An especially novel aspect of this lawsuit, quoting the press release:
> This approach makes it the first legal case that focuses on the rights of individual consumers as third-party beneficiaries of the GPL.
> “That’s what makes this litigation unique and historic in terms of defending consumer rights,” says Karen M. Sandler, the organization’s executive director.
In the past, GPL enforcement has been a cause of action brought by the copyright holder. This suit is on behalf of users, as beneficiaries of the GPL. If this suit is successful, it'll no longer be necessary to prove sufficient standing as a copyright holder of GPLed code in order to enforce the license; it'll suffice to show that you're a user who wishes to make use of the rights provided under the license.
Gplv2 violations are widespread, we need much much more enforcement and more copyleft software, and this could be a huge win. Free software's main purpose should not be to be proprietarized, too much of it now is a group effort among companies to more efficiently lure users to trade their freedom for functionality.
Not just nice, it would be a huge accomplishment. Imagine being able to resurrect (as in saving from a landfill) old tablets, phones and even smart TVs, or making new ones more usable and trustworthy by flashing a lighter OS that doesn't contain adware and spyware, and can be patched to solve bugs or implement new functions (including codecs) to give the product a longer life.
Hardware manufacturers would absolutely hate such a scenario, which is why I'm pessimistic about that.
I think you're overestimating developer ability/willingness. There's a lot of hardware out there which could in theory have third-party firmware built for it, but which hasn't because it's just too niche for anyone to have bothered, or because there's insufficient public documentation.
Most smart TVs, for example, fall into both categories. There are simply too many models for a third-party firmware effort to take off, and documentation on the hardware used in these TVs is usually nonexistent. (And the hardware is often already stretched to its limits on the stock firmware -- implementing "new functions, including codecs" is likely to be impossible.)
There are many models of smart TVs, but they reuse components and software a lot. I remember rooting my Samsung TV with a universal exploit that worked across something like several years of models.
I think you're underestimating the tenacity of hobbyists. Some people hack every device they own, then release the software they wrote to do so; it only takes one or two of these people to write the drivers for a few dozen devices, and then they all run Debian.
Isn’t that the idea of the “TiVoisation” clause in the GPLv3? Basically, TiVo released their Linux derivative code, but you couldn’t actually flash your version. The problem is that Linus is staunchly against the GPLv3
> The problem is that Linus is staunchly against the GPLv3
No he isn't. He is unable to relicense the kernel. Whenever he's interviewed on the subject it is always in relation to kernel development. He doesn't control the copyright on the entire codebase and there are too many contributors, some dead, for anyone to get copyright assignment sorted out.
You are right that he can't unilaterally relicense the kernel and that it will likely never happen, but Linus is in fact against the GPLv3, see debconf 14 Q&A: https://youtu.be/5PmHRSeA2c8?t=2840
At risk of making a gross oversimplification, sfconservancy seems to be pursuing the angle that GPLv2 _ALSO_ was intended to prevent tivoization. see e.g., https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... which refers heavily to pre-GPLv3 discussions about the topic.
"In GPL enforcement actions at the time, during our “complete, corresponding source (CCS) checks”, we verified that the source code was not only complete, but that it corresponded to the binaries on the vendors' devices, and that we could install modified versions of the software. This was a standard part of any check to verify GPLv2 compliance. Passing this check was required, then and now, by FSF and Conservancy before distribution rights are restored after a violation."
"That position was not controversial when I, along with then FSF counsel (Daniel Ravicher), taught it to lawyers in 2003 and 2004 on FSF's behalf. Nevertheless, today, many act as if this interpretation and intent of GPLv2§3¶2 is a recent and novel phenomena, rather than a long standing position held by all copyleft activists for at least 18 years. Today, most companies and lawyers argue (incorrectly, IMO) that users have no rights to reinstall their GPLv2'd software."
This would be an absolutely crazy outcome if this turned out to be a result.
I think Vizio (who I have no love for) would get a HUGE number of opens source folks behind them.
We need to look at what developers believed GPLv2 required and what it did not.
The whole Tivo issue came about because GPLv2 does NOT require that a developer ALSO make it so that others can use HARDWARE they create any way they want. Linus (who is a major GPLv2 user) also was clear, he wanted folks to have to share software, but didn't want or care what they did with it - they could put it in a car (that was locked down from modification), they could put it in a motor controller (also locked to manage duty cycles), they could put it in a pacemaker (also locked for regulatory and safety reasons).
> The whole Tivo issue came about because GPLv2 does NOT require that a developer ALSO make it so that others can use HARDWARE they create any way they want.
This also used to be my understanding, but it is simply wrong. If you read the article posted by GP, from the lawyer who actually pursued the FSF's case against TiVo, the facts are different. TiVo started by bot providing source code at all, and then had some limitations in their published scripts showing how to install modified sources onto their device. This part was remediated by TiVo during these discussions - TiVo devices then and now allow you to install and run any Linux you want on them.
The one thing they also do that angered Stallman and was clearly not prohibited by the GPLv2 is that TiVo's proprietary userspace software uses hardware support to check whether the running kernel is cryptographically signed by themselves, and refuses to start if it is not. The OSS keeps running and has full access to the hardware.
Its interesting to note that the GPLv3 allows what TiVo did too, even though RMS didn't want that. Also interesting OTOH is that the LGPL seems to imply that a combined proprietary+LGPL work should continue to work after replacing the LGPL part.
It’s not at all clear-cut to me. (IANAL.) If a cryptographic key is required, it’s not clear to me that that is either “source code” nor “script used to control compilation/installation”.
If you asked developers “is a certificate source code?”, I think most would say “No”. If you asked them “is a certificate a script?”, I think almost all would say “No”. If it’s not either of those things, I don’t know how the license terms (not the preamble) of GPLv2 would apply to prevent TiVo-isation.
Further, if it does apply, how has no one successfully sued TiVo over it?
What TiVo did (disabling proprietary software when GPL software was modified) is allowed by GPLv2 and GPLv3 according to Bradley Kuhn of Software Freedom Conservancy.
To me “our code can’t run on TiVos” is basically a political statement along the lines of “it can’t be used for evil, or for nuclear weapons” and so on.
It’s certainly an option to license it that way but I think GPL 3 was mostly a mistake.
The “script used to control compilation/installation” needs to actually work. If it can't work without a certificate, then it doesn't work without a certificate.
Isn't the problem that the code would work fine on a piece of hardware that doesn't perform the signature check, it's just you'd have to make that piece of hardware yourself?
This is apparently not how the license had historically been interpreted by everyone, at least before GPLv3 appeared.
The intended and historical interpretation seems to have been that as long as you're distributing a device running GPL software, you have to provide the source code for that GPL software along with working instructions about how to build, install and run those sources on the device.
This even goes back to the original motivation for creating the GPL in the first place: the desire to repair faulty software in a printer at MIT.
I have no idea if this provision has ever been tested in court.
Perma-locked bootloaders can be made illegal, if they prevent you, the owner of the device, from patching a security hole in your device. In essence, it's a backdoor mechanism installed by the vendor.
If this strategy becomes validated by this case, it means that any organisation can bring GPL compliance lawsuits. Hopefully that leads to companies noting their increased potential for liability by multiple less scrupulous actors than SFC and spontaneously coming into compliance.
>"If this suit is successful, it'll no longer be necessary to prove sufficient standing as a copyright holder of GPLed code in order to enforce the license;"
Would such a decision have any usefulness outside of California? This specific lawsuit is filed in a California state court, against a California defendant.
The Software Freedom Conservancy is a business which can do business in many states and be subject to the jurisdiction of courts in all of them, unlike an individual, who can be resident in only one state. (And even then, an individual could also sue in California if the event being sued over - like a purchase or an accident - occurred in California)
Presumably the suit is federal because it’s a copyright case. So, yeah, it would have some significance within the 9th circuit until the appeals shake out.
> not only do multiple copies of the Linux kernel appear in the firmware, other GPL’d and LGPL’d programs were found, including U-Boot, bash, gawk, tar, glibc, and ffmpeg.
The copyright for bash, gawk, tar, and glibc is owned by the Free Software Foundation. The FSF requires copyright assignment on contributions specifically so that they can enforce the GPL. So, if the FSF is unwilling to participate in the case, then that would say something very bad about the state of the FSF (or the state of their relationship with Conservancy--perhaps the FSF would prefer to mount their own case separately?). However, I don't believe that to be the case.
It is my understanding that Conservancy holds the copyright on parts of the Linux kernel, and is authorized to represent several other copyright holders of the kernel. They should be able to enforce the GPL for the kernel without getting anyone else involved.
So to me, this reads as Conservancy intentionally avoiding involving the copyright holders and going for a different strategy, in order to establish precedent and strengthen the GPL. And if that fails, then they could presumably fall back to filing a second lawsuit from the traditional copyright holder perspective. But I would have liked to see this called out and explained explicitly in the press materials, because I'm having to read between the lines here.
I'd be surprised if Conservancy holds kernel copyrights directly, but I agree they can represent holders, as I think they have with e.g. Christoph Hellwig vs. VMWare.
Oh, I may have misunderstood you there, apologies if so. Conservancy can handle compliance and enforcement activities on behalf of more than a dozen Linux copyright holders, but I don't actually know if they hold the copyrights. Sorry if I misunderstood.
> but I don't actually know if they hold the copyrights
According to the page you linked, they do:
> In addition, some developers have directly assigned their copyrights on Linux to Conservancy, so Conservancy also enforces the GPL on Linux via its own copyrights in Linux.
Generally speaking, GPL can't be enforced by users due to selftermination clause. And when GPL terminates itself, you can't enforce it. For user enforcement we need a license that doesn't terminate itself.
---
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
Note that for quite a while Conservancy has (and more recently[1] many other copyright holders have) publicly documented that they extend GPLv3's cure provision to their otherwise-GPLv2-licensed code.
There are kernel copyright holders who have not consented to this and when you violate the GPL your license to the parts of the code that they own is terminated per the vanilla GPLv2. But the copyrights which Conservancy represents have the cure provision.
It means anyone can sue for breach of contract if they are a beneficiary in some way, even if they aren't one of the parties of the contract. If you make a deal with the government to provide free school meals and then they underpay you so you stop providing the meals, now every parent can sue you. Doesn't sound quite right.
I think it would be better to fix this by having the GPL explicitly grant standing to anyone receiving it. Not a lawyer though so no idea if you can just do that. Maybe not.
> It means anyone can sue for breach of contract if they are a beneficiary in some way, even if they aren't one of the parties of the contract. If you make a deal with the government to provide free school meals and then they underpay you so you stop providing the meals, now every parent can sue you. Doesn't sound quite right.
If you stop providing the meals due to the government's breach of contract, it seems pretty obvious to me that the court would either dismiss the case (possibly with prejudice) and direct the plaintiff to sue the appropriate party, or that the case would be suspended until you and/or the government are done suing each other pending the outcome(s) of the other case(s).
> This approach makes it the first legal case that focuses on the rights of individual consumers as third-party beneficiaries of the GPL.
> “That’s what makes this litigation unique and historic in terms of defending consumer rights,” says Karen M. Sandler, the organization’s executive director.
In the past, GPL enforcement has been a cause of action brought by the copyright holder. This suit is on behalf of users, as beneficiaries of the GPL. If this suit is successful, it'll no longer be necessary to prove sufficient standing as a copyright holder of GPLed code in order to enforce the license; it'll suffice to show that you're a user who wishes to make use of the rights provided under the license.