment also published at my website)
Posted Jul 12, 2007 2:57 UTC (Thu)
by sepreece (guest, #19270)
[Link] (3 responses)
Given the ambiguity, I'm pretty sure most corporate lawyers would avoid risk by assuming the broader reading...
Posted Jul 12, 2007 3:23 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
this would imply that as the upstream provider you aren't required to provide source to people who get the binaries from someone else, that someone else must provide them.
if you are going to be picky about the requirements then you need to be evenly picky otherwise you're just reading it to favor your point of view.
Posted Jul 12, 2007 8:21 UTC (Thu)
by dark (guest, #8483)
[Link]
For example, if you redistribute binaries from the Debian archives, then
That's different from the case under discussion, where the distributor is
Posted Jul 12, 2007 5:52 UTC (Thu)
by JesseW (subscriber, #41816)
[Link]
Does the GPL require that source code of modified versions be posted to the public? says: "But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL." supporting the "users-only" view.
And, If I know someone has a copy of a GPL-covered program, can I demand he give me a copy? says: "No. The GPL gives him permission to make and redistribute copies of the program if he chooses to do so. He also has the right not to redistribute the program, if that is what he chooses." (italics in original) which firmly squashes any claims of required public distribution if there are no object code issues.
But, What does this "written offer valid for any third party" mean? Does that mean everyone in the world can get the source to any GPL'ed program no matter what? says: "If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it." which clearly supports the "public distribution" view. Fuzz.
Then there's My friend got a GPL-covered binary with an offer to supply source, and made a copy for me. Can I use the offer myself to obtain the source? which says: "Yes, you can. The offer must be open to everyone who has a copy of the binary that it accompanies." which sounds like it supports the "users-only" view, but isn't conclusive, since maybe "the offer" actually has to be even wider (as the previous question seems to imply).
The question I just found out that a company has a copy of a GPL'ed program, and it costs money to get it. Aren't they violating the GPL by not making it available on the Internet? lays out the FSF's position, but it's a bit vague in a critical area. It says: "It also does not require anyone in particular to redistribute the program. And (outside of one special case), even if someone does decide to redistribute the program sometimes, the GPL doesn't say he has to distribute a copy to you in particular, or any other person in particular." What's the special case? The "written offer"? Or something else?
In total, I agree with you, the GPL FAQ is quite ambiguous and unsure about whether the "written offer" must only apply to people with a copy of it, or to anyone, with or without a copy of it. But a number of things seem to imply the FSF intends the former. Hopefully some FSF staffer is reading this, and can update the FAQ to clarify it.
Posted Jul 12, 2007 8:54 UTC (Thu)
by dark (guest, #8483)
[Link] (1 responses)
The GPLv3 is too new for me to comment on, since I haven't studied it
thoroughly, but I'd like to focus on the wording of clause 3(b) of the
GPLv2:
Accompany it with a written offer [...] to give any third
party ...
Notice that it's not just an offer that is valid for any third
party.
It must be an offer to supply the source to any third party. If I
get such
an offer, and then they refuse to supply the source to any third party,
then they didn't honor the offer they made to me.
As a reminder, I'd like to point out that such an offer doesn't have to
be a
physical token. It must be "written", but it could be written on a web
page or inside an iso9660 image. This is
illlustrated by clause 3(c),
which says:
Accompany it with the information you received as to the
offer ...
So, it doesn't talk about passing on the offer or making copies of the
offer. Information
about the offer is sufficient. This makes sense if the original
offer was already to supply source to any third party. Then knowing about
the offer is just as good as having a "copy", whatever that means exactly.
One detail that's always amused me is that the GPLv2 does not actually say
that you have to honor these offers :) It's not clear to me who would have
standing to sue if you don't.
Posted Jul 12, 2007 15:44 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link]
The copyright holder has standing because you didn't obey the terms of the license to their copyrighted work.
You can say "I don't accept your license", but that means you're admitting to copyright infringement, which is usually a criminal offense, and certainly enough reason for the court to order you to cease distribution.
The immediate recipient of the offer probably has standing because the GPL terms are an implicit component of any contract between you and them for the supply of this software. In particular if money changed hands then I feel pretty sure they'd have standing.
If a third party is trying to use the offer, they probably have standing but they'll need a really good lawyer because they need to make it perfectly clear why this obligation exists between two parties that have no direct relationship. It's definitely possible, there are famous cases where this sort of argument was made, but it's a lot harder than the copyright holder example.
In summary, probably lots of people have standing to sue.
Posted Jun 10, 2008 12:33 UTC (Tue)
by Yoggie (guest, #52475)
[Link]
And how many times does Lucy get to pull the football away? how many chances?
The problem, as I see it, is that companies perceive releasing their modifications as an obligation and not as an opportunity. Their perception of the advantages of OSS stops with the use of the existing code, and does not extend to the advantages afforded them by having the code available to the community for review and improvement.how many chances?
Update:how many chances?
A good few months ago already Yoggie has published a detailed online licensing page that details the OS components and versions it is using as well as patch files of all the OS code that was modified.
Yoggie's online licensing page
If this were commercial software the injured party would have enjoined these people 100 different ways by now. Why don't the iptables maintainers get a big fat injunction against these jokers?An update on Yoggie GPL compliance
Probably because they want their cooperation, not their failure. There is no need for a example to be made of these people.An update on Yoggie GPL compliance
Injunctions can be expensive and lead to significant. Such legal processes also take time. Sometimes it's best to be tolerant and give people time to understand what they need to do - and convince their lawyers of it too.An update on Yoggie GPL compliance
... significant [costs].An update on Yoggie GPL compliance
This kind of thing seems to happen way too often... e.g. with SWSoft's Parallels product, Linksys's Linux-based routers, etc.Same old, same old
As more companies become familiar with what the licenses actually mean, and as they accumulate more engineers who have been through OSS-based development before, the processes involved in compliance will get to be more routine. Same old, same old
I suspect there's a good opportunity for somebody who'd like to set up a business providing source-access service to manufacturers, so they don't have to think about it. Especially for small companies that don't have in-house counsel and product support organizations. Such a company could offer training, review companies' internal processes, validate the source code against the shipped product, and give the companies a simple operational checklist for meeting their responsibilities as well as providing a web site where people could download or request the code. [I'm sure there are a bunch of consultants already providing this kind of service.]Same old, same old
It leaves me wondering if this is a way to game the license: build your product on GPL code, leave it closed, and then hold on, hoping that the market or pricing advantage gained by secrecy takes hold before someone forces your code open.Same old, same old
The question is, are the delays repeated by the same company? If it can be shown that once a company is "educated" on the requirements and has complied with them in one product/release, that they then do so voluntarily and expeditiously for subsequent products/releases, then I have no problem with it. The GPL is a completely foreign legal and social environment than companies are used to operating in and I'm fine with giving them time to get their footing in it... as long as once they've done so they participate as expected.Same old, same old
While I agree Yoggie should get their GPL compliance act together, I wonder how many of those folks voicing concern have actually bought products from them.An update on Yoggie GPL compliance
> Yoggie isn't obligated to make their modified GPL source availableAn update on Yoggie GPL compliance
> to me and (probably) you, or even to the iptables maintainers.
I did re-read it, and you are right. I stand corrected.An update on Yoggie GPL compliance
object code distribution requirements in GPLv2 and GPLv3
OK, so these are the ways you have to distribute source code...
This certainly doesn't require distribution to anyone but customers, i.e. not the public, not upstream.
Now, this is the tricky one. Clearly, this requires distribution to anyone with a copy of the offer (while it is valid). The question is, does it require distribution to someone who does not have a copy of the offer? Effectively, is the offer just an announcement that source is available, or is it proof of eligibility for access to the source? In my view, because of the use of the term "offer", rather than, say, "announcement", having a copy of the offer is required. So, while the distribution mandated by this option is wider than the previous one (since copies of the offer are still valid (see below) the total required distribution is theoretically unlimited), it still doesn't require distribution to the public, or to upstream.
This is the "cheap shortcut" option. It doesn't require any distribution of source code by the Licensee, only that the Licensee distribute copies of the offer they got, so it certainly doesn't require public or upstream distribution.
Slightly different phrasing, but the intent and effect is the same.
This is more specific than in v2; it only applies if you actually sell or give away a physical object (like a disk, or in Yoggie's case, a USB key); but the distribution effect is the same -- the requirement only applies to customers.
This is helpfully much more explicit; it states who the Licensee has to distribute to right there: "anyone who possesses the object code". Not anyone at all, but only anyone who already has the object code. This nicely sidesteps around the ambiguity (which is still present) about whether a copy of the "offer" is required in order for distribution to be mandated. Even if the view is taken that the "offer" is really just an announcement, unlimited distribution is still not required.
This is identical in intent and effect to this option in version 2.
This is one of the two new options, the "download" option. Note that it specifically leaves open the choice of charging for access to the server. No distribution is required, only making sure that the source remains available, and it only needs to be available to the people who download the object code via Licensee's server(s). No public or upstream distribution required here!
This option, while it doesn't directly require the Licensee to provide free public access to the source, cannot be used unless somebody is providing such access. But such access is not required of the Licensee.
I believe the previous notes were reading the ambiguous option (b) of GPLv2 the other way than you did. The wording in GPLv3 suggests that the FSF probably intended your reading (I wouldn't have expected them to make the requirement narrower). Curiously, though, the FSF's GPL FAQ question on this point (which is still based on the GPLv2 text) disagrees and says it means you have to provide source to anyone (though it never discusses the question of whether you can require proof of possession of the written offer). However, to add a little further fuzz, that answer also cites the rationale as being to make sure the source is available to people who got the binaries indirectly, which implies the condition from GPLv3.object code distribution requirements in GPLv2 and GPLv3
according to the FSF if you provide GPL software to a third party that you got from someone else, _you_ are the one responsible for providing the source code, you can't just point at the upstream provider.object code distribution requirements in GPLv2 and GPLv3
Do you have a reference to where the FSF said that? I suspect they're object code distribution requirements in GPLv2 and GPLv3
talking about something else, namely that you cannot pass along a 3(b)
offer if you didn't get one in the first place.
you cannot simply tell people they can get the sources from the Debian
archives themselves, because Debian is using option 3(a) and it never made
any promise to keep the sources there for 3 years.
using option 3(b) to distribute binaries without accompanying source code.
Thanks for bringing up the GPL FAQ. It certainly does have it's share of ambiguities and fuzz.
GPL FAQ
object code distribution requirements in GPLv2 and GPLv3
The word 'offer' is a technical term in law, a contract has two phases, offer and acceptance. "I'll take you to Dover for forty quid", "Here's forty quid" is the formation of a trivial contract. If you choose clause 3(b) of the GNU GPL you must make an offer to everyone. Anyone in the world might accept it. That's such a dangerous thing (think Carbolic smoke ball) to do that I'm surprised any company chooses 3(b) now that 3(a) is so cheap to comply with. object code distribution requirements in GPLv2 and GPLv3
Update:An update on Yoggie GPL compliance
A good few months ago already Yoggie has published a detailed online licensing page that details the OS components and versions it is using as well as patch files of all the OS code that was modified.
Yoggie's online licensing page