Excellent
Way to go, Sebastian and another victory for the GPL.
Sebastian Steck, a software developer based in Germany, has obtained the source code and library installation scripts for his AVM FRITZ!Box 4020 router, thanks to a lawsuit funded by the Software Freedom Conservancy (SFC). According to an English translation [PDF] of the July 2023 German complaint [PDF] filed in a Berlin court …
"There is now no doubt that both GPL and LGPL mandate the device owner's ability to make changes to the software in the flash memory so those changes persist across reboots,"
I don't see that appearing in the GPL/LGPL terms, only the usual about publishing the derived source code which of course often includes the build scripts too.
They seem to be making this all about right to repair vs ensuring open source code remains open source, and stretched their personal interpretation of GPL/LGPL to fit.
The litigation might have ensured they got access to the derivative source code but I don't see it comes close to doing what they say it does. Reality seems to be much more a classic enforcement of the basic source license terms plus a defendant deciding that doing a tidied repo dump was cheap.
It's great having access to the full stack and to be able to properly fiddle with the systems *but* I really can't see where the GPL/LGPL itself is responsible for granting the level of rights implied here.
Indeed the 'mandated ability' is total nonsense in the context (for example) of a system with a secured bootloader; you can be fully license compliant for all the code and make all the modifications available to the community, but that goes nowhere to getting something persistently running from the flash; that's something altogether different and outside the GPL/LGPL scope.
Also be interesting to see where they think the right to repair becomes the right to arbitrarily modify as that's never been quite the same thing and only muddies the waters towards achieving the former.
Well that depends, decompiling and reverse engineering are a thing and not all compiled apps are difficult to decompile. Java and C# applications for example are usually quite easy to decompile. Router firmware bins and bootloaders are usually quite easy to decompile as well...I do it regularly. You'd be surprised how often the bootloader is used to store goodies like encryption keys. Decompiling bootloaders is a nightmare scenario for a lot of folks...because it is their last bastion of "odds based" security..."yeah it's not perfect, but what are the odds that someone is actually going to do that though?"...sorry guys, the odds are pretty high...*spins binwalk around his finger and puts it back in the holster*
It's not the best way to be able to get source though, because decompiled code is usually not identical to the actual code used to compile the binaries...i.e. it won't have any comments in it, it won't be formatted nicely and won't have any of the human written nice variable names etc etc but it can be modified and recompiled...that said, AI has made it a lot easier to convert decompiled code into something much easier to work with...you don't hear about that very often though because most people seem to be using AI to write JavaScript and so on...but it is happening.
At some point, could be quite a way off or could be close...who knows, it won't matter if you can protect your source code or hide behind licenses, obfuscation or encryption...AI will be able to either replicate it easily or decompile it then re-factor quickly.
I suspect we will enter a time where software (most of it, probably not all of it) won't be as valuable as it is now...the threat isn't that AI might take coding jobs, the threat is that AI makes coding jobs basically worthless and at the same time make all the various licenses and protections out there basically worthless as well...it already is to a small subset of software engineers...I haven't cared about license restrictions, timebombs and activation mechanisms for a long time...if I want in to some firmware, I get in...if I want the functionality of a given product, I just grab the firmware, decompile it and take the bits I want...given that most hardware these days is derivative, it's not outlandishly difficult to mix and match features from things and get it running on a different hardware platform.
For example, take the Wifi Pineapple...the underlying hardware is pretty basic stuff, there are no custom chips there...it's a specialist bit of kit, because of the software, but not specialist hardware...as long as you have a platform that has a similar CPU, their binaries will run on it and they have two builds. MIPS and ARM...you can find plenty of used MIPS and ARM kit out there with loads of radios that will run the binaries...like dirt cheap used Meraki kit.
It's great having access to the full stack and to be able to properly fiddle with the systems *but* I really can't see where the GPL/LGPL itself is responsible for granting the level of rights implied here.
Had AVM written code themselves to do whatever uClibc does (without violating uClibc's copyright), then Herr Steck would have had no standing to request AVM's code.
But because AVM advantaged themselves of someone else's work licensed under LGPL, they were obligated to adhere to its terms.
The LGPL might mean the manufacturer has to publish their modifications to the source code but that's still not "mandate the device owner's ability to make changes to the software in the flash memory so those changes persist across reboots"
The GPL license doesn't even come close to what's claimed there, especially what's very specifically described.
They apparently claim a right to be able to reflash a device and the GPL has nothing to do with that. An implemented right to repair may grant that in various forms (often in reality very limited by other legislative concerns) but the GPL is about the 'source code' only and nothing more.
I can only hope something has got lost in translation from German and they didn't actually say anything about a mandate at all.
I think you're conflating two different things.
The plaintiff (don't know what it's called in what'd be a US equivalent German civil courts) was missing required components so that they could update that LGPL-covered code to do what they wanted with that component's logging. Whether those changes were persistent across reboots or entered in manually via CLI after reboot doesn't have any bearing here.
The concern here was that uclibc's license requires where it is statically linked to an application, that that application be provided at a minimum as an object, so that, in the author's own words, "[t]his will (in theory) allow your customers to apply uClibc bug fixes to your application." [0]
Also, I am presuming that AVM statically linked the library in their application, since uclibc's license states, "[y]ou can distribute a closed source application which is linked with an unmodified uClibc shared library. In this case, you do not need to give away any source code for your application." [0]
As I stated previously - it was the prior decisions made by AVM here that forced their own hands before the Court, not the plaintiff.
[0] - https://uclibc.org/FAQ.html#licensing
The GPL means I need to be given everything necessary to replace the original software.
In case of an iOS app I need to have everything to hand the software to Apple to put it on the AppStore. If it crashes and Apple stops it, my problem. Definitely not going into the iPhone's flash memory.
In case of router software, the original software is in flash memory and gets loaded at startup into RAM. I must be able to do the same thing with replacement software.
>In case of an iOS app I need to have everything to hand the software to Apple to put it on the AppStore.
Apple totally forbids free software from their cr...apple iOS "store", as they don't want the users to have freedom - they require that any distributed software is under a certain kind of proprietary license.
If Apple finds out that someone has published GPLv2 or GPLv3 software, rather than respect the users' freedom and follow the license terms, they choose the option of license termination and cease distribution of the software; https://www.fsf.org/blogs/licensing/more-about-the-app-store-gpl-enforcement
>They apparently claim a right to be able to reflash a device and the GPL has nothing to do with that.
Ah yes, yet another one who has never read the GPLv2 or LGPLv2.1 before deciding to comment on them.
Please read them;
https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html
https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
>the GPL is about the 'source code' only and nothing more.
The GNU family of licenses is about the users' freedom to exercise the 4 freedoms, not merely half of freedom 1; https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms
As per section 3 of the GPLv2;
"The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and ***installation*** of the ***executable***."
This wording was very specifically chosen to mean that the user must be provided scripts that will actually compile and install a working executable, so they have all 4 freedoms with the software.
The GPLv3 is actually weaker in this sense, as it permits not providing the key for or instructions to break digital handcuffs for commercial-only hardware.
The LGPLv2.1 is a lot more complicated and has more text than can be reasonably quoted here, but requires that the user is provided everything they need to replace the library with their modified version.
Even then, in the absence of digital handcuffs and with an available working UART interface, provided the actual source code, any reasonably skilled programmer that also knows how to run tftp or externally flash a SPI flash chip will be able to install modified versions of the software, although won't be able to if provided anything less than the complete corresponding source code.
"a right to be able to reflash a device"
Sure, but to date I've never seen a device that actively tries to prevent a ROM chip being reflashed...it's not easy, I'll grant you, but it's not impossible.
I think when it comes to "right to repair" there is often confusion between something being deliberately impossible to fix and just being technically quite difficult. I think it's important that deliberate attempts to reduce repairability be stopped dead in their tracks, but making things easier for the sake of it might not be a great idea...it could lead to crappier quality, less robust tech. For example, a completely sealed unit isn't necessarily a bad thing if you require your device to be waterproof / splash proof...that increases the difficulty of a repair, but doesn't make it impossible to repair...covering the board in resin and blacking out identifiers off chips makes the board basically impossible to fix, intentionally so...that is no bueno.
In short, the right to repair has more to do with the intentions a manufacturer may have, rather than the difficulty of a repair. A lot of people seem to think "right to repair" is synonymous with "easy to repair"...they're not the same thing.
I firmly believe that tech firms should be forced into allowing devices to be repairable...but not necessarily to make those repairs easy...there are often compromises that need to be made in order for a repair to become easy that being tech becoming chunkier and less robust or just more expensive in order to socket everything etc...but no compromises need to be made to enforce a general "right to repair" on the side of the consumer, that only emphasises that certain practices be banned...resin coating, blacked out chips, restricting access to parts, proprietary connectors, proprietary tools etc etc.
>I've never seen a device that actively tries to prevent a ROM chip being reflashed
A Read Only Memory chip is impossible to reflash.
Many laptops actively prevent you from reflashing the SPI chip by applying a write restriction, with flashing only permitted with the manufacturer's proprietary flasher (that often only flashes signed images), which appears to enter an undocumented write-unlock mode - although you can just externally reflash.
I've seen devices with an undocumented internal read/write method for the SPI flash chip, with incompetent wiring of the chip, meaning the only way to dump or flash it is to power on the device and hold it in reset in some way, or desolder the flash chip.
You're thinking of a "right to replace individual components", as individual resin or ceramic sealed SMT components are next to impossible to repair.
>there are often compromises that need to be made in order for a repair to become easy
In my experience, decent construction techniques that result in quality hardware also make repair easier.
There are several sections of the LGPL that are relevant. One states that the "data and utilities" necessary to reproduce the "combined work" must be provided. The combined work is the application code and library code, with the latter being the LGPL portion. A later section says the end user must be able to replace the library with a modified version by relinking it regardless of whether the application is statically or dynamically linked. I'm assuming from the wording that the modified library is API compatible for dynamic linking so the application code does not need to be provided in that case, but the license talks about the application code being provided if the application was provided in a statically linked form.
I'm surprised someone hasn't provided this answer yet, but the important part is LGPL 2.1. You are right that the typical GPL and LGPL version 2 does not require that you be able to install modified software on hardware that ran the original. This meant that lots of people made embedded Linux devices where you couldn't replace it, and the FSF hated that. Around 2006, they decided to change it, so they added provisions requiring that you can do that to version 3.0 of the GPL and 2.1 of the LGPL. The debate went under the term "tivoization", named after a company, TiVo, that had an embedded Linux box. Since Linux remains GPL 2 only, you can still do that, but you aren't supposed to do it with GPL3 or LGPL2.1 components. People do it all the time, but they can lose in court.
Here is some of the relevant text from the GPL. The LGPL refers to the GPL for a lot of this and says you have to use it, so I have to quote from the GPL to demonstrate:
“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).
>that the typical GPL and LGPL version 2 does not require that you be able to install modified software on hardware that ran the original.
The GPLv2 does require that the user is able to install modified software;
As per section 3 of the GPLv2;
"The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and ***installation*** of the ***executable***."
It's just too much a pain in the ass and too risky to get a judge in court to understand that an executable is object code that actually executes, thus the FSF wrote a new version that made the requirements crystal clear (the GPLv3) and at the same time fixed other found freedom bugs and even went so far as to permit handcuffing of those who actually want to be handcuffed for some reason (some commercial users).
Your reading is not correct. Scripts needed to install the software is not the same as access to the environment where the software is installed. The part in the GPL v2 means that I can't provide you some mangled source and tell you that I run a script to assemble this to something useful so it runs but I won't give you that. It was a loophole that they considered at the time, but they either did not consider or didn't object to unreplaceable embedded software. I have a feeling that it was that they didn't think about it back in 1991. However, following the addition of those terms in version 3.0, there are some who do not approve of that term and opt to license their software under V2 alone. Such people include Linus, who could not have relicensed Linux unilaterally but could have supported a change (he expressed support for V2 only), the people who make Busybox (who are no traitors to open source as they've probably sued more license violators than almost any other project), and plenty of others.
>Your reading is not correct. Scripts needed to install the software is not the same as access to the environment where the software is installed.
My reading is the correct one; https://sfconservancy.org/blog/2021/jul/23/tivoization-and-the-gpl-right-to-install/
"the executable" was very carefully chosen to mean into the place where the software is installed for usage.
The manufacturer can sabotage their aggregated proprietary software and make them no longer run (to make the exercise of the freedoms have a cost and to prevent them from writing free replacements to that software) and there's no wording in the GPLv2 that legally can do anything about that.
>I have a feeling that it was that they didn't think about it back in 1991.
rms thought about it when he was writing it and he meant what he wrote;
"The intent of the GPLv2 is clear and always has been: to allow reinstallation of modified versions of the GPL'd software into the same place where the binaries were installed when you got the computer in the first place, and to reap the benefits of that change. It's ludicrous to suggest Stallman meant anything other than that when he wrote GPLv2."
>Such people include Linus, who could not have relicensed Linux unilaterally but could have supported a change (he expressed support for V2 only)
Linus left it ambiguous whether he licensed GPLv2-or-later or GPLv2-only until 2000, where he finally noted that the license is GPLv2-only.
Once Linus saw GPLv3, he didn't like how it defended the users' freedom effectively and so he did absolutely everything he could to prevent the possibility of a license upgrade.
Many Linux developers only seem to actually enforce their license against freedom (free software kernel module that respects the users' freedom licensed under GPLv3-or-later? I'll enforce my license. Proprietary software derivative work? That's alright - I'll maintain it too.).
>the people who make Busybox (who are no traitors to open source
Every "open source" supporter who knows what free software is and what "open source" is and intentionally bootlicks corporates by writing "open source" where free software belongs are traitors.
BusyBox was previously licensed GPLv2-or-later and then some traitors who wanted to prevent enhanced user freedom re-licensed it to GPLv2-only.
There are thankfully few projects licensed GPLv2-only - many projects are GPLv2-or-later, although many projects have sloppy licensing and it's unclear if they're -only or -or-later.
We have different opinions on most of the things where the issue is an opinion. We also appear to have different opinions on some parts that are more factual. I'm not sure we will get anywhere by debating it, but I would suggest that your reading of the facts is not what courts have decided, and my reading of the facts does correspond to what courts have allowed and forbidden. That includes the statements in the article you linked. That may mean that courts are generally stupid; I've seen evidence to assume so now and again, but it also determines what I expect to happen if I try to assert rights that don't appear to be there.
If we read things into a license based on an assumption of what the writer must have put there, using the logic that they wanted it, so surely they wrote it, we expose ourselves to risk. Contracts are a lot like programs. The program doesn't care what you wanted. The program only cares what you said. Also like programs, contracts are exposed to attack from people who will find gaps in what was written so they can do things that they want. By all means argue about what you think they should say, although I caution you that attacking people who disagree with the vehemence you have is unlikely to convince people and may annoy those who already agree with you, but be careful that your desire for them to do something doesn't cause you to believe that they already do. If it turns out you're wrong, you've shot your own goals in the foot because, if you had realized what they didn't do, you could have made one that does do those things.
It can happen in most countries, it just requires cooperation of the copyright holder(s) and a willingness to face the cost and risk of suing.
There are also other options than litigation - any substantial copyright holder can permanently terminate their infringed license and in the case that such devices get shipped between countries, request that customs of the relevant countries seize the products that infringe their copyright.
I'm pretty certain that the list is European Union members (list of 27). That doesn't make it right. German court decisions do not automatically apply in other EU states. EU-wide courts did not consider this matter. It probably will work in those other states, as well as many other countries, for the reason that the license isn't exactly unclear about having to do this. It mostly comes down to how much you're willing to argue for it. Cases affirming the GPL and LGPL are not new and not unique to Germany or Europe. There are probably some corner cases for when some company has come up with a new technical or legal loophole and they're trying that, but most people who violate those licenses take the "just do it and see if anyone actually sues us" plan.
In this case a German developer went through German courts to get redress from a German company. Not all software access claims will be so easy in relation to local law where the manufacturer operates. However, for consumer electronics containing free software with enforceable licenses, these apply to distributors also, and effective cease and desist demands against distributors until conditions are met will force the manufacturer's hand if distributors decline to distribute the offending product otherwise.
> Perhaps they have seen the light as they didn't appeal.
We can hope. The acid test will be whether they continue to use (L)GPL-licensed code in their products, or move to using building blocks licensed under more commercially-permissive terms. Fingers crossed that they don't draw from this experience the lesson that "GPL is too onerous" :(
>the BSD licence
Which BSD license?
There is the 4-clause, 3-clause, 2-clause, 1-clause & 0-clause and also many other special modifications.
Businesses don't like 4-clause, but they gladly go ahead and infringe the terms of the 3-clause with glee and nothing ever happens to them, as it seems those who write proprietary software totally gratis actually want freedom to be taken from them (a bad idea, although you should be free to hurt yourself) and also others (a very bad thing to happen that should not happen).
Please reconsider writing "FOSS" - people assume that means gratis, source-available software (as there is no good short explanation as to why it doesn't mean that) - if you intend to be neutral between freedom (free software) and bootlicking corporates who don't like to hear about the users having freedom ("open source"), please write "FLOSS"; https://www.gnu.org/philosophy/floss-and-foss.en.html
Personally I am not neutral - I demand nothing less than freedom and I'm not afraid to say it.
>"do unto others and be nice"
No GNU copyleft free software license requires that you be nice to anyone - you are not required to help the users with modifying or sharing or running the software - all they require is the bare minimum of not trampling on the users' freedom.
Companies who act as I want them to act will find me as a customer for life. Customers who don't will find me an expensive adversary. Example, I used to be a rather rabid fan of GM automobiles. When I needed a car, I headed to a GM dealer without even looking at other makes. Then, they screwed me over on a couple of new cars by denying warranty claims for known issues. That wasn't just at the dealer level either, that was after appeals to corporate. End result, the last new cars I bought were not GM products, costing them around 75,000 dollars in sales overall. I also know for a fact that I've caused 12 people to change their minds on buying a new GM, so that's about 500,000 in sales they lost due to pissing me off. I seriously doubt I'll ever buy another new one, but as a known car guy I know I'll have the chance to divert more sales away from GM in the future. If I do ever need another new one, I'll most likely buy a Mercedes sedan or either a Dodge or Japanese pickup truck.
Companies that make it easy for me to own, use and repair what I buy from them get my return business and recommendations to others, companies that don't, don't. We all need to be like this, until companies get it through their heads that the customer, not the shareholder, comes first. A happy customer is a repeat customer, and a repeat customer ensures shareholder profits.
>costing them around 75,000 dollars in sales overall
>500,000 in sales they lost due to pissing me off
You don't cost them anything.
They just certainly didn't get sales that they probably wouldn't have gotten anyway.
Corporates would love it if people had no choice but to give them more money, but that isn't the case outside of proprietary software, where unless you bust out another thousand and hand it to the proprietary master, the software stops working (oh wait, it regularly stops working even if you are paying and you have to hope re-logging in works) and there are enough digital handcuffs to make it difficult and costly to even choose another master (you can instead choose to go with free software instead, but that requires putting in the hard work to resolve proprietary sabotage and only then do the costs massively drop).
Of course they're working on the proprietary software in cars to try to make it hard to simply go with another brand - many are already very good at making it hard to choose to go to a different mechanic for services and also there were per brand proprietary electric car charge connectors with handshaking with proprietary software until some standardization was forced.
Mercedes and BMW, somewhere in 201x, decided to focus on making more profit and the quality of both dropped to rock bottom level.
Not only that, the price of spare parts rose to sky high at the same time. BMW has always had expensive spare parts but now they doubled on that.
Here in EU Merc is (or at least was, in 2014) giving guarantee for 100k km or 5 years, whichever comes first. If your airbag sensor breaks after 6 years (but under 100k), it's too bad, pay it yourself. Which it did.
~1000 euros for 50€ sensor as they won't sell you the sensor alone, you need to buy whole seat cushion. And another 1k € for replacing the seat cushion at the dealer, 30 minute job, because it's 'airbag related' job.
Eventually I replaced it myself, with a used sensor (~65€) and sold the car and thought that no Mercs for me .... unless they're vintage models, the Good Ones(tm).
I have had a Fritz!Box 7360 for ten years and I think it's great.
When the phone and broadband come in on the same wire, the same device should handle them both (router and cordless phone and answering machine combined), which Fritz!Box does. It sends me an email whenever there's an incoming call, so I can pick up messages when I'm out. It has more diagnostics than I understand.
It could be even better if its operating system were fully open-sourced, so that people could improve it.
But I hope this legal action doesn't harm the company or their product.
I'm a happy AVM DSL router user but I cringe at the fact that this company is paying lip service to the GPL and other open-source licenses. Their use of open-source software is very much a one-way street and that irks me a lot.
I would recommend AVM develop their own microkernel operating system and all device drivers and upper layer software so they can do whatever they please with it. But stop taking advantage of open-source software without even caring to abide by the license.
>FRITZ!OS is simply a modified version of Linux, licensed under the GNU General Public License, Version 2
>but several of its libraries – uClibc, libblkid, libexif, and libosip2 – are licensed under the Lesser General Public License, version 2.1
That's not simply a modified version of the kernel, Linux, licensed under GPLv2-only is it?
>not every company concedes as AVM did.
I don't see how ceasing to carry out intentional copyright infringement is to make a concession.
>Gingerich said that if the SFC prevails in the Vizio case, scheduled for trial in September, 2025
It's quite sad that such an open and shut case of intentional copyright infringement has been drawn out for so long.
>who failed to provide the software right to repair and modify that was given to them when they made the device
I don't know why the SFC writes about "right to repair", instead of the users' right to freedom, and furthers the confusion that there is only one Lesser GPL version and one GPL version.
jxself wrote quite a nice legitimate criticism to the SFC for doing so, but the SFC demanded he censor himself and unfortunately he did so?; https://techrights.org/n/2024/12/05/Software_Freedom_Conservancy_SFC_Has_Asked_a_Blogger_to_Delete_.shtml
>With examples of copyleft compliance like the OpenWrt One and ThinkPenguin routers, companies know what they need to do to comply.
The "OpenWRT One" is not compliant - the proprietary derivative work of Linux that runs on the Wi-Fi card infringes the GPLv2 ("For an executable work, complete source code means all the source code for all modules it contains") - but of course the SFC permits that kind of copyright infringement.
Meanwhile, ThinkPenguin, who does care about the users' freedom, does indeed comply with the GPLv2.