WEBVTT

00:00.000 --> 00:09.760
I am extremely pleased to introduce the next speaker who is, well, all the speakers in this

00:09.760 --> 00:11.480
room are good, I should say.

00:11.480 --> 00:15.160
So I do want to be like, one of these speakers better than all the others, but I'm really

00:15.160 --> 00:19.480
excited about the topic, and so I'm pleased to introduce Denver Gingerich, who is going

00:19.480 --> 00:24.440
to speak about LGPL enforced in Germany, how we helped a purchaser use the courts to compel

00:24.440 --> 00:25.440
compliance.

00:25.440 --> 00:26.440
Thanks, Denver.

00:26.440 --> 00:35.640
All right, so I'll jump in here first a little about me.

00:35.640 --> 00:39.360
I'm Denver Gingerich, that's my website.

00:39.360 --> 00:44.120
The main work I do is as director of compliance at Software Freedom Conservancy.

00:44.120 --> 00:47.960
I also work a couple hours a week on JMP.chat, which gives you a phone number

00:47.960 --> 00:48.960
freedom.

00:48.960 --> 00:55.680
Now, I wanted to talk a little bit first about copyleft, what it is, so it is the software

00:55.680 --> 01:01.200
right to repair and modify, to improve your devices, make them do what you want.

01:01.200 --> 01:06.480
The heart of it is this right to fix and improve your software.

01:06.480 --> 01:13.760
Now, this is text from the preamble of LGPL version 2.1, saying if you distribute copies,

01:13.760 --> 01:19.920
you must give the recipients all the rights that we gave you.

01:19.920 --> 01:26.560
So the rights that you received, the right to compile, modify, and install the software,

01:26.560 --> 01:32.480
so you must pass those on to other people if you are distributing the software to them.

01:32.480 --> 01:34.080
Who gets those rights?

01:34.080 --> 01:39.680
Well, the person you gave it to, so in the case of say a wireless router, the person who

01:39.680 --> 01:43.760
purchased that wireless router containing LGPL software.

01:43.760 --> 01:44.760
How do they get them?

01:44.760 --> 01:48.960
Hopefully, they just ask for the source code, and then they receive the complete source

01:48.960 --> 01:49.960
code.

01:49.960 --> 01:54.480
And if that doesn't happen, they should have the right to sue to get that.

01:54.480 --> 02:01.480
Now, the LGPL version 2.1 goes into some more detail about what this means in the preamble.

02:01.480 --> 02:06.920
It says you must provide these scripts used to control compilation and installation of the

02:06.920 --> 02:08.240
executable.

02:08.240 --> 02:13.320
So I think that's pretty clear, and we'll get into some even more detail on that in a little

02:13.320 --> 02:15.320
bit.

02:15.320 --> 02:17.320
So what are we talking about?

02:17.320 --> 02:24.360
We're talking about this right here, the Fritzbox 4020, a very popular router made by AVM,

02:24.360 --> 02:30.480
which I understand is the largest manufacturer of wireless routers in Germany.

02:30.480 --> 02:34.560
And so what exactly happened with this Fritzbox router?

02:34.560 --> 02:41.760
Well it had an offer for source code in it, and the purchaser of the device requested

02:41.760 --> 02:45.760
the complete source code per that offer.

02:45.760 --> 02:49.520
Now the complete source code was not received.

02:49.520 --> 02:54.160
And months of discussion actually I believe it was over two years now.

02:54.160 --> 02:58.520
The purchaser is actually in the front row here, Sebastian Steck.

02:58.520 --> 03:05.360
And he, yes, big, big round of applause.

03:05.360 --> 03:12.640
And he went back and forth, I believe, for more than two years on this before filing a

03:12.640 --> 03:13.640
lawsuit.

03:13.640 --> 03:18.240
And so he gave AVM a lot of time to get it right.

03:18.240 --> 03:22.560
And they didn't, so he filed the lawsuit.

03:22.560 --> 03:29.080
Now before I get into the details of the lawsuit, I just wanted to note that a little

03:29.080 --> 03:32.400
bit about Software Freedom Conservancy's involvement.

03:32.400 --> 03:37.160
So we did fund the lawsuit, and we supported it, but we were not the plaintiff, as noted

03:37.160 --> 03:40.560
the plaintiff is Sebastian here.

03:40.560 --> 03:47.480
Also I did want to mention that I did reach out to AVM, and I said, you know, we'd love

03:47.480 --> 03:52.280
to have a discussion with you at FOSDEM about this lawsuit, and they said they were

03:52.280 --> 03:55.120
not available to talk about it.

03:55.120 --> 04:00.880
So I will be providing you the information that I can, sorry, AVM is not here.

04:00.880 --> 04:03.640
I did try very hard.

04:03.640 --> 04:08.520
So the details we have are primarily at this website.

04:08.520 --> 04:14.440
This is linked also from the news item in the blog post that we made about the lawsuit.

04:14.440 --> 04:22.960
So you can find things like the complaint, any court decisions along the way, and also

04:22.960 --> 04:28.320
the exhibits, and links to the source code, which I'm going to talk about in a minute

04:28.320 --> 04:29.800
here.

04:29.800 --> 04:34.440
So as noted, the plaintiff was a purchaser of the device, AVM claimed to have source

04:34.440 --> 04:39.960
code for this device, and what AVM provided was not the complete source code.

04:39.960 --> 04:47.760
And therefore, in Germany and many other jurisdictions, the purchaser has a right to sue.

04:47.760 --> 04:53.040
And in particular, this lawsuit was about these four projects, which are all under LGPL,

04:53.040 --> 04:59.360
version 2.1, Sebastian chose to make the lawsuit about LGPL works.

04:59.360 --> 05:06.360
And it causes a very interesting result, because it shows us that even the lesser GPL

05:06.360 --> 05:13.920
does provide us all the same rights for compilation and reinstallation of modified versions

05:13.920 --> 05:19.320
of the works onto the device as the GPL does.

05:19.320 --> 05:23.440
So that's very fascinating.

05:23.440 --> 05:29.720
Now, brief interlude here, I want to talk a little bit about use the source, which is

05:29.720 --> 05:35.080
a project that we started at Software Freedom Conservancy last year.

05:35.080 --> 05:40.840
Actually, we launched it at FOSDEM one year ago, so it's a great place to be talking

05:40.840 --> 05:43.160
more about it today.

05:43.160 --> 05:44.440
And use the source.

05:44.440 --> 05:53.120
The goal is to show you a bunch of source code of different products and projects.

05:53.120 --> 05:56.000
So that you can do interesting things with this.

05:56.000 --> 06:00.600
And you can show us, you can tell us how you did those interesting things.

06:00.600 --> 06:06.360
So there are a lot of different products whose source candidates we've put up there.

06:06.360 --> 06:10.760
And I say candidates, because unfortunately, not all of them are complete source code.

06:10.760 --> 06:15.120
But that is generally the goal, so that you can show what interesting things you do.

06:15.120 --> 06:19.320
And if you're not able to do interesting things, maybe it's not in compliance with the

06:19.320 --> 06:20.320
license.

06:20.320 --> 06:25.280
Or you're not able to do interesting things, we also do note that as well.

06:25.280 --> 06:31.120
So I would recommend going there if you want to, at some point, I'm going to be going

06:31.120 --> 06:36.720
through the AVM source candidates that we've published there throughout this talk.

06:36.720 --> 06:42.320
I'll go into some detail, but if you view them on that page, you can get a little bit

06:42.320 --> 06:44.840
more insight as well.

06:44.840 --> 06:47.320
So let's see what we can do with it.

06:47.320 --> 06:48.720
What did they initially provide?

06:48.720 --> 06:55.160
So this is round one, and they provided a tarball, and it had a bunch of tarballs inside

06:55.160 --> 07:02.240
of it, and they had no instructions of any sort at the top level of the tarball.

07:02.240 --> 07:10.240
So what Sebastian did was he took a look and saw, well, what should I try compiling here?

07:10.240 --> 07:14.720
And so he thought, well, I'll start with GCC, the compiler probably good to start there,

07:14.720 --> 07:16.960
so I can build the rest of it.

07:16.960 --> 07:21.920
And then he tried to do some of the things that you would, you know, might think to do

07:21.920 --> 07:27.960
like type make, since there was a Makefile, and run this shell script.

07:27.960 --> 07:33.640
And none of those worked, they resulted in a bunch of errors.

07:33.640 --> 07:39.520
And so this is what Sebastian, part of what Sebastian wrote back to AVM.

07:39.520 --> 07:46.640
This is the English translation, that Sebastian provided, he sent them this in German.

07:47.320 --> 07:52.320
So yeah, there's clearly some problems here with these scripts used to control compiling.

07:52.320 --> 07:54.480
Now, that was not the only problem.

07:54.480 --> 07:58.640
There were also problems with these scripts used to control installation.

07:58.640 --> 08:01.680
In fact, it seemed that there may be no such scripts at all.

08:01.680 --> 08:07.200
And so Sebastian noted that for completeness when he was talking to AVM.

08:07.200 --> 08:14.160
And so here we are, well over two years before the lawsuit began, and this is what Sebastian

08:14.240 --> 08:17.200
is telling to AVM.

08:17.200 --> 08:27.120
So they go back and forth a bunch by email, and also Sebastian tells them, well, you know,

08:27.120 --> 08:31.760
I'm going to, I'm going to try to help you out here and try to fill in some of these

08:31.760 --> 08:32.720
missing pieces.

08:32.720 --> 08:37.280
And so Sebastian wrote a bunch of scripts.

08:37.280 --> 08:43.520
So that he could get to compliance faster because he wanted to be helpful and make

08:43.600 --> 08:50.480
sure that AVM was getting everything they needed, even though he wasn't required to do that.

08:50.480 --> 08:54.000
Like AVM is out of compliance, it's their responsibility to make these.

08:54.000 --> 08:58.320
But he wanted to fix it quickly, so he attempted to do that for them.

08:58.320 --> 09:03.600
And in the last candidate before the lawsuit was filed, this is round two here.

09:04.400 --> 09:10.160
We have all of these scripts written by Sebastian and then AVM added some other things.

09:10.800 --> 09:16.880
One example is this kernel layout environment variable, which was kind of one of the major missing

09:16.880 --> 09:25.040
pieces from the scripts used to control compilation, that value was needed from AVM still in order

09:25.040 --> 09:30.480
to complete the compilation because it was not obvious what device type should go in there,

09:30.480 --> 09:36.560
because it's all using code names that are kind of internal and not obvious.

09:36.880 --> 09:44.160
And there were also, to somewhat of AVM's credit, some other scripts written by AVM.

09:45.200 --> 09:52.960
However, these scripts did not give Sebastian the same rights to install as AVM had that is the

09:52.960 --> 09:56.640
right to install modified versions of the software onto the router.

09:58.800 --> 10:05.520
Now this is a problem and so because of this problem and because it had been so long

10:05.600 --> 10:12.400
and it was clear, AVM was not going to do anything about it without a lawsuit, Sebastian filed the lawsuit.

10:12.400 --> 10:20.560
So the lawsuit progressed, you can read the filings and things on the website as much as we have

10:20.560 --> 10:28.080
and can publish; due to the way the German legal system works, it's not public record by default.

10:28.080 --> 10:33.840
So if you would like, you can ask AVM for their filings, we were not able to publish those ourselves.

10:34.640 --> 10:39.280
But that, you know, can show some more information if you're interested.

10:40.400 --> 10:48.000
Now so we went back and forth with these filings that is to say Sebastian and AVM went back and forth

10:48.000 --> 10:55.120
with filings and eventually AVM did provide the scripts used to control installation.

10:55.120 --> 11:02.160
So this was very exciting and so that effectively ended the case.

11:02.720 --> 11:12.320
The lawsuit was about this LGPL compliance which Sebastian got and Sebastian very nicely shared the

11:12.320 --> 11:17.920
scripts with us as well. So these scripts used to control compilation and installation.

11:17.920 --> 11:23.120
He gave them to us at Software Freedom Conservancy and so we were able to post them

11:23.120 --> 11:31.440
on use the source so that everyone can have the complete source code for the LGPL works on this AVM router.

11:32.640 --> 11:39.840
Now AVM has still not posted these scripts on their website. I'm not sure why that would make

11:39.840 --> 11:44.240
things a lot easier for people. I checked this morning. I still couldn't find them.

11:45.200 --> 11:55.360
And so we would encourage AVM to publish those on their website and and yeah, we think that would be

11:55.360 --> 12:02.160
a better way as opposed to having to have people ask them for the source code again and then

12:02.160 --> 12:07.040
maybe going back and forth. I hope they would provide you these if you asked for them for their

12:07.040 --> 12:14.480
offer but I don't know how they respond to that. So you may be interested in what these scripts

12:14.480 --> 12:20.720
used to control installation actually look like what is compliant with the license. Well,

12:21.680 --> 12:28.640
I'll go into some details here quote a few parts of these scripts and also just to

12:29.440 --> 12:37.840
just to kind of clarify here what we're talking about. So scripts scripts can be viewed broadly.

12:38.880 --> 12:46.800
So we didn't say to AVM you need to provide us with shell scripts that do all of these things

12:46.800 --> 12:54.480
to install it onto the device. We you know we've said it's okay if you provide

12:55.120 --> 13:01.440
things in a human language and in particular they provided the these scripts in German

13:02.480 --> 13:08.640
and they're primarily a set of German instructions with a few notes to use certain shell

13:08.640 --> 13:14.880
scripts or other programs along the way. And so what I'm going to quote here is the

13:15.840 --> 13:24.160
English translation that Sebastian provided to us of these German scripts from AVM. Both of them

13:24.160 --> 13:32.560
are included in the in the source package on on use the source. So the first thing you need to do

13:33.360 --> 13:40.800
is you get these original firmware images from AVM download them from their website or otherwise

13:40.880 --> 13:48.640
and then you unpack them. And it provides specific commands to use to do that. Then you replace

13:48.640 --> 13:54.880
the desired files with specially generated files. So here they're talking about the files that

13:54.880 --> 14:01.200
you may have modified these LGPL works. So you can replace the ones in the firmware image with the ones

14:01.200 --> 14:07.840
you have modified and then you pack those back into an image file and they provide the the commands

14:07.840 --> 14:14.160
that you would use to do that. Then you run this command right here and this installs that firmware

14:14.800 --> 14:23.200
including your modified LGPL works onto the device. And finally you supply the Fritzbox 4020 with power

14:23.200 --> 14:30.160
and achieve great success because you are now running the modified versions of the LGPL works on the

14:30.160 --> 14:36.160
router. So this is wonderful. We are very happy to have these scripts and have been able to share them

14:36.240 --> 14:43.680
with you as well. Now what exactly is it we won? Well we got all the rights that the software

14:43.680 --> 14:52.240
developers gave to AVM that is the right to compile, modify and install the software and we're

14:52.240 --> 14:59.680
very happy about that. We got the source code and also interestingly AVM also chose to pay

15:00.480 --> 15:09.120
Sebastian's legal costs in this case. So essentially the case was settled but Sebastian got everything

15:09.120 --> 15:16.160
he asked for in the lawsuit. So anyway I think that's an interesting result. The GPLs by which I

15:16.160 --> 15:25.440
mean the AGPL and GPL give rights to recipients. That's you know what we do and then Sebastian has shown

15:25.600 --> 15:31.040
us that if you weren't weren't given those rights you can get them by suing if you need to.

15:33.040 --> 15:39.600
So you may be interested in some other work that Software Freedom Conservancy does to promote copyleft

15:39.600 --> 15:46.880
and make sure people can make practical use of the freedoms that they have.

15:47.600 --> 15:54.640
That is to be able to reinstall changes onto the devices that they have. So we show people how it's

15:55.360 --> 16:03.840
done. We make our own hardware. We made the OpenWRT1 this past year in collaboration with

16:05.280 --> 16:11.520
OpenWRT which is our member project and we of course provided the complete source code

16:11.520 --> 16:18.160
from day one for that. Not just because it was required since it is but because obviously we want

16:18.160 --> 16:24.320
to have people's ability to do as they want with their devices to be front and center.

16:25.200 --> 16:33.840
If you have an OpenWRT1 you can get the source code by using the offer on the box. It's also

16:33.840 --> 16:39.440
on use the source and just in case we also etched the offer for source code into the PCB.

16:40.000 --> 16:44.560
So if you have an OpenWRT1 you can open it up. Take a look at the bottom of the PCB and you'll

16:44.560 --> 16:52.000
have your offer for source code right there as well. So we don't like to sue. We would like

16:52.000 --> 16:57.360
things to get resolved without lawsuits but in case a company is not in compliance and it has been

16:57.360 --> 17:05.840
some time as was the case in Sebastian's suit. We sometimes do need to sue people. So

17:05.840 --> 17:14.480
sue companies that is. So in this case, Vizio here, we bought a Vizio TV. We wanted to make

17:14.480 --> 17:22.080
an OpenWRT-like system for the Vizio TVs. So we bought the TV and requested source code.

17:22.080 --> 17:30.160
We did not receive the complete source code. In fact, we still haven't to this day. And so

17:31.120 --> 17:37.120
we are in the middle of this lawsuit with Vizio. It goes to trial in September and we are of course

17:38.000 --> 17:44.320
hopeful for a positive result there. So we also discussed the code that we get as I mentioned

17:44.320 --> 17:51.120
on use the source and so I would encourage you to check out use the source and see what we have

17:51.120 --> 17:56.320
on the website and I really encourage you to upload any source candidates you receive so that

17:56.320 --> 18:04.080
people can see them and we can discuss those all together. So I just wanted to highlight that

18:04.080 --> 18:10.800
use the source again. Check it out. Also, you know, if you like our work, I'd encourage you to

18:10.800 --> 18:16.800
become a Software Freedom Conservancy sustainer. And as you might expect for a talk of this nature,

18:17.360 --> 18:24.080
the complete source code for these slides are also available. So you can go to that slides link

18:24.160 --> 18:30.160
go to the last page and then tap on the slide source available. So thank you very much. I'll take some

18:30.160 --> 18:36.480
questions. And thank you. This is a fast jinn.

18:42.080 --> 18:51.920
Yeah, so I'm curious why were they required to publish the source code for LGPL a software since

18:51.920 --> 19:00.320
this is generally used for libraries and they tend to be dynamically loaded and basically this required

19:00.320 --> 19:10.960
requirement would not be applied unlike GPL or AGPL. So what was the software provider relationship

19:10.960 --> 19:19.200
with the upstream LGPL project in order for this constraint to be applied? So the LGPL requires that

19:19.360 --> 19:26.480
you provide the complete source code for all the LGPL works. If you are distributing those

19:26.480 --> 19:32.960
LGPL works to someone else. So I mean, if you have something that depends on an LGPL library

19:33.680 --> 19:39.600
and you only distribute that thing and not the LGPL library itself, then you know, they're perhaps

19:39.600 --> 19:46.000
there are other ways to comply. But in this case, AVM was distributing both the thing that was linked

19:46.080 --> 19:51.760
to this LGPL library and the LGPL library itself. So if that's what you're doing, then you need

19:51.760 --> 20:02.160
to provide the complete source code for the LGPL library. Hi, thank you for your talk. I'm wondering

20:02.160 --> 20:11.760
what's the general feedback from like how do judges, attorneys and such

20:12.720 --> 20:17.680
handles a subject because I guess most of them are not familiar at all with those technologies

20:17.680 --> 20:25.440
and those licenses. And so they feel like, I mean, how does that happen? Sure, so in a general sense

20:25.440 --> 20:31.680
and just to you know, back up here a little bit, I'm not a lawyer. I don't provide legal advice

20:31.680 --> 20:39.120
all of that stuff. And so, so to answer your question, I mean, just what what I've seen generally

20:39.120 --> 20:48.880
is, you know, lawyers do what they can with the facts that are available in the case of AVM looking

20:48.880 --> 20:56.560
through the the filings. It appears that an expert would have been called if necessary later on in the

20:56.560 --> 21:04.240
case. It sounds like due to how things worked out. That was not necessary in lawsuits in the United

21:04.240 --> 21:11.120
States often experts are introduced earlier in the case. And so, so that's usually what happens

21:11.120 --> 21:17.120
there speaking not as a lawyer, just as someone who's looked at some legal filings.

21:19.120 --> 21:24.160
Thanks for the interesting talk. Nowadays, many devices, even in the embedded world use

21:24.160 --> 21:28.880
techniques like secure boot for instance to make it impossible to run something that is not

21:28.960 --> 21:33.200
signed by the vendor, and especially for the low cost devices, usually that's a one way

21:34.000 --> 21:40.640
street, so you cannot like revert the secure boot mode once it is applied. How does it work out in

21:40.640 --> 21:45.680
this case? Can the vendor then provide a special unlock device for you or does it need to run

21:45.680 --> 21:51.920
on the same device or how does it work? So, there is a famous story of a printer

21:52.080 --> 22:00.320
where, yeah, okay, so most people know anyway, it seems like the the person who wanted to change

22:00.320 --> 22:05.600
the software on their printer did not want to buy a brand new printer to install that software

22:05.600 --> 22:12.880
onto, they wanted to do it on the device that they had with them already. And so, you know,

22:12.880 --> 22:19.760
there may be different ways that companies try to impede your ability to reinstall the LGPL

22:19.920 --> 22:24.960
and the GPL say you need to have the scripts used to control compilation and installation,

22:24.960 --> 22:33.360
so, you know, whether you do that by like wiping out some chip that requires a key or something

22:33.360 --> 22:41.920
like that, I mean, it's not specific in what it says you must do as long as that is achieved.

22:42.480 --> 22:51.920
Hi there, thanks for the talk. AVM was sued, not because they're the manufacturer,

22:51.920 --> 22:58.480
but because they were the seller, right? AVM was the manufacturer is my understanding here.

22:58.480 --> 23:05.360
Right, but, yeah, do you sue the manufacturer or the guy who provided you the router?

23:05.360 --> 23:10.240
The guy who sold you, right? Yeah, I think it will be faster to sue the manufacturer

23:11.200 --> 23:18.080
because the distributor probably just pointed them, but that's just me as not a lawyer, etc.

23:20.080 --> 23:27.040
Hi, in your dealings with this and other companies, how much of this is bad faith or

23:27.040 --> 23:32.160
malice on their side, versus incompetence, or they just never thought about it before?

23:33.120 --> 23:42.960
Yeah, very good question. I, of course, wish that it were, you know, incompetence, sadly,

23:42.960 --> 23:49.840
because that would be perhaps easier to fix, but we found that a lot of times companies are

23:50.640 --> 23:57.600
appear to be, appear to be establishing a line they made up and they are just sticking to that line,

23:58.160 --> 24:03.600
and so that's why we unfortunately need lawsuits. I, you know, I don't know if that's the case

24:03.600 --> 24:09.440
in any particular one, it just feels like it in some cases for me. We have one last question here.

24:15.360 --> 24:21.040
To what are, I understand where you're, where you're getting the, you need to provide

24:21.040 --> 24:27.600
the scripts that control the compilation installation, no problem. You seem to be inferring an

24:27.600 --> 24:34.800
additional requirement that those scripts succeed in an environment outside the, outside of the

24:34.800 --> 24:42.320
manufacturer. Let's say that I'm a manufacturer, I've got my scripts, they require my internal

24:42.320 --> 24:47.760
key signing, they require my internal infrastructure, they call out to these things. I give you

24:47.760 --> 24:54.880
my exact scripts, calls out to internal server one, internal server two, gets a bunch of keys,

24:54.880 --> 25:00.160
signs a bunch of stuff, does all this stuff. It absolutely was the exact script I used,

25:00.160 --> 25:04.880
I provided to you, you try and run it fails, as expected because you're not in my environment.

25:06.240 --> 25:14.400
What are you, depending, relying on for the idea that the script has to actually succeed in any other

25:14.720 --> 25:23.840
environment? So as I mentioned, the scripts can include, if, for example, your scripts do not

25:23.840 --> 25:31.120
successfully complete by themselves, then you can add add instructions in, you know, German or English

25:31.120 --> 25:38.080
or whatever, to describe how it completes. The issue here is that it sounds like in your

25:38.080 --> 25:45.520
situation that you're describing, you as the manufacturer are able to compile modified versions

25:45.520 --> 25:51.280
and install them on the device. And so that is what we're talking about here is passing on those

25:51.280 --> 25:55.920
rights, as mentioned in the preamble, you have to give those rights to compile and install

25:56.960 --> 26:02.720
onto the user. So that, that is what you have to do, and that is what we will sue to make happen.

26:02.720 --> 26:05.920
I think my time is up, so thank you very much.

