Slashdot Mirror

I was thinking the same thing, but I'm not afraid to name names. I have reported bug after bug and all they ever did was use the bug report as a "support case" and count it against my support allotment then close the case with no resolution. Some issues have been solved after a year or more, but support is unresponsive at best. I can name quite a few known problems, some of which could be potentially exploited for buffer overflows or denial of service attacks.

Just to name a few problems and bugs:
-ssl-vpn prompts the user to upgrade when new software is loaded on the firewall but if a user clicks no it disconnects them. If they click yes it uninstalls the software and fails to rienstall due to permission issues with the teefer driver if the user does not have administrative rights. It cannot be upgraded easily through group policy or windows update local publishing. It is an exe container so group policy is out and publising via local update publisher causes the system to hang at shutdown due to problems related to the driver removal/installation.

-services that use certificate checking fail if dpi is enabled and there is no reasonable workaround (examples: webex, apple itunes and app store). Implementing a realtime host lookup would easily resolve this problem but they only offer a one time hostname lookup which adds the ip to the policy (problematic for just about everything.... yes let's unblock all of akamai, that makes sense!!!)

-sso manager has a memory leak uses huge amounts of resources and eventually stops updating the list of authenticated users until the service is restarted if you have more than 2 domain controllers. We had to schedule a restart of the service every morning to mitigate this and it still uses an insane amount of processor time.

-Version 11.9.1 broke multi-wan pptp so not only is ssl-vpn broken (don't get me started on their poor ipsec support) but now the less secure backup option won't connect...

-expiring or rejecting a ca certificate causes all sites reliant on that certificate to fail to load even if a new certificate is present if dpi is enabled

-email quarantine generates a certificate with the server's ip as the name but links send the user to the hostname thus causing a certificate warning

-a wan connection with a ping monitor will not resume functioning once ping is restored in a multi-wan overflow configuration causing a temporary loss of connectivity to become a permanent one.

-ssl-vpn will not connect over udp in a multi-wan environment

I could go on... but I'll end with a non-bug:
-They clearly run modified versions of open source software but fail to release their code changes to customers or distribute the gpl with their software. This is clear simply from the log files and debugging information and has been complained about as far back as 2005: http://lists.gpl-violations.or...

The issue is that "directly derived work" means "anything that includes any insignificant spec of GPL gets completely tarnished with it".

I'd never visited this site before, in fact only just now found it by clicking on the top google result. However, consider the latest "GPL violation": http://gpl-violations.org/news...

So, this is a result for user freedom? A big media player project was found guilty of a GPL violation for including iptables - and not even an intentional one because their suppliers had included it in some outsource work. Now, iptables isn't related to the core product, in fact there's no good reason for the media player to even need it in the first place. There's no point having a firewall on a device where there should only be a couple of ports open in the first place. Calling the entire media player a derivative work is totally disingenuous as it doesn't define the product. The inclusion of iptables has no tangible benefit to the user, the media player itself does.

Sure, they violated the GPL. And they (or rather their suppliers) really shouldn't have done that - they were making a commercial product and should have known the GPL wasn't compatible with this aim. But the lesson to be learned from this is "don't allow your company to touch GPL software with a bargepole". More than that, it underscores exactly how the GPL isn't free.

http://gpl-violations.org/

And if a lazy programmer at a commercial company puts your code in their product, how will you find out and how will you prove it? There are plenty of cases (see http://www.gpl-violations.org/about.html#history ) of companies taking code and not giving credit. Those companies can benefit from your 'unlicensed' code. But companies and groups who take licences seriously (redhat, debian, apache, google, apple etc) can't use your code. Is that what you want?

I can't really comment on that. I did get the address wrong too - it's http://gpl-violations.org/. Anyway, they claim to have a 100% success rate, with over 100 cases tried (against companies as large as D-Link, TomTom, Fujitsu-Siemens, and Gigabyte). I'd call that pretty effective.

Due to the truly amazing amount of information in your post that is inaccurate, I assume that you are either
1) a troll, or
2) 13 years old ...nevertheless, I'll provide some answers. Maybe it will be helpful for the OP.

Did the guy mention that he copyrighted his work? If he put it out there with nothing indicating that, there's an argument that he put it into the public domain,

If you don't trust me, how about the US Copyright Office?

Q: Do I have to register with your office to be protected?
A: No. In general, registration is voluntary. Copyright exists from the moment the work is created. You will have to register, however, if you wish to bring a lawsuit for infringement of a U.S. work. See Circular 1, Copyright Basics, section “Copyright Registration.”

You go on...

If someone is violating the GPL license and selling a modified version of his work, I'd recommend he contact the Electronic Frontier Foundation, who can help defend him, most likely free of charge.

While the EFF are a bunch of hoopy froods who protect our rights in cyberspace, they are certainly not the first people I'd contact about a GPL infringement. They're not even the 4th or 5th on my list.

Here's my list:
1) GPL-Violations.org - Volunteers, knowledgeable folks who will answer your questions pretty quickly
2) The SFLC (Software Freedom Law Center) - Volunteer lawyers (much slower to respond due to demand, but they know their stuff)
3) The Software Freedom Conservancy (if you want to align your FOSS project with a "non-profit home and infrastructure for FLOSS projects.")
4) The Free Software Foundation, if you have a specific question about some of their GPLed software
5) Bradley Kuhn, Harald Welte, etc..

Jesus... It's amazing what crap a first poster can say.

Have you even read the text of the GPL(v2) ?

No, you can not sell GPLed software you didn't write, though you may charge a distribution fee, and you must provide a way to access the source code you're distributing. If some a-hole is charging $50-ish bucks for your software, take him down.

Here's an exact quote from the on the FSF's website:

Does the GPL allow me to sell copies of the program for money? (#DoesTheGPLAllowMoney)

Yes, the GPL allows everyone to do this. The right to sell copies is part of the definition of free software. Except in one special situation, there is no limit on what price you can charge. (The one exception is the required written offer to provide source code that must accompany binary-only release.)

When you mention a "distribution fee," I believe that you're talking about clause 3(b) of the source requirement of the GPLv2 (relevant section italicized):

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

Section 3(b) is talking about a requirement to provide source code to people you've already given binaries. You can still charge them a bunch of money up front for initial access to the program.

It's not always easy to understand parts of the GPL, and the GPLv3 made the whole darn thing a bunch

Because you were not so clear: Selling GPLv2 software is explicitly allowed to whatever price one wishes, you just have to ship the source (and the license information) with it. If you want that any user of a web application may have cost-free access to the source code, you should have licensed your work under the Affero GPL.
The infringement here is the false claim that the module was written by them. If they removed all license information from your software that would be an infringement as well (even if they attribute you as the author) because the GPL also demands that the license is shipped with the product.

As for dealing with infringement, I'm no expert, sorry. You should probably contact GPL Violations. They might help you.

http://lists.gpl-violations.org/pipermail/legal/2010-March/001936.html

http://lists.gpl-violations.org/pipermail/legal/2010-March/001872.html

Harald Welte started http://gpl-violations.org/ for protecting his rights and the general public license in 2003. Maybe you can get help from that project, at least they have experience in that kind of lawsuits.

Get one.

if you are honestly interested in claiming your copyrights this is the best (and arguable only) way to enforce the license. when you are "only" trying to get this known in the community you could describe the issue at the mailing list of gpl violations.

DLink has a history of GPL violation in the past. I am frankly not one bit surprised...

Writing a license and knowing exactly how a court of law will interpret that license are two entirely different things. We now may know the intent of the license, but until it's tested in court, that intent means nothing.

Here, let me fix that for you ...

http://yro.slashdot.org/story/09/09/24/1316220/GPL-Wins-In-French-Court-Case

"An appeals court in Paris has upheld the ruling from a lower court, which found that the French firm Edu4 had violated the GNU General Public License (GPL). The plaintiff was the French Organisation Association francaise pour la Formation Professionnelle des Adultes (AFPA), an umbrella organization for adult education."

http://www.linuxplanet.com/linuxplanet/reports/7145/1/

In December 2009, the Software Freedom Conservancy filed lawsuits against 14 consumer electronics vendors alleging that they were not in compliance with the GPL license. Of those 14 vendors, 13 have now either settled amicably or are in productive discussions toward a settlement.

In one case, consumer electronics vendor Westinghouse failed to comply, and a U.S. District Court has now ruled in a default judgment against it.

http://gpl-violations.org/news/20060922-dlink-judgement_frankfurt.html

gpl-violations.org project prevails in court case on GPL violation by D-Link

FOR IMMEDIATE RELEASE

DISTRICT COURT OF FRANKFURT ISSUES VERDICT ON GPL VIOLATION OF D-LINK

BERLIN, Germany - September 22, 2006 -- The gpl-violations.org project prevails
in court litigation against D-Link Germany GmbH regarding D-Link's alleged
inappropriate and copyright infringing use of parts of the Linux Operating
System Kernel.
...
On September 6, 2006 the district court issued its judgement, confirming the
claims by gpl-violations.org, specifically its rights on the subject-matter
source code, the violation of the GNU GPL by D-Link, the validity of the GPL
under German law, and D-Links obligation to reimburse gpl-violations.org for
legal expenses, test purchase and cost of re-engineering.

http://www.fsf.org/news/wallace-vs-fsf

The GPL tested in US courts - Wallace Vs FSF.
by Matt Lee — last modified March 23, 2006 18:34

The GNU General Public License stands firm.
On Monday March 20, 2006 US Federal Judge John Daniel Tinder, dismissed the Sherman Act antitrust claims brought against the Free Software Foundation. The claims made by Plaintiff Daniel Wallace included: that the General Public License (GPL) constituted a contract, combination or conspiracy; that it created an unreasonable restraint of trade; and that the FSF conspired with IBM, Red Hat Inc., Novell and other individuals to pool and cross-license their copyrighted intellectual property in a predatory price fixing schem

The rest? Well without digging thru their documentation, web sites, and "about screens" I can't be sure there isn't a written notice somewhere, and have to take the authors word that he did an exhaustive search. I have no doubt some are ignorant of this requirement.

The written notice has to be shipped in the same package as the device, and it has to be, well, *written*. As in, on paper. A notice in the back of the manual, or on the inevitable sticker inside the device's battery compartment (or whereever the manufacturer normally puts stuff like serial numbers, copyright notices, etc), would be the normal approach. Something buried in the manufacturer's web site is not enough. Either the source or the offer to provide the source must be shipped with the device.

Also, the offer must include the option of having the source shipped on physical media, a "download only" option is not sufficient (at least for GPLv2; I think this may have changed in v3, but the Linux kernel is licensed under v2 only).

See: http://gpl-violations.org/faq/vendor-faq.html

Which is why you can use this: http://gpl-violations.org/
Report them.

http://gpl-violations.org/ - If there is no source code then report it.

Uses modified Debian, source nowhere to be found.

Asking by e-mail several questions consistently ignored my request for the sourcecode until all other questions where resolved then I got completely ignored.

Time to load Harald Welte (http://gpl-violations.org/) onto the trebuchet and open fire at them.

I don't understand why the FSF would not pursue this with full vigor.

Typically, the FSF does not hold copyrights to the code that is distributed on embedded devices. Most devices ship with some variant of Linux+BusyBox, where the copyright rests with the individual authors. It might be helpful to contact Harald Welte's gpl-violations project, who might be able to provide contact to people with actual rights to the code in question.

Those would actually qualify as install scripts, see GPL Violations Source Code Release FAQ, specifically this section:

What are "scripts used to control installation"?

        After having translated software from its source code form into
        executable format, the program quite often needs to be installed into
        the system. The process of installation is often automatized by
        installation scripts. Exactly those scripts are referred to by the
        GPL.

        Please note that this is of special practical importance in the case of
        embedded devices, since the executable program(s) need to be somehow
        installed onto the device. If the user is not given a way to install
        his own (modified) versions of the program, he has no way of exercising
        his freedom to run modified versions of the program.

        Sometimes, the process of installation is not facilitated by scripts, but
        by some other means (such as executable programs). The GPL text only
        mentions the word "scripts". But when reading and interpreting the license,
        it is clearly understood that the license doesn't specifically only mean
        "scripts", but any kind of software programs that are required to install
        a (modified) version of the compiled program.

"Pirating something as opposed to not buying it effects a business how? Why should people abide by rules they do not agree with if to do otherwise has zero effect on anyone else?"

Tell that to the FSF.

For years Harald Welte has been the only serious chaser I know of. These two have been keeping their work a secret, I guess. More power to them if they're actually tracking down GPL violators, whoever they are. This task is thankless and unappreciated. Most authors can't be bothered.

Yes, really, and it is not really a secret. The gpl-violations.org website says (if you click on 'Who?'):

The "core team" consists of Harald Welte and Armijn Hemel.

For years Harald Welte has been the only serious chaser I know of.

As you can read on the About page, one of the authors of this article, Armijn Hemel, is actually the other half of the gpl-violations.org core team.

For years Harald Welte has been the only serious chaser I know of.

As you can read on the About page, one of the authors of this article, Armijn Hemel, is actually the other half of the gpl-violations.org core team.

For years Harald Welte has been the only serious chaser I know of. These two have been keeping their work a secret, I guess. More power to them if they're actually tracking down GPL violators, whoever they are. This task is thankless and unappreciated. Most authors can't be bothered.

Report them anonymously to GPL violations.

http://gpl-violations.org/

G++ was started as a proprietary fork of GCC, and could be liberated because of the GPL. Qt has grown and flourished under the GPL for years, enabling Trolltech to give us a great product for free and make serious money. KDE is mostly GPL too, so is MPlayer and almost two-thirds of projects on Sourceforge. And there is that Linux thingy, that happens to overshadow any *BSD, and has massive support from industry partners.

[The GPL] doesn't protect code from suddently [sic] becoming non-free because 1) corporations can't [probably meant "can"] do that anyway

Really? There is a nice website to make sure they do play by the rules. It seems to be working.

companies that do use non-GPL code tend to give back their improvements anyway

You either live in a fantasy world or you need to give me the name of your company so I can send them my CV. Are you serious? Have you got any idea of how many PHB's would freak out if you sent out company IP without being obliged to do that? At the very least, there is a small hill of paperwork to fill in; if you are on bad terms with some higher-up, it might even be used as an excuse for firing you. It is perfectly possible that a boss with programming experience understands that there is no point in maintaining a separate proprietary fork of a BSD project to fix a few bugs, but there is no way in hell he's going to allow you to contribute anything that required a significant amount of company time and effort.

The sad truth is, the actual value of the GPL is a lot less than everybody thinks.

The sad (for BSD) truth is another: without Stallman and the GPL there would be no Linux, no KDE, no Gnome, no GCC, no Free Software. Corporations are there to make money, not to gather "good karma": you either force them at legal gunpoint, or they will run away with the loot. And if they didn't, their shareholders could sue them for that.

AFAIK, the GPL has never lost in court. Every case I'm aware of has settled (because the violator realized they could not win); oh here's one that went to court: http://www.jbb.de/judgment_dc_frankfurt_gpl.pdf

http://www.open-mag.com/features/Vol_66/GNU/GNU.htm
"We handled approximately 50 violations last year. We expect to handle about 5-10% more this year. With staffing levels, this is basically what we can handle. There are many more out there that we could pursue. ... I would estimate that 90% or more of violations are simply confusions that can be cleared up by friendly negotiation and explanation. We start every case assuming that it is simply a confusion to be cleared up.

Of the other 10%, almost all are disregard, which requires careful diplomacy to move violators to a point where they take their obligations seriously. So far, we've been able to do it. A very small number of violations are actual willful, concealed infringements. These tend to be the "big cases" that take a long time to resolve.

Because we've been careful not to publicly admonish GPL violators, many people don't realize how often we have enforced the GPL successfully. ...

We have the right to sue for copyright infringement if we need to. We rarely need to threaten a lawsuit, and we've never had to file one. Most companies realize that what we ask for is not onerous and is easily done. Most companies that find copyright infringement sue for huge sums of money; the most money we ever ask for is reimbursement of our cost in doing that enforcement effort."

http://gpl-violations.org/news/20041004-majorupdate.html
"The netfilter/iptables project did not announce every individual case, but has so far settled in more than 10 cases out of court. Among the vendors are major companies such as Siemens, Fujitsu-Siemens, Asus and Belkin."

we should turn around such violations so developers would become happy if someone try to do it again. Go and complain to http://gpl-violations.org/ or similar. I suspect they know how to deal with it, how to win the case and make some money possible.

Are we suggesting making contributions manditory in order to get free software?

Read again the GPL. It's *already* mandatory.
For any modification that you make on GPL code that you distribute, it is mandatory that you contribute. Either send a patch upstream, or publish the modified source locally or sent them along the distributed code.
That's the main point of flamewar between BSD and GPL.

So to take again the article's example :
- Cisco's product in the Linksys line rely on Linux (GPL lisence).
If Cisco doesn't publish the modification they made on the Linux fitted into the Linksys, they aren't just unfair leeches because they don't contribute.
They are *violating* the GPL's requirement and have to either comply, or abandon distribution of Linux.

Thankfully, Cisco happens to publish the source code of opensource parts of Linksys' fimware.
But other don't. Hence websites such as GPL Violations.

The article's second example :
- Amazong relying on Eclipse (EPL lisence, a weaker copyleft license)
Well, um... sorry guys. But that's the whole point of strong vs weak copyleft license (GPL vs BSD, or in this case GPL vs. EPL).
Every user of GPL software is allowed to do pretty much what he/she wants, as long as he/she transmits the *same* freedom to the next user in the distribution chain.
Every user of BSD software is allowed to do pretty much what he/she wants. End of story, no conditions attached.

If they are unhappy with the situation, they should have tought about it before and they should have moved to a strong copyleft license like in the first place.

For the rest :
The article didn't mention, but there are also some whine boys complaining about some companies deploying GPL software and not doing much.
Well, that's life, that's how the GPL works. Nobody is required to pay the developers, otherwise it wouldn't be free software. And probably the software wouldn't be as popular if it wasn't freely accessible and customizable in the first place.
Don't despair, though :
On the other hand, such "free loading" companies will some day some custom job done. And then
- either they will pay the original developers for the new features they need. (and thus the developer will get something)
- or they will develop the new feature in-house, and by GPL's magic *will* be required to contribute or publish this modifications, if they want to distribute the new modified version.

TomTom were found to be a gpl violator in '04, sued Garmin in '07 and Toyota in '08 for infringing TomTom patents, and have a very restrictive EULA.

These are the same bunch of wankers that:

1) hardcoded stratum1 time servers into their consumer routers,
http://yro.slashdot.org/article.pl?sid=06/04/07/130209
2) opined that "we do not consider the GPL as legally binding"
http://gpl-violations.org/news/20060922-dlink-judgement_frankfurt.html

If you want cheap, go Linksys or LevelOne

See also

http://lists.gpl-violations.org/pipermail/legal/2008-September/001402.html

Whenever you see a violation of the GPL you should report it to http://gpl-violations.org/ and get legal advice.

Personally, I would say that hiring Harald Welte is a better indication of VIA's intentions than the release of documentation. Nobody in their right mind is going to hire the owner of GPL-Violations.org unless they are absolutely serious about Free Software.

Welte eats vendors for breakfast. Hiring him grants VIA instant credibility. If VIA drops the ball it is very likely to get crucified. Unless the executives at VIA have the intellect of fence posts this indicates a sea change for Free Software support from VIA.

You could notify the authors (and copyright holders) of BusyBox.

Unlike Linus, they are pretty strict on companies infringing on the GPL, and have sued (and won) several times.

Take a look at gpl-violations.org or google "busybox gpl violation" for more information.

http://www.gpl-violations.org/

might be a good place to start.

Maybe the guys at http://gpl-violations.org/ can help.

GPL Violations is allowed (with author's permission) to break into the boxes of all GPL violators. *That* could be interesting.

And confirmed by Harald Welte, of http://www.gpl-violations.org/ at his blog: http://laforge.gnumonks.org/weblog/2008/05/08/#20080508-olg_muenchen-skype

You are right of course, but GP said "the entire work of someone", and GP is not correct.

Also, what you write is true only when one uses the GPL code on purpose, and this is well documented in the license, no surprises. It's easy to avoid too, simply by not using code that the author only makes available under this condition. In case you meant that inadvertent use of GPL'ed code can lead to these consequences: this is pure FUD, it has never happened in practice and not judge will likely ever rule that way.

Generally, GPL violations are resolved amicably, and never by a judge order to open unproportional amounts of code. Look, e.g., at the case history here.

You obviously misunderstood my earlier post.

In this case we have serious concerns about the behavior of a particular company, Cittio. Perhaps these concerns are unfounded, but my question was to ask for advice concerning how to go about, perhaps, getting rid of these concerns. The GPL is a license based on copyright law, and thus doesn't even take affect until a "copy" is distributed, so of course Cittio is under no legal obligation to reveal how they are using OpenNMS until they actually provide the code.

Now, I should note that they have configured a demo system for this client to use on the client's hardware. While I am most definitely not a lawyer, that could be construed as "distribution", although it could be argued that no ownership has changed hands. In any case, the fact that their use of OpenNMS was not clearly disclosed (as is recommended by the GPL Violations Vendor FAQ) was enough to cause us some concern. If there is nothing to hide, why not be up front about it?

This happened right after we received a query from a Cittio software engineer looking to compile one of our GPL'd libraries. Now, if they are truly using OpenNMS in an unmodified fashion, why the question? Can't they just use OpenNMS as distributed? Again, there is probably a simple answer, but I am at a loss as to how to get it.

It seems that your recommendation (along with many others) is to just forget about it or to hire a lawyer. Neither is very useful to me.

Well, if you want anecdotal evidence, try visiting GPL violations.

he's fighting against a culture where most people have no idea what OSS is, and where all the social mechanisms the Linux/BSD community has developed don't exist

Why yes, because linux and bsd code have never been ripped off. That's never happened. No. Not at all. What utter nonsense. Nor does the author talk about taking the software closed source; if you read the article he talks about distributing part of the project as a binary, the bits that people can easily use to just change the copyright messages, the installer and other small bits. The removal of the current source is a stopgap until he decides which option to take.

But hey, lets not let facts get in the way of a good Microsoft bash. Where you went wrong is you said Windows instead of Windoze, and forgot to use Micro$oft. Then you may have been marked insightful.

Remember the license requires you make source available to your customers with the product or to include a written offer. Putting a zip of the relevant sources on the Documentation CDis a great way to do this.

As much as I love my n800/770 I do remember that early on Nokia needed a very firm reminder (more so than they may admit) that they had to release kernel source of the actual kernel not just the source they started from.
Once they (Asus) fall in line, the community can then get behind them and make that rock really roll!

That's the way the gpl-violations.org people usually work:

http://www.gpl-violations.org/

They have approached companies like D-Link, Edimax, Gigabyte, Longshine, Sitecom for alleged GPL infringements. Most cases have been finally settled out of court.

Main target is to educate these companies, to explain them what GPL means, eventually to show them how easy it is to be a good citizen of the community world, in order to let them find out by themselves later how rewarding it might turn out to be as well.

The community world is a culture different from the company world and culture, and very much so.

"I do. RMS himself stated that, were there no copyright, there would simply be no need for GPL."

There would still be a need for the GPL. Companies could still take the source, make additions, and release the binaries with no copyright laws. The end user could copy the binary with no legal implications, but they would not be able to learn from the source. Isn't this the point of the GPL? to learn? and even if there were no copyright laws, commercial software vendors would move their products online (software as a service).

"Selling air would be more viable too if people were "honest" and would buy it even though they could get it for free. But they don't, and it's not. It's not any more bad or unfair than the fact that water is wet."

All companies violating the GPL are fair too then..right? I say it's not a viable license anymore because I can just close the source and release it without giving back to the community. However, The zealots disagree with me. I don't think we should protect it in the US court system. Why protect a dying licensing model?