11

According to an answer on Methods for obtaining source code from an uncooperative company:

You're probably out of luck. The company distributing this firmware has an obligation to provide you the source code, but this obligation is to the copyright holder. You are not the copyright holder. The copyright holder would have to sue them for license compliance.

Does this change for someone who wrote some of the code and the copyright of that portion is under their name? For example, would someone like Ulrich Drepper (the author of several components of the Linux kernel) be in a different situation than the OP of that question with regards to having rights to the source code if other copyright holders (like SFC) don't sue?

forest
  • 998
  • 11
  • 24

2 Answers2

13

It depends on the license the code comes under and whether theres a copyright-assignment requirement for that project.

In the case of the Linux kernel, the license is the GPLv2, and there is no copyright assignment requirement - so anyone who can prove ownership of code within the shipped binary (important caveat there - the Linux kernel is configurable, so parts of it can be excluded from the binary) can pursue a claim of copyright infringement if the source code is not distributed according to the license.

With the case of things like GCC (until the most recent version), while the project uses the GPL (v3), it also required copyright assignment to the FSF, meaning the original authors do not hold the copyright and thus have no standing to sue (authors rights not-with-standing). They have now dropped this requirement in the latest GCC version, but it stands for older versions.

As copyright holder, you have no ability to actually force the binary distributor to comply with the terms of the license - you can merely threaten them with, and pursue, a claim of copyright infringement. In court, you can sue to stop them from infringing further and to pay punitive and actual damages.

You may be able to get them to agree to conform with the license terms, but its highly doubtful that a court would agree to force them to conform with the license terms (there has yet to be a copyright-infringement case orientated around open source software that has resulted in a court forcing the infringing company to GPL their own code they were trying to protect by non-compliance).

So, to answer your question, theres no actual avenue here which results in you obtaining the source code you have copyright ownership of - the legal actions you can take are ones of stopping infringement and claiming damages. You might be able to come to an out-of-court settlement or a voluntary agreement to provide the code, but court actions will be about stopping the infringement and damages.

  • And to stop infringement (or have the threat of stopping the infringement be sufficient for them to willingly publish the source without a court order), I have to have contributed code as a copyright holder, right? Does this require having an explicit copyright line in the source code header? – forest Jun 08 '21 at 01:51
  • The only standing you have to sue is the copyright ownership, so yes, you have to have contributed code and retained the copyright so you can have standing. No, you do not need an explicit copyright line in the source code header, merely being able to point to a line of code and then to the source-control commit(s) that is unequivocally yours where you added the code is enough to establish ownership. Then being able to say "there is no copyright assignment for this project, so I retain copyright and allow the project the use of it under the same license the defendant enjoys" is enough. –  Jun 08 '21 at 02:00
  • So if I added even one line to kernel/fork.c (a source file that's always included regardless of configuration) and could establish ownership, I would have standing to sue a company which refuses to abide by the GPL and force them to either discontinue releasing the binaries (or use that as leverage to get them to release the source code)? – forest Jun 08 '21 at 02:05
  • 1
    @forest yes, that is correct. (Couldnt just say "yes" because of the comment length limit.) –  Jun 08 '21 at 02:09
  • 2
    Agree that a court will not order specific performance (i.e. make them comply with a licence) when monetary damages are adequate compensation (which copyright law says they are). – Dale M Jun 08 '21 at 05:06
  • @DaleM I imagine most companies would prefer to release the code (especially if they haven't done any serious modifications to it and have no intellectual property tied up in it) than to be forced to discontinue releasing the binaries. – forest Jun 08 '21 at 05:52
  • @forest you'd be surprised - there is a tool called BusyBox, which is basically all of the standard Unix commands bundled into one small executable (ls, cp, mv, cd etc). Its popular because it vastly reduces the size of these individual tools (bundling allows reuse of code across all the tools). BusyBox is very active in pursuing copyright violations of its license - and in many cases the copyright action forces the infringers to use a different product, which often means they switch to something BSD licensed etc rather than release their own code. –  Jun 08 '21 at 06:24
  • @Moo I'm aware. Lots of companies moved to ToyBox or whatever it's called. But a company using the Linux kernel for their "smart security alarms" or something isn't going to be able to switch to another kernel without wasting a lot more money. – forest Jun 08 '21 at 06:33
  • @forest that really depends on what exactly they are using the kernel for - a lot of the stuff that Arlo etc does is userspace code, so switching to FreeBSD is actually fairly easy. –  Jun 08 '21 at 06:58
  • @Moo I'm sure it's fairly easy, but you have to remember how resistant many of these companies are to change. Even suggesting changing the kernel is enough to make most managers turn white. – forest Jun 08 '21 at 07:07
  • @forest if the discussion is between “we change X and get to retain our IP” or “we give up some/most of our IP for free”, I can tell you now the follow up question is going to be “how long does X take and what does it cost?” Had similar discussions myself (not around copyright infringement, just exorbitant license fees). –  Jun 08 '21 at 07:16
  • @forest, it is correct if we agree what you mean by "force". You can give a company the choice of conforming to the GPL license or to see you in court for copyright infringement. If you (likely) win, there will be a fine they have to pay, and you can give the company the choice once more of conforming to the GPL license and paying your cost, or not conforming to the license and paying the fine. If they are happy to pay the fine, you can't force them to do anything (in the USA, where GPL is a license)... – gnasher729 Jun 08 '21 at 07:20
  • ... So if Microsoft was caught and a judge ordered them to pay you a million dollars, they can easily pay the million and not publish anything. If I was caught and had the choice of losing my home or publishing, I would be forced to publish the source. – gnasher729 Jun 08 '21 at 07:22
  • @forest: "Does this require having an explicit copyright line". No. Anything that convinces a court that you have a copyright. Like git logs, or a witness. But note that having the copyright on 3 lines of code won't do much. A court will give them a fine that is appropriate for copying 3 lines of code, not the 999,997 lines written by others who are not in court. And a company can easily replace three lines of code and not infringe on your copyright anymore. – gnasher729 Jun 08 '21 at 07:28
  • @gnasher729 actually, its a real threat when the license is the GPL, because if you violate the GPL then your entire rights under it for the work evaporate - so successfully pursuing a claim based on 3 lines of code revokes the GPL for the other 999,997 lines as well, until all copyright holders agree to reinstate it. –  Jun 08 '21 at 08:25
  • @Moo, the authors of the other 999,997 lines of code could have sued the company anyway; they always had that right. And a court ruling "pay the owners of 999,997 lines of code $100 per line" is let's say much more likely to convince a company to do the right thing than a court ruling "pay the owner of these 3 lines of code $100 per line". – gnasher729 Jun 08 '21 at 09:47
  • Are you sure authors lose ownership. My gut feeling telling me that authors retain copiright, just assign all rights to FSF as well. @gnasher729, the point is that company may not have the rights to distribute the software anymore. But also they may replace part of the code to get away. – akostadinov Jun 08 '21 at 10:59
  • @gnasher729 once the license is revoked, any distribution after that fact would be slam dunk in a court of law, so damages should be much easier to come by. So its not as simple as replacing 3 lines of code any more, and someone like the EFF or FSF would step in to pay for subsequent court cases. –  Jun 08 '21 at 11:38
  • so parts of it can be excluded from the binary – Does this mean that components that don't affect the final binary itself aren't subject to the requirements to release them? What about comments which are stripped by the compiler? Or variable and function names when symbols are stripped? How are they different from code guarded by an #ifdef CONFIG_FOO? – forest Jun 08 '21 at 23:14
  • @forest all questions for a court, not for us. I doubt theres been any serious ruling to that level yet. But to keep it simple, if its not part of the binary, its not distributed, so a plain text reading of the license and of copyright law would indicate that the copyright holders of those bits not distributed dont have an actionable claim. There might be some considerations with regard to derivative works etc but as I said, thats probably going to need a court to rule on it. –  Jun 08 '21 at 23:43
6

Anyone can demand the source code. But if you don't get it, only copyright holders can sue. The fact that anyone didn't receive the source code they demanded makes the distribution copyright infringement. So a copyright holder can sue for copyright infringement, even if they were not the person who was refused the source code.

So your steps would be: Request the source code. If you don't get it, inform a copyright holder. You may also send a letter informing the company of the legal requirements in case they don't know. For the copyright holder it would be the simplest, easiest and cheapest way to do the same, except they can add "if you don't play by the rules, I will sue you". Which has a good chance of solving the problem at minimal cost.

gnasher729
  • 34,028
  • 2
  • 46
  • 88