German Court Finds Fantec Responsible For GPL Violation On Third-Party Code

ectoman writes "Are firms responsible for GPL violations on code they receive from third parties? A German court thinks so. The Regional Court of Hamburg recently ruled that Fantec, a European media player maker, failed to distribute 'complete corresponding source code' for firmware found in some of its products. Fantec claims its third-party firmware supplier provided the company with appropriate source code, which Fantec made available online. But a hackathon organized by the Free Software Foundation Europe discovered that this source code was incomplete, and programmer Harald Welte filed suit. He won. Mark Radcliffe, an IP expert and senior partner at DLA Piper who specializes in open source licensing issues, has analyzed the case—and argued that it underscores the need for companies to implement internal GPL compliance processes. 'Fantec is a reminder that companies should adopt a formal FOSS use policy which should be integrated into the software development process,' he writes. 'These standards should include an understanding of the FOSS management processes of such third-party suppliers. The development of a network of trusted third-party suppliers is a critical part of any FOSS compliance strategy.'"
  • by Anonymous Coward on Tuesday July 30, 2013 @11:14AM (#44424691)

    So they got caught violating an oss license? (TBH they were just being lazy by relying on their supplier's word. You've got to know and own the product you sell.)

    Imagine how much shit they'd be in if they'd been caught violating copyright on a piece of closed source software. Ask anyone who's dealt with the BSA to comment on how friendly and fair they are.

    • by datajack ( 17285 )

      I was going to say pretty much the same thing. I would imagine that Fantec are now looking to sue whoever supplied those components to them.

    • by Anonymous Coward on Tuesday July 30, 2013 @11:40AM (#44425111)

      Actually at the core of the issue here is not really the GPL. At the core is that they got the code from another company and relied on that company adhering to the license.

      Basically the ruling says that when you got the code from a third party, you cannot rely on the third party acting correctly when determining whether your use of the code complies with the license. If the third party violated the license (in this case, by not providing the complete source code), it doesn't protect you from the responsibility of checking the correct licensing yourself when redistributing the code.

      That it was about GPL code is only tangential to the issue (although it's almost certainly the reason why it ended up on Slashdot).

      Basically the scheme is the following: A gives code to B under a given license. B then gives the code to C in a way that violates A's license. C relies on B having followed A's license and figures out that redistribution in a certain way would not violate A's license. However since B's analysis rests on the false assumption that B complied, it turns out that C's redistribution of the code also violates A's license. But with a closer inspection, C could have found out that B didn't comply. The court ruling now says that C is responsible for violating the license.

      Here A is whoever owns the copyright for the code in question, B is Fantec's firmware supplier, C is Fantec, the license is the GPL, and the violation is not distributing the complete corresponding source code.


      • Also the issue that this ruling will have no weight in other countries. It may not even be used consistently in other German states.

      • Did you ever sell a car? A microwave? A cellphone? A watch?

        All of them contain software. I damn well hope you obtained all the source code for their software and had it fully checked for all license compliance, as otherwise you are responsible in exactly the same way. The people who SOLD the non-compliant software ORIGINALLY should be responsible, however that's not what's being done here.

        THAT is why this is bad, for everyone.
        In fact the GPL doesn't even require you to sell it, is lending your car to someone distrib

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      While I agree with what you're saying and I think the decision is correct, the problem is that when companies read articles such as this, all they see is, "If we use open source, we could get sued and screwed for something a third party did."

      It makes the use of GPL licensed software appear unpredictably dangerous. And there's no getting around that.

      • It also gives GPL fanatics an incentive to sneak GPLed code into stuff they supply other developers, then tipping off the original licensor.

      • by amorsen ( 7485 )

        Using code at all is unpredictably dangerous. In most cases, it is impossible for someone to prove that a particular piece of software does not incorporate any unlicensed third party code. Software patents make it all even murkier. Such is life with "intellectual property".

        If you compile the software yourself from source, you have at least some chance at finding violations yourself. On the other hand, if you get handed a binary blob to redistribute, you better have a very trustworthy supplier.

      • by tlhIngan ( 30335 )

        While I agree with what you're saying and I think the decision is correct, the problem is that when companies read articles such as this, all they see is, "If we use open source, we could get sued and screwed for something a third party did."

        It makes the use of GPL licensed software appear unpredictably dangerous. And there's no getting around that.

        To be honest, businesses should be putting open source under the same scrutiny they have for commercially licensed software as well.

        Some actually have, imposing

    • Re: (Score:2, Informative)

      by Anonymous Coward

      How did this get modded insightful?

      Yes, they should follow the license for all code they use.
      No, this would not have been an issue if they had used code under BSD.
      Yes, if I had a company that was producing code based on OSS, I'd be making sure I was using BSD licensed (or one of the other more liberal licenses).

      It's a simple matter of risk, BSD licensed code is less risky for companies to use. That's not good or bad, it just is.

      • Yes, they should follow the license for all code they use.
        No, this would not have been an issue if they had used code under BSD.

        The problem is that Fantec received code from a third party. If the third party told them correctly what license applied, and Fantec acted accordingly, they would have been fine. If the license had been BSD but the third party lied and Fantec acted accordingly, they would have been fine most likely. If the license was GPL (as it was in this case) or proprietary, the supplier lied, and Fantec acted on the false information (which they did), obviously there was trouble.

        But the problem isn't GPL; the problem is not being told which license applied and acting wrongly because of that false information.

      • Yes, with BSD you would have ended up in exactly the same case: you still need to comply with third-party code licensing terms. What, but trolling, makes you think otherwise?

    • Re: (Score:3, Interesting)

      Comment removed based on user account deletion
      • What I personally don't get when it comes to these cases is...why? Why would you bother taking the risk of using GPL code when you aren't a FOSS company and risk possible lawsuits like this? If you don't want to be a FOSS company there is BSD and there are plenty of proprietary solutions, so there is really no damned point in taking the risk when your company isn't a FOSS based company.

        They are not in the electronics manufacturing business, they are in the relabeling Chinese crap business. They don't care about licenses shmihences until you poke them with a very sharp stick. The Chinese also don't care about licenses and WOULD provide all the source code (they already do to their own Chinese partners) if that was the requirement.

      • It probably wouldn't have cost them as much as most likely it would have been settled out of court without the need for lawyers and court fees, the BSA just wants to get paid after all and will negotiate, whereas with the GPL there is NO negotiation nor compromise because like it or not that is the way RMS designed the license.

        Nonsense. With the BSA it would have cost thousands in licensing fees as they dug into the entire company. The vast majority of GPL-related incidents are resolved out of court.

        What I p

      • by sjames ( 1099 ) on Tuesday July 30, 2013 @01:47PM (#44426827) Homepage Journal

        Why would you take the risk of using proprietary code? Most proprietary vendors have lawyers on retainer and tend to be less forgiving of violations.

        If you read TFA you'll see that this is not their first time violating the GPL on the plaintiff's code. The first time, they were allowed to correct the error and sign an agreement that they wouldn't let it happen again. There was a monetary penalty attached to further violations. They did, in fact, violate the licence on the same software AGAIN. They were offered the opportunity to correct the error, pay the agreed upon penalty and call it good, but they refused. Then and only then did they get sued.

        How often do you get one for free when violating a proprietary license?

        The fact is, most of the time GPL authors will be satisfied if you simply correct the error that they point out. Particularly if it looks like it was simply an error.

      • by amorsen ( 7485 )

        It probably wouldn't have cost them as much as most likely it would have been settled out of court without the need for lawyers and court fees, the BSA just wants to get paid after all and will negotiate,whereas with the GPL there is NO negotiation nor compromise because like it or not that is the way RMS designed the license.

        The vast majority of GPL violations get handled out of court. Anecdotal evidence seems to suggest that the payment in most cases is zero.

        Most actual court cases around GPL software seem to be brought by Harald Welte, and he in particular settles almost all cases outside court.

      • by tibit ( 1762298 )

        There is zero risk if you comply with terms of the license. Is that so hard to understand?

    • In some businesses being forced to open your code could be much more damaging than even the largest copyright settlements.

  • Err - what? (Score:5, Insightful)

    by queazocotal ( 915608 ) on Tuesday July 30, 2013 @11:17AM (#44424731)

    'A german court thinks so'?
    Under very few legal codes is it OK to distribute something that you do not have the appropriate copyright/licence.
    Even if you don't investigate properly to find out if you do or don't, that doesn't get you off the hook.
    It may alter the penalties, but the fundamental legality isn't really in question, pretty much anywhere.

    Raising 'GPL' is a red herring here - 'Oh - I didn't realise that machine had an unlicenced copy of Windows on it' - is exactly the same case.

    • I seem to recall a German court doing the same thing with MP3 licencing and Microsoft about 10 years ago. They licenced it from someone who did not have the rights, and MS got fined, not the supplier. At least they're consistent.

    • by Bogtha ( 906264 )

      Under very few legal codes is it OK to distribute something that you do not have the appropriate copyright/licence.

      Distribution is fine. It's copying that is restricted by copyright.

      For example, I can go and buy a game in a box from a shop. I then give you that game. I'm distributing the game, but I am not copying it. Copyright doesn't stop me because copyright is for copying, not distribution.

      Why does that matter? Well consider this: what happens when I buy a machine with GPL software preinst

  • by drdread66 ( 1063396 ) on Tuesday July 30, 2013 @11:18AM (#44424761)

    A previous employer of mine really really really wanted to offer FOSS support & products as part of their lineup. In the end, the lawyers won, as they couldn't craft a policy that would allow anyone other than a lawyer to make the decisions. This was mostly for GPLv2 and v3, but they got the dev managers completely wound up about all the license types. Mostly this resulted in the company punting on the FOSS idea.

    It's not terribly surprising that some small outfit decided to outsource the responsibility, assuming they were in a similar "analysis paralysis" situation. Too bad they did not understand the intent of the licenses and just "do the right thing."

    • by HornWumpus ( 783565 ) on Tuesday July 30, 2013 @11:35AM (#44425049)

      Compliance is easy. Never even look at GPL code. If it's not under BSD, don't touch it.

      • Compliance is easy. Never even look at GPL code. If it's not under BSD, don't touch it.

        I'll stick with my Linux instances, running GCC compiled code thanks very much. If you want to make your job harder and more expensive, feel free and I'll try to poach your customers.

      • Compliance is easy. Never even look at GPL code. If it's not under BSD, don't touch it.

        That is completely idiotic in this context. The problem wasn't that the company used GPL code and didn't comply with the license. The problem is that they bought code from another company, they believed that they had all the copyrights, and the company that sold the code cheated them.

        That can happen with proprietary code as well, as Microsoft found out when a company sold them lots of video code that they had originally written for Apple, and to which Apple had the copyrights.

        • No. They bought code from another company, knowing it was GPL. The source the other company supplied was incomplete.

          Had they bought code, knowing it was BSD this would never have been an issue.

          • Had they bought code, knowing it was BSD this would never have been an issue.

            But how do you know what is in the code if you don't examine it? It could still contain GPL-ed code, or code copied from a competitor by an industrial spy.

          • No. They bought code from another company, knowing it was GPL. The source the other company supplied was incomplete.

            And had Fantec dealt with the issue properly when it was first brought to their attention, this would not have gone to court.

            Fantec had the opportunity to do the right thing but decided instead to risk the court ruling against them.

          • by sjames ( 1099 )

            Or if they had appropriately specified a deliverable in source form that they then ran make on to produce the binary firmware.

            So you're saying that if they had told the same 3rd party that delivered mis-matched source and binary for some reason to stick to BSD they would have magically become competent and not included any GPL or proprietary code anyway?

      • It's not that easy. You have to make sure that the BSD code is not taken from a GPL project, which is essentially what happened in this case (although it was proprietary code taken from a GPL project). You have to audit the code to make sure the person who gave it to you is telling the truth (even if they are honest, they might not realize where code was given to them).
        • In the real world it works the opposite.

          The BSD code is quite legally incorporated into a GPL project.

          Later a GPL zealot finds the code in a commercial project and runs around like a chicken with its head cut off. Later still it's explained to them what happened and they disappear, never to apologize. Rinse, repeat.

          • Later a GPL zealot finds the code in a commercial project and runs around like a chicken with its head cut off. Later still it's explained to them what happened and they disappear, never to apologize. Rinse, repeat.

            If this happens so often you'd have an actual, concrete example of this happening, right?

      • by Belial6 ( 794905 )
        Don't forget to hire a soothsayer to vet all of your code, as the foundation of this case is that Fantec did not check what license the code was under. If they had, they wouldn't have been in violation.
    • by qbast ( 1265706 ) on Tuesday July 30, 2013 @11:35AM (#44425051)
      But they magically understand proprietary licenses? And somehow the fact that every proprietary license is different and may contain different pitfalls is not a problem?
      • by suutar ( 1860506 )
        no, but proprietary licenses are already in a "lawyer must make decision" state and everyone's used to it.
        • by MobyDisk ( 75490 )

          It is not a common practice to have lawyers involved in software tool decisions. I have worked as a software engineer and consultant for companies ranging from 3 employees to Fortune 500s. None of them ever had lawyers review software licenses.

          At my most recent job at a Fortune 500, I reported 2 cases where we were completely ignoring licenses: one was a click-through that said I agree to allow the company logo to be used in their marketing. Naturally, I have no such authority and putting that in a click

      • I remember reading that the GNU GPL is a license, not a contract [lwn.net], and that most proprietary software is accompanied by both. My vague understanding is that lawyers aren't familiar enough working with the GNU GPL's 'bare license' situation.
        • I remember reading that the GNU GPL is a license, not a contract, and that most proprietary software is accompanied by both. My vague understanding is that lawyers aren't familiar enough working with the GNU GPL's 'bare license' situation.

          That's very unlikely. Legally, it is quite trivial: GPL allows you to do certain things. So you check: Is your use allowed either by copyright law, or by the GPL. If yes, then you're fine. If not, don't use it.

          The GPL says roughly "you may do X if you do Y". Because it's no contract, it means if you do X without doing Y then you have copyright infringement. Without the GPL license, doing X would be copyright infringement, whether you do Y or not. If it was a contract, the copyright holder could force you

      • Ssshhhh!! The lawyers concluded that more lawyers would be required. Looks like it backfired on them.

    • The outsourcing is what got them into trouble in the first place. They got both a binary and sources from their supplier and assumed that those two matched, without verifying that by doing the build themselves.
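The two comments above (this one and sjames's earlier point about running make on a source deliverable to produce the binary) describe a concrete check: a distributor should be able to rebuild the shipped firmware from the source it publishes, and every component compiled into the image should be present in that source. The following is an added example, not code from the original thread, Fantec, or FSFE, that implements both checks in Python on constructed data. It assumes the supplier's source tree uses `<name>-<version>` directory names, identifies components through version banners embedded in the binary (a heuristic, the same idea as running `strings` over an image), and uses constructed sample banners, paths, and version numbers throughout; `libfoo` is a made-up component included only so that the check has something to report.

```python
"""Added example: a two-part "complete corresponding source" check for a
firmware image, run offline on constructed sample data.

Check 1 - component coverage: version banners found in the shipped binary
must each have a matching <name>-<version> directory in the delivered source.
Check 2 - rebuild comparison: an image rebuilt from the delivered source is
hashed and compared with the shipped one.

Assumptions (not from the original page): the supplier's source tree uses
<name>-<version> directory names, and the sample image, banners and paths
below are constructed for this example.
"""
from __future__ import annotations

import hashlib
import re

# Heuristic banner pattern: "<name> v1.2.3" or "<name> version 1.2.3".
_BANNER_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9_-]{2,}) (?:v|version )(\d+\.\d+(?:\.\d+)?)")
# Source directory pattern: "<name>-<version>" (assumed naming convention).
_SRCDIR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)-(\d+\.\d+(?:\.\d+)?)$")

# Constructed sample firmware image: an ELF-like header, filler bytes, and
# three version banners of the kind that get compiled into real binaries.
FIRMWARE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 32
    + b"iptables v1.4.21: no command specified\x00"
    + b"libfoo version 2.3.0 (constructed sample banner)\x00"
    + b"Linux version 3.4.0 (constructed sample banner)\x00"
    + b"\x00" * 32
)

# Constructed member list of the supplier's source tarball: iptables and the
# kernel are delivered, the made-up libfoo is not.
SOURCE_DELIVERY = [
    "firmware-src/Makefile",
    "firmware-src/iptables-1.4.21/Makefile",
    "firmware-src/iptables-1.4.21/iptables.c",
    "firmware-src/linux-3.4.0/Makefile",
    "firmware-src/linux-3.4.0/kernel/sched.c",
]


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def binary_components(blob: bytes) -> set[tuple[str, str]]:
    """(name, version) pairs identified from version banners in the binary."""
    found = set()
    for text in extract_strings(blob):
        for m in _BANNER_RE.finditer(text):
            found.add((m.group(1).lower(), m.group(2)))
    return found


def source_components(members: list[str]) -> set[tuple[str, str]]:
    """(name, version) pairs from <name>-<version> directories in the delivery."""
    found = set()
    for path in members:
        for segment in path.split("/")[:-1]:  # directory components only
            m = _SRCDIR_RE.match(segment)
            if m:
                found.add((m.group(1).lower(), m.group(2)))
    return found


def missing_corresponding_source(blob: bytes, members: list[str]) -> list[tuple[str, str]]:
    """Components compiled into the binary with no matching source directory.

    A name delivered at a different version also shows up here, because the
    corresponding source must be the version that was actually built.
    """
    return sorted(binary_components(blob) - source_components(members))


def rebuild_matches(shipped: bytes, rebuilt: bytes) -> bool:
    """True when the image rebuilt from the delivered source is byte-identical
    to the shipped one. A mismatch is a signal to investigate (toolchains and
    embedded timestamps often differ), not proof of missing source by itself."""
    return hashlib.sha256(shipped).digest() == hashlib.sha256(rebuilt).digest()


if __name__ == "__main__":
    print("components in binary:", sorted(binary_components(FIRMWARE_IMAGE)))
    print("missing source:", missing_corresponding_source(FIRMWARE_IMAGE, SOURCE_DELIVERY))
    # Stand-in for a real rebuild: compare the shipped image against itself.
    print("rebuild matches shipped image:", rebuild_matches(FIRMWARE_IMAGE, FIRMWARE_IMAGE))
```

On the constructed data the coverage check reports `libfoo 2.3.0` as compiled in but absent from the source delivery, which is the kind of gap a rebuild from the published source would also expose, since the build could not produce that component at all. In practice the banner heuristic is a first pass; a real audit also compares the file list and build scripts against what the binary links, and treats a hash mismatch on rebuild as the start of an investigation rather than the verdict.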

    • by sjames ( 1099 )

      If you think FOSS licensing is confusing, try a proprietary license where even just using the software internally can lead to liability and they're not going to let you go if you say you're sorry and won't do it again.

  • by Anonymous Coward

    Shit like this. No wonder everything's going BSD.

    Did anyone try to work things out with the company?

    All stuff like this does is make people afraid of open source.

    And why does it seem that all these troublemakers are from Germany?

    • by raymorris ( 2726007 ) on Tuesday July 30, 2013 @11:31AM (#44424981) Journal
      It appears that when asked to comply with the license by posting the code they actually used, the company lied and said they weren't using iptables.
      Contrast that to when I pointed out to Plesk that they were violating the Apache license. They very quickly apologized and posted the code, putting an end to the issue. All they needed to do is post the code that they compiled in order to come into compliance.

      The court opinion is six pages, I'm guessing three of those are boilerplate. Are there any fluent speakers of German who can read through it and tell us the facts as expressed by the court?
      • by Kjella ( 173770 )

        The court opinion is six pages, I'm guessing three of those are boilerplate. Are there any fluent speakers of German who can read through it and tell us the facts as expressed by the court?

        The court didn't really go into much of anything, in short it concluded that the source was incomplete which means no rights were granted by the GPLv2 which means their distribution was a copyright violation. That they didn't know about it seems entirely irrelevant to the ruling. In fact it's so totally absent that going by this ruling you might think that if your copyright is violated, you can sue every mirror and every one of them would be guilty, no matter how much good faith belief they might have it's

    • by jedidiah ( 1196 ) on Tuesday July 30, 2013 @11:35AM (#44425037) Homepage

      > Shit like this. No wonder everything's going BSD.

      You wish.

      While it sounds like a silly juvenile retort, it really is the case.

      Why would anyone with a pathological need to "win in the market" or "be associated with the cool brand" bother with BSD to begin with?

      > Did anyone try to work things out with the company?

      No. People just like to litigate for fun. They like to waste the money.

      Don't be such an idiot. If anything gets in front of a judge it's because one or both sides refused to compromise. The FSF has a long history of quickly dispensing these things by allowing the offending party to come into compliance.

    • Yes, Fantec was approached in an effort to work it out.
      Their initial reaction was to deny everything.
      When confronted with undeniable proof, they simply blamed a contractor and said that they were not responsible.
      ...at least, that's what the articles I read reported.
      At that point, what options are left?
    • Shit like this. No wonder everything's going BSD.

      so insightful, all those millions and millions of BSD based smartphones.

    • by sjames ( 1099 )

      Did you even try to read TFA?

      If you had, you'd know that this is the second time they have violated the license on that code and that the first time they were allowed to simply correct the error and sign an agreement not to do it again with a penalty to be paid if they did. You would also know that they DID do it again and were offered an out of court settlement where they (again) correct their error and pay the agreed upon penalty. You would finally know that they refused that offer and then (and only the

  • A third-party firmware supplier could also supply you something that included copyrighted code under some other license (doesn't have to be a free software/open source one) without meeting the requirements of the license. And you would distribute that infringing on the copyright.

    Of course if the source code isn't supplied it's harder for the copyright holder to find out.

  • It looks like there is an attempt to make an example of this company when perhaps mediation would have been a more suitable approach, given they attempted to comply but failed procedurally rather than pursued a policy of wilful evasion.

    • Probably. This isn't the first time this has happened. They aren't the first company to fail to audit code their suppliers provided. At some point you have to stop and say "OK, by this point everybody ought to know what they need to do. It's been in the news enough that nobody can claim it's not well-known. So from here on out, no more excuses. No more passing the buck. You know what you need to do, do it or accept the consequences.". If you don't, the failures won't be addressed.

  • Shouldn't any company including any third-party code in their products already have a process in place to make sure that code's all properly licensed and they're in compliance? This isn't about GPL or FOSS code. If one of your suppliers includes proprietary code in the firmware they supply to you that isn't properly licensed or you aren't following the license terms don't you have the same problem?

  • 3rd party code is a fucking disaster no matter where you get it, who wrote it, or who sold it to you. When my company needed a supplemental CRM utility, I wrote it. It works perfectly and is still on version 1.0.0. Our current CRM software is so poorly laid out and coded that the people responsible would get a D if they're lucky in my 2-year technical college advanced programming course. I got the only perfect 105% score in that class in the college's history. What's the difference? In labor hours, i
  • 'Fantec is a reminder that companies should adopt a formal FOSS use policy which should be integrated into the software development process,' he writes. 'These standards should include an understanding of the FOSS management processes of such third-party suppliers. The development of a network of trusted third-party suppliers is a critical part of any FOSS compliance strategy.'

    Or, they could just say "that's too much hassle, let's stop being involved in FOSS development".

  • If they were given the code that was under the GPL under conditions that diverged from the GPL, then they are only in violation of the GPL if they further distribute it under different conditions from the GPL.

    One analogy that I'm particularly fond of in this matter is that if you receive a counterfeit bill and you somehow become aware that it is counterfeit, if you still try to spend it knowing that it is counterfeit, you are actually breaking the law. If you don't know that it's counterfeit, you aren't

  • Being ignorant about what code you're building a product from is no one's fault but the vendor's. I agree 100% with the ruling.

    Too many people like to try to play the "I didn't know" card. You're responsible for knowing what you're distributing, especially when you're charging for a product.

    I recently worked for a company that had to completely rework a piece of their product line because one developer decided he liked a GPL'd library better than a more-free-for-commercial-use library. It cost t

  • Is a risk for a company to do. Even after posting all the code they have online for free access, they get sued.

    If it was all proprietary, no one would be in court now. Lawyers wouldn't be getting rich.

    • I see the liars are out in force today.

      Is a risk for a company to do.

      As much of a risk as any copyright violation is.

      Even after posting all the code they have online for free access, they get sued.

      Are you illiterate? They got in trouble precisely because they failed to comply with the license by blindly posting something that didn't actually work i.e. it was missing code.

      If it was all proprietary, no one would be in court now.

      Or they would be in court for violating someone else's license.
