
Onyx is violating the Linux kernel's license, refuses to release source code - Lammy
https://old.reddit.com/r/Onyx_Boox/comments/hk7d5v/onyx_is_violating_the_linux_kernels_license/
======
weinzierl
This is not unusual, there are _many_ cases of GPL violations out there and if
someone puts energy into them they are solved. Harald Welte and gpl-
violations.org [1] have been doing good work for many, many years in this
regard.

From their about page:

 _" By June 2006, the project has hit the magic "100 cases finished" mark, at
an exciting equal "100% legal success" mark. Every GPL infringement that we
started to enforce was resolved in a legal success, either in-court or out of
court."_

gpl-violations.org is in an extraordinary good position to help when it comes
to GPL violations in the Linux kernel, because they work closely with some
kernel developers that _" [..] have transferred their rights in a fiduciary
license agreement to enable the successful gpl-violations.org project [..]"_

Their website looks a little bit outdated but from what I understood from a
talk that Harald Welte gave last year[2], they are still active. If someone
wants to report the Onyx case you can do it at _license-violation@gpl-
violations.org_ but be prepared to provide solid information[2].

[1] [https://gpl-violations.org](https://gpl-violations.org)

[2]
[https://www.luga.de/static/LIT-2019/events/84.html](https://www.luga.de/static/LIT-2019/events/84.html)

[3] [https://gpl-violations.org/helping/](https://gpl-
violations.org/helping/).

------
colejohnson66
This was a problem with Creality in the 3d printing world two years back. They
used Marlin - a program for the embedded micros used in them - which is
licensed under the GNU GPLv3+. Creality refused to release their contributions
until they were convinced by Naomi Wu (Sexy Cyborg) that the community would
actually refuse to purchase from them unless they did, which they probably
would’ve.

[https://hackaday.com/2018/08/27/gpl-violations-cost-
creality...](https://hackaday.com/2018/08/27/gpl-violations-cost-creality-a-
us-distributor/)

~~~
artsyca
I seriously can't believe how short sighted people can be. That's bad
business.

I worked at a big bank too, you'd think they would understand about
investment? No. They simply leeched off open source in the same way.

~~~
user5994461
I worked at a bank too. There is a list of software and libraries approved for
usage. GPL cannot make it to the list because the license is the first thing
that's verified when requesting to add a new library.

I always wondered what would happen if some developers used some GPL lib and
shipped to customers and it was noticed and caused the company to be sued.
Would all the developers be fired on the spot and the software undone?

~~~
mhh__
I would guess no unless someone stepped in from above. Unless it ended in the
complete source code of all their systems, perhaps.

In a lot of commercial code there is almost literally nothing worth
protecting, just sunk-cost. If a finite element package got open sourced, that
would be a minor disaster (although even then you're paying for the UX and
support not the code) but things like firmware are barely worth the electrons
on the drive.

The point being the business impact would probably be fairly minor for most
projects.

~~~
derefr
"A bank" contains multitudes, though. The big banks all have investment arms,
which in turn have in-house algorithmic-trading subsidiaries. Now imagine that
someone snuck some _Affero GPLed_ code into the trading engine...

(It is at this point that I realize that maybe one of the reason that HFT
people like arcane formal-proof languages so much—besides just verifying that
they won't lose money—is that the ecosystems of unusual languages are
_smaller_ , so it's _less_ likely that any problem _has_ a solution involving
third-party code, and therefore there's less concern about IP contamination.)

------
Teknoman117
This kind of behavior is one of the things that kills me about grsecurity.
They're completely abusing the spirit of the GPLv2 license but are probably
following the letter of it.

If you choose to exercise your GPLv2 rights, your contract with them is
terminated and you will receive no further security updates (considering this
is a security product, it makes it pretty useless to you). You are then
blacklisted from doing business with them ever again.

~~~
andreareina
Bruce Perens argues[1] that this is a penalty for exercising your rights under
the GPL and therefore violates section 6[2]: "You may not impose any further
restrictions on the recipients' exercise of the rights granted herein"

[1] [https://perens.com/2017/06/28/warning-grsecurity-
potential-c...](https://perens.com/2017/06/28/warning-grsecurity-potential-
contributory-infringement-risk-for-customers/)

[2] [https://www.gnu.org/licenses/old-
licenses/gpl-2.0.html](https://www.gnu.org/licenses/old-licenses/gpl-2.0.html)

~~~
tzs
He argues contributory infringement and breach of contract, but he really only
goes into the breach of contract theory.

I'm more curious about the contributory infringement theory. You cannot have
contributory infringement without there being a direct infringement by someone
else for the contributory infringer to have contributed to. I don't see
offhand who would be the direct infringer whose infringement Grsecurity is
contributing to.

~~~
chaosite
The way I'm readying it, his point is that a Grsecurity customer, who is not
infringing Linux copyright (because they're not distributing kernels) would
still be on the hook for contributory infringement because they contributed to
Grsecurity's infringement.

------
mindB
Unfortunately this has been going at least as long as I've been aware of Onyx
Boox products. E.g.
[https://www.mobileread.com/forums/showthread.php?t=277431](https://www.mobileread.com/forums/showthread.php?t=277431).
It's by no means an isolated incident.

------
rjzzleep
I've said this elsewhere. But I genuinely don't think that they know what the
gpl means. Maybe someone could approach them in Chinese preferably directly to
the company instead of the forum minion. The forum minion always responds with
the same answer to any question that is asked. That person gives the same
answer to a quick switch option between the notes and library app.

Usually what happens in the onyx customer forum is that a person asks for
something. The forum minion says it's been forwarded and being worked on and
then the cycle repeats until one of the customers gets pissed and starts
threats.

~~~
ralph84
They know what it means. It means a copyright holder of the Linux kernel would
have to sue them in China. Good luck with that.

~~~
ballenf
Could users of the product also be sued by a Linux contributor?

If you can’t go after them, going after their customers would kill their
business.

But this approach seems too cute to be feasible even on the long shot that the
GPL would allow it.

~~~
slim
no, since they don't have access to source, they can't modify it and gpl does
not apply to them

~~~
lopmotr
It's rather that they're not distributing it (either source or binary) so the
GPL doesn't apply to them. Not having access to the source doesn't exempt you
from the GPL.

~~~
elchupanebre
But they are getting an unlicensed product. IMNAL, but if they are made aware
of the fact and continue to use the product, wouldn't it be willful
misconduct?

------
ChrisMarshallNY
I tend to license my stuff MIT. That’s mostly because I don’t want to deal
with legal agita. It helps to avoid people suing me because the hammer they
stole from me bends their screws.

We basically live in a digital kleptocracy. Everyone steals from everyone. I
tend not to, but that’s because I’m a complete control freak, and have a hard
time letting go.

I think that decompilers are so good, these days, and the use of intermediate
steps like LLVM, mean that people won’t have much difficulty figuring out
what’s going on, under the hood. With the financial incentives, it is quite
possible to hire top-notch folks to implement, and even improve the work.

Also, I don’t think anything I do is so great that I want to hide how I do it.
In fact, I see people do stuff in more clever fashion all the time. My own
advantage is in _how_ I do stuff, and it would be great if folks copied it. I
don’t think many would. It’s a pain, and is only efficient once it becomes
habit.

Go ahead and steal my stuff. Get rich. I doubt my stuff will be the “secret”
to your success. My only hope is that, if you do use it, there might be a tiny
piece of high-quality software in there. I do feel as if we should all strive
to do the best quality work possible, and take some personal pride in our
craft.

I don’t mind that going viral, and I don’t think a license will affect that.

~~~
stefan_
It's not about you, it's about the user.

~~~
ChrisMarshallNY
Yup. That's what I said. The user can benefit from my work.

Seriously. Why was what I wrote bad?

I just put enough legal fig leaf on to make sure I don't get sued for
anything, do the very best work I can, and put it out there, for all to use.

I literally wrote a post, encouraging people to open-source their software,
and I led by example; not decree, which is usually the best way to proceed.

Is the MIT license a bad license? If so, why?

I have found that if I make it GPL, then a lot of folks won't use it. I want
people to use my stuff. I think it's good stuff, and can benefit users, by
being a high-quality component.

I think I do have one GPL project; an ffmpeg wrapper that uses the GPL H.264
codec. I could probably get away with not licensing it GPL, but why bother?
It's not gonna save the world. I suspect no one will have much of a use for
it, anyway.

~~~
mhh__
The users that can't use the GPL are often commercial in my experience. In
that case I'd rather dual license than change to MIT (or similar).

You want it for free, give something back. (Is my thinking)

~~~
young_unixer
I try not to use GPL software out of principle, but it's hard not to use Linux
and GNU coreutils. I wish OpenBSD was as popular as Linux.

~~~
mhh__
Well, you have a completely different perspective on software to me then.

------
applecrazy
Seeing how this is a company in China, how would the legalities work?

~~~
floatingatoll
[https://heathermeeker.com/2018/04/30/first-gpl-case-in-
china...](https://heathermeeker.com/2018/04/30/first-gpl-case-in-china-or-is-
it/)

As the link warns, this is a secondhand translation, and my summary is
thirdhand. Do your own reading, especially in the original language, if able.

The general point here is that the Chinese legal system declared that the GPL
legalese is OK, but that judges have the power to evaluate it in context of
the case and retain the authority to override the legalese when it results in
inappropriate outcomes.

In this specific ruling, the judges ruled that bundling ('aggregation') of
GPLv3 and unlicensed code did not infect the unlicensed code with the GPLv3,
resulting in a loss for the defendant.

If Onyx is bundling GPLv3 code with non-GPLv3 code, based on this single case,
they are not required to disclose the source of the non-GPLv3 code that is
aggregated with the GPLv3 code. If they have also/instead modified GPLv3 code,
then they would probably be required to publish the source for the works
derived from GPLv3 code.

The usual arguments here are that modifying a bundle of GPLv3 code to include
non-GPLv3 code is itself a 'derivative work' of GPLv3 code, or that the GPLv3
specifies that such bundling shall result in the bundled code being forcibly
licensed under GPLv3. The Chinese court apparently did not accept this line of
reasoning.

YMMV, IANYL

~~~
CuriousSkeptic
I think you have a few details wrong.

Firstly (a minor detail) I don’t think GPL requires you to “publish” source
code per se. Just make sure that every recipient of a binary copy can also
receive the source code.

But more importantly, the license doesn’t “infect” things. In no way can you
be forced to license your code according GPL. Failure to comply with the GPL
simply means the license isn’t applicable and the situation reverts back to
normal copyright rules.

~~~
marcoperaza
> _But more importantly, the license doesn’t “infect” things._

[I’m not your lawyer and this is not legal advice.]

It can have that effect. My understanding is that if you include GPL code in
your software[1] and distribute it without sharing your source code, you are
committing an ongoing contract/copyright violation that can be remedied either
by recalling and destroying the offending products, complying with license
terms by releasing your source code, or settling with the original copyright
owner (effectively, paying a license).

As for a court forcing you to release the code, that is in fact what the GPL
contract requires so the court is within its rights to require specific
performance instead of monetary damages. Even though common law courts
strongly prefer monetary damages, they will turn to specific performance if
they think it's appropriate.

All of this is going to turn on some questions about when you can bring
copyright infringement vs. contract actions. It's not an area I'm super
familiar with, but see my response below about at least one case that suggests
you could sustain a contract action for a GPL violation in some circumstances.

[1] In the way that requires you to release your own software under the GPL.
Of course, there are ways to use GPL software that don't implicate that. I'm
not talking about those.

~~~
nkurz
> they will turn to specific performance if they think it's appropriate

Do you know of any cases with the GPL where a court has in fact done so? I'm
not aware of any outcomes where code has been forcefully licensed as a
penalty. Absent strange outside circumstances (like a signed contract) I'd
instinctively (but without legal training) think that that a court would treat
the violator as "acting without a license" rather than "had specifically
agreed to the terms of a contract and then broken it".

~~~
marcoperaza
It was a live issue in the _Artifex_ case. The parties ultimately settled so
we don't have a final answer, but the district court was going along with the
contract theory. The availability of specific performance remains an open
question too. But if you can in fact enforce the GPL as a contract, then it's
not a big step to some plaintiff getting specific performance, which is going
to turn on case-specific things like the adequacy of monetary damages.

[https://www.synopsys.com/blogs/software-security/breach-
gpl-...](https://www.synopsys.com/blogs/software-security/breach-gpl-license-
breach-contract/) [https://www.omm.com/resources/alerts-and-
publications/alerts...](https://www.omm.com/resources/alerts-and-
publications/alerts/client-alert-court-upholds-enforceability-of-open-source-
licenses/) [https://www.natlawreview.com/article/important-open-
source-r...](https://www.natlawreview.com/article/important-open-source-
ruling-confirms-enforceability-dual-licensing-and-breach-gpl)

~~~
nkurz
Thanks, this is a great answer! I'll try to look at these links later.

------
rimutaka
I have just updated their Wikipedia page with a mention of the incident. Let's
see how long it will take for someone to take it down
[https://en.wikipedia.org/w/index.php?title=Onyx_Boox&action=...](https://en.wikipedia.org/w/index.php?title=Onyx_Boox&action=history)

~~~
djeiasbsbo
It was removed because you apparently didn't quote/provide a reliable
source... Looks like you quoted a reddit comment?

------
c-c-c-c-c
They release their firmware updates on their page, packaged with upx. Someone
could enjoy decompressing it
[https://onyxboox.com/firmware](https://onyxboox.com/firmware)

~~~
adielsa
Their is no source code there. Decompress wont bring it back to soirce code
state

~~~
c-c-c-c-c
Download it, unpack it, patch it to enable ssh, ssh into the machine, monitor
internet traffic and see if its doing anything fishy.

~~~
Shared404
While this is certainly a method that could be used to tell if it's doing
anything it shouldn't, it still skips over the fact that this is a violation
of the GPL. That being said, this is apparently a Chinese company, and I have
no idea if the GPL even has teeth in this scenario.

------
fierarul
Not sure what Onyx is but my first though was about the System76 system
[https://system76.com/laptops/oryx](https://system76.com/laptops/oryx)

Turns out that one is called Oryx

~~~
thekyle
Onyx makes eInk tablets. I was actually thinking of buying one earlier this
year, but not after this.

------
nikita2206
So, wtf is Onyx and how does it violate GPLv2?

~~~
input_sh
To answer the second part of your question, if you modify code released under
GPL, you need a way to provide a machine-readable copy of your modifications
to your users.

So, it doesn't need to be publicly available (as in, you and me are not Onyx
users, therefore we don't need to have access to it), just to its users.
Screenshot shows their user requesting it and being denied the request, hence,
GPL violation.

[https://www.gnu.org/licenses/gpl-
faq.en.html#GPLRequireSourc...](https://www.gnu.org/licenses/gpl-
faq.en.html#GPLRequireSourcePostedPublic)

~~~
EE84M3i
>if you modify code released under GPL

_and distribute it_

Running it server-side is fine. That's what the AGPL addresses.

If you modify GPL code and only use it yourself without distributing it, you
never have to give anyone else access to the modifications.

~~~
iso947
Indeed - I amended the show waves filter in ffmpeg to create square wave forms
for, but my C is terrible and I’m far too embarrassed to commit to a public
code forum. As the binary goes no further than my own machines there’s no
issue.

------
maitredusoi
That is where MIT license is largely superior to GPL, you know what you are
buying for... ;) GPL put enforcement without the cops to maintain it ;) With
MIT, everyone is free to do whatever they want. In a way GPL recreate
(unnecessary) bureaucraty, where MIT generate pure liberty.

~~~
toyg
Ah, the freedom of business to exploit free labor! How do we long for that!

