So this very large company who shall remain nameless distributes a proprietary software development environment that includes a patched version of a certain, well-known open-source debugging tool.
The patch is to make said open-source tool support their products. It’s not even hidden or anything: the binary is sitting right there in the installation directory, it’s called the exact same thing the vanilla debugger is called and when I run it on the command line, it clearly says “patched for xyz”.
The tool in question is distributed under the GPLv2 and I need to modify it for my own project. So I sent an email to the company to request the source code for their modification, but they refuse by playing dumb and pretending they don’t understand the question. They keep telling me the source code to their IDE is not public. I keep telling them I don’t want their IDE but the source for the modified GPL backend tool they bundle with it. But no: they claim it’s part of their product and they won’t release it.
Anybody knows the best course of action to deal with this? It’s the first company I’ve dealt with that explicitly refuses to honor the GPL. I don’t even think it’s malice: I’m fairly sure the L2 support guy handling my ticket was told to deny my request by his clueless supervisor who didn’t bother escalating it. But it’s also a huge company that’s known to be aggressive and litigious, whereas I’m just one guy and I’m not lawyering up over this. I have other hills to die on.
Who should I pass the potato to? The FSF?
Check the FSF’s violations of GNU licenses page. You can also email the FSF’s licensing and compliance lab at licensing@fsf.org and our team would be happy to assist.
Thanks! I’ll do that if my last-ditch effort to knock some sense into them doesn’t work.
Don’t waste time trying to reason them. If you’re not able and willing and sue them to enforce the GPL license, the company won’t care.
You should directly informe one of the organisations mentioned previously, they may have a lawyer and experience fighting this kind of fight.
Best you can do youself is collect evidence that they’re distributing modified GPL software, and write a precise description of the issue, to help these organisations kickstart their investigation into the GPL violation.
And why leave them nameless? Name and shame. You can get multiple people asking at that point and apply more pressure.
Because I’m not interested in being sued for defamation. Even if I’m totally right and they’re totally wrong, they’ll bury me in legal fees. I’m not rich enough to afford the law.
There a simple incantation u can mutter its the same shield the press uses its called “allegedly”. Otherwise talk to the press themselves doesnt matter who even if they are fucking tiny af doesnt matter then post the link to said article everywhere.
Idk if you can say allegedly, when you’re the person doing the allegation 🤔
Not to mention, OP didn’t specify where they live. Who knows defamation law for the whole world?
Then you’d have a great defense right?
A defense you could use if you’ve already been sued?
Glad we have that law but seemingly unavoidably stacked in favor of the wealthy / those with assistants/teams/lawyers. Massive mental cost of getting involved in court for anything, one that isn’t possible to be “repaid” when you win.
(Not to discourage people who know what they’re getting into! Fight the power, if ya can)
Edit: typo
Depending on your jurisdiction, you may have anti-SLAPP laws which render a baseless defamation lawsuit against you into a blessing which you can turn around, counter sue for, and end up with a nice payday.
That entire process still needs lots of cash up front does it not?
Not necessarily cash, but definitely a bit of luck. Some lawyers, if they think a case is guaranteed to go your way, will do the work for free in exchange for receiving a portion of the damages the final judgement will award you. Even rarer, some lawyers care enough about some issues on a personal level that they’ll work for free, or reduced rates, on certain cases.
In this case, I’m not sure there are any damages whatsoever to award to OP - a “win” is forcing the company to abide by the GPL, not pay up money. The EFF and the FSF, as others have brought up, are probably the best bet to find lawyers that would work on this case for the outcome instead of the pay.
This. Sucks we can’t just say shit like it is but it’s just as easy to make it up. I’m not going to verify the claims myself but if OP said it was Vandelay Industries I might make the decision to not do business with them.
It’s a little late now since the accusation has already been made but it’s essentially legal to state verifiable facts without drawing conclusions from those facts. Still, doesn’t mean the company won’t come after you, just that they risk calling attention to the issue. Unfortunately I know of no remedy or repercussions for a company filing a baseless lawsuit.
IANAL BTW.
I’m pretty sure nobody here knows who you are. Say the name, and some of us will just make this company’s life a living he’ll by spamming them to give us the source. Win - win (except for that POS company)and you remain anonymous. What are they going to do, sue your Lemmy handle?
That’s flawed logic. The company would pretty easily know who has been emailing to request the source code for that specific tool in the timeline just before this post. The lemmy profile may be anonymous, but I doubt OP’s emails were.
Why would anyone mention anyone was emailing them? I’m talking about just doing the same without any type of other info.
Well the context was a concern about a defamation suit resulting from this post. If the company never found this post then the anonymity of the poster is irrelevant anyway. The company could easily tell who made this post based on the timing of their already existing email correspondance seeing as this is clearly not a request they receive often.
Oh, I didn’t think about it, but you’re right. That does make sense.
This is why we have journalists - worst case, take this information to some newspaper, who will likely LOVE to poke the bear.
OK, maybe that’s a little idealistic, but at least you can try, eh?
What does it rhyme with?
With Rosehip. But good news: it would appear my ticket finally made its way to the development team and to legal. They sure are taking their own sweet time like a good giant corporation dealing with a pointless single guy, but things seem to be moving in the right direction.
If they refuse again this time, considering they now acknowledged that my ticket is processed where it should be processed, I will contact the FSF, and name and shame. But for now they’re showing good will.
Good on you for doing the right thing.
Opsec
Notify the maintainer of the open source tool - they’re in the best position to push for compliance. They have the power to revoke the company’s license.
Especially talk to FSF if this “well known debugging tool” is a part of the GNU project, as FSF has the power and standing to enforce the copyrights on GNU software.
One of the worst things about the GPL and similar licenses is that they cannot be enforced by the user.
EA is also distributing a modified DOSBox but they only supply the unmodified source. Didn’t have the energy to pursue it.
That’s changeing: in the ongoing SFC vs Vizio, SFC is just a regular user: https://sfconservancy.org/copyleft-compliance/vizio.html
Even FSF updated it’s FAQ, that it’s not true anymore: https://www.fsf.org/news/fsf-to-be-deposed-in-sfc-v-vizio-updates-relevant-faq-entry
Nice!
Yeah, reach the FSF like explained in previous comments. Or maybe contact some attorney if it matters because you may face expensive litigations… Big companies are not friendly. Or maybe contact the SFC (https://sfconservancy.org/).
I’d just email the CEO, media relations, and legal (if you can get all their email addresses), inform them of their non-compliance with the GPL and ask them to resolve this swiftly before it needs to be escalated. Then if you don’t hear back in 2 business days, reply all again CCing someone they might care about: local media to their jurisdiction, the FSF, the EFF, etc.
EFF.org might have something
Ask from a security and compliance perspective of I need to see an SBOM. See if it’s in that report
I recommend contacting Software Freedom Conservancy
Conclusion of this thread:
It took a mightly long time, but the company eventually coughed up the source code. They sent me a big ZIP with an large git repo full of uncommitted changes and a bunch of comments and temp files that really shouldn’t leave the company 🙂 Clearly some engineer just zipped up the local repo on his hard disk without doing any cleanup.
So they complied with the GPL in the end. Just the bare minimum - i.e. providing the source code on request and nothing mode. I wish they put it up in their Github but they don’t want to do that apparently. I’ll clean up the embarrassing files and comments and put it up in mine.
@ExtremeDullard just publish everything, they gave it to you under GPL so you can. Sounds like they deserve all the embarrassment they can get.
Nah… It’s not a matter of embarrassing the company, it’s out of decency for the people who work(ed) there. There’s stuff like “This shit is why Stu was fired - Phil” or “Best leave this out of the repo for now as I don’t want to be included in the next round of downsizing - Tom” this would make Stu, Phil and Tom look bad and possibly hurt their careers. And it would advertise that whoever prepared this ZIP file for me didn’t bother sanitizing company confidential information out of it, possibly putting their job on the line too.
The code is GPL, and I consider the git history part of the code. The rest is inappropriate and potentially hurtful to people who didn’t do anything to deserve grief.
@ExtremeDullard You are too kind and thoughtful, they really don’t deserve you. A company is just a collection of the people who work there. Maybe the reason why they violated GPL in the first place is because Stu, Phil and Tom didn’t care about their work at all. The comments paint a picture of a toxic work environment, and again, that’s just the result of the people working there. Good people need to leave bad companies, it’s the only way to let the bad die without hurting the good.
It’s not kindness 🙂 I only made a GPL claim. All I want is the stuff that the GPL entitles me to have. The rest is off-topic and - as you say - toxic. Nobody needs the off-topic stuff in the Github repo I’ll post the GPL code to: it’s about the code, not the people or whatever drama happened at their workplace.
The thing is that they only need to release the source code to a user of their installer. Also, perhaps they got a special exception from the original author like dynamically linked Linux drivers.
No, not just the installer. Actually the installer doesn’t even matter here as its sole purpose is placing the binary. GPL applies when you make modifications to the program AND you distribute the program. GPL states that you MUST also give the source of the modified binary WHEN requested by those who got the modified program (this is very simplifying it)
I have a solution but it is going to remain unsaid here . Good day to you sir .