To me this doesn't really look like a clear cut case. Does he own one of these cars? If not, then I think it is very dubious whether he has any standing to request the source code. If he does then included with the car should be an offer for how to access the GPL source code. He should have followed that (or clearly stated that he could not locate it in his email). The requirement for him to enter the VIN to access the source code does not seem unreasonable since they are only required to distribute source code to customers, and he has simply emailed them out of the blue asking them to give him the source without any proof that he's a customer. The statement about BMW being the "sole owner" is probably concerning proprietary parts of the software that may not be subject to GPL at all. It is probably way beyond the skills of some random customer service rep to distinguish the subtleties of those kinds of things.
This kind of interaction actually looks to me to be counter to the spirit under which the Free Software Foundation tries to administer the GPL - which is that they work cooperatively to help companies comply rather than try to trick them into legal hot water. I agree with the FSF approach and I don't think this sort of PR ambush type tactic is helpful in promoting the use of free software.
> To me this doesn't really look like a clear cut case. Does he own one of these cars? If not, then I think it is very dubious whether he has any standing to request the source code.
(All section references below are to GPLv2, since that is what the Linux kernel uses)
Section 3 governs distribution of object or executable code. Section 3 gives these requirements:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
BMW is distributing commercially and they did not receive the program in object or executable form, so option "c" is out.
They are not distributing the source code with their cars, so option "a" is out.
That leaves option "b", which requires them to give the code to any third party that requests it, at no more than their cost of performing a source distribution.
I agree the VIN thing is a red herring. Seems to me the bigger problem is this (emphasis mine):
"I have confirmed with our technical department who advised that to access the software download site the BMW Customer must provide the 7 digit VIN and accept the usage rights agreement. Part of the usage rights agreement states that the software is protected by copyright and BMW is the sole owner. So in this case it is not subject to the requirements of a "Public" licence."
They're denying that their software is even GPL and imposing extra restrictions on use. That's a problem, if it does indeed include GPL code.
No, the offer for source must be to anyone -- the supply of a binary may be limited. BMW cannot be the "sole owner" of the copyright -- even if they own the part they wrote, they must still supply source for the GPL parts.
I only tweeted the refusal after several verbal attempts to speak to someone in legal. My preferred approach - as it was when I dealt with Telstra over a similar issue - is to find the right person and sort things out with them.
BMW Australia, however, were quite hostile, refused to let me speak to anyone in legal, and told me verbally that I'd have to sue them in order for them to release the code to their customers.
I'm much less inclined to spend time resolving things smoothly and quietly at that point.
it is very dubious whether he has any standing to request the source code
That may be, but this tidbit is somewhat alarming to me:
[the user must] accept the usage rights agreement. Part of the usage rights agreement states that the software is protected by copyright and BMW is the sole owner
There's two red flags here for me:
- asserting copyright through an EULA
- additional "licensing" requirements for obtaining the source code
I'll take a guess based on the filename "ConnStarter" in the BMW firmware that ConnMan is the primary GPL'd software. As the BMW site says: "The ConnMan project provides a daemon for managing internet connections within embedded devices running the Linux operating system.... ConnMan is available under the terms of the GPL v2."
The linked site may be useful, but where on that site did you find a download link for the specific software version (including modifications) used? All I see is a generic link to ConnMan's project website. I don't think that suffices?
What GPL licensed software are they actually infringing upon? The linked post[1] says they found mentions of systemd, but does the firmware actually contain a linux kernel? I don't see anything that looks like a kernel in the file listing.
Also if the firmware is properly signed delivering it over http shouldn't matter, right?
The specific update here is just a delta update, and doesn't contain the entire firmware. But it does contain shared libraries built for running on a linux system, so it stands to reason there's a linux kernel running somewhere there.
(On that note - has someone sent a similar request to Tesla - they've at least semi-officially said they're running Linux)
Frankly: given recent news (hacked jeeps, software used to cheat on emission tests) I think it is time to _require_ _all_ software used on vehicles that transit on public roads to be open sourced and available to the public.
(for independent testing and verification in the name of public safety)
Vehicles aren't the only things running software that might need verifying. Far from it. While I wholeheartedly agree that it would be an amazing step, I also fear the huge backlash from the car and IT industry. Doing this more gradually probably works better, perhaps requiring open source (I'm not talking freedom of modification or redistributing or anything yet, just viewing source code) for software older than x years (like the patent model a bit, 20 years or so).
Of course Windows 10 wouldn't have to be open source just because Windows is older than 20 years, but Windows 95 would be.
Anyway, that is just one of the many possible ways. I just think we should be wary of people stuck in the old ways and not limit the move to just cars.
I think this problem is impossible to solve, and it's the same one faced by electronic voting.
How can you guarantee that the software running in the car is the same one provided by the car manufacturer?
A more detailed explanation:
You can't guarantee that software provided by the manufacturer and the dump you could retrieve from the car – through an API call, or through forceful means – are the same as the one which is running in the car because you can't know what's going on in the silicon inside epoxy packaging of the myriad of chips in the board.
Even if the hardware is completely open sourced, the manufacturer could use a different/modified microprocessor packaged/labeled/branded just like the one specified in the schematics, so that it could internally store and run the shady code from the manufacturer, while giving you a perfectly legit and signed dump as the one provided by the manufacturer.
Although I do agree that opening the software and hardware to public scrutiny would be a massive improvement on the actual situation.
At this point in time, having the software available would do more harm than good, considering that 90% (or more) of software development in the auto industry seems to be done by electrical or mechanical engineers with little to no training in software development, and even less knowledge about security and vulnerabilities.
The auto industry does have a plethora of coding standards and software processes, but not enough institutional knowledge and foresight to produce secure software for connected devices. The fact that it hasn't been too catastrophic so far is more a testament to the technical limitations of the bus systems and ECUs than real security, but that is rapidly changing with the advanced hardware being put in cars today.
It seems to me less like refusal to comply with the terms of GPL, and more like denial that they use GPLed code.
> I have confirmed with our technical department who
> advised that ... the usage rights agreement states that
> the software is protected by copyright and BMW is the
> sole owner... it is not subject to the requirements of a
> "Public" licence
That may or may not be the case, but to me that doesn't say "yeah we use, na you can't have it".
I'm confused here. Where is the evidence that they've modified GPL'd software, which they are then distributing, and are refusing to distribute the source code for their modifications?
Looking through the user's Github account, they have a history of contacting customer support representatives of companies and threatening to post the transcripts to Hacker News if their specific legal concerns are not addressed:
Additionally, the emails are phrased more like a request than an indication of a legal requirement. I doubt the customer service rep knows what the GPL is, and won't get someone who does know involved until the fact that it's a legal matter is mentioned somewhere.
The fact that there was no further back-and-forth makes me suspect that the guy behind the email just wants to make a spectacle :/
Please correct me if I'm wrong. I thought the GPL only required providing the source code to the purchasers of the product. (Who can then redistribute it if they'd like.) I didn't think it meant that if you use GPL code in your product, then you are obligated to make your code available to everyone.
History has proven over and over again that naming and shaming works miracles. Companies that turned a blind eye and were completely unreachable suddenly turned active and kind just to save their reputation. Going to or even just threatening to go to the media, I know from experience, is indeed productive.
I am really curious where you got the idea that it's counter productive. Asking the conservancy to clean up this dirty work is expensive and takes forever.
Yeah, it's pretty clear the suit has no idea what they're talking about. I don't know if SFC operates in Australia, but probably they could get some attention from the US division of BMW.
Speaking of which, the SFC is currently running a fundraiser. If GPL enforcement is important to you, please consider signing up for a recurring donation. http://sfconservancy.org/
I disagree. The fact is that large companies like this are never open to "civil discourse and cooperative solutions" when it comes to copyright, trademark, or other intellectual property matters. BMW will see no reason to comply with the GPL. The only thing a big company responds to on such issues, other than bona fide legal action, is negative press. I think it'll be difficult to manufacture some over the technicalities of copyright compliance, but can't blame OP for trying and not wasting his time trying to navigate the corporate copyright labyrinth.
Source: I have a C&D from a Fortune 500 alleging that I violated some intangible rights. Their argument is weak, but I don't have the millions of dollars every lawyer I've talked to has said I'll need to see the case through (tens of thousands to even get started). I've spent 6 months trying to navigate their corporate structure and get in front of someone who matters. Everyone just tells me to sod off, with varying degrees of politeness. I have not yet been able to locate someone in the company who actually seems willing to have any discussion, and their law firm is obviously not open to this since their instructions were to shut me down. I'm considering the alternatives I have, and wondering if it's time to try to work the media and attempt to get some movement from them that way (though I don't really think this will work, it's becoming the only option).
I think that argument may have used to make sense in the 90s when open source was new and was trying to establish itself, mostly with a dream of "Linux on every desktop".
Now it has found its market and the ecosystem as a whole really couldn't give a damn if BMW is kind enough to use OSS or not.
> History has proven over and over again that this kind of public shame and blame approach doesn't help in any way, quite the opposite.
Can you please provide some evidence for this statement?
> Now that the bridges are burning, BMW will be far less open to civil discussion and cooperative solutions. Well done. #sarcasm
Depends on what your goal is. If your goal is to obtain the source code in this specific instance, and if you don't care about the efforts of open source contributors, then I guess it would make sense to privately "discuss" and "cooperate" with BMW.
On the other hand, if you want to scare companies into not stealing other people's work in the future, then I think naming and shaming is a reasonable strategy.
This is a clear case of rationalization about rules not applying to the powerful. Surely you would not expect BMW to care about "burning bridges" and value "cooperation" and "discussion" with you had they caught you stealing their IP.
I don't see any shame and blame yet. The only thing these emails show is the claim by BMW that no software not developed or fully owned by BMW is running on their cars infotainment system.
A shame and blame game would start when one analyzes the software updates, is able to prove that the above statement is a lie, and makes a big fuss about it. This would make BMW fear losing face and be counter productive, I fully agree.
Harald Welte founded gpl-violations (http://gpl-violations.org/about/) 12 years ago. They have been offline for some time, but it looks like they plan to continue with their activities this year: "Actual GPL enforcement activity is expected to resume at some point in 2016." Maybe they can help sorting this out.
Has anyone ever seen GPL being enforced in any country?
Won't this end with BMW uploading a tar.gz of a kernel found on kernel.org and call it a good working day?
Have seen it happen too many times, and in most countries the user has no claim on the license/copyright.
So unless I contributed/own some copyright found in exact Linux kernel version/other software used by a distributor, and buy their stuff, there is zilch I can do.
Which also means, you are free to sell/and break GPL software/license and as long as you don't upset somebody who owns the copyright to it, you're good to go.
Yes, and actually in BMW's home country, Germany. The summary can be read at this old Slashdot submission [1] from 2005 but the gist of it is that
> Harald Welte of the netfilter/iptables core team sought to enjoin Sitecom from distributing its WL-122 router, which used netfilter's GPL'd code, without also providing the source code and a copy of the GPL, as that license requires
and
> The Munich Court granted Welte a preliminary injunction [2] and then upheld that injunction [3][4]
I believe there are other instances of GPL being upheld in courts around the world and this one should be only one of many examples.
GPL is not even necessary in these cases, in the absence of the (GP) license it reverts to the default copyright rules, with all rights of copy and distribution being at the hands of the copyright holders (save for Fair use and other exceptions).
A company that would try to argue that GPL is not a valid license in court would actually be admitting in court that they are distributing the software without a license from the copyright holders all along.
Good. I'm sick of people walking over copyleft licenses generally. It's only because of copyleft that there exists a pro-sharing social norm in the software development community. If you kick down the GPL, the norm will shift back toward proprietary software everywhere. You, young developer, have no idea just how shitty a world that is.
I've gotten the same response from a company when requesting kernel source before. What is the best source for help in dealing with this? I reached out to GNU but got no response. I know the kernel isn't their project but didn't know where else to turn.
Is it a violation if they don't modify Linux itself? So if I make a device that runs Linux and my application binary, am I required to make my application code public?
You are not required to make your application public as it is not considered a derivative of the linux kernel. If you distribute the device you are required to provide your customers with the source code to the running linux kernel.
The exact details depend on multiple factors (are you linking to libraries? Are they considered system libraries?) and if you are actually thinking of doing this you should invest some time in investigating this, and probably in consulting a lawyer.
Note that this is all based on my layman's understanding of the law and the license, and I'm definitely not a lawyer.
Misleading title; it looks more like they in fact refuse to acknowledge at all that some of the code is someone else's.
> Part of the usage rights agreement states that the software is protected by copyright and BMW is the sole owner. So in this case it is not subject to the requirements of a "Public" licence [sic]
I.e. "This is all our software; there is no third-party GPL stuff in it, so we need not comply with any such license."
So it is strange for me even if I understand GPL.
Does it mean all the network routers running custom linux have to provide sources of entire modification?
I assume if we want companies to make use of linux on a wide level, there should be the ways to overcome this problem (if exists).
zmmmmm | 10 years ago
tzs | 10 years ago
dTal | 10 years ago
ratboy666 | 10 years ago
duncan_bayne | 10 years ago
tremon | 10 years ago
SyneRyder | 10 years ago
BMW Car IT: Open Source http://www.bmw-carit.com/open-source/
I'll take a guess based on the filename "ConnStarter" in the BMW firmware that ConnMan is the primary GPL'd software. As the BMW site says: "The ConnMan project provides a daemon for managing internet connections within embedded devices running the Linux operating system.... ConnMan is available under the terms of the GPL v2."
http://www.bmw-carit.com/open-source/connman.php
You can download the source if you like.
jmiserez | 10 years ago
dmm | 10 years ago
[1] https://shkspr.mobi/blog/2016/02/bmw-are-sending-their-softw...
noselasd | 10 years ago
Namidairo | 10 years ago
However on the other hand there are numerous references of it having Tegra in media too...
lucaspiller | 10 years ago
http://rene.rebe.de/2013-03-31/mini-connected-runs-qnx/
genericacct | 10 years ago
lucb1e | 10 years ago
boobsbr | 10 years ago
benwerd | 10 years ago
dognotdog | 10 years ago
OJFord | 10 years ago
strictnein | 10 years ago
rattray | 10 years ago
SyneRyder | 10 years ago
https://gist.github.com/duncan-bayne/74d6e38c506000982237
Manishearth | 10 years ago
greydius | 10 years ago
jwildeboer | 10 years ago
Hand this over to the Free Software Conservancy or the SFLC. And that should have been the first step.
Now that the bridges are burning, BMW will be far less open to civil discussion and cooperative solutions. Well done. #sarcasm
lucb1e | 10 years ago
coldpie | 10 years ago
cookiecaper | 10 years ago
matt4077 | 10 years ago
jMyles | 10 years ago
Is this true?
TelmoMenezes | 10 years ago
cnvogel | 10 years ago
fauria | 10 years ago
antocv | 10 years ago
luso_brazilian | 10 years ago
[1] Munich Court Again Enforces GPL: http://news.slashdot.org/story/05/04/14/2024258/munich-court...
[2] Preliminary injunction: http://yro.slashdot.org/article.pl?sid=04/04/15/1649250&tid=...
[3] Injunction upheld: http://yro.slashdot.org/article.pl?sid=04/07/23/1558219&tid=...
[4] Court's decision in English (pdf): http://www.jbb.de/judgment_dc_munich_gpl.pdf
davidgerard | 10 years ago
... yes? Lots and lots.
There's a prominent case involving VMware versus Christoph Hellwig on right now: http://laforge.gnumonks.org/blog/20160225-vmware-gpl/
One manufacturer violation ended up with Busybox/SFC awarded a pile of the violating televisions ... http://arstechnica.com/information-technology/2010/08/court-...
realkitkat | 10 years ago
y04nn | 10 years ago
Direct link to the binary: http://www.bmw.com/_common/shared/owners/bluetooth/bin/UPD07...
rewqfdsa | 10 years ago
sargun | 10 years ago
stusmall | 10 years ago
_Codemonkeyism | 10 years ago
sudhirj | 10 years ago
throwaway125 | 10 years ago
tw04 | 10 years ago
kazinator | 10 years ago
castis | 10 years ago
famerr | 10 years ago