This is technically not true. It is an oversimplification of the common case, but what actually normally should happen is that:
1. The GPL requires the company to send the user a written offer of source code.
2. The user uses this offer to request the source code from the company.
3. If the user does not receive the source code, the user can sue the company for not honoring its promises, i.e. the offer of source code. This is not a GPL violation; it is a straight contract violation; the contract in this case being the explicit offer of source code, and not the GPL.
Note that all this is completely off the rails if the user does not receive a written offer of source code in the first place. In this case, the user has no right to source code, since the user did not receive an offer for source code.
However, the copyright holders can immediately sue the company for violating the GPL, since the company did not send a written offer of source code to the user. It does not matter if the company does or does not send the source code to the user; the fact that the company did not send a written offer to the user in the first place is by itself a GPL violation.
(IANAL)
https://social.kernel.org/notice/B1aR6QFuzksLVSyBZQ
Linus rants that the SFC is wrong and argues that the GPLv2 which the kernel is licensed under does NOT force you to open your hardware. The spirit of the GPLv2 was about contributing software improvements back to the community.
Which brings us to the question: what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel? Of which there are likely none. Try and run custom software on his medical device which can likely kill him? More than likely.
The judge's comments on the Vizio case are such that should this guy get his hands on the code, he has no right to modify/reinstall it AND expect it will continue to operate as an insulin pump.
This is about as ridiculous as buying a ticket on an airplane and thinking you are entitled to the source code of the Linux in-seat entertainment system.
One interesting link:
https://www.drugtopics.com/view/hacking-diabetes-the-diy-bio...
I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up, it's the equivalent of flying a plane you built yourself.
It may be the case that when all is settled, the courts determine that the letter of the license means others' obligations are limited to what the judge in the Vizio case wrote. And Linus can speak authoritatively about his intent when he agreed to license kernel under GPL.
But I think that it's pretty clear—including and especially the very wordy Preamble—not to mention the motivating circumstances that led to the establishment of GNU and the FSF, the type of advocacy they engage in that led up to the drafting/publication of the license, and everything since, that the spirit of the GPL is very much in line with exactly the sort of activism the SFC has undertaken against vendors restricting the owners of their devices from using them how they want.
As the original Reddit comment explains, Insulet is an American company.
Broken take. You are entitled to the source code.
That’s about as ridiculous as buying a plane and knowing you’re entitled to the gpl sources used.
It's not like the OEM software also won't kill you: https://sfconservancy.org/blog/2025/dec/23/seven-abbott-free...
Linus is arguing against a strawman that Conservancy never actually argued. See https://sfconservancy.org/news/2025/dec/24/vizio-msa-irrelev... for details.
> Which brings us to the question: what is this guy going to do with (presumably) the kernel source?
It doesn't bring us to the question, but the answer to the question is, run a diff between the software that has this guy's life in its hands, and the version it was derived from, to see if they inserted back doors, stray pointers, etc.
I think this sentence is very sad. Not only is this a hard accusation, it is also the primary argument of the anti right to repair movement. An argument that I think is extremely bogus and ill intentioned, and I particularly (like Mr. Rossman) viscerally dislike.
Maybe the primary motivation is a) curiosity, and b) just for kicks to know if they honor the license.
That happens every Tuesday, hardly newsworthy.
It should be noted that this is just one of three options that someone who wants to distribute binaries of GPL code can choose from. It's the most commonly chosen one, and one is only available for noncommercial distribution, so the odds are good that this is the option they are using.
The other available option is to accompany the binary with the source code.
That one leads to an interesting possibility where someone could end up with a binary and there is no one obligated to provide source to them. As far as I know this has not actually arisen, but it seems like something that is bound to happen sometime.
Suppose company X decides to make a generic hardware platform that other companies can buy to build their products on. X's platform is basically a small single board computer with WiFi, Bluetooth, dual USB ports, a couple Ethernet ports, and some GPIO ports. X ports Linux to their hardware.
When X ships a system it comes with an SD card with a Linux distribution installed including their custom kernel. It is configured to boot from the first SD card slot, and then to run a custom login system that looks at the second SD card slot and if there is a card in there it mounts it, looks for an executable on its root named application.exe, and runs that as root. X includes in the box a small thumb drive with a copy of the source code for everything on the SD card.
The idea is that a company Y that wants to make something like a WiFi access point or an air quality monitor can buy these boards from X, put them in a case with whatever peripherals or sensors they need like air quality sensors, write the software for the application, put it on an SD card, and put that in the second SD card slot.
So let's say Y buys 1000 of these systems from X, builds 1000 of their access points or whatever from them, and sells them.
One of their customers asks Y for the source code of the GPL parts. Does Y have to provide it?
I'd say they do not. They are not making copies or derivative works. They are just receiving physical copies from X and passing those on unmodified to their customers. This should fall squarely under the First Sale Doctrine in US copyright law, and similar rules in other jurisdictions.
How about if they ask X for a copy?
X has made copies and derivative works and distributed them. But X satisfied their GPL requirements by including a thumb drive with the source with each board they shipped to Y.
That doesn't sound right to me.
A written offer is not the same thing as a contract.
A written offer on its own would not normally be directly enforceable in many (most?) jurisdictions, for the same sort of reason that retailers can't be held to incorrectly published prices (in the UK at least, a displayed price is an “invitation to tender”, not a contract or other promise) except where other laws/regulations (anti bait&switch rules for instance), or the desire to avoid fighting in the court of public opinion, come into effect.
But in this instance, the written offer and the response to that offer are part of the wider licence that has been agreed to.
The hell? Over here, the price tags are a sort of public contract, to which the seller pre-commits. The seller forgot to change the tags? That's not the buyer's problem.
If you accept someone's offer, provided it meets the rest of the criteria for a valid contract - congratulations you now have a contract. If any party violates it, yes this is a breach of contract.
> A written offer is not the same thing as a contract.
An offer is a precondition and component of a contract
It's not illegal to not honor written offers, it's illegal to distribute copyrighted material in violation of its license.
The offer of source code seems to be a way to facilitate the conveyance of source code through opt-in means separately from the object code rather than some legal trickery to create a user-licensee contract.
While the offer may indeed convey a licensee-user obligation, a compliant distribution would attach a license anyway, converting the user into a licensee and licensor to licensee in a recursive fashion
I wonder if lawyers specialize in this, it sounds very cool and not at all standard law, but somehow compatible with contract law
IANAL
On the shelves are three insulin pumps: one with a 5-year warranty, one at a bargain barrel price that comes with no warranty, and one accompanied by a written offer allowing you to obtain the source code (and, subject to the terms of the GPL, prepare your own derivative works) at no additional charge any time within the next three years.
Weighing your options, you go with pump #3. You write to the company asking for the GPL source. They say "nix". They're in breach.
You don't have to be "guilty" of anything to be liable in civil law (which contract law is a part of). "Guilt" is a concept from criminal law. It isn't required for contracts to be enforceable.
In general (there are exceptions) offers alone aren't enforceable and don't result in a contract. You need other elements (agreement by the parties, plus something done in return for what's offered) for a contract to be formed - and then it's enforceable.
I mean, the absolutely simplest, and cheapest, way for companies to comply with the GPL is to ship the source code together with the software. Stick it in a zip file in a directory somewhere. The company can then forget the whole thing and not worry about anyone contacting them and ranting about source code and the GPL. But no company does that.
The other simple way for companies to comply with the GPL is for companies to provide a link to download the source code at the same place that users download the program itself. If the user did not download the source code when they had the chance, that’s the user’s problem. This will also let the company ignore any GPL worries. No company does this, either.
(The GPL provides a third way for individuals and non-profits, which is not relevant here.)
What's the consideration in the written offer? Promises aren't enforceable in court. For a contract to be enforceable, it has to be an exchange of something, not a one sided offer.
In all likelihood, you would not receive the source code in the U.S., though. If dead set against release, the outcome would likely be that the offender would be fined and enjoined from any further distribution.
But GPL is a contract
I think the distinction you are pointing would be between a gpl licensor-licensee contract, rather than a licensee-user contract.
(IANAL)
Not according to the original reasoning by its creators, but opinions differ wildly. However, this is irrelevant to the point; the written offer, which is separate from the GPL, is what is failing to be honored, not the GPL. If you did not receive such a written offer, the GPL, in itself, makes no guarantee that you have the right to the source code.
Wrong. The requirement to provide source code under the GPL is primarily governed by Section 3 of the GNU General Public License v2 and Section 1 of the GNU General Public License v3. The whole point of the GPL is to make it so users of software could get source code to the software.
In my experience, this is quite common when the development of hardware is viewed as a cost center and is outsourced to various providers and teams. Those providers and teams churn a lot and nobody who worked on that is likely still involved with the company via contracts or direct employment.
Front line support people aren’t equipped to respond to these requests. If you’re lucky they’ll get bounced around internally while project managers play hot potato with the e-mail until it gets forgotten. You might get lucky if you go the corporate legal route, but more likely is that the lawyers will do the math on the likelihood of you causing them actual legal trouble for anything and decide it’s best to ignore it.
When I worked at a company that had a history of GPL drama one of the first things I did was enforce a rule that every release had a GPL tarball that was archived and backed up. We educated support people on where to forward requests. I handled them myself. 7 out of 10 times, the person on the other end was angry because they assumed the GPL entitled them to all of our source code and they were disappointed when they only found GPL code in the tarball. It really opened my eyes to some of the craziness you get exposed to with these requests (though clearly not the polite and informed request in this Reddit thread) which is probably another reason why support staff are uneasy about engaging with these requests.
Well, if your non-GPL code was directly linked to, or closely interoperated with, any GPL code, those users would have been right.
If you want to argue that the FSF’s lawyers are wrong, please provide more detailed, and hopefully referenced, arguments (as opposed to plain assertions).
The FSF could help a lot here by publishing demand letter templates outlining the statutory and precedential basis for license enforcement and recovery of damages.
The GPL grants rights to use and distribute, but does not grant ownership. It’s not suddenly in the public domain.
Yeah there are startups where head guys don’t know that and developers jump the gun because they feel like they’re the ones that have the best understanding of the issue at hand.
But of course that’s legal territory.
Please for the love of all that the FSF thinks is holy - just file a damn lawsuit if you are telling me they are violating the law. State your claim and have a court sort it out.
It costs hundreds of dollars. For a medical device? Seems like a good deal.
Making a blog post about someone else's copyright being violated is even more annoying to me.
You can choose to disagree, of course. My guess is that you have never done this and you have never been involved in a nontrivial legal dispute outside, perhaps, small claims court. You probably don't even own a nontrivial business. Not one person running a business would ever suggest a lawsuit could cost a few hundred dollars.
Like I said, in the real world things are different. I know people who have burned through over $50K in seemingly simple cases (one of them self-represented) only to bow out once they realized they only scratched the surface. In one case they went broke, had to sell their home to pay for the losses and move to a lower cost state just to survive. Tragic. And, BTW, they didn't lose the case. They just got to a point, tens of thousands of dollars later, where they simply had to drop it or face ending-up in a far worse situation.
When I was much younger (and really stupid as most young know-it-alls are) I decided to go after a company that owed me $100K in contractually agreed-upon consulting fees. They had already paid me over a million dollars over a couple of years, so this was not about a little $100K contract.
There was a change in management and they simply decided not to pay vendors. They did this as the simplest method (aside from laying people off) to improve financials. The new CEO and his wife also happened to own a law practice.
So, I hired an attorney (no way to do this on your own for $400). $11K later I finally understood that the balance of power was not in my favor. I may have won. It may have cost me somewhere around $75K to do so.
However, then the other reality would kick in: Collecting. Yup. Collecting was probably going to cost money and maybe even another lawsuit. Not to mention the time, measured in years, for the full experience. Not to mention the real potential of them filing for bankruptcy to gift me the experience of using my judgement as rough toilet paper.
In fact, that is precisely what they did about 18 months later to other vendors, who, like me, were chasing payment. They took a year to transfer all assets to a new corporation. When the original corporation had no assets whatsoever, they went ahead and filed BK and told everyone to go shove their judgements (if any).
I was actually glad that I only burned $12K to learn an important lesson: The legal path is only viable when you are talking about going up against an equal. Like anything, there are exceptions to this, however, in general, this is the way the real world works.
Still don't believe me? If you happen to be a budding entrepreneur looking for investors, do this: During your meeting, tell them that you are not concerned about lawsuits because they can be sorted with $405. Don't blink or you'll miss witnessing just how quickly they leave the room. Really.
Edit:
Courts deal with contract law disputes all the time. It's their bread and butter, everyday, nothing special stuff.
Edit2:
To you below, citation needed
It's not trivial in terms of big company bureaucracy - this request will have to go through so many levels of red tape that they (correctly) decided not complying to random people's requests is more profitable.
I'm sure if you actually sue them then they will comply right away, because at that point paying for some engineer's time to tar up the source tree and send it to you now becomes cheaper than lawyer time.
But their analysis is correct in that nobody will waste time/money suing to get what is effectively a stock kernel they can get from the official source anyway. Which is why these complaints are also a bit stupid - they're not asking for anything of value or using the GPL to advance software freedom by freeing up some valuable code, they're just wasting both theirs and others' time asking for something they can already download directly.
That is a gratuitous assumption. My experience is, as long as there is the smallest custom hardware, you will have to make some tweaks here and there.
> they're not asking for anything of value or using the GPL to advance software freedom by freeing up some valuable code, they're just wasting both theirs and others' time asking for something they can already download directly.
I'm sorry that the company which is making lots of money by using a copyrighted SW has to "waste" 200 dollars in some bureaucracy, printing and postage. But it is the license of the SW they are using, and they should abide by it.
The communication between your phone/pump or glucose sensor/pump is encrypted now for all newer devices.
> Diabetic companies like Insulet have been very lax when it’s come to the hacking of their devices
Absolutely not true, not any more.
May I ask where did you get this info? And what “newer” means here?
Surely there is a way to cheaply obtain bluetooth and a controller without saying "we'll just use this already existing hardware - that happens to be a whole-ass phone - because it's $5 from China"?
Kinda feels like that just screams data-stealing, regardless of where it was made.
Funny thing is that the newer Omnipod 5 from the same company works with regular phones now, but only in the US.
So, this companion device is kind of a thing that Insulet had to release. You'll see this with CGM's too -- there's a small companion device sold with the Dexcom G7 (the "controller"), even though everyone just uses their phone.
This is kind of a regulatory quirk; basically from the FDA's point of view you had to have a complete standalone system, that did not include the phone, in order to be able to prescribe it. I think they do not require companion devices any more, it's OK to release something that requires the user to have a phone.
"we plan on users having a phone to connect to it and use primarily. FDA requires a primary/backup. well it's already phone-controlled, go find a phone that works with it. needs to be cheap, cuz no one will really use it anyway"
That makes a little more sense. I was imagining the development process involving both devices, rather than one device first, then determining what the second would be later.
Thanks for the insight!
Insulin pumps are paired with a glucose monitor. I bet it is handy to check glucose levels to make sure things are stable and correct if off.
Oh well. Big Corp doing what Big Corps do. Paying lip service to legal requirements, but reluctantly and with barriers that would no doubt take a lot of time and money to even try and break down.
It's part of the debate of whether (1) GPL is a contract, (2) GPL can be enforced by non-parties, (3) How Fair Use applies, (4) Methods to bully/shame companies to give up source code ...? (5) Who the actual parties involved are if the actual rights holder (Linux Kernel) tries to sue someone. (First Sale doctrine might apply).
How do they triage and decide what to pursue?
The dominant legal theory is that the GPL can only be enforced by the party holding the copyright. SFC's lawsuit against Vizio is strategically trying to establish precedent changing that; establishing that end-users are "third party beneficiaries" under the GPL, so others can enforce the GPL; but for now the copyright holder is the only one who can enforce it.
So the FSF could only take it up if the violation is on projects that do copyright-assignment to the FSF (i.e.: most GNU stuff). If you do find a violation of GNU stuff, the process is "email license-violation@gnu.org". I do not know what process Craig and Krzysztof use when triaging reports and deciding what to pursue.
Many Linux-kernel contributors (also, SFC member projects such as OpenWrt, Git, Qemu) have assigned their copyright to SFC or named SFC as their legal representative; so SFC can take up something like this. Similarly, you can report violations to them by emailing compliance@sfconservancy.org (see https://sfconservancy.org/copyleft-compliance/help.html for more info).
Now, SFC is aware of more violations than they could ever possibly pursue, so they're strategic about pursuing ones that are high-impact. I'm not sure how they decide that. But I can say that medical devices are near-and-dear to them, between executive-director Karen Sandler's implanted defibrillator and policy-fellow Bradley Kühn's blood glucose monitor.
"Why do you want the source code?! leave it alone! Don't touch it, is unsafe! Big Pharma companies know much better than you what they do!"
REALLY?! REALLY?!
I'm not saying, go changing the SW like crazy. It is clear it can kill you. But this "anybody who is not a mega pharma company is absolutely unable to do anything right, you will absolutely kill yourself if you look at the code" that is just... idk... so low.
It may be named hacker news, but boy, many people here are not remotely near what I would call a hacker...
Seems like this company already understands enforcement is crap.
Disgusting is not respecting the producers who put together the device that wouldn’t exist otherwise, leaving thousands of people in pain or death.
You wouldn't download a CAR, would you? You wouldn't hack your own INSULIN pump, would you?
Face it: If it's GPL and vulnerable to interference, responsibility is squarely on the manufacturer and the fastest death-free way to prove it. If it's GPL and modified by the owner, fuck off.