My insulin pump controller uses the Linux kernel. It also violates the GPL

384 pointsposted 12 hours ago
by davisr
(old.reddit.com)

165 Comments

teddyh

11 hours ago

> I then decided to contact Insulet to get the kernel source code for it, being GPLv2 licensed, they're obligated to provide it.

This is technically not true. It is an oversimplification of the common case, but what actually normally should happen is that:

1. The GPL requires the company to send the user a written offer of source code.

2. The user uses this offer to request the source code from the company.

3. If the user does not receive the source code, the user can sue the company for not honoring its promises, i.e. the offer of source code. This is not a GPL violation; it is a straight contract violation; the contract in this case being the explicit offer of source code, and not the GPL.

Note that all this is completely off the rails if the user does not receive a written offer of source code in the first place. In this case, the user has no right to source code, since the user did not receive an offer for source code.

However, the copyright holders can immediately sue the company for violating the GPL, since the company did not send a written offer of source code to the user. It does not matter if the company does or does not send the source code to the user; the fact that the company did not send a written offer to the user in the first place is by itself a GPL violation.

(IANAL)

JoshTriplett

9 hours ago

This is an open legal question, which the Conservancy v Vizio case will hopefully change; in that case, Conservancy is arguing that consumers have the right to enforce the GPL in order to receive source code.

schmuckonwheels

8 hours ago

This got buried on HN a few days ago which is a shame:

https://social.kernel.org/notice/B1aR6QFuzksLVSyBZQ

Linus rants that the SFC is wrong and argues that the GPLv2 which the kernel is licensed under does NOT force you to open your hardware. The spirit of the GPLv2 was about contributing software improvements back to the community.

Which brings us to the question: what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel? Of which there are likely none. Try and run custom software on his medical device which can likely kill him? More than likely.

The judge's comments on the Vizio case are such that should this guy get his hands on the code, he has no right to modify/reinstall it AND expect it will continue to operate as an insulin pump.

This is about as ridiculous as buying a ticket on an airplane and thinking you are entitled to the source code of the Linux in-seat entertainment system.

jacquesm

7 hours ago

There are a lot of people hacking on insulin pumps and they are lightyears ahead of commerce. If you want a very interesting rabbit hole to dive into try 'artificial pancreas hacking' as google feed.

One interesting link:

https://www.drugtopics.com/view/hacking-diabetes-the-diy-bio...

I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up, it's the equivalent of flying a plane you built yourself.

bitmasher9

6 hours ago

> it's the equivalent of flying a plane you built yourself

A great analogy because people die that way. I personally would never push code to another person’s insulin pump (or advertise code as being used for an insulin pump) because I couldn’t live with the guilt if my bug got someone else killed.

jacquesm

6 hours ago

I know people die that way (GA). But someone is working for the companies that make insulin pumps and they are not as a rule equally motivated so I would expect them to do worse, not better.

And to the best of my knowledge none of the closed-loop people have died as a result of their work and they are very good at peer reviewing each others work to make sure it stays that way. And I'd trust my life to open source in such a setting long before I'd do it to closed source. At least I'd have a chance to see what the quality of the code is, which in the embedded space ranges from 'wow' all the way to 'no way they did that'.

chii

4 hours ago

> I would expect them to do worse, not better.

which is why lots of systems and processes (sometimes called red tape) exist to try and prevent the undesired outcome, and dont rely on the competency of a single person as the weak link!

firtoz

2 hours ago

There are more financial reasons to violate and cheat the red tape than there are incompetent open source hackers in the world.

horsawlarway

6 hours ago

And yet someone IS pushing code to these devices. Every single one.

So the question really becomes - Are these people working on their own pumps with open source more or less invested than the random programmers hired by a company that pretty clearly can't get details right around licensing, and is operating with a profit motive?

More reckless as well? Perhaps. But at least motivated by the correct incentives.

dullcrisp

5 hours ago

So flying in a plane you built yourself is in fact safer than flying commercial because the motivations line up. Got it.

AnthonyMouse

5 hours ago

You, an engineer at a major aircraft manufacturer that isn't Boeing, have been working after hours with some of your colleagues on a hobby project to add some modern safety features to an older model of small private plane, because you regard it as unsafe even though it still has a government certification and you got into this field because you want to save lives.

Your "prototype" is a plane from the original manufacturer with no physical modifications but a software patch to use data from sensors the plane already had to prevent the computer from getting confused under high wind conditions in a way that has already caused two fatal crashes.

Now you have to fly somewhere and your options for a plane are the one with the history of fatal crashes or the same one with your modifications, and it's windy today. Which plane are you getting on?

sarusso

4 hours ago

This example is so right. Including the parallel with what happened with those two aircrafts.

amrocha

4 hours ago

Definitely not the untested code I wrote myself!

Are you kidding me? How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.

AnthonyMouse

4 hours ago

> Definitely not the untested code I wrote myself!

Nobody said it was untested.

> How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.

Which applies just the same to the people the company hired to do it, and now we're back to "the people with a stronger incentive to get it right are the people who die if it goes wrong".

tstrimple

an hour ago

Tested how? With 100% "unit test" coverage? I can certainly see how a random person on the internet might be highly motivated and actually talented enough to contribute to these sorts of projects. But they don't have the budget and resources that commercial entities have. They don't have the same due diligence requirements. They don't have the same liability. If I use a commercial device unaltered, it's the company's fault if the device fucks up or is defective and causes harm. If I install random internet software on my medical device and it fucks up and causes harm, it's my fault.

I say this as someone who might modify my own medical devices because I'm so fucking jaded over the capitalist march towards enshitification and maximizing profit over human lives. There is simply no way random folks on the internet can test these types of systems to any reliable degree. It requires rigorous testing across hundreds to thousands of test cases. They at best can give you the recipe that works well for them and the few people that have voluntarily tried their version. That doesn't scale and certainly isn't any safer than corporate solutions.

mindslight

5 hours ago

Flying in a plane you built yourself is likely safer than flying in the same model of plane built by a company that assembled it for you using lowest-bid labor while making you sign a twenty page lawyer barf disclaiming liability.

habinero

19 minutes ago

Are you really comparing an amateur skillset to designs from paid engineers made on a company assembly line with QC?

Why on earth would you think an experimental aircraft made by a hobbyist would be safer?

amrocha

4 hours ago

You can’t honestly believe that or you wouldn’t be able to function in society.

array_key_first

23 minutes ago

You can believe it and simultaneously function in society.

We aren't all building our own planes because it's worse, but because it's time consuming. I don't have 20,000 hours to burn learning about how planes work to make my own.

If we magically beamed the knowledge straight into people's heads and also had a matter fabricator, I'd imagine yes - everyone would build their own plane. And it might be safer, I don't know.

Point is, the ideas are not mutually exclusive. You can believe both and still resolve it internally and with the world

habinero

6 minutes ago

Not the original poster, but that was snark and not meant literally.

Also, building your own plane is absolutely worse, even if you do have expert-level knowledge. That's true for any complex design. Aircraft design, material sourcing, fabrication, assembly and quality control are all very different skill sets, but the real kicker is experience.

The reason why commercial aircraft are so safe is a lot of work goes into investigating and understanding the root causes of accidents, and even more work goes into implementing design fixes and crew training.

mindslight

3 hours ago

My comment rests on the fact that the types of planes you can build yourself are completely different models than the fully assembled models from the likes of Boeing etc. I do agree that a kit 737, if such a thing existed, would be less safe than one off the line.

socalgal2

3 hours ago

> I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up

I would think it's the opposite. People that hack on this only risk their own life. Companies risk many people's lives and will get sued. Of course the person doing the hacking doesn't want to die but they're also willing to take the risk.

array_key_first

21 minutes ago

Right, but getting sued is basically the least risky activity ever. Okay, a little dramatic but: you won't go to jail, and if you're rich and become less rich you're still better off than most people. In pure absolutionist terms, being a business owner is basically always less risky than being labor.

wpm

3 hours ago

> People that hack on this only risk their own life.

Provided they do not risk anyone elses, that is entirely their right.

cxr

4 hours ago

> The spirit of the GPLv2 was about contributing software improvements back to the community.

It may be the case that when all is settled, the courts determine that the letter of the license means others' obligations are limited to what the judge in the Vizio case wrote. And Linus can speak authoritatively about his intent when he agreed to license kernel under GPL.

But I think that it's pretty clear—including and especially the very wordy Preamble—not to mention the motivating circumstances that led to the establishment of GNU and the FSF, the type of advocacy they engage in that led up to the drafting/publication of the license, and everything since, that the spirit of the GPL is very much in line with exactly the sort of activism the SFC has undertaken against vendors restricting the owners of their devices from using them how they want.

ryandrake

8 hours ago

Why is it ridiculous? If the license says you have the right to obtain the source code to software that was distributed to you, then you have the right to obtain the source code. It doesn't matter what your intended use of it is.

teddyh

7 hours ago

Rather crucially, the license itself does not say that you have the right to the source code. It is only the separate written offer which gives you that right. If you did not receive such an offer, you don’t have any right to it. But then, the company has already, unquestionably, violated the GPL, and the company can be sued immediately. Specifically, you don’t have to first ask the company for the source code! The lack of a written offer is in itself a clear violation.

schmuckonwheels

7 hours ago

> But then, the company has already, unquestionably, violated the GPL, and the company can be sued immediately.

You were right up to this point. Medical devices requiring a prescription must be obtained via specialized suppliers, like a pharmacy for hardware. These appliances are not sold directly to end users because they can be dangerous if misused. This includes even CPAP machines.

In theory, that written offer only needs to go to the device suppliers. Who almost universally have no interest in source code. When the device is transferred or resold to you, it need not be accompanied by the offer of source.

If that was true, anyone reselling an Android phone could open themselves up to legal liability. Imagine your average eBayer forgetting to include an Open Source Software Notice along with some fingerprint-encrusted phone.

teddyh

7 hours ago

> If that was true, anyone reselling an Android phone could open themselves up to legal liability.

That’s only an appeal to ridicule. If those are valid, here’s an opposing one:

If this is not true, then any company can violate the GPL all it likes just by funneling all its products through a second company, like a reseller.

gpm

7 hours ago

Here's an appeal to the law, the doctrine of copyright exhaustion (also known as the first sale doctrine) dictates that copyright is exhausted upon the first sale of the device (i.e. to the distributor) and they have no rights to control or prevent further sales.

That the GPL potentially fails to achieve what it intends to is neither a legal argument, nor particularly surprising.

AnthonyMouse

6 hours ago

Wouldn't that imply that end-user license agreements are all unenforceable because the software was sold through a retailer, and even if it wasn't you could just a get a secondhand copy?

gpm

6 hours ago

By my understanding EULAs are based on contract law and having a clickwrap agreement that requires you agree to it before using the software, not copyright law. Except perhaps to the extent that copyright law would prevent you from creating a derivative work that doesn't require you to agree to that clickwrap agreement prior to using the software.

AnthonyMouse

6 hours ago

How does that solve it? Alice buys the software, clicks "agree" so that it runs and then sells it to Bob who uses it without ever agreeing.

verall

4 hours ago

Somewhere deep in the legalese Alice agreed she would not do that, i.e. "non transferable license".

AnthonyMouse

4 hours ago

Isn't that the part that would violate the first sale doctrine?

gpm

2 hours ago

No, not if the same itself was unlawful because Alice signed a contract to not sell it like that.

The GPL notably allows for the sale, it was legal here.

conartist6

2 hours ago

So too is the GPL a contract, or at least nobody has proven that it is not a contract and the SFC will fight to prove that it is

gpm

2 hours ago

Sure, maybe anyways but let's assume it is, the parties to that contract are the manufacturer and the copyright holder. The contract allows the manufacturer to distribute it to the distributor without requiring the distributor to agree to the terms and itself become a party. The distributor can then sell the device with the software on it on without acquiring a license and becoming a party to the contract because the copyright has been exhausted (first sale doctrine).

EULA's get around this by forcing the end user to become a party to the contract via a click wrap agreement. There is usually no such click wrap agreement binding the distributor in the case of the GPL. And the GPL doesn't require the creation or maintenance of such a click wrap agreement so the manufacturer would be free to remove it even if the original software had one.

mr_toad

5 hours ago

> first sale doctrine) dictates that copyright is exhausted upon the first sale of the device (i.e. to the distributor).

The copyright doesn’t go away when copies are sold to a distributor. Someone (probably the manufacturer) still has legal obligations to the copyright holder.

gpm

2 hours ago

With regards to further distribution of the copy sold to the distributor, it does go away.

chii

4 hours ago

copyright doesn't give you the kind of rights that a GPL license does - which is not based on copyright, but on contract law (ala, it's in the name - licenses).

A sale of an object does not transfer those licenses (but those licenses are still valid on the seller - a manufacturer selling widgets will have to obey the GPL clauses. If an end user of this widget wants the source code, they have to go back all the way to the manufacturer, rather than any of the middle-men presumably).

JoshTriplett

6 hours ago

> When the device is transferred or resold to you, it need not be accompanied by the offer of source.

This is false. The person transferring the device must either pass along the offer they received (GPLv2 clause 3(c), and only if performing non-commercial redistribution), or pass along the source code (GPLv2 clause 3(a)).

gpm

6 hours ago

By my understanding under US law first sale doctrine means that 3 (both (a) and (c)) doesn't apply, copyright has been exhausted and the intermediate party here doesn't need a license at all to sell the device on. Even if you want to argue the GPL is a contract and not just a license the intermediate owner has never been required to become a party to it. Even if for some reason they agreed to the contract - and somehow it was a binding contract despite the complete lack of consideration - it seems unlikely that the courts would interpret 3 to apply because reselling a device isn't "distributing" within the meaning of copyright law because of first sale doctrine.

Y_Y

6 hours ago

My Android phone does come with an explicit written offer of source. It's in Settings>About>Legal.

mr_toad

5 hours ago

> In theory, that written offer only needs to go to the device suppliers.

The GPL clearly specifies recipients, it doesn’t say anything about suppliers.

schmuckonwheels

8 hours ago

It's a medical device that requires a prescription. You can't buy it off the shelf. They're not distributing software to you either. You must go through a medical equipment supplier who transfers the device to you after insurance has paid for some or all of it.

For the same reason you can't find an airplane entertainment system in the trash and call up the company and demand source code.

kevin_thibedeau

7 hours ago

It doesn't matter what form it takes. Compiled binaries of GPL code are being distributed. The recipients of that binary are entitled to the source of the GPL portions in a usable form:

  "The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
The GPL here doesn't extend beyond the kernel boundary. Userland is isolated unless they have GPL code linked in there as well. If they were careless about the linkage boundaries then that's on them.

schmuckonwheels

7 hours ago

The recipient of that object code is the medical device supplier, not the end-user.

It's subsequently transferred to you after presenting a prescription, without any accompanying offer of source code.

In other words, assume you are the second owner in all cases when it comes to certified medical equipment.

AFAIK if you find an Android phone in the trash, you are not entitled to source either since you never received the offer of source during a purchase transaction. You know that little slip of paper you toss as soon as you open some new electronics that says "Open Source Software Notice".

RHSeeger

7 hours ago

> In other words, assume you are the second owner in all cases when it comes to certified medical equipment.

By that logic, _any_ company can effectively ignore the GPL constraints by just selling it to a reseller, first; one that they have a contract with to _not_ offer the source code when they re-sell it.

It is my understanding that, if I use GPL in my code, and I distribute it to someone that then re-distributes it to someone else... the GPL is still binding. I don't see why that wouldn't be the case with hardware using GPL'd software.

mr_toad

4 hours ago

> purchase transaction

The licensee has to offer code to users (more precisely, to any third party). It doesn’t say they have to purchase anything to be a legitimate user.

kevin_thibedeau

6 hours ago

So when I buy a product with GPL code via Amazon, Amazon is the one with the rights to receive the source? That medical supplier is getting paid via the medical coverage the end user is paying for.

isodev

7 hours ago

> what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel?

As the original Reddit comment explains, Insulet is an American company.

jonway

6 hours ago

Big disagree, if they distribute the code they’re on the hook for the gpl source, too!

That’s about as ridiculous as buying a plane and knowing you’re entitled to the gpl sources used.

JoshTriplett

7 hours ago

> Linus rants

Linus is arguing against a strawman that Conservancy never actually argued. See https://sfconservancy.org/news/2025/dec/24/vizio-msa-irrelev... for details.

> Which brings us to the question: what is this guy going to do with (presumably) the kernel source?

https://openaps.org/

schmuckonwheels

7 hours ago

If you have a pacemaker implanted, do you believe you have the right to modify and update the software that operates it? Separately, do you think it's remotely a good idea?

JoshTriplett

5 hours ago

> If you have a pacemaker implanted, do you believe you have the right to modify and update the software that operates it?

Yes, of course. It is abhorrent that people have devices implanted into their bodies and are in any way prevented from obtaining every last detail about how those devices operate.

> Separately, do you think it's remotely a good idea?

In rare circumstances, yes. See, by way of example, Karen Sandler's talk on her implanted pacemaker and its bugs, for specific details on why one might want to do so.

iinnPP

6 hours ago

Not that person, but yes. You have entirely missed the ability to simply view and understand what's inside your own body.

Where your interpretation means someone else needs to follow your whim for their own problem, despite the legalese stating otherwise.

I think that is an absurd position and I am sorry to feel the need to have to be blunt about it.

brendyn

6 hours ago

Obviously yes to the first question. How could you possibly not have the right to operating your own heart. Naturally it would generally not be a good idea.

singpolyma3

8 hours ago

The argument here is that, if there is an offer, they already do under standard contract law.

teddyh

7 hours ago

If you carefully read what I wrote, you will notice that I never claimed otherwise. Whether or not third parties have standing to sue on a GPL violation is immaterial to my point, none of which is “an open question”.

jstanley

10 hours ago

Are you saying that in the general case if you send someone a written offer for something and then don't honour it, you are in breach of contract?

That doesn't sound right to me.

A written offer is not the same thing as a contract.

dspillett

10 hours ago

The written offer is part of the licence, as is the need to respond to that offer with the source code offered. It is all part of the same agreement.

A written offer on its own would not normally be directly enforceable in many (most?) jurisdictions, for the same sort of reason that retailers can't be held to incorrectly published prices (in the UK at least, a displayed price is an “invitation to tender”, not a contract or other promise) except where other laws/regulations (anti bait&switch rules for instance), or the desire to avoid fighting in the court of public opinion, come into effect.

But in this instance, the written offer and the response to that offer are part of the wider licence that has been agreed to.

Joker_vD

6 hours ago

> the same sort of reason that retailers can't be held to incorrectly published prices (in the UK at least, a displayed price is an “invitation to tender”, not a contract or other promise)

The hell? Over here, the price tags are a sort of public contract, to which the seller pre-commits. The seller forgot to change the tags? That's not the buyer's problem.

ivell

2 hours ago

Since money has not exchanged hands, you could always decide not to buy at the counter. So atleast in the countries I have been, it is not legally binding.

teddyh

10 hours ago

I don’t think so; I can’t recall any support for such a connection between the written offer and the GPL itself written into the GPL license text.

abdullahkhalids

9 hours ago

From section 4 [1]

> If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

Similar clauses in Sec 6.

[1] https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

teddyh

9 hours ago

That section (and similar in section 6d) is not about the written offer of source code. The written offer of source code is instead covered in section 6c.

abdullahkhalids

9 hours ago

Ah.. Thanks

> c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.

immibis

8 hours ago

So according to the legal theory expressed in this thread so far, nobody can sue anybody and there's no obligation to provide source code. The copyright holder couldn't sue because the license was followed (an offer was provided) and the end user couldn't sue because the offer doesn't have to be followed up on.

Or, instead of theorycrafting reasons why it shouldn't work, you could "just" sue them and see if the judge agrees.

ww520

8 hours ago

The customer spends money to buy the product along with the source code offered. It's part of the transaction. Not honoring part of the transaction is a breach of contract.

teddyh

10 hours ago

Maybe it’s not technically “breach of contract”, and an offer might or might not be a contract. But if you don’t honor an offer you made, you must surely be guilty of something. Otherwise, all offers would be meaningless and worth nothing.

phlummox

2 hours ago

> you must surely be guilty of something. Otherwise, all offers would be meaningless and worth nothing.

You don't have to be "guilty" of anything to be liable in civil law (which contract law is a part of). "Guilt" is a concept from criminal law. It isn't required for contracts to be enforceable.

In general (there are exceptions) offers alone aren't enforceable and don't result in a contract. You need other elements (agreement by the parties, plus something done in return for what's offered) for a contract to be formed - and then it's enforceable.

jstanley

10 hours ago

I don't think you're guilty of anything for failing to honour an offer in most cases.

Retric

9 hours ago

An offer is legally binding in that when someone acts based on that offer you can be liable for damages.

This does not force you to honor the original offer though.

kkjjjjw

9 hours ago

Such offer is as legally binding as any tender. Of course a contract dispute could go either way.

woah

8 hours ago

And what are the damages?

kgwxd

9 hours ago

I think they're just saying the GPL doesn't really cover consumer/distributor (dis)agreements, it only covers copyright. While the spirit of the GPL is user-first, it still has to be realized within the confines of copyright law. Even though many people might conflate the spiritual goal and the legal agreement, it doesn't grant "users" any extraordinary legal powers.

It's not illegal to not honor written offers, it's illegal to distribute copyrighted material in violation of it's license.

cxr

8 hours ago

That's not what they're saying.

On the shelves are three insulin pumps: one with a 5-year warranty, one at a bargain barrel price that comes with no warranty, and one accompanied by a written offer allowing you to obtain the source code (and, subject to the terms of the GPL, prepare your own derivative works) at no additional charge any time within the next three years.

Weighing your options, you go with pump #3. You write to the company asking for the GPL source. They say "nix". They're in breach.

schmuckonwheels

7 hours ago

The GPLv2 under which Linux is licensed does not prohibit that insulin pump from bricking itself if you tried to install "your own derivative work" that wasn't signed by the manufacturer.

This is not only possible but also prudent for a device which can also kill you.

fn-mote

7 hours ago

Possibly true, but irrelevant to the post to which you are replying.

The argument is over providing you the source code.

TZubiri

8 hours ago

So gpl is a licensor-licensee contract, if code and license is not shared to the user, then there is no contract to which the user is a party, rather the user is a beneficiary.

The offer of source code seems to be a way to facilitate the conveyance of source code through opt-in means separately from the object code rather than some legal trickery to create a user-licensee contract.

While the offer may indeed convey a licensee-user obligation, a compliant distribution would attach a license anyway, converting the user into a licensee and licensor to licensee in a recursive fashion

I wonder if lawyers specialize in this, it sounds very cool and not at all standard law, but somehow compatible with contract law

IANAL

faidit

2 hours ago

Doesn't seem incorrect if, extra steps aside, the company is ultimately obligated to provide the source code by the terms of the GPL.

mkehrt

4 hours ago

IANAL, but this is my understanding.

What's the consideration in the written offer? Promises aren't enforceable in court. For a contract to be enforceable, it has to be an exchange of something, not a one sided offer.

https://www.law.cornell.edu/wex/consideration

tzs

4 hours ago

There are substitutes for consideration. Search for "detrimental reliance" and "promissory estoppel" if you want to go down that rabbit hole.

kevin_thibedeau

7 hours ago

The written offer with a limited term of three years is just one permitted method of distribution. If an offer was never made then they're not covered by that clause and are bound to comply by other means without the protection of the three year window.

teddyh

7 hours ago

Yes. I did not cover these cases because approximately nobody does that.

I mean, the absolutely simplest, and cheapest, way for companies to comply with the GPL is to ship the source code together with the software. Stick it in a zip file in a directory somewhere. The company can then forget the whole thing and not worry about anyone contacting them and ranting about source code and the GPL. But no company does that.

The other simple way for companies to comply with the GPL is for companies to provide a link to download the source code at the same place that users download the program itself. If the user did not download the source code when they had the chance, that’s the user’s problem. This will also let the company ignore any GPL worries. No company does this, either.

(The GPL provides a third way for individuals and non-profits, which is not relevant here.)

tzs

2 hours ago

> The GPL requires the company to send the user a written offer of source code

It should be noted that this is just one of three options that someone who wants to distribute binaries of GPL code can choose from. It's the most commonly chosen one, and one is only available for noncommercial distribution, so the odds are good that this is the option they are using.

The other available option is to accompany the binary with the source code.

That one leads to an interesting possibility where someone could end up with a binary and there is no one obligated to provide source to them. As far as I know this has not actually arisen, but it seems like something that is bound to happen sometime.

Suppose company X decides to make a generic hardware platform that other companies can buy to build their products on. X's platform is basically a small single board computer with WiFi, Bluetooth, dual, USB ports, a couple Ethernet ports, and some GPIO ports. X ports Linux to their hardware.

When X ships a system it comes with an SD card with a Linux distribution installed including their custom kernel. It is configured to boot from the first SD card slot, and then to run a custom login system that looks at the second SD card slot and if there is a card in there it mounts it, looks for an executable on its root name application.exe, and runs that as root. X includes in the box a small thumb drive with a copy of the source code for everything on the SD card.

The idea is that a company Y that wants to make something like a WiFi access point or an air quality monitor can buy these boards from X, put them in a case with whatever peripherals or sensors they need like air quality sensors, write the software for the application, put it on an SD card, and put that in the second SD card slot.

So lets say Y buys 1000 of these systems from X, builds 1000 of their access points or whatever from them, and sells them.

One of their customers asks Y for the source code of the GPL parts. Does Y have to provide it?

I'd say they do not. They are not making copies or derivative works. They are just receiving physical copies from X and passing those on unmodified to their customers. This should fall squarely under the First Sale Doctrine in US copyright law, and similar rules in other jurisdictions.

How about if they ask X for a copy?

X has made copies and derivative works and distributed them. But X satisfied their GPL requirements by including a thumb drive with the source with each board they shipped to Y.

immibis

8 hours ago

In America, maybe this is the case. In Germany, it seems an end user can sue them directly for source code.

TZubiri

9 hours ago

> This is not a GPL violation; it is a straight contract violation

But GPL is a contract

I think the distinction you are pointing would be between a gpl licensor-licensee contract, rather than a licensee-user contract.

(IANAL)

teddyh

7 hours ago

> But GPL is a contract

Not according to the original reasoning by its creators, but opinions differ wildly. However, this is irrelevant to the point; the written offer, which is separate from the GPL, is what is failing to be honored, not the GPL. If you did not receive such a written offer, the GPL, in itself, makes no guarantee that you have the right to the source code.

indymike

2 hours ago

> If you did not receive such a written offer, the GPL, in itself, makes no guarantee that you have the right to the source code

Wrong. The requirement to provide source code under the GPL is primarily governed by Section 3 of the GNU General Public License v2 and Section 1 of the GNU General Public License v3. The whole point of the the GPL is to make it so users of software could get source code to the software.

Aurornis

10 hours ago

Be sure to read the top comment where someone who claims to have worked for the company provides some inside information.

In my experience, this is quite common when the development of hardware is viewed as a cost center and is outsourced to various providers and teams. Those providers and teams churn a lot and nobody who worked on that is likely still involved with the company via contracts or direct employment.

Front line support people aren’t equipped to respond to these requests. If you’re lucky they’ll get bounced around internally while project managers play hot potato with the e-mail until it gets forgotten. You might get lucky if you go the corporate legal route, but more likely is that the lawyers will do the math on the likelihood of you causing them actual legal trouble for anything and decide it’s best to ignore it.

When I worked at a company that had a history of GPL drama one of the first things I did was enforce a rule that every release had a GPL tarball that was archived and backed up. We educated support people on where to forward requests. I handled them myself. 7 out 10 times, the person on the other end was angry because they assumed the GPL entitled them to all of our source code and they were disappointed when they only found GPL code in the tarball. It really opened my eyes to some of the craziness you get exposed to with these requests (though clearly not the polite and informed request in this Reddit thread) which is probably another reason why support staff are uneasy about engaging with these requests.

teddyh

10 hours ago

> 7 out 10 times, the person on the other end was angry because they assumed the GPL entitled them to all of our source code and they were disappointed when they only found GPL code in the tarball.

Well, if your non-GPL code was directly linked to, or closely interoperated with, any GPL code, those users would have been right.

juped

9 hours ago

Richard Stallman is wrong about linking.

teddyh

9 hours ago

As far as I understand it, Richard Stallman has gotten his view about linking from FSF’s lawyers, who has advised the FSF about what does and does not count as a “derived work”, in the sense of US copyright law.

If you want to argue that the FSF’s lawyers are wrong, please provide more detailed, and hopefully referenced, arguments (as opposed to plain assertions).

abigail95

9 hours ago

FSF has opinions but not case law - anyone else's opinion is as valid, there's no citation because no court has ruled that dynamic linking is or isn't a derivative work.

You have to construct your own view based on existing statute and vaguely related cases.

Google LLC v. Oracle America, Inc., 593 U.S. 1 (2021) is not a pro-FSF opinion.

Whether linking (dynamic or not) is a derivative work is defined by things like incorporation, similarity, and creative expression.

I think the FSF view is unreasonably confident in its public opinions where the current law is that each potential infraction is going to be decided on a case by case basis. Read 17 USC 101 for yourself and square that with FSF/Stallman opinions.

There's too much nuance to have a stance about what happens when you link a program. "It depends" is the only thing you can say.

immibis

8 hours ago

until you actually sue them, all you have are guesses, and you miss all shots you don't take

SpicyLemonZest

9 hours ago

I would point towards Oracle v. Rimini, where the Ninth Circuit has specifically ruled (inside a complex and yet-unresolved case) that a system built to interoperate with a copyrighted program does not constitute a derivative work of that program. (https://cdn.ca9.uscourts.gov/datastore/opinions/2024/12/16/2...)

They reference a less on point but better known case (https://en.wikipedia.org/wiki/Lewis_Galoob_Toys,_Inc._v._Nin...., for some reason you have to manually add the period at the end of the link) about whether NES cheat cartridges were copyright infringement. If a work that directly links to and interoperates with a program is a derivative work of that program, the Game Genie really was illegal after all. To me that doesn't seem right, and given the FSF's general opinion on console restrictions (https://www.fsf.org/bulletin/2025/winter/new-nintendo-drm-ba...) I kinda feel like they'd have to agree.

abigail95

8 hours ago

Galoob is terrible for the FSF because it provides for a program that only exists to enhance another.

That doesn't fit into the dynamic linking absolutists worldview at all.

SpicyLemonZest

7 hours ago

Ehh, I'm not sure it's fair to call the FSF dynamic linking absolutists. They only care about any of this because they've boxed themselves into a corner. They want to prevent people from writing proprietary wrappers around copyleft programs, but they don't want a license so restrictive that proprietary and copyleft programs are forbidden from interacting, and Freedom 0 means they can't explicitly prohibit a copyleft program from being used for suchandsuch purpose.

m463

4 hours ago

Not the kernel, but LGPL libraries do have relevant carveouts. And if you've ever heard RMS speak, he is extremely particular and does understand the nuances of all this.

anigbrowl

11 hours ago

As always, the solution is to contact their legal department, preferably via a lawyer. Engineers and support staff are not going to risk their jobs making legal decisions about giving away company property.

The FSF could help a lot here by publishing demand letter templates outlining the statutory and precedential basis for license enforcement and recovery of damages.

whatshisface

11 hours ago

It is not company property.

anigbrowl

10 hours ago

But it's the company's legal department which would evaluate that claim. Because it's a legal claim. Licenses aren't magic spells, they're social agreements and non-executive employees don't want to get in trouble for making executive decisions.

treesknees

9 hours ago

That really depends. A company can still own the copyright to the code that they’ve written, even if it’s licensed with GPL. It’s an asset that is transferred if the company is sold, etc, so yes, it’s actually company property.

The GPL grants rights to use and distribute, but does not grant ownership. It’s not suddenly in the public domain.

Aurornis

10 hours ago

Support staff or even engineers are not in a position to be making that call. It’s a legal department decision, even if it seems obvious to you.

ozim

9 hours ago

This should be the most upvoted answer.

Yeah there are are startups where head guys don’t know that and developers jump the gun because they feel like they’re ones that have the best understanding of the issue at hand.

But of course that’s legal territory.

opello

8 hours ago

I agree that a front-line CSR or even engineer is not likely the right person, but surely then the responsible action is to redirect the request to the responsible department or person?

SpicyLemonZest

7 hours ago

Absolutely, and companies that routinely get requests like this train customer service agents on specific trigger words like "license" or "GDPR" that must be redirected. Without that training, it's not obvious why "it's GPLv2 licensed" is more compelling than the last customer's argument that the device warranty obligates you to drop everything and immediately fix the minor UI bug they reported.

abigail95

10 hours ago

Derivative works are owned by those who create them. What copyright says you can do with them depends on the specifics, but the general case is true.

jimrandomh

9 hours ago

If the only GPLed component used is the Linux kernel, you probably aren't entitled to any noteworthy source code. It's well established that using the kernel doesn't create a GPL requirement userspace software running on the same device, and the most likely arrangement here is a completely-uncustomized kernel paired with an open-source userspace program that does all the interesting bits.

dilyevsky

8 hours ago

It also doesn’t apply to driver modules if you use gpl shim (eg nvidia drivers and many others) so i dont get why author thinks they violate anything

kkjjjjw

9 hours ago

Then it should be trivial for them to provide the source code.

Nextgrid

6 hours ago

It's trivial in terms that it will cost them nothing, because it's very likely there are no changes to the kernel, or nothing of value nor commercially-sensitive anyway.

It's not trivial in terms of big company bureaucracy - this request will have to go through so many levels of red tape that they (correctly) decided not complying to random people's requests is more profitable.

I'm sure if you actually sue them then they will comply right away, because at that point paying for some engineer's time to tar up the source tree and send it to you now becomes cheaper than lawyer time.

But their analysis is correct in that nobody will waste time/money suing to get what is effectively a stock kernel they can get from the official source anyway. Which is why these complaints are also a bit stupid - they're not asking for anything of value or using the GPL to advance software freedom by freeing up some valuable code, they're just wasting both theirs and others' time asking for something they can already download directly.

abigail95

10 hours ago

I get mad triggered by software license violation discussions.

Please for the love of all that the FSF thinks is holy - just file a damn lawsuit if you are telling me they are violating the law. State your claim and have a court sort it out.

It costs hundreds of dollars. For a medical device? Seems like a good deal.

austhrow743

9 hours ago

The OP almost certainly isn’t a copyright holder for the Linux kernel. They probably would have said if they were.

abigail95

8 hours ago

Then why are they trying to enforce copyright/contract law without standing?

Making a blog post about someone elses copyright being violated is even more annoying to me.

austhrow743

8 hours ago

Huh, they’re not. You’re the one saying they should.

abigail95

8 hours ago

What's their basis for sending the emails then? If not one of legal standing in copyright/contract law?

Edit: My point is this is just another one of many annoying people you have to deal with who will email you alleging all sorts of legal violations, who don't themselves understand anything about the claims they are making.

austhrow743

8 hours ago

Basis? You mean reason?

They want the Linux kernel source code.

cj

6 hours ago

No, he means basis, not reason. There's a difference and I'm genuinely curious in your answer.

austhrow743

6 hours ago

Sure, I understand that there's a difference. That's why I sought clarification.

My understanding of the concept of "basis" does not fit the context of sending an email, and "reason" is the closest I can find that fits.

Basis being concerned with rules or authority. The assumption being when asking "what is the basis for X?" that there was a bar that needed to be met beyond the doers motivations. That there needed to be more than they wanted to. Which of course, does not apply to sending an email. I could email you right now asking you what your favourite type of fish is or seeing if you want to play a game of chess, no basis needed. I'd just need a reason to.

cj

6 hours ago

That’s a very intricate and convoluted way of saying they have no basis for making a demand.

But sounds like we agree, they have no real basis for making a demand.

austhrow743

6 hours ago

Poorly explained maybe but it covers not just that there is no basis but that no basis is needed and draws attention to the odd request for a basis where none is needed.

Just "there is no basis" as a response would be like saying "yes" or "no" to "have you stopped beating your wife?"

cj

5 hours ago

Aren’t we talking about enforcing/exercising a legal right?

Whether you have a reason to make a claim is much different than whether you have a legal basis for your claim.

austhrow743

5 hours ago

We're talking about Lost-Entrepreneur439 on Reddit emailing a company to ask for some of their code.

You can just do that. No GPL, open source, enforcement, demands, etc language needed. Just "I'm trying to do X, can I see the code for Y?". I receive and send them at work pretty frequently.

They've mentioned the GPL as a way to try to increase the chances of getting sent the code. A support person for a medical device company might not know anything about software licences or linux or GPL. If the company has some sort of "send GPL code to askers" policy and Lost-Entrepreneur439 just asks for the linux kernel, the support person might not know that the GPL policy applies and just say no. If you include it in your message then it increases the chances of them typing "GPL" in to whatever internal knowledge bank they have and seeing "for GPL requests, forward the enquiry to jeff@ourcompany.com" or something like that.

The GPL isn't between Lost-Entrepreneur439 and the company so I don't think "enforcement/exercising a legal right" is an accurate way to describe what we're talking about. That would be if the copyright holders to the linux kernel get involved.

EDIT: Although that seems like largely just a semantics thing. Like if a judge orders a company to pay you some money and you say "give it to austhrow743" is it valid to say that I have a right to that money? Or is it that you have the right that I get that money? If someone wants to phrase "linux kernel copyright holders have a right to demand users of their code share it with anyone who asks" as "anyone who asks has a right to that code" then I don't really have a problem with that.

I just see a big difference between making a request and making a claim. I don't need to think I'm legally entitled to something to ask for it. I don't even need to think that getting it is likely. Whereas Abigail appears to be treating sending and receiving requests by emails as equivalent to a court summons.

robomartin

9 hours ago

In what planet does a lawsuit cost hundreds of dollars?

abigail95

9 hours ago

This one. That's what the filing fees are for a lawsuit like this. There's no rule saying you have to pay a lawyer to write a statement of claim.

Edit:

Courts deal with contract law disputes all the time. It's their bread and butter, everyday, nothing special stuff.

Edit2:

To you below, citation needed

lucb1e

9 hours ago

Is that also what it costs when you lose and the court makes you pay their lawyer time?

abigail95

8 hours ago

Use the CCB then?

Edit: I'm somewhat mad that there's all these tools out there to solve the screeching about GPL violations and nobody seems to want to use them.

apublicfrog

8 hours ago

For reference for non Americans/non legal people:

> The Copyright Claims Board (CCB) is available to resolve copyright disputes of a relatively low economic value and provides an efficient, less expensive alternative to federal court.

https://ccb.gov/

pvtmert

9 hours ago

If they built the kernel directly from tree, just pointing out the correct https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin... should be enough...

cxr

8 hours ago

Since a company building it themselves hasn't gotten it in the form of a binary from someone else that they're just passing along to you and their use is commercial, they don't satisfy either condition of GPLv2 3(c), but they'd need to satisfy both in order to be able to exercise that option.

jacquesm

10 hours ago

Let me guess. Omnipod. They've had some pretty bad recalls too. Never in a lifetime would I trust my well-being to their p.o.s. hardware / software combo. Apologies that person in this thread that worked there, but I hope you are working for a better company now.

Group_B

11 hours ago

Oh well. The whole thing has already been reverse engineered. Look up Loop or Trio or OpenAPS. Diabetic companies like Insulet have been very lax when it’s come to the hacking of their devices. This isn’t really that big a deal. What we need right now is help REing the Omnipod 5

duban

10 hours ago

I’m aware of a few people working on REing the Omnipod 5. The furthest issue that I have seen is that when a PDM/Omnipod 5 app signs into your insulet id, it gets a private key from the API which is stored in the keychain (and uses SSL pinning to prevent MiTM retrieval of the private key). When pairing with the pod they exchange public keys and then a derived key from the devices private key+pods public keys, but haven’t been able to get a copy of a private key yet to make further progress.

fyhn

10 hours ago

Not all though, I've been looking at Minimed pump reverse engineering (which would be just reading glucose data, not controlling the pump), and that's not solved yet, at least not for the 780G. But I hope it will be, and perhaps I'll be able to contribute.

mlsu

9 hours ago

I don't work for Medtronic. But it's extremely unlikely that will happen. It's not merely a matter of reverse engineering -- after the original medtronic "hack" / reverse engineer efforts (the ones that lead to the original openAPS system being developed) the FDA put out new guidance on cybersecurity protections for insulin pumps.

The communication between your phone/pump or glucose sensor/pump is encrypted now for all newer devices.

> Diabetic companies like Insulet have been very lax when it’s come to the hacking of their devices

Absolutely not true, not any more.

Group_B

an hour ago

No it's true. Companies like Insulet and Dexcom could send out lawsuits to all the open source projects out there that involved REing. Dexcom's glucose share API was REed years ago, and Dexcom hasn't even tried updating or stopping the use of unofficial APIs. All I'm saying is that the companies really don't care at all.

lacoolj

9 hours ago

So can someone tell me - a non-insulin-dependent individual - why would an insulin pump need to be (controlled by?) a phone (in this case, the Nuu phone referenced)?

Surely there is a way to cheaply obtain bluetooth and a controller without saying "we'll just use this already existing hardware - that happens to be a whole-ass phone - because it's $5 from China"?

Kinda feels like that just screams data-stealing, regardless of where it was made.

martin_bech

9 hours ago

Security… The PDM is walled off completely, it cant install apps, its not on wifi, you cant change any settings. The issue is that a PDM technically could easily kill you, by giving you a lethal dose of insulin.

Funny thing is that the newer Omnipod 5 from the same company works with regular phones now, but only in th US.

mlsu

9 hours ago

Until recently, if you offered a pump that _could_ be controlled by another device (such as a phone) you would have to offer your own "controller" device, even if 99.9% of your customers have a phone already.

So, this companion device is kind of a thing that Insulet had to release. You'll see this with CGM's too -- there's a small companion device sold with the Dexcom G7 (the "controller"), even though everyone just uses their phone.

This is kind of a regulatory quirk; basically from the FDA's point of view you had to have a complete standalone system, that did not include the phone, in order to be able to prescribe it. I think they do not require companion devices any more, it's OK to release something that requires the user to have a phone.

lacoolj

9 hours ago

So essentially, it's like this?

"we plan on users having a phone to connect to it and use primarily. FDA requires a primary/backup. well it's already phone-controlled, go find a phone that works with it. needs to be cheap, cuz no one will really use it anyway"

That makes a little more sense. I was imagining the development process involving both devices, rather than one device first, then determining what the second would be later.

Thanks for the insight!

martin_bech

9 hours ago

Its also for security.. outside the US, you still cant use a regular phone with the omnipod.

ianburrell

2 hours ago

One thing is that you need to tell the insulin pump when you eat food so it can deliver insulin to cover the food. I bet that is a lot easier in an app than some separate controller device.

Insulin pumps are paired with glucose monitor. I bet it is handy to check glucose levels to make things are stable and correct if off.

billforsternz

3 hours ago

I recall idly looking through the manual of our Bosch dishwasher when it was delivered and seeing that they offered to share GPL'ed source code from the machine's embedded guts. I thought to myself, "that's kind of interesting, I'll take them up on that". So I emailed the address they provided for this purpose. I got an auto email back saying, effectively, "No. You're not an authorised person, we don't recognise your email address, we don't know who you are, we're not going to talk to you."

Oh well. Big Corp doing what Big Corps do. Paying lip service to legal requirements, but reluctantly and with barriers that would no doubt take a lot of time and money to even try and break down.

billforsternz

an hour ago

I was troubled by my own comment. How exactly did Bosch handle this? I went back and checked and in fact the rejection email came from their email server, it was an "access denied" type email that I originally misinterpreted as a "you don't have access" type message leaving me annoyed but really I took away and remembered a wrong impression. Looking more carefully, the message doesn't mean anything subtle, it just means the email address (oss-request@bshg.com for the record) doesn't exist. Which is bad, but not nearly as bad as I portrayed it above. Apologies (for the record) to Bosch.

mijoharas

11 hours ago

Out of interest is there a process to petition the FSF to take up something like this?

How do they triage and decide what to pursue?

LukeShu

10 hours ago

TL;DR: Not the FSF, but SFC; email compliance@sfconservancy.org

The dominant legal theory is that the GPL can only be enforced by the party holding the copyright. SFC's lawsuit against Vizio is strategically trying to establish precedent changing that; establishing that end-users are "third party beneficiaries" under the GPL, so others can enforce the GPL; but for now the copyright holder is the only one who can enforce it.

So the FSF could only take it up if the violation is on projects that do copyright-assignment to the FSF (i.e.: most GNU stuff). If you do find a violation of GNU stuff, the process is "email license-violation@gnu.org". I do not know what process Craig and Krzysztof use when triaging reports and deciding what to pursue.

Many Linux-kernel contributors (also, SFC member projects such as OpenWrt, Git, Qemu) have assigned their copyright to SFC or named SFC as their legal representative (also, SFC member projects; so SFC can take up something like this. Similarly, you can report violations to them by emailing compliance@sfconservancy.org (see https://sfconservancy.org/copyleft-compliance/help.html for more info).

Now, SFC is aware of more violations than they could ever possibly pursue, so they're strategic about pursuing ones that are high-impact. I'm not sure how they decide that. But I can say that medical devices are near-and-dear to them, between executive-director Karen Sandler's implanted defibrillator and policy-fellow Bradley Kühn's blood glucose monitor.

kalterdev

an hour ago

> This honestly disgusts me. GPL violations are already bad on their own, but on a medical device? That me, and thousands of people rely on to stay alive?

Disgusting is not respecting the producers who put together the device that wouldn’t exist otherwise, leaving thousands of people in pain or death.

raverbashing

11 hours ago

Good luck trying to enforce the GPL against a Chinese company

caminanteblanco

11 hours ago

Well it looks like insulet is the primary offender here, and Nuu (the Chinese company) is just the hardware manafacturer

themafia

10 hours ago

An actual good use case for tariffs.

HackerThemAll

8 hours ago

Is linking to the "old" reddit a sign of being superior to those who use the current version of reddit? I've spotted that numerous times over past few weeks here.

GaryBluto

8 hours ago

Why would you come to that conclusion instead of the obvious one being that the kind of people to use Hacker News are the same kind to prefer old Reddit?

RobotToaster

8 hours ago

Some of us just prefer the old version, so when we copy the link from our URL bar it's to the old version.