I'm puzzled that there is apparently a whole cottage industry that can protect the rights of indie photographers [0] but we cannot do the same for free software. The closest we come is like the SFLC, and they are really quite soft on infringers in most cases.
I imagine that some of the puzzle is because DMCA is cheap and effective against websites more so than against hardware manufacturers. Even so, Ubiquiti Networks provides web downloads of their firmwares [1] so surely DMCA notices could at least impair their update distribution, which would annoy customers and put pressure on them that way. Meanwhile there are plenty of "purely web" software license violations.
I know that many projects don't get the copyright registered, which puts them at some legal disadvantage. But it's cheap to do, it's something that developers can be educated about, and it is economical for lawyers to take those cases (if facts and registration are strong) on contingency.
So I don't understand why there's not a little cottage industry for it like there is for the photographers.
In part because the "cottage industry" for photographers rights is based on getting people to pay, while most free software authors aren't actually interested in being paid for it, they are just interested in keeping it free. When the focus is on getting paid, a cottage industry can form that is based off the revenue from extracting royalties, but getting injunctions that apply until someone comes in compliance with a license is expensive due to lawyers fees and court costs, without any revenue to offset it.
Which makes me wonder, perhaps in next iterations the GPL should include provisions stating that intentional infringement (perhaps defined as failure to comply after 1 year from date of the complaint) results in financial penalties, thus allowing a cottage industry to form.
It could be argued that this would have a chilling effect on the adoption rate of FOSS software in corporations, but I would argue we may have already reached a critical mass where it's more costly to develop your own solution and I would point out that this only applies to modifications that you make to the source code before distributing the result. Anyone can still download and use the software without worry.
You don't need an explicit penalty: if you violate the license, it terminates.
Here's the text of the relevant section of the GPLv3 (the GPLv2 only has an equivalent to the first paragraph):
> You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).
> However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
> Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
So, on a second violation of the GPLv3, or on a first violation if it takes longer than 30 days, the rightsholder can already say "You need to pay me if you want your rights reinstated."
Conservancy has been using a variant of this tactic: they get a friendly, clear rightsholder for something like Busybox (which has relatively few authors), inform a company that they're violating the GPL and revoking the Busybox license, and demand GPL compliance for all software, including stuff like Linux which has so many authors that getting a clear rightsholder involved is harder, before reinstating the Busybox license.
Willful infringement is already a tort; the damages are set by statute at $150,000 (if properly registered etc). You do not need to add any provision to the GPL to go after US violators.
To the extent that doesn't happen means that copyright holders (developers) don't do it. Either because they don't know how, they didn't register in a timely fashion, they don't want to bother, or they don't want money.
Not only is that unnecessary, as laid out in a sibling comment, it would likely be ineffective legally, as you can't simply invent penalties and apply them through a license like that.
But those are not mutually exclusive; they are complementary. It is not very effective to say "Um, stop being a violator pls." It is much more effective to say "Here is your invoice for being a violator, and don't let me catch you again."
FWIW, that's a proposed solution to getting free software funded (and, by extension, not funding proprietary stuff), but it isn't a solution directly related to stopping GPL violation.
AFAIK there isn't a cottage industry taking on non-compliance with free licenses used for photography, eg CC-BY-SA.
OTOH I've heard there is a small part of the software industry (I don't know that it is serviced by intermediaries) that uses the GPL to gain users and putative non-compliance to convert some of them to proprietary licensees.
The common difference is between those who largely want compliance with their licenses (when they can be bothered at all) and those who largely want a payday, making their efforts must self-financing.
Personally I would enjoy a cottage industry around self-financing (ie payday oriented) enforcement of free licenses. It'd either increase the apparent trend toward non-copyleft licenses (ie much less to comply with), particularly public domain, or increase the appeal of copyleft licenses, perhaps both.
I contacted support@ubnt.com and info@ubnt.com about the issue and received a quick reply:
> Unfortunately we no longer offer support for our SDK, and I'm not able to divulge in the specific differences between airOS and openwrt. Also, we don't share u-boot GPL source. We used to in the past but not any more. This decision was taken keeping the security of the users in mind. I hope you understand.
> However, you can find the GPL archive for our devices from here:
It is funny... I get the feeling that they still give this response, because everyone who's gotten it doesn't know how to respond, it's so obviously wrong.
They use a lot of open source software and make firmware updates and controller software readily available, so how could they not know that:
* The GPL's legal requirements come before your product's needs, your users' security or whatever. If you can't use GPL'd software, then don't.
* Open source software has always proven to be more secure, because relatively serious and obvious security bugs linger in closed source software for a long time. How can we know that your closed source software is better than history suggests (unless you release the source...)
Ridiculous. I kinda hope some of their engineers notice this on HN and can use evidence of "public" (engineer) sentiment to pressure the management
Worth remembering: under many other popular licenses, there would be no possibility whatsoever of legal action that leads to Ubiquiti releasing the full/proper source for what runs on their devices.
I don't think this is correct, but I'm also a little unsure what you're trying to say.
For why I don't think it is correct: if you violate a license, you are legally liable for copyright infringement, just as if there was no license on it in the first place. Every license other than CC-0, Unlicense, and other PD-equivalents requires something of you. If you use a piece of BSD-licensed software without attribution, you are liable for copyright infringement. (In at least the US, if the use was commercial, this is probably criminal copyright infringement.) The rightsholder can sue, and offer to settle out of court by having you release source instead of paying damages. It would be unusual but possible.
For why I'm confused by this comment: isn't it intentional, on the part of almost all other popular licenses, to permit commercial reuse without requiring the release of source? Wouldn't one only use the Apache License, the BSD license, etc. if one wanted Ubiquiti to be able to use it without being compelled to release source?
Is your claim that people are bad at understanding what licenses mean, and are unintentionally choosing weak copylefts when they want strong copylefts? I could believe that, but I haven't seen much evidence of that.
I suspect the point is that people often say, in discussions about the GPL, that they expect commercial users of their BSD/MIT/etc licensed software to /usually/ contribute their changes back even though they're not obligated.
My anecdotal experience with this, having done many contracts providing commercial modifications of OSS, is that the companies that contribute their changes back are a tiny tip on the iceberg of use and modification.
That's not to say this is bad, if it's what one intends. But it's frustrating to watch people denigrate the GPL, sometimes, because of their wishful thinking about other licenses.
Thank you for reinforcing my point (elsewhere) about how the "gratuitous negativity" rule will never be used to do anything but reinforce the HN zeitgeist. I knew I wouldn't have to wait long for an example I could point to.
I personally consider the new rule an exhortation to down-vote more aggressively whatever gratneg we come across. As I like to say, there's a button for that!
To respond to your original point, I don't get it. If you choose to release under a license which doesn't require releasing source of any mods, that's a perfectly reasonable choice. Why should there be a "possibility of legal action" against something which is explicitly allowed by the license?
I can't (as an interlocutor), and I can see that nobody else has either. The prediction seems to have survived at least this one test.
"If you choose to release under a license which doesn't require releasing source of any mods"
...and there's nothing wrong with that. I'm not saying non-copyleft licenses are bad. I don't believe that. Even if I did, I don't have time for another round of that debate. I'm just pointing out what the practical difference is. People who care about the security aspect of Ubiquiti's behavior, or about the lost potential to install an alternate OS on their hardware, should be aware that permissive licenses give them zero leverage toward affecting a remedy. Those people might want to consider software licensing as part of their router purchase decision, even if they don't like GPL for their own code.
Perhaps I could have worded my response in a nicer way, but I stand by the point I was making. You're pretty much stating the obvious here; I don't see what it adds to the discussion.
(I generally try to avoid meta-discussion, so this is all I'll say on this topic.)
Yup. Only with GPL do sloppy development practices (lack of automated builds, sloppy version tracking, ...) tend to directly result in legal liability.
Other licenses just don't make those sorts of demands.
Think of a license that limits you to X deployments per unit of time, and forbids any additional deployments.
If your automated deployment system performs X+Y deployments (where Y > 0) in a unit of time, then you're in violation of your contract and legally liable for your actions.
Is this contrived? A little. But, realistically:
1) The GPL isn't the only license that you can violate with sloppy dev practices.
2) In the overwhelming majority of GPL violation cases, the remedy is for the violator to simply comply with the code's license and ship the code covered by the GPL.
1) Sibling post mentioned forgetting to include notices in the documentation. Which is a valid counterpoint, but I would assume requires more of a one-time effort than a permanent change (improvement) in work procedures.
> I would assume [remembering to put copyright notices in documentation] requires more of a one-time effort than a permanent change (improvement) in work procedures.
You assume wrong. There is always another project, or another library.
People with sloppy development practices could easily forget to include all the required copyright notices. All popular licenses require that the copyright notice is included in distribution, and forgetting to do so puts one under legal liability.
Hm, maybe. OTOH, I'd think (hope) that not adding a note to the documentation when you add the code (ie, while it's still fresh in your mind) would require at least slightly more sloppiness than succumbing to poor dev practices over the longer term would require.
Looking at games, they normally add third-party licenses as part of the credits. Where the note goes and how it will reach the consumer seem like non-trivial problems to solve. I know that some software used to ship individual mit/bsd notices in the box for each individual third-party library. If you depend on a large number of projects, say 20-30 which seems common in AAA games, that is a lot of notices, paper, and management in order to follow all the licenses correctly.
But I would not try to guess how sloppy someone needs to be to do it incorrectly.
Similar shenanigans have happened with just about every router, AP and modem manufacturer. They just don't care. I'm not sure why u-boot always seems to be the sticking point but heaven forbid if you actually want to try bringing your board up from scratch.
The article doesn't mention if they've contacted the FSF about the violation. Looks like they may be able to provide some assistance, particularly if any of the code is directly copyrighted to the FSF.
The problem is almost certainly internal disorganization: the person who put together the shipping firmware either isn't hearing about the requests for source code, or has moved on to another company.
Yes, but it changes the strategy for getting them to rectify the error. Rather than asking for source code directly, you should be asking for help getting in touch with the developer who has it.
I'm not sure what you're angling for with your anti-GPL comments in this thread, but all software licenses have requirements that are burdensome to one degree or another.
Frankly, the paperwork required to keep track of installed instances of -say- volume licensed MSFT software is a fair bit more burdensome than procedures to handle source code requests for GPL'd code.
Hell, you can automate both processes, but -in places that are like the dev shops that I've worked in- you're far more likely to automate the GPL compliance procedure. :)
Mostly just thinking out loud (congratulations, you're a rubber duck).
I think I heard something a while back, about Microsoft changing how they did volume licensing. Because it really was too much of a PITA, and they wanted to simplify things.
I suppose one difference would be what's required to get back into compliance once you inevitably stuff things up. In the one case, you have to probably pay (money is fungible) and/or remove things you have installed. In the other case, you have to find something you might not know where it is (if it even still exists) and provide it to the public (and be sure that doesn't violate any other licenses you have). ...I think I might be moving the goal posts a bit here, but that's what you get for being a rubber duck. ;)
If you follow what's generally considered good development practices (automated builds, everything in version control, etc), GPL compliance should be dead simple. So congrats, it sounds like you work for people who don't have their heads up their asses.
...hey, maybe that would be a good basis if we ever did turn into a proper profession: version tracking and automated builds.
People screw up all sorts of compliance issues. All but a tiny handful of software licenses out there can be violated by sloppy practices or mistakes of one kind or another. The GPL is not unique in this regard.
You should try your attempts to paint a different picture in another forum: all but the greenest programmer has far too much experience to be convinced by your argument.
Really? I haven't used Ubiquiti hardware in a few years, but my recollection was that their stuff was inexpensive, easy to set up, and very powerful. We used their Bullet and Nanostation line of products.
The rule we developed at a previous job for doing upgrades on their products is to reboot twice to avoid bricking it. Yes, twice. Sometimes once isn't enough for an unknown reason.
Also their web interface has terrible memory leaks which cause loads of other issues.
Don't forget the management network interface that just stops being able to be pinged until you reboot. Have seen this on everything up to AirFibers.
Yeah, I like the hardware well enough, but the software is atrocious. It is ugly, slow, counterintuitive with settings in all sorts of strange places, and makes me feel insecure about my own wireless network. The hardware is alright, but it feels like really shoddy software engineering work whenever you need to interact with it.
They certainly do have quality issues. A friend of mine had to mod an M2 to make it work with PoE over long cables.
http://hofmeyr.de/PoE%20power%20fix%20for%20NanoStationM2/
The manufacturer obviously didn't test the hardware with 100m cable length.
That really does not sound like a quality issue at all. Or do they encourage providing power via their PoE-like solution over such long distances? Ethernet is specified for 100 meters, I think, but proprietary powering over the same cable not necessarily so.
The page says that a u-boot copyright holder asked for source and got nothing. Perhaps they could bring this case to the Software Freedom Conservancy and file a lawsuit if necessary?
Can the copyright holder take them to small claims court? He/she ought to be able to file one without needing a lawyer and for minimal costs. At the very least the court may force them to release the source code.
He/she probably could. However this isn't some small claim - it's probably a very large claim, given UBNT's size. If they get wind of a single developer or a one man army lawyer launching these lawsuits, they will put up a fight and hope they will either settle or quit before they run out of money. Suing someone is expensive, even if your case is a winner from the outset.
If there is one reason I'd ever consider becoming a lawyer w/my CS background, this would be it. I would set up some kind of a subscription model to which lone developers/copyright holders would pay my firm an ongoing subscription for as long as they wish, and in response get legal representation.
"If there is one reason I'd ever consider becoming a lawyer w/my CS background, this would be it."
I am both and I have investigated this, and discussed partnering with firms etc. - I have looked at this seriously, and from many angles. There is no way this can be made viable. How much will an OS/single developer pay for this? 10$/month, max, the most motivated ones? OK great, after one year, they've paid for 30 mins hour of legal representation, not enough to read the first 2 emails that lay out the first issue they have (and those who pay 10$/month will find issues, they'll make a sport out of finding anything that remotely looks like they could get their money's worth).
Furthermore, the added value of a CS background in the legal profession is tiny - as in 'worthless for all practical purposes'. At best, you'll be the Word and Excel wizard in the office - which is basically a career-limiter, rather than propellant. I can count on the fingers of one hand (even if I would have had a serious wood-chopping accident involving that hand) the top people in the legal profession (in my market) who get a real value from their technical background (the one I do know has been blogging for going on 20 years on the intersection of law and technology, so even there the advantage is indirect).
I am not a lawyer, but I do know that in US law statutory damages are $750 to $30,000 at the discretion of the court. Per infringement. Willful infringement increases that maximum limit, up to a max of $150,000.
Multiply by the number of infringements here, and the history of not complying with the license despite many opportunities to do so, and there is no way that this belongs in a court whose maximum potential penalty is $10,000.
Ding ding ding... all the uboot copyright owner needs is a desire to sue and a lawyer that would take the case on a contingency basis. The company does about 600 million in revenue... so there's a lot of money there.
It's a crazy amount of liability. If a company doesn't comply with the GPL then they don't have a license to the code, and without permission from the copyright owner they're at risk of being found to be infringing. And worse, this risk doesn't go away if the company corrects the behavior (i.e. the period of time where they weren't in compliance with the GPL doesn't just disappear because they are _now_ in compliance).
This might actually work. Even though the potential monetary loss for the offender is minute, the fact of legal loss may cause the change in internal policy. Any public shaming would help as well.
You could take their customers to small claims court one by one, they'd each be on the hook for the purchase price of their access points. This would go a long way toward generating publicity and forcing compliance.
Firstly, the customers aren't distributing the software so I don't see how they could be liable. Secondly, the customers are the ones who are actually being wronged here, because they've purchased devices based on GPL software--for which they are entitled to the actual source code.
If anything, the customers should be the ones bringing suit.
Besides not being practical, it sounds to me like this would mostly garner animosity towards the group bringing the lawsuit, not Ubiquiti. I own Ubiquiti hardware and (legality aside) if someone sued me or my company over this I'd view them as a copyright troll. I think public attention and shaming from sources like this article will produce much better results.
edit: all of the above is incorrect and I retract this.
If Ubiquiti is in breach of the GPL then their customers cannot receive a license to the infringing work by Ubiquiti distributing it to them, so they're infringing too.
I don't think this has been done before. It would definitely chill the acceptance of GPL software in general.
edit: all of the above is incorrect and I retract this.
> 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
As I read that, as long as you don't further redistribute, you should be good.
The issue is, however, that the parties (customers) haven't received any copies or rights under the GPL2 as due to Ubiquiti's license violation, Ubiquiti didn't (and does not) possess any right to the original software (including redistribution).
Think about the licensing issue as a licensing chain / tree with each version having a separate license (instance).
And that's exactly what that paragraph avoids. It stops the revocation of the license tree at the first party who either correctly ships the full corresponding source, or doesn't redistribute the work at all. Basically those parties get a license directly from the copyright holder.
Mounting a legal offense is expensive. The current system favors battles between corporate giants. It's not often that a lone software engineer wins in court.
I'm of the opinion their firmware is real swiss-cheese'd, and they're not allowed to disclose the firmware and source modifications under EO12333 or other nonsense.
Hence, if you had a Ubiquiti contract, and demanded GPL compliance, you could sue for quite a bit of money for selling you pirated software (GPL license is revoked when source is not provided), and they would settle, rather than violate national security.
Philips too, with their smart TVs running Linux and other FOSS.
They just provide some vanilla random .tar.gz of "gpl source CODE" and that's it, not really the version that's running on the device or that was distributed by them.
The actual binary, firmware, is encrypted too.
0 fucking freedom for a normal user in age of FOS software all around us.
It would have been better with proprietary software. Then I wouldn't have gotten pissed.
Franklin Wireless U770. Running a telnet daemon, I managed to get root through modding an update. FWIW, the default root password is 'frk770' and it appears to listen on the WAN interface in the default config. No idea what modifications the kernel has - I'm not too interested in customizing software running on pwnt Qualcomm chips, I just wanted a prompt.
Sierra Wireless 803s - running Linux as far as I can tell (nmap -O, update files, GPL license text in manual). Once again there's not even really a website for the device, nevermind some token source tar. Haven't yet broken into this device, I'm assuming there's a JTAG on its 60 pin debug connector, but I need to try the easier route of hacking an update first.
The theory goes that manufacturers should realize that obscuring their systems gives them no benefit (especially since they're able to put different copyrights on the parts they actually write eg the webuis), while opening them should give goodwill, but this has not played out in practice. Manufacturers clearly care about some aspects of licensing, given that they'll include license texts/notices/etc in the manual. We need a way of making the two line up.
But the unfortunate reality is that we're on shaky ground. The rise of embedded devices with baked-in binaries has shifted the landscape. In this environment, BSD-style licenses fail Freedom 1 (https://www.gnu.org/philosophy/free-sw.html).
The Linux kernel is the main item that is infringed upon (presumably because it's too complex for eg Google to reimplement as BSD like they did with the Android userland). And its developers have stubbornly stuck with the broken GPL2, making it so that even with perfect enforcement (which they also don't seem interested in), make && make install is not an achievable goal.
[0] https://www.imagerights.com
[1] https://www.ubnt.com/download/