SFC reports a successful (L)GPL suit in Germany
Historically, lawsuits have focused on the copyrights licensed under GPL (or the GPL and LGPL together). Steck's lawsuit uniquely focused exclusively on users' rights under the LGPL. Steck's work showed that despite being a "Lesser" license than GPL, LGPLv2.1 still guarantees users the right to repair, modify and reinstall modified versions of the software on their device. There is now no doubt that both GPL and LGPL mandate the device owner's ability to make changes to the software in the flash memory so those changes persist across reboots.
Posted Jan 9, 2025 17:37 UTC (Thu)
by cloehle (subscriber, #128160)
[Link] (10 responses)
Posted Jan 9, 2025 18:05 UTC (Thu)
by burki99 (subscriber, #17149)
[Link] (9 responses)
Posted Jan 9, 2025 18:26 UTC (Thu)
by chris_se (subscriber, #99706)
[Link] (8 responses)
The German legal system doesn't rely on precedent much anyway, so not having an official ruling by the lowest court this can be tried in will not have any detrimental effect on future legal challenges. (Only if this had been appealed up to the highest courts in Germany would this have potentially had any legal impact on future rulings.)
But the fact that the lawyers of a fairly successful German company were of the opinion they'd lose the case here does set an implicit precedent on how other lawyers will advise their clients in the future.
Posted Jan 9, 2025 20:22 UTC (Thu)
by cesarb (subscriber, #6266)
[Link] (7 responses)
But it might instead mean that their lawyers and/or managers considered it a lower effort (and/or lower cost) to comply than to continue the lawsuit, independent of how likely they considered it that they would lose.
Posted Jan 9, 2025 21:05 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link] (6 responses)
Posted Jan 9, 2025 23:09 UTC (Thu)
by pabs (subscriber, #43278)
[Link]
Posted Jan 9, 2025 23:47 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (3 responses)
I think the better scale to consider is not the "why does a company comply" scale, but rather "what is the cost to a user or developer of exercising their rights?".
The issue with "it's cheaper to comply than to fight in court" is that just getting to the point where the company is taking that decision costs me quite a lot of time and money. So the interesting scale is from "I can exercise my rights at low cost" to "I have to get a lawyer involved and pay to establish that I have rights, before eventually being reimbursed in full", through "I'll get my monetary outlay reimbursed, but no payment for the time and effort I put in", up to "I have to put time and money in, and may get nothing out".
That's especially true since the motivations of a company change as the employees change, and a company that was "good FOSS community members" 10 years ago may become "it's cheaper to work upstream" or even "legal says we must comply because it's cheaper to comply upon request than to fight in court", and return to being "good FOSS community members", without anyone particularly noticing. On the other hand, "it's easy and cheap to get compliance" versus "it's hard but cheap" versus "it's hard and expensive" is easy to follow from the outside.
Posted Jan 10, 2025 6:45 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
Indeed, thanks.
Posted Jan 10, 2025 18:40 UTC (Fri)
by ballombe (subscriber, #9523)
[Link]
This completely changes the risk profile from the point of view of the offending company.
Posted Jan 10, 2025 16:54 UTC (Fri)
by iabervon (subscriber, #722)
[Link]
I think the fact that Steck was a user (rather than a copyright holder) of the device moves non-compliance from "you might have to pay money" to "an adversary can make you pay them money", which is where companies' lawyers start telling them they need to be in compliance before anyone notices.
Of course, that only gets as far as making it free for users and developers to exercise their rights, and culture matters as to whether the device comes with proprietary userspace software that can be aggregated into new firmware images by the build scripts but can't be modified.
Posted Jan 11, 2025 21:23 UTC (Sat)
by Heretic_Blacksheep (guest, #169992)
[Link]
(*) Mooted cases are cases where the reason for the lawsuit no longer applies, so the case gets dismissed for no longer having a cause of action.
Posted Jan 9, 2025 19:52 UTC (Thu)
by npws (subscriber, #168248)
[Link] (18 responses)
Regarding speculation that they would have lost, maybe, but from what I can tell, the guy was not even a copyright owner, but just wanted to take advantage of the written offer, so this was never a copyright case and he wouldn't have any of the measures of copyright law at his disposal. The costs of the case for AVM should be around 4-6k, so they might just have decided it's not worth fighting it.
Posted Jan 9, 2025 20:16 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (17 responses)
So ANYone who receives a piece of kit with (L)GPL code now has a precedent to go and say "I want the code".
Cheers,
Posted Jan 10, 2025 3:48 UTC (Fri)
by npws (subscriber, #168248)
[Link] (16 responses)
You can sue for any reason you like, you just might lose. Given that nothing at all regarding the validity of his claims was decided by the court, it comes down to "guy asks for code, guy eventually receives some code" (and according to comments here *still* not even the complete one). Something that hasn't happened many times before.
Posted Jan 10, 2025 3:50 UTC (Fri)
by npws (subscriber, #168248)
[Link] (15 responses)
Posted Jan 10, 2025 11:58 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (14 responses)
"Both SFC and Steck remain frustrated that companies like AVM usually ignore user requests under copyleft until a lawsuit is filed. Nevertheless, we are happy to see that the legal process confirmed Steck's rights, and required AVM to pay Steck's legal costs. “I am pleased that this litigation compelled AVM to provide the compilation and reinstallation information in the filings,” Steck said."
Yes it hasn't changed the fact that users always seem to have to go to court. I'm not aware of previous cases that have been won and - in the words of the SFC - "the legal process confirmed Steck's rights".
Cheers,
Posted Jan 12, 2025 2:33 UTC (Sun)
by npws (subscriber, #168248)
[Link] (13 responses)
> Nevertheless, we are happy to see that the legal process confirmed Steck's rights, and required AVM to pay Steck's legal costs.
they say nothing of the sort. AVM had to pay because they have agreed to pay. That's all the court has decided. Which is why I called the statement misleading.
Posted Jan 12, 2025 12:38 UTC (Sun)
by pizza (subscriber, #46)
[Link] (12 responses)
AVM didn't have to agree to pay Steck's costs as part of a settlement. Nevertheless that's what they agreed to do, instead of having the court decide this case on its merits and risking a potentially much more costly loss. (or possibly even a costly *win*)
Even with legal costs factored in, AVM decided it was cheaper to comply with the GPL's requirements than to not comply. That's not nothing, and one would think that this indicates that simply complying up front is even cheaper still, by virtue of preventing further legal costs.
Posted Jan 12, 2025 15:31 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (11 responses)
And coupled with the fact the plaintiff was a USER, not a copyright holder, the risks of finding yourself fighting a deep-pocket plaintiff just went through the roof. THIS is the important takeaway - not the "plaintiff sues and gets paid off" which HAS happened many times before. It's the "winning plaintiff is a USER" that is the new and novel feature here ...
Cheers,
Posted Jan 14, 2025 19:19 UTC (Tue)
by tbird20d (subscriber, #1901)
[Link] (10 responses)
If you believe all future plaintiffs are non-adversarial, this can be seen as a positive thing. However, increasing the
Posted Jan 14, 2025 21:51 UTC (Tue)
by pizza (subscriber, #46)
[Link] (8 responses)
The first thing that came to mind is... "Good riddance."
Or, ya know, they could comply with the license of the software they are incorporating into their products?
After all, they expect _their_ product's license terms to be respected. Why should their suppliers be treated any differently?
Posted Jan 22, 2025 20:27 UTC (Wed)
by tbird20d (subscriber, #1901)
[Link] (7 responses)
Increased legal risk will always be a deterrent to more people getting involved or staying involved with OSS.
Posted Jan 22, 2025 21:16 UTC (Wed)
by pizza (subscriber, #46)
[Link] (6 responses)
Uh... please point us at _any_ "bad actor" going after a "well-behaved OSS community member" that is "following the license" (and by that I mean providing the complete corresponding GPL sources to all binaries they ship without having to threaten them with legal action)
> We know that not everyone who wields the legal system is a good faith actor - witness Patrick McHardy.
All of McHardy's shenanigans could have been avoided if the companies he targeted actually followed the plain-language terms of the software they actively incorporated into their products.
(In other words, his targets were _not_ "well-behaved OSS community members...following the license")
> If Google were sued by a bad actor, should they drop Linux from Android, and just replace it with Fuchsia?
...Google is sued every single day by bad actors. What's one more? Or are you saying they should preemptively shut down their business just in case?
Posted Jan 23, 2025 10:46 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (1 responses)
Except this appears to be a case of going after a "good citizen". Someone I define as "a person who treats others with respect and tries to obey the rules". Otherwise you end up with a police state where there are so many rules it's impossible to be an upright law-abiding citizen and everyone is in fear of being arrested and jailed on pretty much any excuse.
We don't know the details, but I get the impression the full source was available, it's just that AVM's tracking systems couldn't retrieve it correctly. Be careful what you wish for - you don't want lawyers with big guns chasing you for a little slip ... (but that's the American way, sadly).
Cheers,
Posted Jan 23, 2025 14:00 UTC (Thu)
by pizza (subscriber, #46)
[Link]
....Except they *didn't* obey the rules!
(Note that "the rules" here are the terms of the settlement for their _first_ GPL violation -- ie the one their lawyers explicitly signed off on)
> but I get the impression the full source was available, it's just that AVM's tracking systems couldn't retrieve it correctly.
In other words... they couldn't provide the source code they were supposed to.
> Be careful what you wish for - you don't want lawyers with big guns chasing you for a little slip
I'm sorry, but live by the IP sword, you die by the IP sword. None of these companies would accept "a little slip" if it was _their_ property being misappropriated.
Posted Mar 18, 2025 19:41 UTC (Tue)
by tbird20d (subscriber, #1901)
[Link] (3 responses)
Posted Mar 19, 2025 10:35 UTC (Wed)
by paulj (subscriber, #341)
[Link] (2 responses)
1. The open facts of the matter are that:
2. Those who say McHardy's intentions were bad or nefarious; that the violators were acting in good faith, and/or made only trivial violations; refuse to give details, never mind evidence. There are just claims to be in the know, or to know people who know, and that the details must be kept hush-hush, behind the scenes, cause... reasons, which we can't tell you.
So we have the basic, sparse facts that are available - which do NOT of themselves justify anything in 2. Indeed, the reverse.
And then we have 2, which we, the unwashed public out there who just read LWN, are meant to just take on authority, and ignore the only facts available in 1. We are meant to just take it for granted that GPL violators - corporates making money importing and selling products with GPL code - are the poor ickle good guys here, and McHardy is the bad guy for enforcing the licence on code he claims to have helped make (I know there are other questions there, but that's a distinct matter, and can be answered, inc. in court).
That appeal to authority, at odds with the (few) available facts, doesn't quite sit right with at least some of us.
Posted Mar 19, 2025 13:04 UTC (Wed)
by pizza (subscriber, #46)
[Link] (1 responses)
It's also hard to garner sympathy for "victims" [1] whose best argument is "we mistakenly signed an agreement we had no hope of complying with because we didn't know how our own business actually operates". (ie "we're too incompetent to act out of malice")
...Because that's about all one can infer from the few available facts.
[1] Who all had full access to competent legal counsel
Posted Mar 19, 2025 13:18 UTC (Wed)
by paulj (subscriber, #341)
[Link]
One of the organisations pushing the devilling of McHardy is the Linux Foundation. A commercial trade organisation representing a number of large commercial corporates, for whom any enforcement of the GPL appears to be embarrassing / inconvenient. (Some of those members of the LF are... GPL violators).
Posted Jan 15, 2025 2:04 UTC (Wed)
by bkuhn (subscriber, #58642)
[Link]
tbird20d wrote: “Legal risk”, in this case, of course means the “risk that we might be required by law to give our customers the same rights that we have under this license.” But that's always been the “legal risk” of redistribution of copylefted software. Those who want to make proprietary software know where to find non-copyleft stuff to build on and always have. Those who are willing to treat their customers reasonably and give them equal rights are welcome and encouraged to use GCC and Linux. The root cause of for-profit companies changing away from the copylefted software is that they have begun to slowly realize that they can't just get away consequence-free when they ignore their legal requirements anymore — as they often could in the past. It's similar to factories closing when they can't meet the pollution standards: we all are indeed sad that jobs were lost, but that short-term societal pain is worth living through so we get cleaner air and water. The factories could always have invested in cleaner technologies instead of firing people; they just chose to blame their workers and the regulators rather than their own bad behavior. Sadly, I am not surprised that — in both copyleft and environmental policy — wealthy for-profit companies get away with setting the narrative that the regulation is at fault rather than their refusal to invest in following the regulations. They build well-funded trade associations to spin that message for them.
Posted Jan 9, 2025 23:13 UTC (Thu)
by pabs (subscriber, #43278)
[Link]
Posted Jan 10, 2025 2:24 UTC (Fri)
by stephenjudd (guest, #3227)
[Link]
Posted Jan 10, 2025 7:58 UTC (Fri)
by epa (subscriber, #39769)
[Link] (3 responses)
Posted Jan 10, 2025 11:51 UTC (Fri)
by Karellen (subscriber, #67644)
[Link] (2 responses)
From the fine article: The defendant, Berlin-based AVM, ultimately delivered the necessary information to reinstall modified software on their device. Delivery of this information resolved the lawsuit. The plaintiff was Sebastian Steck, who received a grant from SFC to pursue this work. Steck purchased an AVM router in May 2021 and quickly found that the source code candidate which AVM sent him could not be compiled and reinstalled onto his router. AVM, the largest home router manufacturer in Germany, refused to correct its source code candidate. Steck sued AVM in a Berlin court in July 2023. Months after the lawsuit was filed, AVM finally provided Steck with all remaining source code that Steck requested, including “the scripts used to control … installation of the library”. (Emphasis mine)
Posted Jan 10, 2025 12:05 UTC (Fri)
by epa (subscriber, #39769)
[Link] (1 responses)
I think the former, but I'm missing a more techy blog post where they demonstrate that this thing really works.
Posted Jan 10, 2025 14:34 UTC (Fri)
by ossguy (guest, #82918)
[Link]
There are more details, including other source code candidates Steck received, at https://sfconservancy.org/copyleft-compliance/avm.html .
Posted Jan 10, 2025 12:24 UTC (Fri)
by dezgeg (subscriber, #92243)
[Link] (3 responses)
If that were the case, then I wonder could such a product ever be compliant with the new EU Cyber Resilience Act?
Posted Jan 10, 2025 14:00 UTC (Fri)
by martin.langhoff (guest, #61417)
[Link]
Posted Jan 10, 2025 16:19 UTC (Fri)
by audric (guest, #86999)
[Link]
Posted Jan 10, 2025 19:22 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
Iirc the Cyber Resilience Act has nothing to say on the subject. Indeed, if the user can NOT upgrade the software, it might not be compliant with the CRA.
Like a lot of EU legislation, the primary focus of the CRA is to make it explicit who is responsible for making sure goods work "as designed", and to enforce what good design is.
So if Tommy Atkins buys an AVM/Fritz router, the CRA merely makes it clear what is the design life of the product, what the product is intended to do (including, importantly, "be fit for purpose"), and who is responsible for fixing it if bugs are found / it breaks. So if said Tommy Atkins modifies his own router, it is no longer the product AVM supplied, and they are not responsible. If a cracker modifies it, that should not have been possible (aka not fit for purpose), and AVM are responsible.
Cheers,
Posted Jan 11, 2025 22:41 UTC (Sat)
by snajpa (subscriber, #73467)
[Link]
Posted Jan 12, 2025 16:44 UTC (Sun)
by nettings (subscriber, #429)
[Link] (3 responses)
Posted Jan 12, 2025 19:38 UTC (Sun)
by snajpa (subscriber, #73467)
[Link] (2 responses)
It'd be pretty awesome if AVM fired some shots back for SFC abusing the German legal system to justify their existence when we all see how useless they are.
Posted Jan 13, 2025 10:01 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
How exactly would the SFC go for the contractors who create the problematic firmware to begin with, given that their very identities are kept as commercial secrets by companies like BestBuy, Samsung, JVC, AVM, Humax, Bosch, Zyxel and Vizio (to name only some of the companies that the SFC has assisted with legal action against)?
The only weapon the legal system offers them, by design, is that the SFC and its compatriots can take action against the entity that puts the infringing firmware on the market; those entities, including AVM, may then have a course of action against their contractors for breach of contract, assuming they were smart enough to put terms around legal right to use the code in the contract. This isn't abuse of the legal system - this is the system working as designed.
Posted Jan 23, 2025 22:51 UTC (Thu)
by branden (guest, #7029)
[Link]
Source publication court-ordered?
The ruling says "The defendant must bear the costs of the legal dispute because it has agreed to cover the costs." So the court's decision didn't discuss the LGPL in any way since AVM handed over the complete source code and agreed to pay the costs of the dispute and thus provided everything the complaint requested (1. to surrender to the plaintiff the complete source code / 2. to reimburse the plaintiff for his extrajudicial attorneys' fees)
The copyright holder might be a college student, but one of the users might be a large company that has enough money to start a lawsuit if they feel that could benefit their business.
Misleading
Agreed. This is an interesting development. It's also akin to the 3rd party beneficiary legal theory in the Vizio case (which has yet to be adjudicated in the U.S.).
legal risk and cost of using the GPL can have a deleterious effect on adoption, even by those who are good actors in the community. Decreasing adoption can have a long-term negative effect. I know of cases where Linux or gcc was dropped from a product at least partly due to perceived legal risks, and this ups the ante.
We know that not everyone who wields the legal system is a good faith actor - witness Patrick McHardy.
Do you think everyone who was sued by Patrick McHardy should just drop OSS, and that would be "good riddance"?
If Google were sued by a bad actor, should they drop Linux from Android, and just replace it with Fuchsia?
a) McHardy made settlements with or had sent clear cease-and-desist notices to GPL violators, part of which was to cease their violations or face penalties
b) The violators went on to violate again
c) Thus McHardy went to collect on the penalty clauses of his prior agreement with or warning to said violators
Also misleading, tbird20
I know of cases where Linux or gcc was dropped from a product at least partly due to perceived legal risks, and this ups the ante.
Libraries
Fritzbox
But can you modify and use it?
Secure boot
ooooof
AVM user here
So AVM (or at least a sizable subset of people making decisions within AVM) are "getting it". They are not OpenWRT, their business model is different, but if you buy one of their products, you own it, no rip-offs, they enable you to do pretty advanced but still user-friendly shit, not quite on par with OpenWRT, but you feel like your vendor assumes you're a mature, intelligent person. And they have excellent after-sales care (for which there is very little financial incentive other than the odd public praise from a happy customer such as this one). They do not facilitate you modifying the software, but hey...
Coming from this impression, I would speculate that AVM have no intention of challenging or even willfully non-complying with open-source licenses, and their settling out of court was just a way of saying, hey, this seems to be the right thing to do.
The underlying complaint seems to be a bit nit-picky to begin with: company provides sources but doesn't have a real and tested build pipeline for those public sources because of course internally, it's kind of natural to cut corners when it comes to keeping boundaries between proprietary and open-source pipelines (i.e. there is only one, which you can't easily share because it touches proprietary code, so when someone wants to rebuild _just_ the stuff you're legally required to share the source of, it doesn't work).
Advanced free software advocate (not a user, but someone who seems to have acquired a product for the express purpose of suing) complains.
So this is not a SCO level outrage against common decency, but very high-level nit-picking with a company who are (at least in my book) pretty much among the good guys already.
