SFC reports a successful (L)GPL suit in Germany

Submitted by Style Pass, 2025-01-11 00:30:22

Historically, lawsuits have focused on the copyrights licensed under GPL (or the GPL and LGPL together). Steck's lawsuit uniquely focused exclusively on users' rights under the LGPL. Steck's work showed that despite being a "Lesser" license than GPL, LGPLv2.1 still guarantees users the right to repair, modify and reinstall modified versions of the software on their device. There is now no doubt that both GPL and LGPL mandate the device owner's ability to make changes to the software in the flash memory so those changes persist across reboots.

Source publication court-ordered?
Posted Jan 9, 2025 17:37 UTC (Thu) by cloehle (subscriber, #128160)

Was AVM court-ordered to hand over the source code? The SFC article is somewhat vague, only mentioning court-ordered legal fees.

Source publication court-ordered?
Posted Jan 9, 2025 18:05 UTC (Thu) by burki99 (subscriber, #17149)

You find the court rulings at https://sfconservancy.org/copyleft-compliance/avm.html

The ruling says "The defendant must bear the costs of the legal dispute because it has agreed to cover the costs." So the court's decision didn't discuss the LGPL in any way since AVM handed over the complete source code and agreed to pay the costs of the dispute and thus provided everything the complaint requested (1. to surrender to the plaintiff the complete source code / 2. to reimburse the plaintiff for his extrajudicial attorneys' fees).

Source publication court-ordered?
Posted Jan 9, 2025 18:26 UTC (Thu) by chris_se (subscriber, #99706)

But it also means that their lawyers were of the opinion that they'd more likely than not lose anyway.

The German legal system doesn't rely on precedent much anyway, so not having an official ruling by the lowest court this can be tried in will not have any detrimental effect on future legal challenges. (Only if this had been appealed up to the highest courts in Germany would this have potentially had any legal impact on future rulings.) But the fact that the lawyers of a fairly successful German company were of the opinion they'd lose the case here does set an implicit precedent on how other lawyers will advise their clients in the future.

Source publication court-ordered?
Posted Jan 9, 2025 20:22 UTC (Thu) by cesarb (subscriber, #6266)

> But it also means that their lawyers were of the opinion that they'd more likely than not lose anyway.

But it might instead mean that their lawyers and/or managers considered it a lower effort (and/or lower cost) to comply than to continue the lawsuit, independent of how likely they considered it that they would lose.

Source publication court-ordered?
Posted Jan 9, 2025 21:05 UTC (Thu) by mathstuf (subscriber, #69389)

How much do (the royal) we care whether the compliance is from "we're good FOSS community members", "it's cheaper to work upstream", "it's cheaper to comply than to fight developers in courts", "it's cheaper to comply than to fight users in courts", or "the courts made us comply" beyond the decision of which companies are even on this spectrum to prefer when shopping for commodities? Hopefully companies tend to shift left on this spectrum over time, but I'd take a "our stuff is open because we were made to comply" over a closed-source vendor any day of the week.

Source publication court-ordered?
Posted Jan 9, 2025 23:09 UTC (Thu) by pabs (subscriber, #43278)

We should care because lawsuits are a time-consuming process that costs money, which is usually only reimbursed after you win. There are more useful things to be doing, like development. Outcomes are also better for everyone when development work is done upstream too. So we should prefer at least the first two options and work towards them. Hopefully some of these sorts of lawsuits will start changing some of the incentives a bit, so that at least companies do the minimum compliance actions by default. Converting them to good FOSS community members will take more work of different kinds though.

Source publication court-ordered?
Posted Jan 9, 2025 23:47 UTC (Thu) by farnz (subscriber, #17727)

I think the better scale to consider is not the "why does a company comply" scale, but rather "what is the cost to a user or developer of exercising their rights?".

The issue with "it's cheaper to comply than to fight in court" is that just getting to the point where the company is taking that decision costs me quite a lot of time and money. So the interesting scale is from "I can exercise my rights at low cost" to "I have to get a lawyer involved and pay to establish that I have rights, before eventually being reimbursed in full", through "I'll get my monetary outlay reimbursed, but no payment for the time and effort I put in", up to "I have to put time and money in, and may get nothing out".

That's especially true since the motivations of a company change as the employees change, and a company that was "good FOSS community members" 10 years ago may become "it's cheaper to work upstream" or even "legal says we must comply because it's cheaper to comply upon request than to fight in court", and return to being "good FOSS community members", without anyone particularly noticing. On the other hand, "it's easy and cheap to get compliance" versus "it's hard but cheap" versus "it's hard and expensive" is easy to follow from the outside.

Source publication court-ordered?
Posted Jan 10, 2025 6:45 UTC (Fri) by mathstuf (subscriber, #69389)

> but rather "what is the cost to a user or developer of exercising their rights?".

Indeed, thanks.

Source publication court-ordered?
Posted Jan 10, 2025 18:40 UTC (Fri) by ballombe (subscriber, #9523)

Note that there are far more users than copyright holders, and it only needs one to publish the source. The copyright holder might be a college student, but one of the users might be a large company that has enough money to start a lawsuit if they feel that could benefit their business. This completely changes the risk profile from the point of view of the offending company.

Source publication court-ordered?
Posted Jan 10, 2025 16:54 UTC (Fri) by iabervon (subscriber, #722)

On the other hand, the cost to a user or developer will be low if the company is in compliance whenever they offer a product for sale, and they'll do that if their lawyers tell them that not being in compliance is an unnecessary legal risk. And this case suggests that it's now a big risk, because an attorney who can get Steck (or anyone else sufficiently knowledgeable) to identify a non-compliant product can get the fees they'd charge paid by the vendor without needing to do anything difficult or uncertain. I think the fact that Steck was a user (rather than a copyright holder) of the device moves non-compliance from "you might have to pay money" to "an adversary can make you pay them money", which is where companies' lawyers start telling them they need to be in compliance before anyone notices.

Of course, that only gets as far as making it free for users and developers to exercise their rights, and culture matters as to whether the device comes with proprietary userspace software that can be aggregated into new firmware images by the build scripts but can't be modified.

Misleading
Posted Jan 9, 2025 19:52 UTC (Thu) by npws (subscriber, #168248)

The information is pretty misleading from what I can tell. A case was filed, but settled, so the court basically decided AVM has to pay because they agreed to pay. Not because of the license, not because they lost the case. Regarding speculation that they would have lost, maybe, but from what I can tell, the guy was not even a copyright owner, but just wanted to take advantage of the written offer, so this was never a copyright case and he wouldn't have any of the measures of copyright law at his disposal. The costs of the case for AVM should be around 4-6k, so they might just have decided it's not worth fighting it.

Misleading
Posted Jan 9, 2025 20:16 UTC (Thu) by Wol (subscriber, #4433)

But it sets another massive "precedent". He hasn't sued as a copyright holder, he's sued as a customer.

So ANYone who receives a piece of kit with (L)GPL code now has a precedent to go and say "I want the code".

Cheers,
Wol

Misleading
Posted Jan 10, 2025 3:48 UTC (Fri) by npws (subscriber, #168248)

> He hasn't sued as a copyright holder, he's sued as a customer.

You can sue for any reason you like, you just might lose. Given that nothing at all regarding the validity of his claims was decided by the court, it comes down to "guy asks for code, guy eventually receives some code" (and according to comments here *still* not even the complete one). Something that hasn't happened many times before.

Misleading
Posted Jan 10, 2025 3:50 UTC (Fri) by npws (subscriber, #168248)

Sorry, meant to write *Nothing* that hasn't happened many times before.

Misleading
Posted Jan 10, 2025 11:58 UTC (Fri) by Wol (subscriber, #4433)

I guess you didn't bother to read the linked notice ...

"Both SFC and Steck remain frustrated that companies like AVM usually ignore user requests under copyleft until a lawsuit is filed. Nevertheless, we are happy to see that the legal process confirmed Steck's rights, and required AVM to pay Steck's legal costs. “I am pleased that this litigation compelled AVM to provide the compilation and reinstallation information in the filings,” Steck said."

Yes it hasn't changed the fact that users always seem to have to go to court. I'm not aware of previous cases that have been won and - in the words of the SFC - "the legal process confirmed Steck's rights".

Cheers,
Wol

Libraries
Posted Jan 9, 2025 23:13 UTC (Thu) by pabs (subscriber, #43278)

From the discussion on the Conservancy XMPP room (bridged to IRC/Matrix), Sebastian specifically wanted to make changes to uClibc and compliance was also achieved for the libblkid, libexif, and libosip LGPL libraries on the device too. The GPL things on the device like the Linux kernel etc remain out of compliance unfortunately.

Fritzbox
Posted Jan 10, 2025 2:24 UTC (Fri) by stephenjudd (guest, #3227)

For people who hadn't made the connection, like me, AVM make "Fritzbox" brand routers. Very common in Germany but also elsewhere. I'm guessing this might be quite helpful for people porting OpenWRT etc to Fritzboxes?

But can you modify and use it?
Posted Jan 10, 2025 7:58 UTC (Fri) by epa (subscriber, #39769)

Okay, the source code has been published. Is an owner of the device able to modify the code and install it?

But can you modify and use it?
Posted Jan 10, 2025 11:51 UTC (Fri) by Karellen (subscriber, #67644)

From the fine article:

> The defendant, Berlin-based AVM, ultimately delivered the necessary information to reinstall modified software on their device. Delivery of this information resolved the lawsuit. The plaintiff was Sebastian Steck, who received a grant from SFC to pursue this work. Steck purchased an AVM router in May 2021 and quickly found that the source code candidate which AVM sent him could not be compiled and reinstalled onto his router. AVM, the largest home router manufacturer in Germany, refused to correct its source code candidate. Steck sued AVM in a Berlin court in July 2023. Months after the lawsuit was filed, AVM finally provided Steck with all remaining source code that Steck requested, including “the scripts used to control … installation of the library”.

(Emphasis mine)

But can you modify and use it?
Posted Jan 10, 2025 12:05 UTC (Fri) by epa (subscriber, #39769)

It wasn't completely clear whether this meant "a working installer, which Sebastian Steck has tried out successfully" or just "here's a complete buildable set of source code, which you would certainly be able to install on your device if you had the signing key, which of course we can't give you". I think the former, but I'm missing a more techy blog post where they demonstrate that this thing really works.

But can you modify and use it?
Posted Jan 10, 2025 14:34 UTC (Fri) by ossguy (guest, #82918)

Yes, it is the former. You can try it out for yourself by downloading the source from https://sfconservancy.org/usethesource/candidate/avm-frit... , which has all the instructions. There are more details, including other source code candidates Steck received, at https://sfconservancy.org/copyleft-compliance/avm.html .

Secure boot
Posted Jan 10, 2025 12:24 UTC (Fri) by dezgeg (subscriber, #92243)

This kind of ruling is interesting from the secure boot point of view. It seems this particular device can be downgraded to a version that doesn't enforce it, but if that were not the case would the manufacturer be forced to give out the signing key or implement other means that would allow unsigned code execution?

If that were the case, then I wonder could such a product ever be compliant with the new EU Cyber Resilience Act?

Secure boot
Posted Jan 10, 2025 14:00 UTC (Fri) by martin.langhoff (subscriber, #61417)

The usual method is: customer can install their own key, and use secure boot tied to that customer-owned key...

Secure boot
Posted Jan 10, 2025 16:19 UTC (Fri) by audric (guest, #86999)

I thought this was the whole point of having L/GPLv3? What am I missing here?

Secure boot
Posted Jan 10, 2025 19:22 UTC (Fri) by Wol (subscriber, #4433)

> If that were the case, then I wonder could such a product ever be compliant with the new EU Cyber Resilience Act?

Iirc the Cyber Resilience Act has nothing to say on the subject. Indeed, if the user can NOT upgrade the software, it might not be compliant with the CRA.

Like a lot of EU legislation, the primary focus of the CRA is to make it explicit who is responsible for making sure goods work "as designed", and to enforce what good design is.

So if Tommy Atkins buys an AVM/Fritz router, the CRA merely makes it clear what is the design life of the product, what the product is intended to do (including, importantly, "be fit for purpose"), and who is responsible for fixing it if bugs are found / it breaks.

So if said Tommy Atkins modifies his own router, it is no longer the product AVM supplied, and they are not responsible. If a cracker modifies it, that should not have been possible (aka not fit for purpose), and AVM are responsible.

Cheers,
Wol
