Dealing With a GPL Violation?

Sortova writes "For many years now I've been maintaining OpenNMS, a free and open source network management framework published under the GPL. A couple of years ago it came to our attention that a company called Cittio was using OpenNMS as part of their proprietary and commercial network management application. I talked with Jamie Lerner, the Cittio founder, and he assured me that Cittio was abiding by the GPL. However, we were recently contacted by a potential client who was also considering Cittio's Watchtower, and it appears that they are not disclosing that they are using GPL'd code or at least not in the clear and concise fashion required by the GPL, including the offer of source code for all of the code they are including and any changes being made to that code. Since the copyright for OpenNMS is held by a number of commercial companies, the Software Freedom Law Center is not able to help us defend or even investigate a potential violation. I was curious if anyone here on Slashdot had experienced anything similar or has any advice?"

You don't know they are in violation

[QuantumG (50515)]

For a start you claim:

When I brought up the fact that parts of Watchtower are based on OpenNMS, the client replied "I could not find one ounce of mention on their website to OpenNMS or any other Open Source code that is running on this product. That really irritates me."

So what's all this then? [cittio.com]

You also make the claim:

I should also mention that this client is in final negotiations with Cittio (they dropped their initial price considerably) so we're not talking a first contact cold call here - they are ready to close this deal without a single detail concerning their use of open source.

Yes, and? They are not required to make any such disclosures. The GPL requires them to provide the source code or an offer to provide the source code when they distribute the software. As they haven't distributed any software yet, they are not required to provide any source code or offers to provide the source code.

FAIL.

Re:You don't know they are in violation

[LingNoi (1066278)]

Not only that, they only have to provide the source code to the person they're redistributing to under the same license if they changed anything, that doesn't include you, because you're not their customer.

If there's something they've changed in your project then purchase a copy and put the changed code in your version, since any modified GPL code must be re-distributed as GPL code.

Re:

[JoelKatz (46478)]

This is not the FSF's position, nor is it sane. What the GPL intends, and what makes sense, is that you cannot be refused the source code simply because you aren't the person the offer was originally extended to. That is, the offer must be transferable.

The distribution could include a "coupon" for the source code, so long as the coupon is transferable. That wouldn't mean they'd have to give anyone the source code just because they asked for it.

Re:

[sumdumass (711423)]

Wow.. What FSF are you thinking of?

I found this on their site in the faqs about licensing page you can go look too.

What does "written offer valid for any third party" mean in GPLv2? Does that mean everyone in the world can get the source to any GPL'ed program no matter what? [fsf.org]

If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it.

If you commercially distribute binaries not accom

Re:

[JoelKatz (46478)]

I guess my recollection was in error. The FSF does take a nonsensical position about this. I'll add this to the long list of nonsensical positions the FSF takes.

The clearest way to see that this is nonsense is to ask yourself this question -- without a copy of the written offer and without having directly distributed to how, how could the distributor possibly know exactly what source code to give you?

It only makes sense if they can be required to show you a copy of the written offer.

Thanks for the correctio

Re:

[rsax (603351)]

From the linked site [cittio.com]

"postgresql-8.0.2.tar.gz ... GNU General Public License (GPL)"

Wrong license. As mentioned on the PostgreSQL site [postgresql.org] page, the project uses the BSD license.

Re:

[hedwards (940851)]

It looks like an honest oversight. It is an important distinction, but anybody that's going to use the code or binaries really ought to be looking at the license included in the distribution rather than what a third party says the license is.

Re:

[cbhacking (979169)]

Very true. A simple Google search for OpenNMS on cittio.com [google.com] comes up with two pages (one linked in the parent). Each lists, with licenses, the open source projects they use. At the bottom of both pages they have "Contact us" info, one of them (not the one linked above) even has a mailto: link for questions about their open source components.

I'm a little surprised they don't provide links to the projects directly - either by project site or downloadable tarball - but it doesn't exactly look like they're hidi

Re:You don't know they are in violation

[LingNoi (1066278)]

You're not their customer so they don't have to give you anything.

Only Cittio's customers (the ones receiving the product) could ask for the source code, because they're redistributing to them, not you. Cittio's customers could then re-distribute that GPL code however they wished.

Re:

[cbhacking (979169)]

I'm aware of that. I'm just surprised that they bothered to list a bunch of OSS projects they use, but not link to them. I wouldn't expect a commercial entity to redistribute their modifications to non-customers, but I just found it curious. If nothing else, I'm surprised they don't link to the (descriptions of the) licenses themselves.

On a vaguely related note, if it turns out that this company is purely on the straight and level with regard to the GPL and other OSS licenses, I'd like to mention that I'm v

Re:You don't know they are in violation

[mysidia (191772)]

This is not entirely true.

For commercial distribution, the source has to either be included with every copy of the binary, OR the GPL requires a written offer which to any third party, including third parties who are not their customers.

If they chose option (b) for distribution of their source code, then they do have to give something to non-customers, in order to avoid violating the GPL.

That way their customers can re-distribute the binaries and pass along the offer to others.

See the GNU General Public license version 2 section 3.b: b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

You've achieved your desired goal

[Bruce Perens (3872)]

You got your concern on the front page of Slashdot. That means that the company will make sure they're doing everything right, because all of their customers are going to ask them about it now.

That said, it's not at all clear that you had anything to complain about. If SFLC won't help you for the reason you gave, that means you don't have any standing in the matter. You can't sue anyone about it. So, there's not much use in complaining.

IMO, you should make real sure that you at least own the copyright of your own work before you contribute any more.

Bruce

Re:

[QuantumG (50515)]

Dunno why you're replying to me instead of the OP but seeing as you are, I don't think he has no legal standing.. if he has been contributing code and not signing it over, then he owns the copyright on the work, period. The SFLC might not be interested because there are other contributors to the work and they'd have to get everyone together to have a strong case, but I don't think the OP even bothered to contact the SFLC.. everything he's said has the ring of a complete lack of research.. especially seeing

Re:

[Bruce Perens (3872)]

Dunno why you're replying to me instead of the OP

It's slashdot strategy. If late to a discussion, a reply to a high-ranked post will apppear higher than a reply to the article. But yes, it's really a reply to the article.

if he has been contributing code and not signing it over, then he owns the copyright on the work, period.

SFLC appears to have treated him as if he did not have a very significant portion of the program under his own copyright. I know that they have represented other authors who did not ow

Re:

[QuantumG (50515)]

Well, FSF have advised me in the past that any copyright is defensible, no matter how small it is in comparison to the rest of the work. Of course, if I asked them to defend me they would ask if I can assign them the entire copyright for the entire work and when I said no they'd bow out. That's just *their* policy, and one the SFLC has inherited it seems (which means it really was Eben Moglen's policy), but it doesn't mean you *can't* sue. I expect it is a cost saving measure. If you don't have copyrigh

Re:You've achieved your desired goal

[Rary (566291)]

Ya know, for folks like you Bruce there should just be an automatic moderation of +10 "well known and trusted to be insightful and informative" to any post you make...

They should just give him his own personal karma rating.

"Karma: I'm Bruce fucking Perens".

Re:

[Bruce Perens (3872)]

I pointed to your comment only because _after_ more information was made available, it didn't seem so insightful

But it did get the original article author to give us the missing information :-)

The problem with being held very highly by some folks is that if some day they decide they disagree with me, I immediately go to the opposite pole and they consider me to be evil incarnate. Fortunately, most of them grow up eventually. I'd be most happy to be accepted as an often-knowledgable human being with faults.

Re:

[Sortova (922179)]

The history of OpenNMS is pretty long and convoluted. It was started by a company called Oculan, and I was an employee of theirs when they decided to stop publishing their code under the GPL. I wanted to keep the project alive, and thus I took over maintaining the code in 2002. So all of the original "1.0" code is copyright Oculan (and that IP is now owned by Raritan) while almost all of the other changes are copyright "The OpenNMS Group". Both companies are commercial entities, although OpenNMS is never li

Re:

[Ranger Rick (197)]

"So what's all this then? [cittio.com]"

Well, that link says they're running OpenNMS 1.0.2, which, given the questions Cittio employees have asked on the OpenNMS mailing lists in the past, seems very unlikely (although technically possible). If they *are* using 1.0.2, they very likely *have* made modifications, 'cause that code has plenty of bugs that have been fixed in later OpenNMS releases. ;)

One thing that Tarus didn't really mention is that we (The OpenNMS Group) have had a few folks come to us wanting quote

Re:

[LingNoi (1066278)]

Do you seriously not know what distribution and re-distribution means? It has nothing to do with money.

Re:

[Azh Nazg (826118)]

question: who defines distribution?

answer: whoever has more money

-- Anonymous Coward

The GPLv3 is much, much more specific about that. Specifically:

c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license

Re:

[tjstork (137384)]

The GPLv3 is much, much more specific about that. Specifically:

Yeah but what if the work is licensed GPL V2?

Re:

[QuantumG (50515)]

They don't have to provide this information on the website.. they have to provide it to their customers or whoever they actually distribute the software to.

the author states that there may be other files not being listed.

He also states that he is not a customer and hasn't spoken to any customers.

Asked before -- the answer is the same

[whoever57 (658626)]

If you want legal advice, get a lawyer.

Additionally

[einhverfr (238914)]

In addition to getting a lawyer, you also want to get other OpenNMS copyright holders (particularly the commercial companies) in the loop. This helps increase the leverage and the resources available to fight. And they will bring in more lawyers, in all liklihood.

Re:

[creimer (824291)]

The RIAA doesn't know that their lawyers are looking for jobs on Slashdot. :P

Check out the SFLC guidelines.

[Estanislao Martínez (203477)]

The SFLC's Legal Issues Primer for Open Source and Free Software Projects [softwarefreedom.org] covers this. You probably want to give it a read.

Still, if it's really important, ask a lawyer, don't ask Slashdot.

Re:

[Protonk (599901)]

You you really listen to legal advice on slashdot? I wouldn't. I would not listen to advice that came from someone where I had no means of verifying their credentials, no recourse if they were wrong and no good way to show people later that I operated in good faith.

Re:

[Protonk (599901)]

That's a pretty fair response. I didn't even think of it that way. I guess slashdot could be considered a wikipedia type starting point for some more particular questions like that even if it does seem very much based on the luck of the draw.

Re:Check out the SFLC guidelines.

[42forty-two42 (532340)]

They wouldn't dare admit it, for fear of being held liable for it as legal advice.

Re:

[Kjella (173770)]

Oh, I've seen several lawyers here but they always point out that they're not your lawyer and that this is not legal advice. Can't really blame them either, if someone took a fairly unqualified slashdot post and applied that uncritically as legal advice in a specific case I wouldn't want to stand responsible for it either. It'd be like taking a doctor's general advice and applying it as your personal medical diagnosis, what's in general good advice may not be for you.

Bye bye my application

[icepick72 (834363)]

I understand the joy of coding and excitement of creating your own applications for free, but I can never understand how programmers stand to watch their creations being usurped for commercial purposes. Whether it's abiding by the GPL or not, somebody else is making money from your creation. You would think the original programmer would have the wherewithal to market their own creation instead of leaving it for someone else. Even if you don't take the money for yourself, donate it back to the FSF or to another worthwhile cause. Maybe it's a case of lack of resources to start your product running. Maybe we need a group that can fill this niche for open source products. Maybe they already exist. If so I'd like to see discussion about it.

Re:Bye bye my application

[QuantumG (50515)]

Cause selling a solution is just as much, if not more, work than creating one?

And it is something that is done by sales people, not programmers?

Re:

[mOdQuArK! (87332)]

Also, most solutions aren't going to be "perfect" for everyone, and if you're a demonstrably good programmer, you can contract your services at fairly healthy price levels to provide all sorts of custom solutions to the people who really like your open source software, but just want "a few tweaks".

Re:

[Improv (2467)]

So long as they're not making it proprietary, what's the problem? We can both destroy markets and help the world by opening our source, and that's pretty awesome. If someone happens to make some money (maybe consulting, whatever), so be it.

Re:

[theophilosophilus (606876)]

So long as they're not making it proprietary, what's the problem? We can both destroy markets and help the world by opening our source, and that's pretty awesome. If someone happens to make some money (maybe consulting, whatever), so be it.

Why is destroying markets a good goal? I think a better choice of words would be "revolutionize" or "reinvigorate." OSS doesn't destroy a market - it just makes it more competitive. See this post [slashdot.org].

Re:Bye bye my application

[GrahamCox (741991)]

You would think the original programmer would have the wherewithal to market their own creation instead of leaving it for someone else

Why would you think that? People are usually good at some things, not at others. I think it's very likely that a person good at programming and software design wouldn't necessarily be good at (or even interested in) running a business, accounting, marketing, all the legal stuff, etc. It's also very hard to find people to come in with you who are, based only on your software/coding expertise. I speak from experience.

Re:

[cbhacking (979169)]

Considering how many programmers have trouble just covering all the tasks that go into producing a polished product (I'm terrible at user interfaces, for an extremely broad example - I'm far more comfortable with back-end code), I'd be amazed if even 10% of programmers who try to develop and market their own product get anywhere. I suppose there must be exceptions - Irfanview is a great program that AFAIK is backed by only one person (it's distributed for free and source isn't available, however; this proba

Re:

[fr0st0 (1250426)]

I agree [GrahamCox]. Also, the ultimate underlying motivation of the programmers and the GPL, CCL, etc. is to increase information. Open and Free programmers are like anyone else in that they do what they do for a multitude of reasons (social, relative notoriety, etc. [see the first few chapters of 'Wealth of Networks']) but at the end of the day it all serves to expand the knowledge horizon of everyone, indirectly or directly. That combination of selfishness(in that more information benefits you) and

Re:Bye bye my application

[wolf87 (989346)]

I recently developed a small package of statistical tools & made it available under lesser GPL. I made the decision to open-source it for several reasons. First, I wanted to make it easily available to other researchers wrestling with the same problem I was. Second, I wanted to see if anyone could take what I had done and extend it into a better set of tools. Third, having it freely available, code and all, helps to get my name out there and build my reputation. There are plenty of reasons to put out applications without making money from it.

Re:

[jmv (93421)]

So by this reasoning, Linus should be crying night and day because people and companies are making billions from using/selling Linux?

Do a little digging yourself, get a lawyer

[cbhacking (979169)]

First issue: are you SURE they're in violation? This could be as simple as calling their support line and asking how you can get the source code (this assumes you've confirmed that GPLed code is included). If you can't get to the support people without being a customer, search their website for any indications and/or try and get a demo.

Once you're reasonably sure they're in violation, consult a lawyer who knows IP law, preferably one familiar with the GPL in particular. Even on Slashdot, I'm not going to try giving you advice beyond that. It's not cheap, but there's a decent chance of getting legal expenses awarded in court.

Re:Do a little digging yourself, get a lawyer

[cbhacking (979169)]

Oh, and document EVERYTHING. Every email, every phone call (you may need to tell the other party if you record the call, I don't know the law in your area), every letter, every step of your research. I'm guessing a single subpoena would get all the evidence you need, but no point taking risks when money is at stake (as it will be if this goes to court).

Re:Do a little digging yourself, get a lawyer

[QuantumG (50515)]

He's already screwed himself by posting to Slashdot. If he is lucky Cittio will just ignore him. If he's not, they'll probably sue him for libel. His only defense then will be to show that he is right, and that will be pretty hard to do after Cittio have cleaned up any discrepancies they might have had in their distribution.. which they are sure to do before calling the lawyers.

Post it on slashdot!!!

[syousef (465911)]

1. Write GPL software
2. Discover GPL software license has been violated
3. Post all over slashdot asking legal advice
4. Whine about why no lawyer will touch your case with a barge pole
5. ????
6. Profit

If you're in a situation that might need a lawyer, contact one. Asking for help on /. is going to do your case more harm than good.

This is well documented already!!!

[jamesh (87723)]

The instructions for what to do if you think you have found a gpl violation are here [fsf.org]. There is no mention of posting to slashdot on that page. There is a mention of checking your facts first... some companies get a bit cross (eg they'll take you to court) if you write anything bad about their product which isn't completely true. (i'm not saying it isn't, i'm just saying you don't appear to have done your homework yet).

Contrary Opinion

[Brandybuck (704397)]

When you place something into a public commons, other people will take advantage of it without contributing back. That's the nature of reality. There's even an economic term for this: the tragedy of the commons. The core of the FSF's philosophy is that software should not be owned, but that it should be a public common. By using the GPL you are implicitly agreeing with this. That is fine, so long as you know what you are getting into. But to get all pissy after the fact that someone is taking advantage of w

As has been said: They don't have to give the code

[Anonymous Freak (16973)]

...out on the web. Nothing in the GPL says that a licensee has to freely offer the code to absolutely anyone free of charge, to anyone that asks, in the manner the asker chooses. It says that they have to offer the code, in a manner of their choosing to anyone that asks.

In a commercial hardware product, that means that the company can insist on only distributing the code by sending it to you as a bunch of floppy disks, for all the GPL cares.

Now, once someone has the code, that person can then re-distribute the GPLed code however they feel.

One example: My Toshiba HD DVD Player [toshiba.com] (don't laugh, it was a present,) contains GPL code. Toshiba doesn't make this fact obvious. It's buried in the manual for the product. Toshiba doesn't make the code available on their website, because they're not required to. To quote the GPL 2.0 that my Toshiba uses:

b) Accompany it with a written offer, valid for at least three
        years, to give any third party, for a charge no more than your
        cost of physically performing source distribution, a complete
        machine-readable copy of the corresponding source code, to be
        distributed under the terms of Sections 1 and 2 above on a medium
        customarily used for software interchange...

The internet isn't the only medium customarily used for software interchange. And they are allowed to charge a reasonable fee for duplication and distribution. (See GPL section 1.) If they really felt ornery, they would be perfectly within their rights to charge you for the physical cost of a bunch of floppies, and the time (at minimum wage, or even higher,) some flunky had to spend copying onto those floppies.

Re:As has been said: They don't have to give the c

[Bill, Shooter of Bul (629286)]

I think the time for floppies has passed. They are no longer customarily used to distribute software. But they could buy a hard drive and put the code on it and charge you for it.

Re:As has been said: They don't have to give the c

[jamesh (87723)]

In a commercial hardware product, that means that the company can insist on only distributing the code by sending it to you as a bunch of floppy disks, for all the GPL cares.

This goes against the spirit of the GPL.... To take your example to the extreme, suppose that they made the code available via 3of9 barcode in printed format? stone tablet (mailed to you via overnight delivery at your expense)? 8" floppy disks? download via modem @ 300bps at $19.95/minute? Maybe stone tablets aren't machine readable but