Earlier this week, open source developer Harald Welte personally handed over warning letters to 13 technology companies at the CeBIT technology show in Hannover, Germany, including telecoms giant Motorola and PC manufacturer Acer.
Welte is one of the core developers of the Linux kernel firewall engine Netfilter/iptables and the maintainer of the packet filter subsystem in the Linux kernel. In 2004 set up gpl-violations.org, which aims to prevent companies from contravening the rules set down in the GNU General Public License.
Since setting up the project, Welte has made 25 agreements with companies that were violating the GPL, as well as setting up two preliminary injunctions and one court order. Each of these companies used GPL code in products they distributed without making the source code available, as is required by the licence.
ZDNet UK spoke to Welte about tracking down those companies that violate the GPL and how he persuades them to comply.
Q: Why is it important to stop people from violating the GPL?
A: You can use all the code out there for free, but if you do modifications you have to give them back to the community — it's a fairness thing. If we allowed violations to become common, the system would be out of equilibrium. This would result in fewer contributions and it would have a large negative impact on the motivation of developers.
How do you find out whether companies have used GPL licensed code?
It's quite hard without having the source code. All you can do is look at the firmware with a hex editor. You can often spot error messages or function names from GPL-licensed code. For example, there is an error message in the Netfilter code that says, "Rusty needs more caffeine." If someone writes a firewall they are very unlikely to come up with the same error message.
If somebody wants to obfuscate the fact that they have used the [GPL-licensed] source code, they can write a program to automatically change the error messages or strings. But if they try to hide it, it's a wilful copyright violation, which is a more serious legal offence.
What happens when you tell companies that they are violating the GPL?
Lots of companies that we are going after are resellers, so even if the device is sold as Fujitsu Siemens, it's not made by them, but is an OEM device. With resellers it's easier as we simply tell them, and they then put pressure on their upstream vendors.
In some cases we got an out-of-court agreement and the company agreed to stop distributing software that doesn't comply with the GPL license, but then did it again. This happened with Belkin and Netgear — half a year after signing the agreement, they introduced new products that came without any indication of source code availability. This has now been sorted out and they are fully compliant.
In general, we haven't had trouble persuading companies to comply, apart from [PC connectivity company] Sitecom.
What happened with Sitecom?
When we found out about Sitecom's GPL violation, my lawyer asked them to sign a declaration to stop distributing software that didn't comply with the GPL license. We didn't receive their signed declaration within the deadline, so we applied for a preliminary injunction. After they received the injunction they filed an appeal. The court ruled that it will uphold the preliminary injunction.
[More information on the Sitecom case can be found here]
Even though you have won every case so far, surely there's potential cost involved in pursuing these cases?
There is a cost of €10,000 per case, although the party who loses the case pays all the legal fees. It's not that I have that amount of money spare, but it's worth the risk.