Dealing With a GPL Violation?

Sortova writes "For many years now I've been maintaining OpenNMS, a free and open source network management framework published under the GPL. A couple of years ago it came to our attention that a company called Cittio was using OpenNMS as part of their proprietary and commercial network management application. I talked with Jamie Lerner, the Cittio founder, and he assured me that Cittio was abiding by the GPL. However, we were recently contacted by a potential client who was also considering Cittio's Watchtower, and it appears that they are not disclosing that they are using GPL'd code or at least not in the clear and concise fashion required by the GPL, including the offer of source code for all of the code they are including and any changes being made to that code. Since the copyright for OpenNMS is held by a number of commercial companies, the Software Freedom Law Center is not able to help us defend or even investigate a potential violation. I was curious if anyone here on Slashdot had experienced anything similar or has any advice?"

You don't know they are in violation

[QuantumG]

For a start you claim:

When I brought up the fact that parts of Watchtower are based on OpenNMS, the client replied "I could not find one ounce of mention on their website to OpenNMS or any other Open Source code that is running on this product. That really irritates me." So what's all this then?

You also make the claim:

I should also mention that this client is in final negotiations with Cittio (they dropped their initial price considerably) so we're not talking a first contact cold call here - they are ready to close this deal without a single detail concerning their use of open source. Yes, and? They are not required to make any such disclosures. The GPL requires them to provide the source code or an offer to provide the source code when they distribute the software. As they haven't distributed any software yet, they are not required to provide any source code or offers to provide the source code.

FAIL.

Re:You don't know they are in violation

[rsax]

From the linked site

"postgresql-8.0.2.tar.gz ... GNU General Public License (GPL)"

Wrong license. As mentioned on the PostgreSQL site page, the project uses the BSD license.

Re:You don't know they are in violation

[cbhacking]

Very true. A simple Google search for OpenNMS on cittio.com comes up with two pages (one linked in the parent). Each lists, with licenses, the open source projects they use. At the bottom of both pages they have "Contact us" info, one of them (not the one linked above) even has a mailto: link for questions about their open source components.

I'm a little surprised they don't provide links to the projects directly - either by project site or downloadable tarball - but it doesn't exactly look like they're hiding their use of OSS code. Technically just announcing that they use OSS (especially without linking to the projects, let alone any modifications they made) isn't enough for compliance, but the summary gave the impression that Cittio gave no indication that they use any OSS. This is patently false.

Re:You don't know they are in violation

[Azh+Nazg]

question: who defines distribution?

answer: whoever has more money

-- Anonymous Coward

The GPLv3 is much, much more specific about that. Specifically:

c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

-- GPLv3, section 6

The GPLv3 also defines what 'distribution' is, by using the terms 'conveying' and 'propagating', instead, and then defining those (for some reason, redefining distribution is not kosher, legally speaking). Thus:

To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

-- GPLv3, Section 0

Though I wonder why you are apparently anti-GPL, whatever your thoughts on it, I must insist that you at least discuss points relevant to the license itself. Thank you, however, for sharing your thoughts and opinions: if nothing else, you'll provide someone out there something good to think about.

Re:You don't know they are in violation

[mysidia]

This is not entirely true.

For commercial distribution, the source has to either be included with every copy of the binary, OR the GPL requires a written offer which to any third party, including third parties who are not their customers.

If they chose option (b) for distribution of their source code, then they do have to give something to non-customers, in order to avoid violating the GPL.

That way their customers can re-distribute the binaries and pass along the offer to others.

See the GNU General Public license version 2 section 3.b: b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

Re:You don't know they are in violation

[Sortova]

I never claimed to be unaware of Cittio's use of OpenNMS. If you read my post my claim is that potential Cittio "clients", not me, are being kept in the dark about what open source software is being used as part of Watchtower. It is not up to the end user to suddenly find out that the code they are purchasing is based on open source work. The GPL clearly states "you must show them these terms so they know their rights." This is, apparently, not being done.

Re:You don't know they are in violation

[JoelKatz]

This is not the FSF's position, nor is it sane. What the GPL intends, and what makes sense, is that you cannot be refused the source code simply because you aren't the person the offer was originally extended to. That is, the offer must be transferable.

The distribution could include a "coupon" for the source code, so long as the coupon is transferable. That wouldn't mean they'd have to give anyone the source code just because they asked for it.

Re:You don't know they are in violation

[sumdumass]

Wow.. What FSF are you thinking of?

I found this on their site in the faqs about licensing page you can go look too.

What does "written offer valid for any third party" mean in GPLv2? Does that mean everyone in the world can get the source to any GPL'ed program no matter what?

        If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it.

        If you commercially distribute binaries not accompanied with source code, the GPL says you must provide a written offer to distribute the source code later. When users non-commercially redistribute the binaries they received from you, they must pass along a copy of this written offer. This means that people who did not get the binaries directly from you can still receive copies of the source code, along with the written offer.

        The reason we require the offer to be valid for any third party is so that people who receive the binaries indirectly in that way can order the source code from you.


They have attempted to narrow it down a bit, but it still says the same sentiment. Any third party means just that.

Re:You don't know they are in violation

[JoelKatz]

I guess my recollection was in error. The FSF does take a nonsensical position about this. I'll add this to the long list of nonsensical positions the FSF takes.

The clearest way to see that this is nonsense is to ask yourself this question -- without a copy of the written offer and without having directly distributed to how, how could the distributor possibly know exactly what source code to give you?

It only makes sense if they can be required to show you a copy of the written offer.

Thanks for the correction.

Check out the SFLC guidelines.

[Estanislao+Mart�nez]

The SFLC's Legal Issues Primer for Open Source and Free Software Projects covers this. You probably want to give it a read.

Still, if it's really important, ask a lawyer, don't ask Slashdot.

Re:Check out the SFLC guidelines.

[42forty-two42]

They wouldn't dare admit it, for fear of being held liable for it as legal advice.

Do a little digging yourself, get a lawyer

[cbhacking]

First issue: are you SURE they're in violation? This could be as simple as calling their support line and asking how you can get the source code (this assumes you've confirmed that GPLed code is included). If you can't get to the support people without being a customer, search their website for any indications and/or try and get a demo.

Once you're reasonably sure they're in violation, consult a lawyer who knows IP law, preferably one familiar with the GPL in particular. Even on Slashdot, I'm not going to try giving you advice beyond that. It's not cheap, but there's a decent chance of getting legal expenses awarded in court.

Re:Do a little digging yourself, get a lawyer

[cbhacking]

Oh, and document EVERYTHING. Every email, every phone call (you may need to tell the other party if you record the call, I don't know the law in your area), every letter, every step of your research. I'm guessing a single subpoena would get all the evidence you need, but no point taking risks when money is at stake (as it will be if this goes to court).

This is well documented already!!!

[jamesh]

The instructions for what to do if you think you have found a gpl violation are here. There is no mention of posting to slashdot on that page. There is a mention of checking your facts first... some companies get a bit cross (eg they'll take you to court) if you write anything bad about their product which isn't completely true. (i'm not saying it isn't, i'm just saying you don't appear to have done your homework yet).

You've achieved your desired goal

[Bruce+Perens]

You got your concern on the front page of Slashdot. That means that the company will make sure they're doing everything right, because all of their customers are going to ask them about it now.

That said, it's not at all clear that you had anything to complain about. If SFLC won't help you for the reason you gave, that means you don't have any standing in the matter. You can't sue anyone about it. So, there's not much use in complaining.

IMO, you should make real sure that you at least own the copyright of your own work before you contribute any more.

Bruce

Re:You've achieved your desired goal

[Sortova]

The history of OpenNMS is pretty long and convoluted. It was started by a company called Oculan, and I was an employee of theirs when they decided to stop publishing their code under the GPL. I wanted to keep the project alive, and thus I took over maintaining the code in 2002. So all of the original "1.0" code is copyright Oculan (and that IP is now owned by Raritan) while almost all of the other changes are copyright "The OpenNMS Group". Both companies are commercial entities, although OpenNMS is never licensed outside of the GPL. According to Daniel B. Ravicher at the SFLC (who I contacted in 2005): "SFLC unfortunately cannot generally represent for profit entities". The fact that the SFLC won't defend us doesn't mean that we "don't have any standing in the matter". We do own the copyright to our work, but it is a derivative work based on the GPL and it is very unclear how such things can be defended since it is based on the work of other (duly noted in every copyright notice in the OpenNMS code).

As has been said: They don't have to give the code

[Anonymous+Freak]

...out on the web. Nothing in the GPL says that a licensee has to freely offer the code to absolutely anyone free of charge, to anyone that asks, in the manner the asker chooses. It says that they have to offer the code, in a manner of their choosing to anyone that asks.

In a commercial hardware product, that means that the company can insist on only distributing the code by sending it to you as a bunch of floppy disks, for all the GPL cares.

Now, once someone has the code, that person can then re-distribute the GPLed code however they feel.

One example: My Toshiba HD DVD Player (don't laugh, it was a present,) contains GPL code. Toshiba doesn't make this fact obvious. It's buried in the manual for the product. Toshiba doesn't make the code available on their website, because they're not required to. To quote the GPL 2.0 that my Toshiba uses:

b) Accompany it with a written offer, valid for at least three
        years, to give any third party, for a charge no more than your
        cost of physically performing source distribution, a complete
        machine-readable copy of the corresponding source code, to be
        distributed under the terms of Sections 1 and 2 above on a medium
        customarily used for software interchange...

The internet isn't the only medium customarily used for software interchange. And they are allowed to charge a reasonable fee for duplication and distribution. (See GPL section 1.) If they really felt ornery, they would be perfectly within their rights to charge you for the physical cost of a bunch of floppies, and the time (at minimum wage, or even higher,) some flunky had to spend copying onto those floppies.

Re:What's the menu path to that?

[ribman]

Found the answer to my own question ....
It's not under Products - Watchtower
It's at: Technology - Open Source Components, so yes, that's up on the main menu, though sideways from Watchtower.