SFC reports a successful (L)GPL suit in Germany

[Posted January 9, 2025 by corbet]

The Software Freedom Conservancy is reporting that AVM has released the full source and installation scripts for its routers in response to a lawsuit, filed by Sebastian Steck, based on Lesser GNU Public License rights.
Historically, lawsuits have focused on the copyrights licensed under GPL (or the GPL and LGPL together). Steck's lawsuit uniquely focused exclusively on users' rights under the LGPL. Steck's work showed that despite being a "Lesser" license than GPL, LGPLv2.1 still guarantees users the right to repair, modify and reinstall modified versions of the software on their device. There is now no doubt that both GPL and LGPL mandate the device owner's ability to make changes to the software in the flash memory so those changes persist across reboots.


Source publication court-ordered?

Posted Jan 9, 2025 17:37 UTC (Thu) by cloehle (subscriber, #128160) [Link] (10 responses)

Was AVM court-ordered to hand over the source code? The SFC article is somewhat vague, only mentioning court-ordered legal fees.

Source publication court-ordered?

Posted Jan 9, 2025 18:05 UTC (Thu) by burki99 (subscriber, #17149) [Link] (9 responses)

Source publication court-ordered?

Posted Jan 9, 2025 18:26 UTC (Thu) by chris_se (subscriber, #99706) [Link] (8 responses)

Source publication court-ordered?

Posted Jan 9, 2025 20:22 UTC (Thu) by cesarb (subscriber, #6266) [Link] (7 responses)

Source publication court-ordered?

Posted Jan 9, 2025 21:05 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (6 responses)

How much do (the royal) we care whether the compliance is from "we're good FOSS community members", "it's cheaper to work upstream", "it's cheaper to comply than to fight developers in courts", "it's cheaper to comply than to fight users in courts", or "the courts made us comply" beyond the decision of which companies are even on this spectrum to prefer when shopping for commodities? Hopefully companies tend to shift left on this spectrum over time, but I'd take a "our stuff is open because we were made to comply" over a closed-source vendor any day of the week.

Source publication court-ordered?

Posted Jan 9, 2025 23:09 UTC (Thu) by pabs (subscriber, #43278) [Link]

We should care because lawsuits are a time-consuming process that costs money, which is usually only reimbursed after you win. There are more useful things to be doing, like development. Outcomes are also better for everyone when development work is done upstream too. So we should prefer at least the first two options and work towards them. Hopefully some of these sorts of lawsuits will start changing some of the incentives a bit, so that at least companies do the minimum compliance actions by default. Converting them to good FOSS community members will take more work of different kinds though.

Source publication court-ordered?

Posted Jan 9, 2025 23:47 UTC (Thu) by farnz (subscriber, #17727) [Link] (3 responses)

I think the better scale to consider is not the "why does a company comply" scale, but rather "what is the cost to a user or developer of exercising their rights?".

The issue with "it's cheaper to comply than to fight in court" is that just getting to the point where the company is taking that decision costs me quite a lot of time and money. So the interesting scale is from "I can exercise my rights at low cost" to "I have to get a lawyer involved and pay to establish that I have rights, before eventually being reimbursed in full", through "I'll get my monetary outlay reimbursed, but no payment for the time and effort I put in", up to "I have to put time and money in, and may get nothing out".

That's especially true since the motivations of a company change as the employees change, and a company that was "good FOSS community members" 10 years ago may become "it's cheaper to work upstream" or even "legal says we must comply because it's cheaper to comply upon request than to fight in court", and return to being "good FOSS community members", without anyone particularly noticing. On the other hand, "it's easy and cheap to get compliance" versus "it's hard but cheap" versus "it's hard and expensive" is easy to follow from the outside.

Source publication court-ordered?

Posted Jan 10, 2025 6:45 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (1 responses)

Source publication court-ordered?

Posted Jan 10, 2025 18:40 UTC (Fri) by ballombe (subscriber, #9523) [Link]

Source publication court-ordered?

Posted Jan 10, 2025 16:54 UTC (Fri) by iabervon (subscriber, #722) [Link]

Source publication court-ordered?

Posted Jan 11, 2025 21:23 UTC (Sat) by Heretic_Blacksheep (subscriber, #169992) [Link]

Misleading

Posted Jan 9, 2025 19:52 UTC (Thu) by npws (subscriber, #168248) [Link] (18 responses)

Misleading

Posted Jan 9, 2025 20:16 UTC (Thu) by Wol (subscriber, #4433) [Link] (17 responses)

Misleading

Posted Jan 10, 2025 3:48 UTC (Fri) by npws (subscriber, #168248) [Link] (16 responses)

Misleading

Posted Jan 10, 2025 3:50 UTC (Fri) by npws (subscriber, #168248) [Link] (15 responses)

Misleading

Posted Jan 10, 2025 11:58 UTC (Fri) by Wol (subscriber, #4433) [Link] (14 responses)

Misleading

Posted Jan 12, 2025 2:33 UTC (Sun) by npws (subscriber, #168248) [Link] (13 responses)

Misleading

Posted Jan 12, 2025 12:38 UTC (Sun) by pizza (subscriber, #46) [Link] (12 responses)

Misleading

Posted Jan 12, 2025 15:31 UTC (Sun) by Wol (subscriber, #4433) [Link] (11 responses)

Misleading

Posted Jan 14, 2025 19:19 UTC (Tue) by tbird20d (subscriber, #1901) [Link] (10 responses)

Misleading

Posted Jan 14, 2025 21:51 UTC (Tue) by pizza (subscriber, #46) [Link] (8 responses)

Misleading

Posted Jan 22, 2025 20:27 UTC (Wed) by tbird20d (subscriber, #1901) [Link] (7 responses)

Misleading

Posted Jan 22, 2025 21:16 UTC (Wed) by pizza (subscriber, #46) [Link] (6 responses)

Misleading

Posted Jan 23, 2025 10:46 UTC (Thu) by Wol (subscriber, #4433) [Link] (1 responses)

Misleading

Posted Jan 23, 2025 14:00 UTC (Thu) by pizza (subscriber, #46) [Link]

Misleading

Posted Mar 18, 2025 19:41 UTC (Tue) by tbird20d (subscriber, #1901) [Link] (3 responses)

If you believe that Patrick McHardy was a good-faith actor, I don't think we have much more to discuss. Some of the companies he sued definitely had issues with their compliance, but others only made trivial mistakes. Most people in the Linux kernel community I talked to (including TAB members who worked behind the scenes to resolve this issue) view Patrick's legal antics as a scourge on effective enforcement and community-building.

Misleading

Posted Mar 19, 2025 10:35 UTC (Wed) by paulj (subscriber, #341) [Link] (2 responses)

Misleading

Posted Mar 19, 2025 13:04 UTC (Wed) by pizza (subscriber, #46) [Link] (1 responses)

Misleading

Posted Mar 19, 2025 13:18 UTC (Wed) by paulj (subscriber, #341) [Link]

Also misleading, tbird20

Posted Jan 15, 2025 2:04 UTC (Wed) by bkuhn (subscriber, #58642) [Link]

tbird20d wrote:

I know of cases where Linux or gcc was dropped from a product at least partly due to perceived legal risks, and this ups the ante.

“Legal risk”, in this case, of course means the “risk that we might be required by law to give our customers the same rights that we have under this license.”

But that's always been the “legal risk” of redistribution of copylefted software. Those who want to make proprietary software know where to find non-copyleft stuff to build on and always have. Those who are willing to treat their customers reasonably and give them equal rights are welcome and encouraged to use GCC and Linux.

The root cause of for-profit companies changing away from the copylefted software is that they have begun to slowly realize that they can't just get away consequence-free when they ignore their legal requirements anymore — as they often could in the past.

It's similar to factories closing when they can't meet the pollution standards: we all are indeed sad that jobs were lost, but that short-term societal pain is worth living through so we get cleaner air and water. The factories could always have invested in cleaner technologies instead of firing people; they just chose to blame their workers and the regulators rather than their own bad behavior.

Sadly, I am not surprised that — in both copyleft and environmental policy — wealthy for-profit companies get away with setting the narrative that the regulation is at fault rather than their refusal to invest in following the regulations. They build well-funded trade associations to spin that message for them.

Libraries

Posted Jan 9, 2025 23:13 UTC (Thu) by pabs (subscriber, #43278) [Link]

From the discussion on the Conservancy XMPP room (bridged to IRC/Matrix), Sebastian specifically wanted to make changes to uClibc and compliance was also achieved for the libblkid, libexif, and libosip LGPL libraries on the device too. The GPL things on the device like the Linux kernel etc remain out of compliance unfortunately.

Fritzbox

Posted Jan 10, 2025 2:24 UTC (Fri) by stephenjudd (guest, #3227) [Link]

For people who hadn't made the connection, like me, AVM make "Fritzbox" brand routers. Very common in Germany but also elsewhere. I'm guessing this might be quite helpful for people porting OpenWRT etc to Fritzboxes?

But can you modify and use it?

Posted Jan 10, 2025 7:58 UTC (Fri) by epa (subscriber, #39769) [Link] (3 responses)

Okay, the source code has been published. Is an owner of the device able to modify the code and install it?

But can you modify and use it?

Posted Jan 10, 2025 11:51 UTC (Fri) by Karellen (subscriber, #67644) [Link] (2 responses)

From the fine article:

The defendant, Berlin-based AVM, ultimately delivered the necessary information to reinstall modified software on their device. Delivery of this information resolved the lawsuit. The plaintiff was Sebastian Steck, who received a grant from SFC to pursue this work. Steck purchased an AVM router in May 2021 and quickly found that the source code candidate which AVM sent him could not be compiled and reinstalled onto his router. AVM, the largest home router manufacturer in Germany, refused to correct its source code candidate. Steck sued AVM in a Berlin court in July 2023.

Months after the lawsuit was filed, AVM finally provided Steck with all remaining source code that Steck requested, including “the scripts used to control … installation of the library”.

(Emphasis mine)

But can you modify and use it?

Posted Jan 10, 2025 12:05 UTC (Fri) by epa (subscriber, #39769) [Link] (1 responses)

But can you modify and use it?

Posted Jan 10, 2025 14:34 UTC (Fri) by ossguy (subscriber, #82918) [Link]

Secure boot

Posted Jan 10, 2025 12:24 UTC (Fri) by dezgeg (guest, #92243) [Link] (3 responses)

Secure boot

Posted Jan 10, 2025 14:00 UTC (Fri) by martin.langhoff (subscriber, #61417) [Link]

The usual method is: customer can install their own key, and use secure boot tied to that customer-owned key...

Secure boot

Posted Jan 10, 2025 16:19 UTC (Fri) by audric (guest, #86999) [Link]

I thought this was the whole point of having L/GPLv3? What am I missing here?

Secure boot

Posted Jan 10, 2025 19:22 UTC (Fri) by Wol (subscriber, #4433) [Link]

ooooof

Posted Jan 11, 2025 22:41 UTC (Sat) by snajpa (subscriber, #73467) [Link]

After reading a bit into those claims and the work SFC has done on this case _and_ after seeing how it was presented, I have no respect left for SFC, I think they're completely useless people overstating importance of the work they claim to do, but don't do obviously, if _this_ is such a newsworthy development in 2025. Oh, they forced a company which is an integral part of the western society to comply with... with what, to be continued ladies and gentlemen... just read into it a bit. It's hilariously funny how important some feel. But obviously they aren't, can't reach or change or enforce anything effectively, Asia as a main producer of such funny router boxes, remains completely unaffected, it's like nothing happened at all. I even think SFC are probably doing the whole ecosystem, myself in it included, a big disservice - by existing, by functioning this way. It's sad.

AVM user here

Posted Jan 12, 2025 16:44 UTC (Sun) by nettings (subscriber, #429) [Link] (3 responses)

AVM user here

Posted Jan 12, 2025 19:38 UTC (Sun) by snajpa (subscriber, #73467) [Link] (2 responses)

AVM user here

Posted Jan 13, 2025 10:01 UTC (Mon) by farnz (subscriber, #17727) [Link]

How exactly would the SFC go for the contractors who create the problematic firmware to begin with, given that their very identities are kept as commercial secrets by companies like BestBuy, Samsung, JVC, AVM, Humax, Bosch, Zyxel and Vizio (to name only some of the companies that the SFC has assisted with legal action against)?

The only weapon the legal system offers them, by design, is that the SFC and its compatriots can take action against the entity that puts the infringing firmware on the market; those entities, including AVM, may then have a course of action against their contractors for breach of contract, assuming they were smart enough to put terms around legal right to use the code in the contract. This isn't abuse of the legal system - this is the system working as designed.

AVM user here

Posted Jan 23, 2025 22:51 UTC (Thu) by branden (guest, #7029) [Link]

You are this topic's Jigar Kumar and I claim my five pounds.