Slashdot Mirror


German Court Finds Fantec Responsible For GPL Violation On Third-Party Code

ectoman writes "Are firms responsible for GPL violations on code they receive from third parties? A German court thinks so. The Regional Court of Hamburg recently ruled that Fantec, a European media player maker, failed to distribute 'complete corresponding source code' for firmware found in some of its products. Fantec claims its third-party firmware supplier provided the company with appropriate source code, which Fantec made available online. But a hackathon organized by the Free Software Foundation Europe discovered that this source code was incomplete, and programmer Harald Welte filed suit. He won. Mark Radcliffe, an IP expert and senior partner at DLA Piper who specializes in open source licensing issues, has analyzed the case—and argued that it underscores the need for companies to implement internal GPL compliance processes. 'Fantec is a reminder that companies should adopt a formal FOSS use policy which should be integrated into the software development process,' he writes. 'These standards should include an understanding of the FOSS management processes of such third-party suppliers. The development of a network of trusted third-party suppliers is a critical part of any FOSS compliance strategy.'"

14 of 228 comments

  1. Preemptive STFU to GPL haters by Anonymous Coward · · Score: 5, Insightful

    So they got caught violating an oss license? (TBH they were just being lazy by relying on their supplier's word. You've got to know and own the product you sell.)

    Imagine how much shit they'd be in if they'd been caught violating copyright on a piece of closed source software. Ask anyone who's dealt with the BSA to comment on how friendly and fair they are.

    1. Re:Preemptive STFU to GPL haters by Anonymous Coward · · Score: 5, Insightful

      Actually at the core of the issue here is not really the GPL. At the core is that they got the code from another company and relied on that company adhering to the license.

      Basically the ruling says that when you got the code from a third party, you cannot rely on the third party acting correctly when determining whether your use of the code complies with the license. If the third party violated the license (in this case, by not providing the complete source code), it doesn't protect you from the responsibility of checking the correct licensing yourself when redistributing the code.

      That it was about GPL code is only tangential to the issue (although it's almost certainly the reason why it ended up on Slashdot).

      Basically the scheme is the following: A gives code to B under a given license. B then gives the code to C in a way that violates A's license. C relies on B having followed A's license and figures out that redistribution in a certain way would not violate A's license. However since B's analysis rests on the false assumption that B complied, it turns out that C's redistribution of the code also violates A's license. But with a closer inspection, C could have found out that B didn't comply. The court ruling now says that C is responsible for violating the license.

      Here A is whoever owns the copyright for the code in question, B is Fantec's firmware supplier, C is Fantec, the license is the GPL, and the violation is not distributing the complete corresponding source code.

  2. Err - what? by queazocotal · · Score: 4, Insightful

    'A German court thinks so'?
    Under very few legal codes is it OK to distribute something that you do not have the appropriate copyright/licence.
    Even if you don't investigate properly to find out if you do or don't, that doesn't get you off the hook.
    It may alter the penalties, but the fundamental legality isn't really in question, pretty much anywhere.

    Raising 'GPL' is a red-herring here - 'Oh - I didn't realise that machine had an unlicenced copy of windows on it' - is exactly the same case.

  3. FOSS license compliance is difficult for many by drdread66 · · Score: 4, Insightful

    A previous employer of mine really really really wanted to offer FOSS support & products as part of their lineup. In the end, the lawyers won, as they couldn't craft a policy that would allow anyone other than a lawyer to make the decisions. This was mostly for GPLv2 and v3, but they got the dev managers completely wound up about all the license types. Mostly this resulted in the company punting on the FOSS idea.

    It's not terribly surprising that some small outfit decided to outsource the responsibility, assuming they were in a similar "analysis paralysis" situation. Too bad they did not understand the intent of the licenses and just "do the right thing."

    1. Re:FOSS license compliance is difficult for many by HornWumpus · · Score: 4, Insightful

      Compliance is easy. Never even look at GPL code. If it's not under BSD, don't touch it.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:FOSS license compliance is difficult for many by qbast · · Score: 4, Insightful

      But they magically understand proprietary licenses? And somehow the fact that every proprietary license is different and may contain different pitfalls is not a problem?

  4. Re:Is this what they really want? by queazocotal · · Score: 4, Insightful

    This isn't a GPL thing.
    This is a general IP thing.

    If you are not - as a business selling software (even if in embedded hardware) requiring your suppliers to state that all software used is compliant with relevant licences, with appropriate penalty clauses or indemnification if they are not - then your lawyers don't deserve to be employed.

    Exactly the same happens if you ship unlicenced windows on your systems.

  5. Re:Bigger Issue by fuzzyfuzzyfungus · · Score: 4, Insightful

    This isn't going to make it easier to convince companies to adopt the GPL. It's not necessarily accurate, since Fantec clearly didn't exercise due diligence with their third-party software, but that's what a lot of upper management is going to hear.

    I don't doubt the theoretical potential for this to be FUDed; but it isn't as though Fantec would have been any better off if their shoddy firmware contractor had been out of compliance with code under any other licence... Somehow, the fact that you can get your ass handed to you for violating software licenses seems to be Super Scary when it's OSS; but just part of doing business when it's proprietary; but it's the same principle at work either way.

  6. Yes, when asked to comply the company lied. German by raymorris · · Score: 4, Informative

    It appears that when asked to comply with the license by posting the code they actually used, the company lied and said they weren't using iptables.
    Contrast that to when I pointed out to Plesk that they were violating the Apache license. They very quickly apologized and posted the code, putting an end to the issue. All they needed to do is post the code that they compiled in order to come into compliance.

    The court opinion is six pages, I'm guessing three of those are boilerplate. Are there any fluent speakers of German who can read through it and tell us the facts as expressed by the court?

  7. Re:Preemptive STFU to GPL white knighters by mwvdlee · · Score: 4, Insightful

    They published code, it got used, they're dealing with it.
    What's the problem (apart from them not dealing with it in the way you'd prefer)?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  8. Re:Bigger Issue by gmack · · Score: 4, Informative

    They didn't adopt the GPL, they borrowed code that was GPL so they had to do less work rather than spend tens of thousands of dollars doing the work themselves. It's not the first time I've heard of a company thinking their added code totaling a fraction of a percent of the project is somehow worth more than the rest. It's also not the first time I've seen willful ignorance on behalf of a device maker.

    A few years back I was sourcing some kit for an ISP and discovered the ADSL modems were based on Linux + BusyBox. I asked the manufacturer if I could have the source so we could try some local modifications only to be told "the chipset maker doesn't supply that" and I would have to talk to them (in China) about it. I argued the point but they refused to accept that they had a legal obligation. Fortunately about a year later they entered into a settlement with the gpl-violations.org but by then I was no longer working for that ISP.

  9. Re:This is why they hate us by jedidiah · · Score: 4, Insightful

    > Shit like this. No wonder everything's going BSD.

    You wish.

    While it sounds like a silly juvenile retort, it really is the case.

    Why would anyone with a pathological need to "win in the market" or "be associated with the cool brand" bother with BSD to begin with?

    > Did anyone try to work things out with the company?

    No. People just like to litigate for fun. They like to waste the money.

    Don't be such an idiot. If anything gets in front of a judge it's because one or both sides refused to compromise. The FSF has a long history of quickly dispensing these things by allowing the offending party to come into compliance.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  10. Not just due diligence, lying and covering up by raymorris · · Score: 4, Informative

    Not only did they not exercise due diligence to start with, it appears that when asked to comply with the license by posting the code they actually used, the company lied and said they weren't using iptables. Had they simply said "oops, sorry about that, here's the code we compiled" it would have been resolved with just a few minutes of time.

    That second scenario is what Plesk did. I pointed out they weren't in compliance and as an Apache copyright holder I insisted that they comply.
    They immediately posted the Apache code they were using, ending the matter. The only effect on them is that now a couple of Slashdot readers know that they did the right thing.

    I think that's the big takeaway - when you mess up, don't lie and initiate a cover-up, just fix it and move on.

  11. Re:Preemptive STFU to GPL white knighters by AlecC · · Score: 4, Insightful

    So you would make speculative IP creation impossible. Before you created any IP, you would have to establish contact with all possible customers and agree, and contract, a price for the IP you would create. This was the way the system used to work in the 18th century: Dr Johnson had to line up a number of sponsors before he produced his dictionary. The same applied for music: Bach needed a sponsor for his cantatas etc. The invention of copyright then produced an explosion of publishing: because people could retain the IP of their putative great works, they could publish speculatively (possibly with funding from a publisher), and if indeed it turned out they were great works, they would be repaid for their efforts.

    Your proposal would, I think, destroy the literature and magazine industries. Yes, magazines have subscribers. But why should I subscribe if I can get a copy as soon as the magazine is published? How can the editor of a magazine get enough readers to contract for something that they will receive free once the first user has received it? How can the writer who /thinks/ he has a great book make a profit from it when the first review copy can be Torrented for free? Why create any new work of literature? Music is slightly different: a live performance is different from a recording, and some groups distribute recordings for free in order to get fans at their concerts. But, in the days of the Kindle etc., an e-copy of a book is approximately as good as a hard copy.

    Literature and music are not the same things as burgers and car repairs. The invention of copyright had a massive positive effect on human culture. Very little of the music you listen to and the books and magazines you read would exist without it. Of course, I am not saying that the existing system is perfect - very far from it. Its application to programs and code is very defective. But in throwing the whole thing out, you are losing the good as well as the bad.

    --
    Consciousness is an illusion caused by an excess of self consciousness.