Onyx is violating the Linux kernel's license, refuses to release source code (reddit.com)
326 points by Lammy on July 5, 2020 | 93 comments



This is not unusual, there are many cases of GPL violations out there and if someone puts energy into them they are solved. Harald Welte and gpl-violations.org [1] have been doing good work for many, many years in this regard.

From their about page:

"By June 2006, the project has hit the magic "100 cases finished" mark, at an exciting equal "100% legal success" mark. Every GPL infringement that we started to enforce was resolved in a legal success, either in-court or out of court."

gpl-violations.org is in an extraordinarily good position to help when it comes to GPL violations in the Linux kernel, because they work closely with some kernel developers that "[..] have transferred their rights in a fiduciary license agreement to enable the successful gpl-violations.org project [..]"

Their website looks a little bit outdated but from what I understood from a talk that Harald Welte gave last year[2], they are still active. If someone wants to report the Onyx case you can do it at license-violation@gpl-violations.org but be prepared to provide solid information[3].

[1] https://gpl-violations.org

[2] https://www.luga.de/static/LIT-2019/events/84.html

[3] https://gpl-violations.org/helping/


This was a problem with Creality in the 3d printing world two years back. They used Marlin - a program for the embedded micros used in them - which is licensed under the GNU GPLv3+. Creality refused to release their contributions until they were convinced by Naomi Wu (Sexy Cyborg) that the community would actually refuse to purchase from them unless they did, which they probably would’ve.

https://hackaday.com/2018/08/27/gpl-violations-cost-creality...


I seriously can't believe how short sighted people can be. That's bad business.

I worked at a big bank too, you'd think they would understand about investment? No. They simply leeched off open source in the same way.


Is this actually short sighted though? I feel like the 'companies are exploiting open source' dialogue always ignores how wildly minuscule the risks often are for the company. Creality might have lost a US distributor but is the US their primary market and were they unable to find another distributor?

Don't get me wrong, I'm not happy about the state of affairs, but banks are usually pretty risk averse (or more accurately, their risk portfolio is catastrophe averse). If an org like a bank doesn't care it seems like a sign that open source either needs some better teeth or it needs to accept that its role in the ecosystem is changing. We might see some short term success calling out bad actors but if there's enough of them to put on a whole play then it seems more useful to focus on why they're all able to book a theatre so easily.


That's definitely one way of looking at it but when you're a bank with projects in the tens of millions hinging on EmberJS, you'd think you'd be more sensitive to the plight of EmberJS development?

I mean the open source project suddenly being abandoned due to lack of a corporate sponsor would be pretty catastrophic, no?

What struck me the most is that at its heart the bank has these sorts of provisions in its constitution, ie giving back to the community and being in harmony with the environment and being relationship oriented.

It's like the lion not rewarding the mouse in that old fable, due to brand having been subverted by petty bureaucracy and middling management.


> more sensitive to the plight of EmberJS development

I doubt they'd have started using it in the first place if the software looked like it would be abandoned.

If the best 'teeth' open source has is, "we might stop developing this at some point in the future if you don't give us $ for using our work", then as the parent said open source needs better teeth.


Yea I know moralistic arguments lack teeth but on some level computer science is a field founded on the concept of good faith so I like to remain loyal to the spirit of Prometheus when I'm having my liver eaten out each morning by vultures aka my project manager.

And as I mentioned in my parable the lion didn't need the mouse to bite it in order to do the right thing you know what I'm saying?

In other words a 150 year+ institution should just know better and it's a shame to think they've been sucking the world dry for that long without a second thought as to how it might affect their own bottom line.


You can't rely on "they should just know better" otherwise you would face a lot of disappointment. If you want something you better have the teeth or something to force the change.


I worked at a bank too. There is a list of software and libraries approved for usage. GPL cannot make it to the list because the license is the first thing that's verified when requesting to add a new library.

I always wondered what would happen if some developers used some GPL lib and shipped to customers and it was noticed and caused the company to be sued. Would all the developers be fired on the spot and the software undone?


I would guess no unless someone stepped in from above. Unless it ended in the complete source code of all their systems, perhaps.

In a lot of commercial code there is almost literally nothing worth protecting, just sunk-cost. If a finite element package got open sourced, that would be a minor disaster (although even then you're paying for the UX and support not the code) but things like firmware are barely worth the electrons on the drive.

The point being the business impact would probably be fairly minor for most projects.


"A bank" contains multitudes, though. The big banks all have investment arms, which in turn have in-house algorithmic-trading subsidiaries. Now imagine that someone snuck some Affero GPLed code into the trading engine...

(It is at this point that I realize that maybe one of the reason that HFT people like arcane formal-proof languages so much—besides just verifying that they won't lose money—is that the ecosystems of unusual languages are smaller, so it's less likely that any problem has a solution involving third-party code, and therefore there's less concern about IP contamination.)


There are passwords, certificates, API keys, more GPL code, stolen code, commercial libraries (integrated but forgot or stopped paying the license a while ago), vulnerabilities, ridiculous comments, trade secrets (trading algorithms, credit score calculation, fraud detection), etc...

For any sizable software that has been alive for 10 years, there is no way it's safe to open source the repo.


My understanding is that there's a period of time after receiving a cease-and-desist that you can remove the offending GPL library without opening your codebase. After that, there's no harm to either side:

They don't have to release code and the licensed software's owners don't have their rights violated any further

Of course, IANAL


Monoprice was guilty of this for a number of years... as I suspect Lerdge is as well, they encrypt their firmware and bootloader, and there's just no reason for it.


This kind of behavior is one of the things that kills me about grsecurity. They're completely abusing the spirit of the GPLv2 license but are probably following the letter of it.

If you choose to exercise your GPLv2 rights, your contract with them is terminated and you will receive no further security updates (considering this is a security product, it makes it pretty useless to you). You are then blacklisted from doing business with them ever again.


Bruce Perens argues[1] that this is a penalty for exercising your rights under the GPL and therefore violates section 6[2]: "You may not impose any further restrictions on the recipients' exercise of the rights granted herein"

[1] https://perens.com/2017/06/28/warning-grsecurity-potential-c...

[2] https://www.gnu.org/licenses/old-licenses/gpl-2.0.html


Open Source Security (company behind grsecurity) sued him for that post, but the case got dismissed and it looks like OSS has to pay his legal fees:

https://www.digitalmunition.me/maker-of-linux-patch-batch-gr...


He argues contributory infringement and breach of contract, but he really only goes into the breach of contract theory.

I'm more curious about the contributory infringement theory. You cannot have contributory infringement without there being a direct infringement by someone else for the contributory infringer to have contributed to. I don't see offhand who would be the direct infringer whose infringement Grsecurity is contributing to.


The way I'm reading it, his point is that a Grsecurity customer, who is not infringing Linux copyright (because they're not distributing kernels) would still be on the hook for contributory infringement because they contributed to Grsecurity's infringement.


https://www.reddit.com/r/netsec/comments/hkg8co/10_years_of_...

Brad goes into this here. Grsecurity has written extensively about this.

Read the links to their site where they go even further into detail.

Grsecurity is not violating any license. There are multiple quotes from authorities on the matter in that link. If they were, so would Redhat, Canonical, etc.


Wow, that post is so ad hominem that it makes him less credible. Is this how he usually responds?


If I had to deal with constantly having my name dragged over something I wasn't doing, I would probably be pretty upset about it as well. Further, the Linux Kernel community tends to have... some negative communication patterns.

But the content is very valid, you should give it a fair read, regardless of how you view Brad's language.


The comment they're replying to is also not exactly smelling of roses. It makes some pretty unsubstantiated claims.

I read Perens' claims, and IMHO they're very thin. It seems to be a classic case of "I don't like this" (which is fair enough) and then trying to find "objective" arguments to support that position. Not impressed.


After you are blacklisted, can't you still get security updates from other grsecurity subscribers? I suppose grsecurity could also blacklist any subscribers sharing to blacklisted people, but how could they possibly enforce this, if your friendly subscriber doesn't tell?


According to the Reddit thread linked in this thread, no one has ever been blacklisted:

> We have in fact never had to terminate a relationship with any customer of ours. We build trusted relationships with our customers, so any talk of "threats" or anything else is simply completely fabricated (as you obviously noted, anyone repeating such claims has no evidence whatsoever for them).


The "obvious solution" would surely be for grsecurity's customers to band together into a cartel to put an end to this pretty unpleasant behaviour?


GPL protects the rights of users. It does not protect the rights of creators.


If someone chooses to exercise those rights does grsecurity comply? Or just terminate the contract and ignore all further communication?


From the reddit thread I linked elsewhere (https://www.reddit.com/r/netsec/comments/hkg8co/10_years_of_...):

> There is no restriction or prohibition, correct. In fact, we are far more lenient than other companies when it comes to our policies. We have in fact never had to terminate a relationship with any customer of ours.

> We're generally only concerned with fraudulent customers who would lie during the quoting process with the intent to cause damage to the business by intentionally reposting all updates received online. Obviously, they have the right under the GPL to do that (the fraudulent representation notwithstanding), but we also obviously have the right to refuse future business with them. As noted by the lawyer in the link above, that right has been repeatedly reaffirmed by the US Supreme Court. It's not controversial whatsoever.


Unfortunately this has been going at least as long as I've been aware of Onyx Boox products. E.g. https://www.mobileread.com/forums/showthread.php?t=277431. It's by no means an isolated incident.


I've said this elsewhere. But I genuinely don't think that they know what the gpl means. Maybe someone could approach them in Chinese preferably directly to the company instead of the forum minion. The forum minion always responds with the same answer to any question that is asked. That person gives the same answer to a quick switch option between the notes and library app.

Usually what happens in the onyx customer forum is that a person asks for something. The forum minion says it's been forwarded and being worked on and then the cycle repeats until one of the customers gets pissed and starts threats.


They know what it means. It means a copyright holder of the Linux kernel would have to sue them in China. Good luck with that.


You can sue them anywhere the devices are available. Obviously the remedy is going to have to be within the jurisdiction of the particular court, but you could block imports or receive damages in any nation to which they ship.


If the software is embedded, they can be sued elsewhere. Like that time BusyBox sued over the GPL and won ... a pile of TVs! http://www.groklaw.net/article.php?story=20100803132055210


Why solve matters with lawyers if you don't need to? If there's a failure of understanding, possibly due to language issues as the previous commenter suggested, then trying to establish a dialogue and trying to explain the matter to them would be a far easier (and cheaper!) option for everyone, regardless of locality.

It doesn't help that the GPL is not an easy document to read by the way :-/


Are you really so naive that you think this is a lack of understanding?


Why would it be impossible? The only time I ever happened to stumble upon a GPL violation (more than 10 years ago) I explained it and they said "oops, sorry, we'll fix that". Worth a try, no? I don't think it's naïve. The cost of explaining is minimal and you lose very little by trying. Even if the odds of success are low, it still makes sense to try as the cost of a lawsuit is so much higher both in time and money.

It's also just basic common courtesy IMO to assume someone made an honest mistake even when you suspect they didn't (because sometimes your suspicions are incorrect).


Could users of the product also be sued by a Linux contributor?

If you can’t go after them, going after their customers would kill their business.

But this approach seems too cute to be feasible even on the long shot that the GPL would allow it.


In theory yes.

In the early days of internet pirate sites there existed an argument that it was only the people distributing that could get sued for infringement. Similarly, when streaming happened it was argued that no copy was downloaded, and the users clearly did no distributing. With cable decoders (in countries without anti-DRM laws) it was similarly argued that no distribution occurred by the users or the producers of the cards.

Since then a lot of court cases have happened and as far as I know neither of those arguments have held up. There is usually a law or two that gets dug up in order to have something to charge people with, and lawmakers have been quite diligent in addressing those kinds of arguments in new laws.

But there is one major caveat. Those cases have all been brought by large media owners with both large teams of lawyers and "close" relationships with the legal and political system. A lone developer will have a much more difficult time.


No, since they don't have access to the source, they can't modify it and the GPL does not apply to them.


It's rather that they're not distributing it (either source or binary) so the GPL doesn't apply to them. Not having access to the source doesn't exempt you from the GPL.


But they are getting an unlicensed product. IMNAL, but if they are made aware of the fact and continue to use the product, wouldn't it be willful misconduct?


If the GPL completely doesn't apply then you don't have a license to use the program.


You don't have a license to copy the program; the GPL does not grant you a license to use the program, as you do not need a license to use a program.

If you don't agree to the GPL, normal copyright law applies and you can't copy the program outside of fair use in your jurisdiction.


If I install a pirate copy of a program on your computer, can you use it without a license?


What law would I be breaking in what jurisdiction? I’m not familiar with Somali copyright law, and that’s the main source of pirated, although I did read an increasing number in Nigeria too.


They fear they might be breaching some NDA by fulfilling GPL contractual obligations.

That’s what’s in violators’ minds. NDA and multi million lawsuits like they are doing anything.


>I've said this elsewhere. But I genuinely don't think that they know what the gpl means.

Unless it can be enforced, it means absolutely nothing more than a wish...


I tend to license my stuff MIT. That’s mostly because I don’t want to deal with legal agita. It helps to avoid people suing me because the hammer they stole from me bends their screws.

We basically live in a digital kleptocracy. Everyone steals from everyone. I tend not to, but that’s because I’m a complete control freak, and have a hard time letting go.

I think that decompilers are so good, these days, and the use of intermediate steps like LLVM, mean that people won’t have much difficulty figuring out what’s going on, under the hood. With the financial incentives, it is quite possible to hire top-notch folks to implement, and even improve the work.

Also, I don’t think anything I do is so great that I want to hide how I do it. In fact, I see people do stuff in more clever fashion all the time. My own advantage is in how I do stuff, and it would be great if folks copied it. I don’t think many would. It’s a pain, and is only efficient once it becomes habit.

Go ahead and steal my stuff. Get rich. I doubt my stuff will be the “secret” to your success. My only hope is that, if you do use it, there might be a tiny piece of high-quality software in there. I do feel as if we should all strive to do the best quality work possible, and take some personal pride in our craft.

I don’t mind that going viral, and I don’t think a license will affect that.


It's not about you, it's about the user.


Yup. That's what I said. The user can benefit from my work.

Seriously. Why was what I wrote bad?

I just put enough legal fig leaf on to make sure I don't get sued for anything, do the very best work I can, and put it out there, for all to use.

I literally wrote a post, encouraging people to open-source their software, and I led by example; not decree, which is usually the best way to proceed.

Is the MIT license a bad license? If so, why?

I have found that if I make it GPL, then a lot of folks won't use it. I want people to use my stuff. I think it's good stuff, and can benefit users, by being a high-quality component.

I think I do have one GPL project; an ffmpeg wrapper that uses the GPL H.264 codec. I could probably get away with not licensing it GPL, but why bother? It's not gonna save the world. I suspect no one will have much of a use for it, anyway.


Read up on the 4 freedoms: https://en.wikipedia.org/wiki/The_Free_Software_Definition

A true free(libre) software license protects the _user's freedom._ Releasing under MIT License doesn't do this because of the problems raised in OP. If your MIT work is incorporated into another product and used (hypothetically) by a foreign government to spy on people, then you haven't protected users, you've protected _developers_ ability to benefit from your work for free.


Yeah...I'm not really interested in making any rhetorical points. I appreciate the passion, but I just like to write great code and put it out there.

I'm not a gunsmith. I write small iOS apps and libraries. I'd rather they didn't get used for nefarious purposes, but I am not interested in exerting any kind of control over what happens after I put them out.

I have done some rather more ambitious and socially-relevant stuff, and that is all MIT. We switched to that from GPL a year or two ago, as the GPL was interfering with the willingness of people to use it.

Since the software is actually a lifesaving infrastructure, every non-use could mean lives lost.


The users that can't use the GPL are often commercial in my experience. In that case I'd rather dual license than change to MIT (or similar).

You want it for free, give something back. (Is my thinking)


Fair 'nuff. I support that.

I'm not particularly interested in getting paid. My stuff will never be the "magic beans" that will turn some moribund idea into a unicorn. It's just "window dressing," or simple extensions that will help to improve the quality of the software.

It's mostly "brand reinforcement" and portfolio material. I want people to use it, and am willing to remove any obstacles.

I know that's unusual, but that's how I roll. It's a labor of love.

The infrastructure project that I wrote is designed for as many people as possible to use. We don't care whether or not someone wants to try using it to make money (good luck with that). It saves lives.

But, back to the original topic, if I had released software with a particular coercive license, and some corporation then went and used it against that license, I would probably be pissed. Not sure if I'd be pissed enough to hire an attack lawyer, though. I don't think I'm that dedicated.


I try not to use GPL software out of principle, but it's hard not to use Linux and GNU coreutils. I wish OpenBSD was as popular as Linux.


Well, you have a completely different perspective on software to me then.


Seeing how this is a company in China, how would the legalities work?


https://heathermeeker.com/2018/04/30/first-gpl-case-in-china...

As the link warns, this is a secondhand translation, and my summary is thirdhand. Do your own reading, especially in the original language, if able.

The general point here is that the Chinese legal system declared that the GPL legalese is OK, but that judges have the power to evaluate it in context of the case and retain the authority to override the legalese when it results in inappropriate outcomes.

In this specific ruling, the judges ruled that bundling ('aggregation') of GPLv3 and unlicensed code did not infect the unlicensed code with the GPLv3, resulting in a loss for the defendant.

If Onyx is bundling GPLv3 code with non-GPLv3 code, based on this single case, they are not required to disclose the source of the non-GPLv3 code that is aggregated with the GPLv3 code. If they have also/instead modified GPLv3 code, then they would probably be required to publish the source for the works derived from GPLv3 code.

The usual arguments here are that modifying a bundle of GPLv3 code to include non-GPLv3 code is itself a 'derivative work' of GPLv3 code, or that the GPLv3 specifies that such bundling shall result in the bundled code being forcibly licensed under GPLv3. The Chinese court apparently did not accept this line of reasoning.

YMMV, IANYL


I think you have a few details wrong.

Firstly (a minor detail) I don’t think GPL requires you to “publish” source code per se. Just make sure that every recipient of a binary copy can also receive the source code.

But more importantly, the license doesn't "infect" things. In no way can you be forced to license your code according to the GPL. Failure to comply with the GPL simply means the license isn't applicable and the situation reverts back to normal copyright rules.


>But more importantly, the license doesn’t “infect” things.

[I’m not your lawyer and this is not legal advice.]

It can have that effect. My understanding is that if you include GPL code in your software[1] and distribute it without sharing your source code, you are committing an ongoing contract/copyright violation that can be remedied either by recalling and destroying the offending products, complying with license terms by releasing your source code, or settling with the original copyright owner (effectively, paying a license).

As for a court forcing you to release the code, that is in fact what the GPL contract requires so the court is within its rights to require specific performance instead of monetary damages. Even though common law courts strongly prefer monetary damages, they will turn to specific performance if they think it's appropriate.

All of this is going to turn on some questions about when you can bring copyright infringement vs. contract actions. It's not an area I'm super familiar with, but see my response below about at least one case that suggests you could sustain a contract action for a GPL violation in some circumstances.

[1] In the way that requires you to release your own software under the GPL. Of course, there are ways to use GPL software that don't implicate that. I'm not talking about those.


> they will turn to specific performance if they think it's appropriate

Do you know of any cases with the GPL where a court has in fact done so? I'm not aware of any outcomes where code has been forcefully licensed as a penalty. Absent strange outside circumstances (like a signed contract) I'd instinctively (but without legal training) think that a court would treat the violator as "acting without a license" rather than "had specifically agreed to the terms of a contract and then broken it".


It was a live issue in the Artifex case. The parties ultimately settled so we don't have a final answer, but the district court was going along with the contract theory. The availability of specific performance remains an open question too. But if you can in fact enforce the GPL as a contract, then it's not a big step to some plaintiff getting specific performance, which is going to turn on case-specific things like the adequacy of monetary damages.

https://www.synopsys.com/blogs/software-security/breach-gpl-... https://www.omm.com/resources/alerts-and-publications/alerts... https://www.natlawreview.com/article/important-open-source-r...


Thanks, this is a great answer! I'll try to look at these links later.


That makes more sense than I was able to make of it, thank you.


That's interesting. The GPL actually includes language specifically permitting aggregation like this:

> A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.


The lesson here is if you want a non-severability provision to work, you need to make the licence restrictions also binding for the original author (full reciprocity). Similar cases will also arise in Europe.


What do you mean?


Restrictions like share alike and termination provision should also apply to the original copyright holder.


That is currently not the case, and I don't think it should be.

If I write a piece of software and release it under the GPL, I can sell it as proprietary code as well, dual-licensed. I am in no way obligated to provide updates and changes under the GPL too.


Why is that the lesson? Maybe I'm dumb but I don't understand how that would help anything.


There are principles of arm's length and equal treatment among equals for contracts to be enforceable. Copyright licences are treated like contracts of adhesion in many jurisdictions (though not in the USA). By-attribution share-alike, non-severability and non-revocation clauses in a share-alike licence attempt to make the parties equal, but it does not quite arrive there, still leaving the copyright owner privileged a bit.

IANAL, YMMV


I realize I don't know much about licensing because I didn't understand a word of that.


Possibly via:

Import halt via complaint in appropriate US Customs regulatory regime and / or court, about infringement of intellectual property. This can embargo a company's product nationally in the US, and gets the attention of the producer.

Not quite on topic:

Stopping Infringing Products From China: Section 337 Cases. By Bill Perry - China Law Blog -- August 22, 2016 https://www.chinalawblog.com/2016/08/stopping-infringing-pro...


US Customs halt has had the desired effect in GPL compliance cases before:

https://mjg59.livejournal.com/126865.html https://lwn.net/Articles/404450/ http://mjg59.livejournal.com/132810.html


I believe the wronged party in such cases can ask to have imports banned.


I have just updated their Wikipedia page with a mention of the incident. Let's see how long it will take for someone to take it down https://en.wikipedia.org/w/index.php?title=Onyx_Boox&action=...


It was removed because you apparently didn't quote/provide a reliable source... Looks like you quoted a reddit comment?


I've obliged.


They release their firmware updates on their page, packaged with upx. Someone could enjoy decompressing it https://onyxboox.com/firmware


There is no source code there. Decompressing won't bring it back to source code state.


Download it, unpack it, patch it to enable ssh, ssh into the machine, monitor internet traffic and see if its doing anything fishy.


While this is certainly a method that could be used to tell if it's doing anything it shouldn't, it still skips over the fact that this is a violation of the GPL. That being said, this is apparently a Chinese company, and I have no idea if the GPL even has teeth in this scenario.


Not sure what Onyx is but my first thought was about the System76 system https://system76.com/laptops/oryx

Turns out that one is called Oryx


Onyx makes eInk tablets. I was actually thinking of buying one earlier this year, but not after this.


So, wtf is Onyx and how does it violate GPLv2?


To answer the second part of your question, if you modify code released under GPL, you need a way to provide a machine-readable copy of your modifications to your users.

So, it doesn't need to be publicly available (as in, you and me are not Onyx users, therefore we don't need to have access to it), just to its users. Screenshot shows their user requesting it and being denied the request, hence, GPL violation.

https://www.gnu.org/licenses/gpl-faq.en.html#GPLRequireSourc...


>if you modify code released under GPL

_and distribute it_

Running it server-side is fine. That's what the AGPL addresses.

If you modify GPL code and only use it yourself without distributing it, you never have to give anyone else access to the modifications.


Indeed - I amended the show waves filter in ffmpeg to create square wave forms for, but my C is terrible and I’m far too embarrassed to commit to a public code forum. As the binary goes no further than my own machines there’s no issue.


Onyx is a manufacturer of Android-based e-Ink tablets/e-Readers.


That is where the MIT license is largely superior to the GPL, you know what you are buying ;) The GPL puts enforcement in place without the cops to maintain it ;) With MIT, everyone is free to do whatever they want. In a way the GPL recreates (unnecessary) bureaucracy, where MIT generates pure liberty.


Ah, the freedom of business to exploit free labor! How do we long for that!


So, in which way is the result any better?

