This is technically not true. It is an oversimplification of the common case, but what actually normally should happen is that:
1. The GPL requires the company to send the user a written offer of source code.
2. The user uses this offer to request the source code from the company.
3. If the user does not receive the source code, the user can sue the company for not honoring its promises, i.e. the offer of source code. This is not a GPL violation; it is a straight contract violation; the contract in this case being the explicit offer of source code, and not the GPL.
Note that all this is completely off the rails if the user does not receive a written offer of source code in the first place. In this case, the user has no right to source code, since the user did not receive an offer for source code.
However, the copyright holders can immediately sue the company for violating the GPL, since the company did not send a written offer of source code to the user. It does not matter if the company does or does not send the source code to the user; the fact that the company did not send a written offer to the user in the first place is by itself a GPL violation.
(IANAL)
https://social.kernel.org/notice/B1aR6QFuzksLVSyBZQ
Linus rants that the SFC is wrong and argues that the GPLv2 which the kernel is licensed under does NOT force you to open your hardware. The spirit of the GPLv2 was about contributing software improvements back to the community.
Which brings us to the question: what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel? Of which there are likely none. Try and run custom software on his medical device which can likely kill him? More than likely.
The judge's comments on the Vizio case are such that should this guy get his hands on the code, he has no right to modify/reinstall it AND expect it will continue to operate as an insulin pump.
This is about as ridiculous as buying a ticket on an airplane and thinking you are entitled to the source code of the Linux in-seat entertainment system.
One interesting link:
https://www.drugtopics.com/view/hacking-diabetes-the-diy-bio...
I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up, it's the equivalent of flying a plane you built yourself.
A great analogy because people die that way. I personally would never push code to another person’s insulin pump (or advertise code as being used for an insulin pump) because I couldn’t live with the guilt if my bug got someone else killed.
And to the best of my knowledge none of the closed-loop people have died as a result of their work and they are very good at peer reviewing each others work to make sure it stays that way. And I'd trust my life to open source in such a setting long before I'd do it to closed source. At least I'd have a chance to see what the quality of the code is, which in the embedded space ranges from 'wow' all the way to 'no way they did that'.
which is why lots of systems and processes (sometimes called red tape) exist to try and prevent the undesired outcome, and dont rely on the competency of a single person as the weak link!
So the question really becomes - Are these people working on their own pumps with open source more or less invested than the random programmers hired by a company that pretty clearly can't get details right around licensing, and is operating with a profit motive?
More reckless as well? Perhaps. But at least motivated by the correct incentives.
Your "prototype" is a plane from the original manufacturer with no physical modifications but a software patch to use data from sensors the plane already had to prevent the computer from getting confused under high wind conditions in a way that has already caused two fatal crashes.
Now you have to fly somewhere and your options for a plane are the one with the history of fatal crashes or the same one with your modifications, and it's windy today. Which plane are you getting on?
Are you kidding me? How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.
Nobody said it was untested.
> How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.
Which applies just the same to the people the company hired to do it, and now we're back to "the people with a stronger incentive to get it right are the people who die if it goes wrong".
I would think it's the opposite. People that hack on this only risk their own life. Companies risk many people's lives and will get sued. Of course the person doing the hacking doesn't want to die but they're also willing to take the risk.
Provided they do not risk anyone elses, that is entirely their right.
It may be the case that when all is settled, the courts determine that the letter of the license means others' obligations are limited to what the judge in the Vizio case wrote. And Linus can speak authoritatively about his intent when he agreed to license kernel under GPL.
But I think that it's pretty clear—including and especially the very wordy Preamble—not to mention the motivating circumstances that led to the establishment of GNU and the FSF, the type of advocacy they engage in that led up to the drafting/publication of the license, and everything since, that the spirit of the GPL is very much in line with exactly the sort of activism the SFC has undertaken against vendors restricting the owners of their devices from using them how they want.
You were right up to this point. Medical devices requiring a prescription must be obtained via specialized suppliers, like a pharmacy for hardware. These appliances are not sold directly to end users because they can be dangerous if misused. This includes even CPAP machines.
In theory, that written offer only needs to go to the device suppliers. Who almost universally have no interest in source code. When the device is transferred or resold to you, it need not be accompanied by the offer of source.
If that was true, anyone reselling an Android phone could open themselves up to legal liability. Imagine your average eBayer forgetting to include an Open Source Software Notice along with some fingerprint-encrusted phone.
That’s only an appeal to ridicule. If those are valid, here’s an opposing one:
If this is not true, then any company can violate the GPL all it likes just by funneling all its products through a second company, like a reseller.
That the GPL potentially fails to achieve what it intends to is neither a legal argument, nor particularly surprising.
The GPL notably allows for the sale, it was legal here.
E.g. this sort of thing https://www.tomshardware.com/video-games/pc-gaming/steam-che...
The copyright doesn’t go away when copies are sold to a distributor. Someone (probably the manufacturer) still has legal obligations to the copyright holder.
A sale of an object does not transfer those licenses (but those licenses are still valid on the seller - a manufacturer selling widgets will have to obey the GPL clauses. If an end user of this widget wants the source code, they have to go back all the way to the manufacturer, rather than any of the middle-men presumably).
This is false. The person transferring the device must either pass along the offer they received (GPLv2 clause 3(c), and only if performing non-commercial redistribution), or pass along the source code (GPLv2 clause 3(a)).
The GPL clearly specifies recipients, it doesn’t say anything about suppliers.
For the same reason you can't find an airplane entertainment system in the trash and call up the company and demand source code.
"The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
It's subsequently transferred to you after presenting a prescription, without any accompanying offer of source code.
In other words, assume you are the second owner in all cases when it comes to certified medical equipment.
AFAIK if you find an Android phone in the trash, you are not entitled to source either since you never received the offer of source during a purchase transaction. You know that little slip of paper you toss as soon as you open some new electronics that says "Open Source Software Notice".
By that logic, _any_ company can effectively ignore the GPL constraints by just selling it to a reseller, first; one that they have a contract with to _not_ offer the source code when they re-sell it.
It is my understanding that, if I use GPL in my code, and I distribute it to someone that then re-distributes it to someone else... the GPL is still binding. I don't see why that wouldn't be the case with hardware using GPL'd software.
The licensee has to offer code to users (more precisely, to any third party). It doesn’t say they have to purchase anything to be a legitimate user.
That’s about as ridiculous as buying a plane and knowing you’re entitled to the gpl sources used.
As the original Reddit comment explains, Insulet is an American company.
Linus is arguing against a strawman that Conservancy never actually argued. See https://sfconservancy.org/news/2025/dec/24/vizio-msa-irrelev... for details.
> Which brings us to the question: what is this guy going to do with (presumably) the kernel source?
Yes, of course. It is abhorrent that people have devices implanted into their bodies and are in any way prevented from obtaining every last detail about how those devices operate.
> Separately, do you think it's remotely a good idea?
In rare circumstances, yes. See, by way of example, Karen Sandler's talk on her implanted pacemaker and its bugs, for specific details on why one might want to do so.
Where your interpretation means someone else needs to follow your whim for their own problem, despite the legalese stating otherwise.
I think that is an absurd position and I am sorry to feel the need to have to be blunt about it.
That doesn't sound right to me.
A written offer is not the same thing as a contract.
A written offer on its own would not normally be directly enforceable in many (most?) jurisdictions, for the same sort of reason that retailers can't be held to incorrectly published prices (in the UK at least, a displayed price is an “invitation to tender”, not a contract or other promise) except where other laws/regulations (anti bait&switch rules for instance), or the desire to avoid fighting in the court of public opinion, come into effect.
But in this instance, the written offer and the response to that offer are part of the wider licence that has been agreed to.
> If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
Similar clauses in Sec 6.
> c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
Or, instead of theorycrafting reasons why it shouldn't work, you could "just" sue them and see if the judge agrees.
The hell? Over here, the price tags are a sort of public contract, to which the seller pre-commits. The seller forgot to change the tags? That's not the buyer's problem.
This does not force you to honor the original offer though.
It's not illegal to not honor written offers, it's illegal to distribute copyrighted material in violation of it's license.
On the shelves are three insulin pumps: one with a 5-year warranty, one at a bargain barrel price that comes with no warranty, and one accompanied by a written offer allowing you to obtain the source code (and, subject to the terms of the GPL, prepare your own derivative works) at no additional charge any time within the next three years.
Weighing your options, you go with pump #3. You write to the company asking for the GPL source. They say "nix". They're in breach.
This is not only possible but also prudent for a device which can also kill you.
The argument is over providing you the source code.
The offer of source code seems to be a way to facilitate the conveyance of source code through opt-in means separately from the object code rather than some legal trickery to create a user-licensee contract.
While the offer may indeed convey a licensee-user obligation, a compliant distribution would attach a license anyway, converting the user into a licensee and licensor to licensee in a recursive fashion
I wonder if lawyers specialize in this, it sounds very cool and not at all standard law, but somehow compatible with contract law
IANAL
What's the consideration in the written offer? Promises aren't enforceable in court. For a contract to be enforceable, it has to be an exchange of something, not a one sided offer.
I mean, the absolutely simplest, and cheapest, way for companies to comply with the GPL is to ship the source code together with the software. Stick it in a zip file in a directory somewhere. The company can then forget the whole thing and not worry about anyone contacting them and ranting about source code and the GPL. But no company does that.
The other simple way for companies to comply with the GPL is for companies to provide a link to download the source code at the same place that users download the program itself. If the user did not download the source code when they had the chance, that’s the user’s problem. This will also let the company ignore any GPL worries. No company does this, either.
(The GPL provides a third way for individuals and non-profits, which is not relevant here.)
But GPL is a contract
I think the distinction you are pointing would be between a gpl licensor-licensee contract, rather than a licensee-user contract.
(IANAL)
Not according to the original reasoning by its creators, but opinions differ wildly. However, this is irrelevant to the point; the written offer, which is separate from the GPL, is what is failing to be honored, not the GPL. If you did not receive such a written offer, the GPL, in itself, makes no guarantee that you have the right to the source code.
In my experience, this is quite common when the development of hardware is viewed as a cost center and is outsourced to various providers and teams. Those providers and teams churn a lot and nobody who worked on that is likely still involved with the company via contracts or direct employment.
Front line support people aren’t equipped to respond to these requests. If you’re lucky they’ll get bounced around internally while project managers play hot potato with the e-mail until it gets forgotten. You might get lucky if you go the corporate legal route, but more likely is that the lawyers will do the math on the likelihood of you causing them actual legal trouble for anything and decide it’s best to ignore it.
When I worked at a company that had a history of GPL drama one of the first things I did was enforce a rule that every release had a GPL tarball that was archived and backed up. We educated support people on where to forward requests. I handled them myself. 7 out 10 times, the person on the other end was angry because they assumed the GPL entitled them to all of our source code and they were disappointed when they only found GPL code in the tarball. It really opened my eyes to some of the craziness you get exposed to with these requests (though clearly not the polite and informed request in this Reddit thread) which is probably another reason why support staff are uneasy about engaging with these requests.
Well, if your non-GPL code was directly linked to, or closely interoperated with, any GPL code, those users would have been right.
If you want to argue that the FSF’s lawyers are wrong, please provide more detailed, and hopefully referenced, arguments (as opposed to plain assertions).
You have to construct your own view based on existing statute and vaguely related cases.
Google LLC v. Oracle America, Inc., 593 U.S. 1 (2021) is not a pro-FSF opinion.
Whether linking (dynamic or not) is a derivative work is defined by things like incorporation, similarity, and creative expression.
I think the FSF view is unreasonably confident in its public opinions where the current law is that each potential infraction is going to be decided on a case by case basis. Read 17 USC 101 for yourself and square that with FSF/Stallman opinions.
There's too much nuance to have a stance about what happens when you link a program. "It depends" is the only thing you can say.
They reference a less on point but better known case (https://en.wikipedia.org/wiki/Lewis_Galoob_Toys,_Inc._v._Nin...., for some reason you have to manually add the period at the end of the link) about whether NES cheat cartridges were copyright infringement. If a work that directly links to and interoperates with a program is a derivative work of that program, the Game Genie really was illegal after all. To me that doesn't seem right, and given the FSF's general opinion on console restrictions (https://www.fsf.org/bulletin/2025/winter/new-nintendo-drm-ba...) I kinda feel like they'd have to agree.
That doesn't fit into the dynamic linking absolutists worldview at all.
The FSF could help a lot here by publishing demand letter templates outlining the statutory and precedential basis for license enforcement and recovery of damages.
The GPL grants rights to use and distribute, but does not grant ownership. It’s not suddenly in the public domain.
Yeah there are are startups where head guys don’t know that and developers jump the gun because they feel like they’re ones that have the best understanding of the issue at hand.
But of course that’s legal territory.
Oh well. Big Corp doing what Big Corps do. Paying lip service to legal requirements, but reluctantly and with barriers that would no doubt take a lot of time and money to even try and break down.
Please for the love of all that the FSF thinks is holy - just file a damn lawsuit if you are telling me they are violating the law. State your claim and have a court sort it out.
It costs hundreds of dollars. For a medical device? Seems like a good deal.
Making a blog post about someone elses copyright being violated is even more annoying to me.
Edit: My point is this is just another one of many annoying people you have to deal with who will email you alleging all sorts of legal violations, who don't themselves understand anything about the claims they are making.
They want the Linux kernel source code.
My understanding of the concept of "basis" does not fit the context of sending an email, and "reason" is the closest I can find that fits.
Basis being concerned with rules or authority. The assumption being when asking "what is the basis for X?" that there was a bar that needed to be met beyond the doers motivations. That there needed to be more than they wanted to. Which of course, does not apply to sending an email. I could email you right now asking you what your favourite type of fish is or seeing if you want to play a game of chess, no basis needed. I'd just need a reason to.
But sounds like we agree, they have no real basis for making a demand.
Just "there is no basis" as a response would be like saying "yes" or "no" to "have you stopped beating your wife?"
Whether you have a reason to make a claim is much different than whether you have a legal basis for your claim.
You can just do that. No GPL, open source, enforcement, demands, etc language needed. Just "I'm trying to do X, can I see the code for Y?". I receive and send them at work pretty frequently.
They've mentioned the GPL as a way to try to increase the chances of getting sent the code. A support person for a medical device company might not know anything about software licences or linux or GPL. If the company has some sort of "send GPL code to askers" policy and Lost-Entrepreneur439 just asks for the linux kernel, the support person might not know that the GPL policy applies and just say no. If you include it in your message then it increases the chances of them typing "GPL" in to whatever internal knowledge bank they have and seeing "for GPL requests, forward the enquiry to jeff@ourcompany.com" or something like that.
The GPL isn't between Lost-Entrepreneur439 and the company so I don't think "enforcement/exercising a legal right" is an accurate way to describe what we're talking about. That would be if the copyright holders to the linux kernel get involved.
EDIT: Although that seems like largely just a semantics thing. Like if a judge orders a company to pay you some money and you say "give it to austhrow743" is it valid to say that I have a right to that money? Or is it that you have the right that I get that money? If someone wants to phrase "linux kernel copyright holders have a right to demand users of their code share it with anyone who asks" as "anyone who asks has a right to that code" then I don't really have a problem with that.
I just see a big difference between making a request and making a claim. I don't need to think I'm legally entitled to something to ask for it. I don't even need to think that getting it is likely. Whereas Abigail appears to be treating sending and receiving requests by emails as equivalent to a court summons.
Edit:
Courts deal with contract law disputes all the time. It's their bread and butter, everyday, nothing special stuff.
Edit2:
To you below, citation needed
Edit: I'm somewhat mad that there's all these tools out there to solve the screeching about GPL violations and nobody seems to want to use them.
> The Copyright Claims Board (CCB) is available to resolve copyright disputes of a relatively low economic value and provides an efficient, less expensive alternative to federal court.
It's not trivial in terms of big company bureaucracy - this request will have to go through so many levels of red tape that they (correctly) decided not complying to random people's requests is more profitable.
I'm sure if you actually sue them then they will comply right away, because at that point paying for some engineer's time to tar up the source tree and send it to you now becomes cheaper than lawyer time.
But their analysis is correct in that nobody will waste time/money suing to get what is effectively a stock kernel they can get from the official source anyway. Which is why these complaints are also a bit stupid - they're not asking for anything of value or using the GPL to advance software freedom by freeing up some valuable code, they're just wasting both theirs and others' time asking for something they can already download directly.
Surely there is a way to cheaply obtain bluetooth and a controller without saying "we'll just use this already existing hardware - that happens to be a whole-ass phone - because it's $5 from China"?
Kinda feels like that just screams data-stealing, regardless of where it was made.
Funny thing is that the newer Omnipod 5 from the same company works with regular phones now, but only in th US.
So, this companion device is kind of a thing that Insulet had to release. You'll see this with CGM's too -- there's a small companion device sold with the Dexcom G7 (the "controller"), even though everyone just uses their phone.
This is kind of a regulatory quirk; basically from the FDA's point of view you had to have a complete standalone system, that did not include the phone, in order to be able to prescribe it. I think they do not require companion devices any more, it's OK to release something that requires the user to have a phone.
"we plan on users having a phone to connect to it and use primarily. FDA requires a primary/backup. well it's already phone-controlled, go find a phone that works with it. needs to be cheap, cuz no one will really use it anyway"
That makes a little more sense. I was imagining the development process involving both devices, rather than one device first, then determining what the second would be later.
Thanks for the insight!
The communication between your phone/pump or glucose sensor/pump is encrypted now for all newer devices.
> Diabetic companies like Insulet have been very lax when it’s come to the hacking of their devices
Absolutely not true, not any more.
May I ask where did you get this info? And what “newer” means here?
How do they triage and decide what to pursue?
The dominant legal theory is that the GPL can only be enforced by the party holding the copyright. SFC's lawsuit against Vizio is strategically trying to establish precedent changing that; establishing that end-users are "third party beneficiaries" under the GPL, so others can enforce the GPL; but for now the copyright holder is the only one who can enforce it.
So the FSF could only take it up if the violation is on projects that do copyright-assignment to the FSF (i.e.: most GNU stuff). If you do find a violation of GNU stuff, the process is "email license-violation@gnu.org". I do not know what process Craig and Krzysztof use when triaging reports and deciding what to pursue.
Many Linux-kernel contributors (also, SFC member projects such as OpenWrt, Git, Qemu) have assigned their copyright to SFC or named SFC as their legal representative (also, SFC member projects; so SFC can take up something like this. Similarly, you can report violations to them by emailing compliance@sfconservancy.org (see https://sfconservancy.org/copyleft-compliance/help.html for more info).
Now, SFC is aware of more violations than they could ever possibly pursue, so they're strategic about pursuing ones that are high-impact. I'm not sure how they decide that. But I can say that medical devices are near-and-dear to them, between executive-director Karen Sandler's implanted defibrillator and policy-fellow Bradley Kühn's blood glucose monitor.
I saw that spelling for the first time last week, I think.
Did he change his name? Has he always been Kühn, but went with Kuhn, because Umlaute are hard for Americans?