Defender of the Linux faith

Linux kernel developer Harald Welte talks about the challenges of single-handedly tackling companies that violate the GPL
Written by Ingrid Marson, Contributor

Earlier this week, open source developer Harald Welte personally handed over warning letters to 13 technology companies at the CeBIT technology show in Hannover, Germany, including telecoms giant Motorola and PC manufacturer Acer.

Welte is one of the core developers of the Linux kernel firewall engine Netfilter/iptables and the maintainer of the packet filter subsystem in the Linux kernel. In 2004 set up gpl-violations.org, which aims to prevent companies from contravening the rules set down in the GNU General Public License.

Since setting up the project, Welte has made 25 agreements with companies that were violating the GPL, as well as setting up two preliminary injunctions and one court order. Each of these companies used GPL code in products they distributed without making the source code available, as is required by the licence.

ZDNet UK spoke to Welte about tracking down those companies that violate the GPL and how he persuades them to comply.

Q: Why is it important to stop people from violating the GPL?
A: You can use all the code out there for free, but if you do modifications you have to give them back to the community — it's a fairness thing. If we allowed violations to become common, the system would be out of equilibrium. This would result in fewer contributions and it would have a large negative impact on the motivation of developers.

How do you find out whether companies have used GPL licensed code?
It's quite hard without having the source code. All you can do is look at the firmware with a hex editor. You can often spot error messages or function names from GPL-licensed code. For example, there is an error message in the Netfilter code that says, "Rusty needs more caffeine." If someone writes a firewall they are very unlikely to come up with the same error message.

If somebody wants to obfuscate the fact that they have used the [GPL-licensed] source code, they can write a program to automatically change the error messages or strings. But if they try to hide it, it's a wilful copyright violation, which is a more serious legal offence.

What happens when you tell companies that they are violating the GPL?
Lots of companies that we are going after are resellers, so even if the device is sold as Fujitsu Siemens, it's not made by them, but is an OEM device. With resellers it's easier as we simply tell them, and they then put pressure on their upstream vendors.

In some cases we got an out-of-court agreement and the company agreed to stop distributing software that doesn't comply with the GPL license, but then did it again. This happened with Belkin and Netgear — half a year after signing the agreement, they introduced new products that came without any indication of source code availability. This has now been sorted out and they are fully compliant.

In general, we haven't had trouble persuading companies to comply, apart from [PC connectivity company] Sitecom.

What happened with Sitecom?
When we found out about Sitecom's GPL violation, my lawyer asked them to sign a declaration to stop distributing software that didn't comply with the GPL license. We didn't receive their signed declaration within the deadline, so we applied for a preliminary injunction. After they received the injunction they filed an appeal. The court ruled that it will uphold the preliminary injunction.

[More information on the Sitecom case can be found here]

Even though you have won every case so far, surely there's potential cost involved in pursuing these cases?
There is a cost of €10,000 per case, although the party who loses the case pays all the legal fees. It's not that I have that amount of money spare, but it's worth the risk.

What do companies need to do to make sure their software is GPL compliant?
The only thing you need to do to comply with the GPL license is to release the source code. GPL offers two possible ways — you can either include the source code when you distribute the binary program, or you can provide a written offer to provide the source code, which must then be provided to all third parties that request it. If companies are only using GPL-licensed software internally, they only need to distribute the source code to their employees.

What source code do companies need to release?
The free software parts that they have used and anything that is derived from that. If they write additional programs, for example, a front end that is not derived from GPL licensed code, they do not need to release the code for that.

What gives you the legal right to pursue the GPL violations?
Most of the violations we're seeing are happening in the embedded market. They are running the Linux kernel and I have copyright on parts of the Linux kernel. In the cases that went to court, it was me as an individual copyright holder [against the company in question].

Everyone who writes code holds the copyright, unless they work for a company. Alan Cox is employed by Red Hat, so the copyright of the code he writes while at Red Hat is held by Red Hat.

You say on your Web site that you are hoping to get other free software enthusiasts involved, how is this going?
It's hard to find people who want to get involved in the project. Most developers don't mind reverse engineering code to show a lawyer that there has been GPL violation. But dealing with lawyers is something that most developers are not keen on. I myself don't like dealing with legal issues as it keeps me from writing code.

What is the future of the project — will you keep running it independently or will you try get the help of other organisations?
I'm still evaluating the options. I've been talking to my lawyer and to Free Software Foundation (FSF) representatives about this. There are two options — to do it within the FSF Europe, or to fund a separate not-for-profit organisation.

Whatever organisation it might be, if it gets involved legally it will need to draw up an agreement with the copyright holder. Some developers might not want to sign an agreement with the FSF. I personally don't have any problems with the FSF, but some people think it's too religious. Some people wrongly think the FSF equals Richard Stallman [President of the FSF], and some people have an issue with Richard.

Some people have criticised the GPL for being business-unfriendly, what do you think?
I totally disagree.

How do you think the GPL compares with other licenses?
It's a philosophical question. The BSD licence allows you to integrate and modify without giving back modifications, while GPL expects you to give back modifications. These are two philosophies of how you develop software. Which you chose depends on the project, for example, if you have a new standard and want it to spread quickly, it's better to use the BSD licence, rather than the GPL.

Editorial standards