this post was submitted on 10 Jun 2024
260 points (99.6% liked)

Open Source

31029 readers
916 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

So this very large company who shall remain nameless distributes a proprietary software development environment that includes a patched version of a certain, well-known open-source debugging tool.

The patch is to make said open-source tool support their products. It's not even hidden or anything: the binary is sitting right there in the installation directory, it's called the exact same thing the vanilla debugger is called and when I run it on the command line, it clearly says "patched for xyz".

The tool in question is distributed under the GPLv2 and I need to modify it for my own project. So I sent an email to the company to request the source code for their modification, but they refuse by playing dumb and pretending they don't understand the question. They keep telling me the source code to their IDE is not public. I keep telling them I don't want their IDE but the source for the modified GPL backend tool they bundle with it. But no: they claim it's part of their product and they won't release it.

Anybody knows the best course of action to deal with this? It's the first company I've dealt with that explicitly refuses to honor the GPL. I don't even think it's malice: I'm fairly sure the L2 support guy handling my ticket was told to deny my request by his clueless supervisor who didn't bother escalating it. But it's also a huge company that's known to be aggressive and litigious, whereas I'm just one guy and I'm not lawyering up over this. I have other hills to die on.

Who should I pass the potato to? The FSF?

all 40 comments
sorted by: hot top controversial new old
[–] [email protected] 191 points 4 months ago (1 children)

Check the FSF's violations of GNU licenses page. You can also email the FSF's licensing and compliance lab at [email protected] and our team would be happy to assist.

[–] [email protected] 46 points 4 months ago (1 children)

Thanks! I'll do that if my last-ditch effort to knock some sense into them doesn't work.

[–] [email protected] 26 points 4 months ago* (last edited 4 months ago)

Don't waste time trying to reason them. If you're not able and willing and sue them to enforce the GPL license, the company won't care.

You should directly informe one of the organisations mentioned previously, they may have a lawyer and experience fighting this kind of fight.

Best you can do youself is collect evidence that they're distributing modified GPL software, and write a precise description of the issue, to help these organisations kickstart their investigation into the GPL violation.

[–] [email protected] 125 points 4 months ago (1 children)

And why leave them nameless? Name and shame. You can get multiple people asking at that point and apply more pressure.

[–] [email protected] 83 points 4 months ago* (last edited 4 months ago) (6 children)

Because I'm not interested in being sued for defamation. Even if I'm totally right and they're totally wrong, they'll bury me in legal fees. I'm not rich enough to afford the law.

[–] [email protected] 40 points 4 months ago (2 children)

There a simple incantation u can mutter its the same shield the press uses its called "allegedly". Otherwise talk to the press themselves doesnt matter who even if they are fucking tiny af doesnt matter then post the link to said article everywhere.

[–] [email protected] 19 points 4 months ago (1 children)

Idk if you can say allegedly, when you're the person doing the allegation 🤔

[–] [email protected] 10 points 4 months ago

Not to mention, OP didn't specify where they live. Who knows defamation law for the whole world?

[–] [email protected] 3 points 4 months ago* (last edited 4 months ago)

Then you’d have a great defense right?

A defense you could use if you’ve already been sued?

Glad we have that law but seemingly unavoidably stacked in favor of the wealthy / those with assistants/teams/lawyers. Massive mental cost of getting involved in court for anything, one that isn’t possible to be “repaid” when you win.

(Not to discourage people who know what they’re getting into! Fight the power, if ya can)

Edit: typo

[–] [email protected] 27 points 4 months ago (1 children)

Depending on your jurisdiction, you may have anti-SLAPP laws which render a baseless defamation lawsuit against you into a blessing which you can turn around, counter sue for, and end up with a nice payday.

[–] [email protected] 12 points 4 months ago (1 children)

That entire process still needs lots of cash up front does it not?

[–] [email protected] 8 points 4 months ago

Not necessarily cash, but definitely a bit of luck. Some lawyers, if they think a case is guaranteed to go your way, will do the work for free in exchange for receiving a portion of the damages the final judgement will award you. Even rarer, some lawyers care enough about some issues on a personal level that they'll work for free, or reduced rates, on certain cases.

In this case, I'm not sure there are any damages whatsoever to award to OP - a "win" is forcing the company to abide by the GPL, not pay up money. The EFF and the FSF, as others have brought up, are probably the best bet to find lawyers that would work on this case for the outcome instead of the pay.

[–] [email protected] 15 points 4 months ago* (last edited 4 months ago)

This. Sucks we can't just say shit like it is but it's just as easy to make it up. I'm not going to verify the claims myself but if OP said it was Vandelay Industries I might make the decision to not do business with them.

It's a little late now since the accusation has already been made but it's essentially legal to state verifiable facts without drawing conclusions from those facts. Still, doesn't mean the company won't come after you, just that they risk calling attention to the issue. Unfortunately I know of no remedy or repercussions for a company filing a baseless lawsuit.

IANAL BTW.

[–] [email protected] 5 points 4 months ago (1 children)

I'm pretty sure nobody here knows who you are. Say the name, and some of us will just make this company's life a living he'll by spamming them to give us the source. Win - win (except for that POS company)and you remain anonymous. What are they going to do, sue your Lemmy handle?

[–] [email protected] 22 points 4 months ago (1 children)

That's flawed logic. The company would pretty easily know who has been emailing to request the source code for that specific tool in the timeline just before this post. The lemmy profile may be anonymous, but I doubt OP's emails were.

[–] [email protected] 1 points 4 months ago (1 children)

Why would anyone mention anyone was emailing them? I'm talking about just doing the same without any type of other info.

[–] [email protected] 6 points 4 months ago* (last edited 4 months ago) (1 children)

Well the context was a concern about a defamation suit resulting from this post. If the company never found this post then the anonymity of the poster is irrelevant anyway. The company could easily tell who made this post based on the timing of their already existing email correspondance seeing as this is clearly not a request they receive often.

[–] [email protected] 2 points 4 months ago

Oh, I didn't think about it, but you're right. That does make sense.

[–] [email protected] 4 points 4 months ago

This is why we have journalists - worst case, take this information to some newspaper, who will likely LOVE to poke the bear.

OK, maybe that's a little idealistic, but at least you can try, eh?

[–] [email protected] 2 points 4 months ago (1 children)
[–] [email protected] 4 points 4 months ago (1 children)

With Rosehip. But good news: it would appear my ticket finally made its way to the development team and to legal. They sure are taking their own sweet time like a good giant corporation dealing with a pointless single guy, but things seem to be moving in the right direction.

If they refuse again this time, considering they now acknowledged that my ticket is processed where it should be processed, I will contact the FSF, and name and shame. But for now they're showing good will.

[–] [email protected] 2 points 4 months ago

Good on you for doing the right thing.

[–] [email protected] 105 points 4 months ago (1 children)

Notify the maintainer of the open source tool - they're in the best position to push for compliance. They have the power to revoke the company's license.

[–] [email protected] 71 points 4 months ago

Especially talk to FSF if this "well known debugging tool" is a part of the GNU project, as FSF has the power and standing to enforce the copyrights on GNU software.

[–] [email protected] 55 points 4 months ago (1 children)

One of the worst things about the GPL and similar licenses is that they cannot be enforced by the user.

EA is also distributing a modified DOSBox but they only supply the unmodified source. Didn't have the energy to pursue it.

[–] [email protected] 65 points 4 months ago (1 children)

That's changeing: in the ongoing SFC vs Vizio, SFC is just a regular user: https://sfconservancy.org/copyleft-compliance/vizio.html

Even FSF updated it's FAQ, that it's not true anymore: https://www.fsf.org/news/fsf-to-be-deposed-in-sfc-v-vizio-updates-relevant-faq-entry

[–] [email protected] 22 points 4 months ago
[–] [email protected] 34 points 4 months ago

Yeah, reach the FSF like explained in previous comments. Or maybe contact some attorney if it matters because you may face expensive litigations… Big companies are not friendly. Or maybe contact the SFC (https://sfconservancy.org/).

[–] [email protected] 32 points 4 months ago* (last edited 4 months ago)

I'd just email the CEO, media relations, and legal (if you can get all their email addresses), inform them of their non-compliance with the GPL and ask them to resolve this swiftly before it needs to be escalated. Then if you don't hear back in 2 business days, reply all again CCing someone they might care about: local media to their jurisdiction, the FSF, the EFF, etc.

[–] [email protected] 16 points 4 months ago

Ask from a security and compliance perspective of I need to see an SBOM. See if it’s in that report

[–] [email protected] 16 points 4 months ago
[–] [email protected] 3 points 4 months ago (1 children)

Conclusion of this thread:

It took a mightly long time, but the company eventually coughed up the source code. They sent me a big ZIP with an large git repo full of uncommitted changes and a bunch of comments and temp files that really shouldn't leave the company 🙂 Clearly some engineer just zipped up the local repo on his hard disk without doing any cleanup.

So they complied with the GPL in the end. Just the bare minimum - i.e. providing the source code on request and nothing mode. I wish they put it up in their Github but they don't want to do that apparently. I'll clean up the embarrassing files and comments and put it up in mine.

[–] [email protected] 0 points 4 months ago (1 children)

@ExtremeDullard just publish everything, they gave it to you under GPL so you can. Sounds like they deserve all the embarrassment they can get.

[–] [email protected] 3 points 4 months ago (1 children)

Nah... It's not a matter of embarrassing the company, it's out of decency for the people who work(ed) there. There's stuff like "This shit is why Stu was fired - Phil" or "Best leave this out of the repo for now as I don't want to be included in the next round of downsizing - Tom" this would make Stu, Phil and Tom look bad and possibly hurt their careers. And it would advertise that whoever prepared this ZIP file for me didn't bother sanitizing company confidential information out of it, possibly putting their job on the line too.

The code is GPL, and I consider the git history part of the code. The rest is inappropriate and potentially hurtful to people who didn't do anything to deserve grief.

[–] [email protected] 0 points 4 months ago (1 children)

@ExtremeDullard You are too kind and thoughtful, they really don't deserve you. A company is just a collection of the people who work there. Maybe the reason why they violated GPL in the first place is because Stu, Phil and Tom didn't care about their work at all. The comments paint a picture of a toxic work environment, and again, that's just the result of the people working there. Good people need to leave bad companies, it's the only way to let the bad die without hurting the good.

[–] [email protected] 1 points 4 months ago

It's not kindness 🙂 I only made a GPL claim. All I want is the stuff that the GPL entitles me to have. The rest is off-topic and - as you say - toxic. Nobody needs the off-topic stuff in the Github repo I'll post the GPL code to: it's about the code, not the people or whatever drama happened at their workplace.

[–] [email protected] 2 points 4 months ago (1 children)

The thing is that they only need to release the source code to a user of their installer. Also, perhaps they got a special exception from the original author like dynamically linked Linux drivers.

[–] [email protected] 15 points 4 months ago

No, not just the installer. Actually the installer doesn't even matter here as its sole purpose is placing the binary. GPL applies when you make modifications to the program AND you distribute the program. GPL states that you MUST also give the source of the modified binary WHEN requested by those who got the modified program (this is very simplifying it)