> I then decided to contact Insulet to get the kernel source code for it, being GPLv2 licensed, they're obligated to provide it.
This is technically not true. It is an oversimplification of the common case, but what actually normally should happen is that:
1. The GPL requires the company to send the user a written offer of source code.
2. The user uses this offer to request the source code from the company.
3. If the user does not receive the source code, the user can sue the company for not honoring its promises, i.e. the offer of source code. This is not a GPL violation; it is a straight contract violation; the contract in this case being the explicit offer of source code, and not the GPL.
Note that all this is completely off the rails if the user does not receive a written offer of source code in the first place. In this case, the user has no right to source code, since the user did not receive an offer for source code.
However, the copyright holders can immediately sue the company for violating the GPL, since the company did not send a written offer of source code to the user. It does not matter if the company does or does not send the source code to the user; the fact that the company did not send a written offer to the user in the first place is by itself a GPL violation.
This is an open legal question, which the Conservancy v Vizio case will hopefully change; in that case, Conservancy is arguing that consumers have the right to enforce the GPL in order to receive source code.
If you carefully read what I wrote, you will notice that I never claimed otherwise. Whether or not third parties have standing to sue on a GPL violation is immaterial to my point, none of which is “an open question”.
> The GPL requires the company to send the user a written offer of source code
It should be noted that this is just one of three options that someone who wants to distribute binaries of GPL code can choose from. It's the most commonly chosen one, and one is only available for noncommercial distribution, so the odds are good that this is the option they are using.
The other available option is to accompany the binary with the source code.
That one leads to an interesting possibility where someone could end up with a binary and there is no one obligated to provide source to them. As far as I know this has not actually arisen, but it seems like something that is bound to happen sometime.
Suppose company X decides to make a generic hardware platform that other companies can buy to build their products on. X's platform is basically a small single board computer with WiFi, Bluetooth, dual, USB ports, a couple Ethernet ports, and some GPIO ports. X ports Linux to their hardware.
When X ships a system it comes with an SD card with a Linux distribution installed including their custom kernel. It is configured to boot from the first SD card slot, and then to run a custom login system that looks at the second SD card slot and if there is a card in there it mounts it, looks for an executable on its root named application.exe, and runs that as root. X includes in the box a small thumb drive with a copy of the source code for everything on the SD card.
The idea is that a company Y that wants to make something like a WiFi access point or an air quality monitor can buy these boards from X, put them in a case with whatever peripherals or sensors they need like air quality sensors, write the software for the application, put it on an SD card, and put that in the second SD card slot.
So let's say Y buys 1000 of these systems from X, builds 1000 of their access points or whatever from them, and sells them.
One of their customers asks Y for the source code of the GPL parts. Does Y have to provide it?
I'd say they do not. They are not making copies or derivative works. They are just receiving physical copies from X and passing those on unmodified to their customers. This should fall squarely under the First Sale Doctrine in US copyright law, and similar rules in other jurisdictions.
How about if they ask X for a copy?
X has made copies and derivative works and distributed them. But X satisfied their GPL requirements by including a thumb drive with the source with each board they shipped to Y.
The written offer is part of the licence, as is the need to respond to that offer with the source code offered. It is all part of the same agreement.
A written offer on its own would not normally be directly enforceable in many (most?) jurisdictions, for the same sort of reason that retailers can't be held to incorrectly published prices (in the UK at least, a displayed price is an “invitation to tender”, not a contract or other promise) except where other laws/regulations (anti bait&switch rules for instance), or the desire to avoid fighting in the court of public opinion, come into effect.
But in this instance, the written offer and the response to that offer are part of the wider licence that has been agreed to.
Offer and acceptance are part of how contracts are formed. There is no contract without there first being an offer.
If you accept someone's offer, provided it meets the rest of the criteria for a valid contract - congratulations you now have a contract. If any party violates it, yes this is a breach of contract.
> A written offer is not the same thing as a contract.
An offer is a precondition and component of a contract
The customer spends money to buy the product along with the source code offered. It's part of the transaction. Not honoring part of the transaction is a breach of contract.
I think they're just saying the GPL doesn't really cover consumer/distributor (dis)agreements, it only covers copyright. While the spirit of the GPL is user-first, it still has to be realized within the confines of copyright law. Even though many people might conflate the spiritual goal and the legal agreement, it doesn't grant "users" any extraordinary legal powers.
It's not illegal to not honor written offers, it's illegal to distribute copyrighted material in violation of its license.
Maybe it’s not technically “breach of contract”, and an offer might or might not be a contract. But if you don’t honor an offer you made, you must surely be guilty of something. Otherwise, all offers would be meaningless and worth nothing.
The written offer with a limited term of three years is just one permitted method of distribution. If an offer was never made then they're not covered by that clause and are bound to comply by other means without the protection of the three year window.
Yes. I did not cover these cases because approximately nobody does that.
I mean, the absolutely simplest, and cheapest, way for companies to comply with the GPL is to ship the source code together with the software. Stick it in a zip file in a directory somewhere. The company can then forget the whole thing and not worry about anyone contacting them and ranting about source code and the GPL. But no company does that.
The other simple way for companies to comply with the GPL is for companies to provide a link to download the source code at the same place that users download the program itself. If the user did not download the source code when they had the chance, that’s the user’s problem. This will also let the company ignore any GPL worries. No company does this, either.
(The GPL provides a third way for individuals and non-profits, which is not relevant here.)
Maybe. Who can and cannot sue is irrelevant to my point. But I seriously doubt that anyone can sue for source code. Someone might sue for damages, and the company might offer to settle by offering source code. But IIUC, no company can be sued and forced to give up any source code, unless the company itself chooses to do this instead of paying damages.
Not according to the original reasoning by its creators, but opinions differ wildly. However, this is irrelevant to the point; the written offer, which is separate from the GPL, is what is failing to be honored, not the GPL. If you did not receive such a written offer, the GPL, in itself, makes no guarantee that you have the right to the source code.
Be sure to read the top comment where someone who claims to have worked for the company provides some inside information.
In my experience, this is quite common when the development of hardware is viewed as a cost center and is outsourced to various providers and teams. Those providers and teams churn a lot and nobody who worked on that is likely still involved with the company via contracts or direct employment.
Front line support people aren’t equipped to respond to these requests. If you’re lucky they’ll get bounced around internally while project managers play hot potato with the e-mail until it gets forgotten. You might get lucky if you go the corporate legal route, but more likely is that the lawyers will do the math on the likelihood of you causing them actual legal trouble for anything and decide it’s best to ignore it.
When I worked at a company that had a history of GPL drama one of the first things I did was enforce a rule that every release had a GPL tarball that was archived and backed up. We educated support people on where to forward requests. I handled them myself. 7 out of 10 times, the person on the other end was angry because they assumed the GPL entitled them to all of our source code and they were disappointed when they only found GPL code in the tarball. It really opened my eyes to some of the craziness you get exposed to with these requests (though clearly not the polite and informed request in this Reddit thread) which is probably another reason why support staff are uneasy about engaging with these requests.
> 7 out of 10 times, the person on the other end was angry because they assumed the GPL entitled them to all of our source code and they were disappointed when they only found GPL code in the tarball.
Well, if your non-GPL code was directly linked to, or closely interoperated with, any GPL code, those users would have been right.
As always, the solution is to contact their legal department, preferably via a lawyer. Engineers and support staff are not going to risk their jobs making legal decisions about giving away company property.
The FSF could help a lot here by publishing demand letter templates outlining the statutory and precedential basis for license enforcement and recovery of damages.
But it's the company's legal department which would evaluate that claim. Because it's a legal claim. Licenses aren't magic spells, they're social agreements and non-executive employees don't want to get in trouble for making executive decisions.
That really depends. A company can still own the copyright to the code that they’ve written, even if it’s licensed with GPL. It’s an asset that is transferred if the company is sold, etc, so yes, it’s actually company property.
The GPL grants rights to use and distribute, but does not grant ownership. It’s not suddenly in the public domain.
I get mad triggered by software license violation discussions.
Please for the love of all that the FSF thinks is holy - just file a damn lawsuit if you are telling me they are violating the law. State your claim and have a court sort it out.
It costs hundreds of dollars. For a medical device? Seems like a good deal.
If the only GPLed component used is the Linux kernel, you probably aren't entitled to any noteworthy source code. It's well established that using the kernel doesn't create a GPL requirement for userspace software running on the same device, and the most likely arrangement here is a completely-uncustomized kernel paired with an open-source userspace program that does all the interesting bits.
It's trivial in terms that it will cost them nothing, because it's very likely there are no changes to the kernel, or nothing of value nor commercially-sensitive anyway.
It's not trivial in terms of big company bureaucracy - this request will have to go through so many levels of red tape that they (correctly) decided not complying with random people's requests is more profitable.
I'm sure if you actually sue them then they will comply right away, because at that point paying for some engineer's time to tar up the source tree and send it to you now becomes cheaper than lawyer time.
But their analysis is correct in that nobody will waste time/money suing to get what is effectively a stock kernel they can get from the official source anyway. Which is why these complaints are also a bit stupid - they're not asking for anything of value or using the GPL to advance software freedom by freeing up some valuable code, they're just wasting both their and others' time asking for something they can already download directly.
Let me guess. Omnipod. They've had some pretty bad recalls too. Never in a lifetime would I trust my well-being to their p.o.s. hardware / software combo. Apologies to that person in this thread that worked there, but I hope you are working for a better company now.
My point is: they could have left it out. There are not that many manufacturers of insulin pumps and there is only one that the title could have conceivably applied to.
Since a company building it themselves hasn't gotten it in the form of a binary from someone else that they're just passing along to you and their use is commercial, they don't satisfy either condition of GPLv2 3(c), but they'd need to satisfy both in order to be able to exercise that option.
Oh well. The whole thing has already been reverse engineered. Look up Loop or Trio or OpenAPS. Diabetic companies like Insulet have been very lax when it’s come to the hacking of their devices. This isn’t really that big a deal. What we need right now is help REing the Omnipod 5
I’m aware of a few people working on REing the Omnipod 5. The furthest issue that I have seen is that when a PDM/Omnipod 5 app signs into your Insulet ID, it gets a private key from the API which is stored in the keychain (and uses SSL pinning to prevent MiTM retrieval of the private key). When pairing with the pod they exchange public keys and then a derived key from the device's private key + pod's public keys, but haven’t been able to get a copy of a private key yet to make further progress.
Any way to follow the progress? I attended the Nightscout conference and asked around regarding this but no one really knew of any group to follow. Or really knew of the latest developments on this effort.
Not all though, I've been looking at Minimed pump reverse engineering (which would be just reading glucose data, not controlling the pump), and that's not solved yet, at least not for the 780G. But I hope it will be, and perhaps I'll be able to contribute.
I don't work for Medtronic. But it's extremely unlikely that will happen. It's not merely a matter of reverse engineering -- after the original Medtronic "hack" / reverse engineer efforts (the ones that led to the original OpenAPS system being developed) the FDA put out new guidance on cybersecurity protections for insulin pumps.
The communication between your phone/pump or glucose sensor/pump is encrypted now for all newer devices.
(IANAL)
https://social.kernel.org/notice/B1aR6QFuzksLVSyBZQ
Linus rants that the SFC is wrong and argues that the GPLv2 which the kernel is licensed under does NOT force you to open your hardware. The spirit of the GPLv2 was about contributing software improvements back to the community.
Which brings us to the question: what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel? Of which there are likely none. Try and run custom software on his medical device which can likely kill him? More than likely.
The judge's comments on the Vizio case are such that should this guy get his hands on the code, he has no right to modify/reinstall it AND expect it will continue to operate as an insulin pump.
This is about as ridiculous as buying a ticket on an airplane and thinking you are entitled to the source code of the Linux in-seat entertainment system.
That doesn't sound right to me.
A written offer is not the same thing as a contract.
What's the consideration in the written offer? Promises aren't enforceable in court. For a contract to be enforceable, it has to be an exchange of something, not a one sided offer.
https://www.law.cornell.edu/wex/consideration
But GPL is a contract
I think the distinction you are pointing to would be between a GPL licensor-licensee contract, rather than a licensee-user contract.
(IANAL)
Making a blog post about someone else's copyright being violated is even more annoying to me.
https://www.caed.uscourts.gov/caednew/index.cfm/attorney-inf...
Edit:
Courts deal with contract law disputes all the time. It's their bread and butter, everyday, nothing special stuff.
Edit2:
To you below, citation needed
> Diabetic companies like Insulet have been very lax when it’s come to the hacking of their devices
Absolutely not true, not any more.