Open source-y people will love this-- talking about legal bullshit instead of coding
-
I've been trying to research what kind of notices/disclosures/files you need to ship when you include a GPLv3 application with a closed-source proprietary application.
To be clear: the GPLv3 application is not linked to the closed-source application in any way; it's remote-controlled using CLI commands (the same way a user of PowerShell would use it, for example). None of the GPLv3 code has been touched.
Here's what I assume so far, please let me know if any of these assumptions are wrong:
- The GPLv3 software needs to be present in its entirety in the application folder of the closed-source application (especially including the "copying" file, or whatever the license file happens to be named)
- The closed-source software itself needs to have some kind of notice in its About dialog or EULA screen that there is GPLv3 software bundled with it
- The closed-source software needs to have a link to the GPLv3's source code (since the project has no website, I assume this means a link to its GitHub homepage?)
- The closed-source software's website needs to have a link to the GPLv3's source code
- (I don't expect this to actually happen but...) if anybody emails me about the software, I'd be required to provide the above links on request.
Have I covered all the bases here? Is there something I'm forgetting?
There's about a million articles about this, most of which are out-of-date and only talk about GPLv2 or are simply confusing as fuck and don't consider my exact situation.
-
I would say you basically have it covered...but, interpretations vary, and there is an entire industry profiting from filing claims of license violations and then settling (as the cost of defense can be high).
I think long and hard about including GPL (any version), and will go to fairly extreme measures to avoid it, if at all possible.
-
@thecpuwizard Yeah, I agree. I always prefer BSD over GPL. The only time I don't care is for 100% server-side code.
@blakey: if you're basically doing "remote calls" to the GPL software, can you just turn the GPL software into a network service? Then you don't have to distribute the GPL software at all, and GPL is 100% irrelevant.
-
@thecpuwizard said in Open source-y people will love this-- talking about legal bullshit instead of coding:
I think long and hard about including GPL (any version), and will go to fairly extreme measures to avoid it, if at all possible.
Have done, and unfortunately it's not. I was able to find free licenses for the stuff I actually need to link into the program itself, however. (And even that was a challenge-- there's a VB.Net DLL built into this C# program because that's the only language I could find a free version of a particular validator I need. Fortunately .NET is .NET.)
So I guess I've done all I need and just hope it's a low enough profile that those idiots who troll around trying to find GPL violators to sue will leave me alone.
-
@captain said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@blakey: if you're basically doing "remote calls" to the GPL software, can you just turn the GPL software into a network service? Then you don't have to distribute the GPL software at all, and GPL is 100% irrelevant.
Good idea but unfortunately I can't in this case. Sorry I'm trying to avoid talking about specifics because this is an unannounced product and I don't want to give too much away. (Also when it is announced it sure as shit won't be announced with the "blakeyrat" name. So that too.)
-
AFAIK as long as the closed-source app depends on GPL app and not the other way around, you're basically just a distributor, so only need to include copyright notice and repo link.
-
@gąska Well that's good to hear, but I'm not going to remove anything because I'm paranoid as shit over this legal bullshit.
-
@gąska said in Open source-y people will love this-- talking about legal bullshit instead of coding:
AFAIK as long as the closed-source app depends on GPL app and not the other way around, you're basically just a distributor, so only need to include copyright notice and repo link.
Court case from about 3 years ago. Closed Source program shelled out to an exe that was GPL. The existence of the (string) containing the exe name, and the various switches was sufficient to allow a lawsuit to be brought [state of Maryland]. As usual, the case was settled for an undisclosed amount.
-
@thecpuwizard Have a link?
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@thecpuwizard Have a link?
I don't have it on my local machine [traveling, domestically, and quite mundane] and a quick google did not turn anything up. It was a relatively minor case [total damages sought were around $5K IIRC] so I doubt it ever made the news directly (and thus easily searchable for).
The context was a document [which had many citations] involving various scams and security risks of using 3rd party software. In the relevant examples, software is produced that is "alluring", but the license contains significant restrictions. The producer (typically a shell of a company) actively monitors for usage of the codebase and files legal challenges in the hope of collecting money from settlements...
Let me look when I get back home....
-
@blakeyrat Would it be feasible (I'm guessing not) to have the user install your program and then go and install the GPLv3 application themselves? Audacity does something like this -- you have to download the mp3 encoder separately.
-
@slapout1 said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@blakeyrat Would it be feasible (I'm guessing not) to have the user install your program and then go and install the GPLv3 application themselves? Audacity does something like this -- you have to download the mp3 encoder separately.
The whole point is to get a GPLv3 app that does something unique but has absolutely ass shit usability/installability/UX/everything-except-being-functional-at-its-main-task and making it usable. Like I said above, it doesn't even have a web site it's so user-unfriendly.
So yes I could ask the user to do that, and there'd still be some benefit from the closed-source program being able to remote control it intelligently, but it suck out like 80% of the value from what I'm trying to sell.
-
@thecpuwizard said in Open source-y people will love this-- talking about legal bullshit instead of coding:
Let me look when I get back home....
Thanks. I couldn't find anything on Google about it either.
-
@blakeyrat Maybe your installer could trigger the GPL installer then? And install to your app's AppData or something? A nice thing about Unixy stuff is that there's a decent chance the installer takes command line options for this kind of thing.
-
@captain said in Open source-y people will love this-- talking about legal bullshit instead of coding:
Maybe your installer could trigger the GPL installer then?
There is none; the GPLv3 app is complete garbage.
Again: the whole idea here is that people want to do what this GPLv3 app does, but it's fucking impossible for normal human beings to ever use. It's utter garbage. If open source developers weren't so shit at their jobs, there'd be no reason for this closed-source program to exist.
@captain said in Open source-y people will love this-- talking about legal bullshit instead of coding:
The nice thing about Unixy stuff is that there's a decent chance the installer takes command line options for this kind of thing.
None of this stuff runs on Unix. AFAIK, "Unixy stuff" usually doesn't have installers at all, you're expected to download from Git and build the code yourself.
-
@blakeyrat BTW if CPUWizard's lawsuit was legit, there's another strategy I could use to make this work:
- Make up a simple "program-to-generic-helper" IPC communication protocol
- Create a exe that implements that protocol between the closed-source app and the GPLv3 app
- Make that exe GPLv3
That way my closed-source app wouldn't even have the GPLv3 app's binary name. It'd be 100% insulated. Even if someone wanted to sue over a GPLv3 violation, I'd be the owner of the relevant GPLv3 app in the first place and I could refuse.
Only a few hours of development time, but I'd still like to avoid if it I can-- adds a lot more places where things can go wrong for no (practical) benefit to the user.
In any case, when you think about it, if Microsoft (and Atlassian and GitKraken, etc) can do basically exactly what I'm doing between their apps and Git, I don't see how there could be any problem with what I'm doing.
-
My suggestion would be to contact the developers and ask what they would want in order for you to commercially license it. Then you can get around the GPL entirely.
-
@polygeekery Best yet, the chap who runs the OG website of this forum. Him build tools lets you check the licensing and build.
Sidenote : I've demoed Proget at work and was part of my monthly progress update.
-
@polygeekery Unfortunately, it's a projects with dozens or hundreds of contributors and I'm 99% sure it's including GPLv3 from other projects also. I doubt it's feasible.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
if CPUWizard's lawsuit was legit
It's not. But US has very weak protection against frivolous lawsuits.
Also - have you tried contacting the author of that app? If there's only one author (if there's more, you might try digging through repo history to find latest single-author version and see if it meets your needs), they might agree to relicense it at more permissive license. Just stress out how much you love his work, how much you'd love to use it and how GPL makes it impossible. Just don't be too honest about those.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@polygeekery Unfortunately, it's a projects with dozens or hundreds of contributors and I'm 99% sure it's including GPLv3 from other projects also. I doubt it's feasible.
I know you are probably going to blakeyrant me, but it can't hurt to ask. The worst they can say is no.
-
@polygeekery said in Open source-y people will love this-- talking about legal bullshit instead of coding:
I know you are probably going to blakeyrant me, but it can't hurt to ask. The worst they can say is no.
The worst that can happen is it puts my work on their radar and then they get the most aggressive lawyer they can find to come after me.
If the answer is likely to be no, it's better for me to remain off the radar as long as possible.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@blakeyrat ... If TheCPUWizard's lawsuit was legit...
Just be sure I am clear, "legit" can have many meanings. Lawsuits can range from having "full merit" down to "frivolous". What I have been referring to are [IMPO, IANAL, etc.] very close to the frivolous line (not even really sure which side of that line).
The bar to file, is very low. This is why there are about 15 million lawsuits filed every day in the USA (that is about 2 lawsuits per second over the course of normal business days - assuming I did the math right).
In many cases, the party with access to the better legal resources is the one who wins. The cost of being active (on either side) is high, even if there is insurance (they prefer to spend money on a sure settlement than a fight which has risk) or if one represents pro-se [still takes time, and time is money]
That is why I (and thus, my firm) have taken strong risk mitigation approach. Others certainly choose differently, and as was recently said in a different discussion "Different strokes for different folks".
(I am still going to look for the material once this trip is finished. Completely off topic, I hate it when a client requires one to be on-site for an extended period, then working with machines (that are remotely accessible) and not interacting with actual people - the primary value of being on-site in the first place)
-
@thecpuwizard Right; I get that, but even a $5000 settlement might wipe out profitability from this project. Mostly I'm just being savvy internet facts man asking, "is this fake news?" before blindly trusting it.
-
@blakeyrat Why don't you have professional indemnity insurance. I have like 2 million quid mate.
-
@blakeyrat if your expected profit is about $5000, then it's not worth it. And this is true even without this whole GPL thing, but especially so with the GPL thing.
-
In the minds of the EFF, as I understand it, if an application cannot perform its primary function without using GPL'ed code then it must be GPL. But if that flew in court then commercial applications on linux would not be a thing at all.
I'm sceptical that your GPL'ed padding layer would make much difference.
-
Also if it was simple to reproduce.... just write your own implementation. This smells to me of general @blakeyrat complaining, rather than sorting it.
-
@lucas1 If he's already more than superficially looked at the source of the GPL program that's bound to be a very bad idea.
-
@lucas1 said in Open source-y people will love this-- talking about legal bullshit instead of coding:
Why don't you have professional indemnity insurance.
I've never heard of that in connection with software engineering, but it's an interesting idea.
@gąska said in Open source-y people will love this-- talking about legal bullshit instead of coding:
if your expected profit is about $5000, then it's not worth it. And this is true even without this whole GPL thing, but especially so with the GPL thing.
Fuck off.
Like it's not hard enough to make something original and new and release it to the world, there has to be assholes like you spouting out everywhere how you're a stupid idiot to start a business and it's not worth your time, etc. Fuck off.
@pleegwat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
In the minds of the EFF, as I understand it, if an application cannot perform its primary function without using GPL'ed code then it must be GPL. But if that flew in court then commercial applications on linux would not be a thing at all.
The app does several things independently of the GPLv3 code, some of which gets displayed to the user (and thus is a "feature" of the app even if the GPLv3 part didn't exist.) Most of it it just used to intelligently remote-control the GPLv3 app.
@pleegwat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
I'm sceptical that your GPL'ed padding layer would make much difference.
Why's that?
My understanding is that a lot of companies successfully use that technique, including video card makers wanting to insulate the proprietary code in their device drivers from having to be GPL by being included in the Linux kernel.
@lucas1 said in Open source-y people will love this-- talking about legal bullshit instead of coding:
Also if it was simple to reproduce...
Who said it was?
The problem with the GPLv3 code is that it's an unusable mess. I don't know where you got "simple" from that. On the contrary, even figuring out how to use the program took me several weeks.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
Like it's not hard enough to make something original and new and release it to the world, there has to be assholes like you spouting out everywhere how you're a stupid idiot to start a business and it's not worth your time, etc. Fuck off.
I specifically meant making money. If you were to open source it (at non-GPL license, please), you'd push the already miniscule risk of getting your ass sued down to virtually zero - and I'd say "go for it!" But making money off GPL code angers many GNU fanatics, so if you're not going for at least $50k, the risk-to-reward ratio is just too low IMO.
-
@gąska Tell you what, you split the difference, pay me say $25,000 then I'll make it open source. Deal?
Or just get the fuck out of my thread.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@gąska Tell you what, you split the difference, pay me say $25,000 then I'll make it open source. Deal?
Deal. Just let me first save up that amount of money. This might take a while since, as you know, I'm back in Poland, and have Polish salary.
Look. I'm just giving you honest, non-expert advice. Like everyone else here. "I think"s is the best you're going to get from anyone here. If you want something you can actually rely on, buy a legal advice from a copyright lawyer. My free unsolicited advice is that if paying a lawyer would make your thing unprofitable, don't go for it. Because 99.9% of GPL lawsuits are utter bullshit, but it's bullshit you have to take care of if it happens, and taking care of takes money.
-
@lucas1 said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@blakeyrat Why don't you have professional indemnity insurance. I have like 2 million quid mate.
I (my company) has a policy in excess of $2M USD, but as I mentioned earlier this is not a "magic shield". We once had to sue a firm for non-payment. They countersued for non-service. We had admissible evidence that this was a common tactic for the company to get out of paying.
The insurance company paid 80% of the bill that was due from the client (over $50K) because they believed they would spend more than that on the court case(s).
All good, right? We got most of our money.... Except that for years afterwards we had to pay significantly higher insurance premiums (the original company did not renew us - even though 20 years in business without any claim). When this was added to the days where I had to deal with the case, instead of doing billable work, it would have been better financially, to just have ignored the client when they did not pay.
-
@thecpuwizard I know it was shit, but it would have been a lot more shit without it.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
The problem with the GPLv3 code is that it's an unusable mess. I don't know where you got "simple" from that. On the contrary, even figuring out how to use the program took me several weeks.
looking forward to your Git client :-)
-
@thecpuwizard said in Open source-y people will love this-- talking about legal bullshit instead of coding:
(the original company did not renew us - even though 20 years in business without any claim).
I had an auto insurance company do that to me once. 7 years with no accident, they have to pay out a TINY FRACTION of what I paid in, and they dropped me as soon as the next billing cycle ended.
That shit should be illegal.
-
Ultimately, you'd need to ask a lawyer if you want good information, but:
If your interaction with the app is through some kind of wrapper, and that wrapper can just be an actual Powershell script or something, and you make that MIT licensed, it would seem to me to be very difficult to make any claims against you.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
The worst that can happen is it puts my work on their radar and then they get the most aggressive lawyer they can find to come after me.
If that is your worry then you need to find some other way to get where you want to go. It sounds like you are courting disaster. This is not an area where it is easier to ask forgiveness than permission.
-
@polygeekery Mainly I'm just annoyed that it's impossible to get a firm answer about this from anybody. I'm 99% sure I'm in the clear.
-
Back to the OP:
GPLv3 is cancer. If you are wanting to pass information to it you are probably going to have to release your part as GPLv3. Some of the changes made in v3 were to capture web apps that did not require client installation. Simply passing information from your app to GPLv3 apps puts you in GPLv3 territory.
This is how it was explained to me. IANAL. We have a piece of GPLv3 software in one of our apps. I talked to the devs and pay them for a commercial license so that GPLv3 doesn't touch our codebase. Part of that contract stipulates that if there is any question on whether we are in compliance then the developer has to pay our legal and compliance fees.
Amazon and Google won't touch GPLv3, so we won't either. It is cancer. If I were you I would find a way around it or find some other way to do it.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@polygeekery Mainly I'm just annoyed that it's impossible to get a firm answer about this from anybody. I'm 99% sure I'm in the clear.
Well, no one knows for sure. GPLv3 is total shit. It is meant to be confusing.
Also, I am 85% sure you are in violation. IANAL. YMMV. Etc.
-
@polygeekery Yeah but you're also a complete dick who's an ass to me in every way possible at every opportunity, so I don't really give a fuck what you think.
-
Disclaimer: not a lawyer.
Have I covered all the bases here?
It seems that you have. Maybe even slightly over-covered, but better safe than sorry. Your program would be an "aggregate" (section 5 of the license) that should not be covered by GPLv3. The FAQ (1 2) seems to support this, since your application is using the user interface of the GPLv3 application. It would help if your application was at least partially useful without the GPLv3 application.
Just in case: does the GPLv3 application have any non-system (for sane definitions of "system", section 1) dependencies by itself? You may be required to provide links to those, too.
-
@aitap said in Open source-y people will love this-- talking about legal bullshit instead of coding:
It would help if your application was at least partially useful without the GPLv3 application.
It is.
@aitap said in Open source-y people will love this-- talking about legal bullshit instead of coding:
Just in case: does the GPLv3 application have any non-system (for sane definitions of "system", section 1) dependencies by itself? You may be required to provide links to those, too.
I don't believe so... basically you download it from the GitHub page and it's ready to run, so any dependencies it has are already packaged in.
-
@aitap I am out about this, it is another @blakeyrat just trying to shit on something.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
Yeah but you're also a complete dick who's an ass to me in every way possible at every opportunity
I am not. I am an asshat to you when you are an asshat to me. Try not being an asshat to people and see if things improve for you.
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
so I don't really give a fuck what you think.
You are in no way obligated to. The advice I gave you is worth precisely what you paid for it.
-
@blakeyrat said in Open source-y people will love this-- talking about legal bullshit instead of coding:
@polygeekery Mainly I'm just annoyed that it's impossible to get a firm answer about this from anybody. I'm 99% sure I'm in the clear.
The problem why you're not getting a firm answer: Mostly everybody thinks you are in the clear, but even if that were a lawyer's opinion it wouldn't protect you from the mentioned frivolous lawsuits.
The large Open Source groups wouldn't sue you for money immediately if they think you're infringing, btw, they'd try to work with you to bring you into compliance first. But that doesn't at all help if whoever wrote what you're using is a keen on suing for profit.
To add something to your list: if it's possible and not way too much, you could include the source of the gpl package instead of just linking to a repo.
-
@polygeekery said in Open source-y people will love this-- talking about legal bullshit instead of coding:
Some of the changes made in v3 were to capture web apps that did not require client installation.
Wasn't that AGPL? IIRC GPLv3 came out before web apps (as we know them now) were a thing. And the reason for AGPL was that GPLv3 could be circumvented by web apps.
-
@topspin said in Open source-y people will love this-- talking about legal bullshit instead of coding:
The problem why you're not getting a firm answer: Mostly everybody thinks you are in the clear, but even if that were a lawyer's opinion it wouldn't protect you from the mentioned frivolous lawsuits.
Yeah I suppose that's the best it gets.
