GPL'd Code Finds New Home

A few days ago, we were contacted by one of the developers of Everybuddy, a "universal" instant messenger client for Linux. It seems that they were scoping out the competition, and found a Windows-only program offered by a company called DSF Internet. Many users of Everybuddy had asked for a Windows version of the software, but none of the Everybuddy developers were very familiar with the Windows platform, and so a port had never been completed. This program, MessengerA2Z, seemed to offer all the functionality of Everybuddy for Windows machines. Probably because it was based on Everybuddy's GPL'd code.

The proof was in the pudding, so to speak. Or at least, the proof was in downloading and installing the Windows version, then running the strings command against their compiled binary. Lo and behold, some of the strings of text included such gems as "Visit the Everybuddy website at http://www.everybuddy.com". Now how did that get in there?

(You could go a step further and dissassemble the Windows executable, examining the flow of their code and comparing it to the Everybuddy code. But it seems to me that the reference to Everybuddy is sufficiently damning already.)

Someone at DSF Internet took a shortcut to developing their own interoperable instant messenger client, and ported the Everybuddy code instead of starting from scratch. This isn't a bad thing - it's the whole purpose of open source, duh - but since the code was licensed under the GPL, a price was demanded in return: the Windows source code should be made available. It wasn't, of course.

Both Slashdot and the developer contacted this company, which is based in New Delhi, India. They initially denied that there was any GPL'd code in their product, but when presented with the evidence, the story changed, and it now seems that they're going to take some action. The final outcome isn't known - perhaps they'll publish the Windows code, perhaps they'll rewrite the whole thing from scratch, perhaps they'll just edit out the Everybuddy references and recompile. <shrug>

This situation seemed to be one tailor-made for the GPL. Code existed for one platform, there was the desire but not the ability to port it to another, and someone else saw the same opportunity and the usefulness of the code base, and had the ability to port the code. In theory, this should have been a win-win: the company in India gets a fast-track to development, and the open source project gets a Windows port of their code. But there isn't much of an enforcement mechanism to make everyone play fair.

Are the developers of Everybuddy likely to file a suit in India for violations of their license agreement? My guess is, no. Protest march outside their offices? Brick through the window? Hire some guys named Guido, errr, Rajanav, to go and break some kneecaps? No, and no, and no. The only real enforcement mechanism is a sort of peer pressure or the threat of public exposure, and this may or may not be sufficiently persuasive.

Incidents like this are only going to increase. There's at least a few possible responses:

• Just ignore it. The objective is to get the code out there, that's working, and generally enough people will obey the rules that the GPL will be effective in its goals.
• Spaz out over it. Scour the web looking for possible GPL-infringers and mailbomb them into submission.
• Send email to slashdot. Preferably misspelled email with unique grammatical qualities.
• Send email to Richard Stallman. Don't use pine to send it.
• CowboyNeal.

Seriously, this is an open question which needs to have some thought put into it. I can imagine some possibilities - perhaps a sort of "GPL Insurance", where GPL'd projects can pay into a pot of money to be used for sending legal nasty-grams and other enforcement. But I'm not sure that that's really the right course of action. Fundamentally, enforcing the GPL would be an extraordinarily difficult task - it's very difficult to detect abuses in the first place, and then you face national borders and other obstacles. Perhaps it is better to not worry about it too much, to save the collective energy of the community for more important purposes, and to simply realize that there will be abuses.

Update: 01/02 01:02 PM by michael : About five minutes before this story went live, I heard back from Ben Rigas of Everybuddy that DSF Internet is going to do the Right Thing and post the source code to their messenger program. This is excellent news, and hopefully will result in a robust cross-platform instant messenger program. However, I think the point I made above still stands: there will be cases where persuasion doesn't work, and the community should have a plan for dealing with those (even if the plan is "do nothing").

More news

Since then, they've taken the download down, and put up a message about "enhancements".

I wonder what kind of enhancements; the inclusion of source code, or the removal of distinguishing marks...

-

REGISTER YOUR COPYRIGHTS!

You have almost no recourse if you have not registered the copyright on your software. It only costs a few bucks, and you have to disclose the first fifteen and last fifteen pages of your source code like that's any big deal. Once you have a registered copyright, you can sue the bastards for treble actual damages PLUS statutory damages.
-russ
p.s. been there, done that.

Oh how noble

Caught red-handed, and now they're ready to cooperate. The ultimate noble gesture, sorta. The fact remains that these people(or someone in the company) tried to rip-off open source. What kind of punishment is it to let them get off with doing what they should have done in the first place?

I mean, really. Suppose the punishment for stealing was being forced to return the stolen goods, end of story, no ostricizing, no apology. Where's the accountability? Where's the programmer or manager who did this crawling around on his hands and knees with "Traitor" written all over his forehead? Where's the remorse? I don't want to see blood, but I do want the name of the responsible party made known to the community, maybe even for blacklisting at open-source shops.

There's at least a few possible responses:

Slashdotters: CowboyNeal! CowboyNeal! CowboyNeal!

DSF Internet: No, please! No more!

Slashdotters: We will say CowboyNeal to you again if you do not appease us.

DSF Internet: You are most gracious oh Slashdotters. What must we do?

Slashdotters: You must release the source for your instant messager or re-write your own without any GPLed code.

DSF Internet: Oh yes, gracious Slashdotters. It shall be done.

Slashdotters: And then you must take down the largest corporation in the world. With.....A HERRING!!!!

Steven

Not just 'Everybuddy'... authors of all libs used.

Not just the authors of EveryBuddy should be ticked off, but the authors and contributors to every GPL/LGPL library USED by EveryBuddy. i.e. libyahoo, libfaim, etc.

Re:REGISTER YOUR COPYRIGHTS!

> Once you have a registered copyright, you can sue the bastards for treble actual damages PLUS statutory damages.

One wonders how the courts would calculate triple damages for the bootlegging of something you're already giving away for free.

--

Re:REGISTER YOUR COPYRIGHTS!

Since 1976, anything created in the United States is automatically copyrighted to the author, regardless of registration. -m

Well and good, but...

Registering the software with the appropriate office will lead to being able to demand triple "damages;" the problem is that of determining precisely what that amount should be.

On the one hand, the original software is being offered "free of charge," which means that one could assume that "damages" are $0.

On the other hand, the GPL is an interesting license in that it does not necessarily prevent the authors of software from simultaneously licensing under some other arrangement.

How about this for an entertaining scenario:

• Software is licensed under the GPL;
• If you want to use some other licensing arrangement, you can contact the authors to make an arrangement;
• There is a default offer that if you do not offer the software explicitly under the GPL, and do not wish to contact the authors, you are free to deploy the software, At A Price.

  That price (heh, heh!) being $50,000 USD payable to each author for the source license, plus $5,000 USD payable to each author for deployment of each binary copy of the software.

Thus, if the gentle folk in New Delhi (having been there recently, it is really just the "newer" part of Delhi :-)), in not making arrangements, they would start by oweing $50,000, trebled to $150K, plus a not inconsiderable sum based on the number of copies of the software sold :-).

The "each author" part would need to be more clearly nailed down; it would mean that the company making the mistake of "pirating" the Linux kernel would owe payments to (at recent count of /usr/src/linux/CREDITS) 293 people, thus making the penalties owing not too distant from $1B, and giving those 293 people a tidy sum of money :-).

What about market pressures?

I am entirely for enforcement of the GPL. And I think that what this company did (if true) is reprehensible.

But what about the possibility that another course be taken which simply puts market pressure against the company instead of legal pressure? What I'm thinking is that the reason that this company had an oppurtunity is that the market was ready for everybuddy to run under winders but no one was doing it.

I've seen ports of a few GTK+ based programs, most notably nessus. Someone has ported GTK+ to winders, and that with cygwin apparently made the winders port of nessus quite easy. I would think it would also make a winders port of everybuddy equally easy because all of the basic stuff is there.

If that happened, then everybuddy running natively on winders would always be one step ahead of this theiving company's product. All the enhancements of an entire league of open source programs would be able to make everybuddy better and contain more features, and this company's product would always be trying to catch up with those features. Wouldn't it be better punishment to let the market ignore all their efforts? Or at the very least to make it so that whatever work they did is better spent by giving the work back to the open source project?

I don't have a clue about how easy it would be to port everybuddy to winders. But, doesn't this event necessitate it's being done? And if so, then would that fix the problem? And if so, is this a general course of action that could be taken to alleviate problems with GPL enforcement?

(Please remember before flaming and moderating me into oblivion that these are questions. If I knew the answers, I wouldn't have asked.)

Re:Berne convention

There's a lot of information on the subject in the Copyright FAQ [eserver.org] that's floating around. What you said seems to tally with this: in most countries, including the UK and the US, you have copyright in programs simply by creating them. BUT there are legal advantages in the US in registering your copyright.

IANAL.

You can read the full text of the Berne Convention [cornell.edu], if you like.

Yet another call for responsible journalism

It would be nice if the update on this article was displayed along with the headline instead of buried at the bottom of the article. Sounds to me like this company wasn't being slimy, just incompetent and/or unaware. Here's how I see what happened:

1. DSF is contacted by Zealous Open Source Rep.
2. DSF manager does initial ass-covering by stating, "Of course we don't use other peoples code!" He says this because that's probably what he believes and has been told.
3. Zealous Open Source Rep. sees plot to overthrow the Open Source movement and provides DSF Manager with evidence of his company's wrongdoing.
4. DSF Manager actually goes to the basement and asks DSF developper if this is true.
5. DSF Developper hems and haws and finally admits that he was lazy and used GPLed code for something that was supposed to be developped internally.
6. DSF Manager fires DSF Developper.
7. DSF Manager admits to world that the code was copied and takes down the code.
8. DSF Manager gets ass chewed out by DSF CEO for nearly getting the company into a legal mess.

Folks, 99% of these kind of violations are not due to intentional slimyness, just incompetence and lack of knowledge. No right minded company would even run the risk of getting sued over this kind of thing. Even one in India.

They legally have no choice in the matter.

The GPL is quite clear on this. They released binaries, and thus are legally bound to release the source to anyone who asks for it, up to (I believe) two years later. Simply pulling the binaries was never a legal option.

Just a clarification, as the Slashdot story indicated that would be an option.

Purposely installing backdoors/easter eggs?

This reminds me of a similar story that was up at the rinkworks computer stupidities section: a professor had developed a set of programs (in the 80s, so archaic language), and released freely to academia. A few years later, at a convention, he saw a company demoing their product that looked suspciously like his, save that his name wasn't there. In the middle of the public demo, he asked the demostrator to hit a certain key combo; the demostrated blurbed that it wouldn't do anything, the professor demanded it, and the demostrated did so, bringing up a nice little easter egg screen that basically had the professors name all over it. Ooops.

Maybe GPL'd code needs something similar: not necessarily a backdoor but some easter egg that isn't easy to strip from the code but is sufficient enough that if someone did what this story talked about, it should be relatively easy to find a fingerprint of the source. "strings" works, but only if the GPL abuser forgets to check this, though I can think of several ways to hide snippets of strings in #define's throughout the code that look meaningly alone but can be incriminating when put together.

Mind you, it's not perfect, but this is where the GPL has a weakness -- without court order it's nearly impossible to prove that GPL code was used incorrectly. For all we know, Win2000 may be a wrapper around a linux kernel ( doubtful, of course), but the possibility is there.

Re:What about market pressures?

The problem with that is the fact the company selling the software is making money, therefore they have advertising power. Everyone hears about this company's crappy product and knows nothing about the good windows version of Everybuddy. Its the basic problem with open source software, there's not enough money to tell the public how much better it is, therefore no one but the handful of geeks are using it.

Never knock on Death's door:

Re:Purposely installing backdoors/easter eggs?

...For all we know Win2k could be a wrapper around the Linux kernel...

-23235: Flamebait ?

Oh but wait.. heres a step I secretly captured from a Win2k build log!! Lets see what is revealed!!

gcc -DUSE_REAL_SMP \
-DWORKING_MULTI_THREADING \
-DACTUALLY_SCALE_TO_MULTIPLE_CPUS \
-DBASIC_NON_BRAINDEAD_ACLS \
-DPOST_1975_SECURITY_ARCHITECTURE \
src/arch/x86/hal.cpp \
-o '\\w2kbuild20\dailydrops\hal.o'

Man... i wonder if i can get any of these options to work in the normal linux builds ?

Check your facts

Boy am I getting tired of slashdotters who give out misinformation. Often it comes with profanity or insults. Check out this [templetons.com] site, or anything in the relevant DMOZ category [dmoz.org]. In the U.S., you do automatically own the copyright on everything you write, but registration strengthens your legal options against pirates.