1

I have researched this question quite a lot on stackexchange but my thoughts are inconclusive; the different licenses involved and options by the distribution vendors are giving me a headache.

My question is basically if there is any way around the high fees the distribution vendors are charging for their professional solutions if one is just casually (by casually I mean low volume sales but with commercial intent, not as a private hobby) developing and selling embedded devices (i.e. 20-30 devices p.a.).

Now to my concrete case:

Suppose I'd want to set up an embedded device and want to use a FOSS operating system (Debian, Ubuntu, any non-commercial Linux distribution for instance) in a commercial setup, i.e. as a gateway computer. These are typically licensed with parts of GPL, LGPL, GPLv2, GPLv3 and other, more permissive licenses.

Suppose I automatically install (and most definitely update) a database on this system with the package manager but with the package repository itself provided by the database developer. Suppose the database and all its accompanying software are licensed under the Apache 2.0, BSD or MIT license. And suppose I do develop a program that gets executed on this operating system. The program should perform operations in connection with the OS, i.e. make IO operations from Ethernet to the database, maybe provide a server, but there is no compiling or heavy shell scripting (maybe only to start an update routine) involved; perhaps an SSH connection may be used for maintenance.

Suppose I wanted to sell a pre-configured device with a FOSS OS, some Apache 2.0 and MIT licensed programs and own compiled source code along with the system to a customer. Do I then have to disclose my source code to customers, according to the GPL?

If not (meaning the stated above is in accordance with the GPL): Which pitfalls might occur?

If yes (meaning the stated above would violate the GPL and I'd need to disclose my source code): Does providing the device (the embedded device is kept as a property of mine) and just charging a monthly/yearly service fee change the situation (I think, as far as I understand this answer (although in that and this case the device was intended to be lent) here, not)?

Research

A similar case is discussed here:

But in this case the aspect of maintenance and (re)installing/updating system components (i.e. if a security risk bug is fixed and a system program needs to be updated) is not addressed.

This answer gives an insight to the above problematic. But my question remains: Is using the system's package manager to update system parts in an automated fashion and using system interfaces considered "intimate enough" or is this perfectly in accordance with the GPL?

In this answer I understand that if I do what I stated above I have to be prepared to provide full source code for 3 years.

I want to thank you for taking the time to read through this wall of text and furthermore thank you in advance for providing me with an answer.

7
  • Every Android phone seems to fit the scenario you describe. Commented May 7, 2021 at 23:29
  • I also thought about Android, but the uncertain updates along with the special architecture (meaning most software needs to be adapted) is giving me a headache. With Android Things (that was intended to solve the update and security issues for production environments) abandoned by Google, I don't think this is an easy task. Especially for that low quantity the development costs will never be feasible.
    – Hans T
    Commented May 8, 2021 at 8:37
  • I meant the comment in a legal sense: Android is a GPL-licensed OS on which much proprietary stuff runs. The scenario you describe sounds like any normal OS usage with some proprietary user-space programmes on top. Commented May 8, 2021 at 9:09
  • I always thought Android was a redesigned system so that Apache 2.0 licence could be applied by Google? So you mean it is totally legally doable to do the things described above with i.e. a Debian system?
    – Hans T
    Commented May 8, 2021 at 9:52
  • Android is a kind of Linux system and thus the kernel is of course under GPLv2: android.googlesource.com/kernel/samsung/+/refs/heads/… Commented May 8, 2021 at 9:58

1 Answer

2

Suppose I wanted to sell a pre-configured device with a FOSS OS, some Apache 2.0 and MIT licensed programs and own compiled source code along with the system to a customer. Do I then have to disclose my source code to customers, according to the GPL?

No, you do not have to disclose your source code to your customers, assuming your own application does not link to any libraries under the GPL license (LGPL or GPL+linking exception is fine), and assuming you did not copy any (L)GPL-licensed code into your application.

The Linux system libraries all have an exception in their license that allows you to create/distribute a user-space application under a license that is not compatible with the GPL license of the kernel.

For package managers, your application is just data they install on the system and thus the licenses of the packages are not affected by the license of the package manager itself.

If not (meaning the stated above is in accordance with the GPL): Which pitfalls might occur?

What you have to take into account is that you are required to inform your customers about the various licenses that apply to the third-party components in your device.

Also, you must provide the source code of all GPL parts in your device (or a written offer to send it) to your customers and if any code is under the GPLv3 license, then you also have to provide the information a customer needs to update/replace those parts themselves.

5
  • Thanks for your answer. "then you also have to provide the information a customer needs to update/replace those parts themselves" -> i.e. if I provide a system that autostarts a browser and is restricted to this browser, it suffices to let the user install a different system via UEFI/BIOS? Or do I need to disclose the other "super"user account's credentials?
    – Hans T
    Commented May 9, 2021 at 10:22
  • That would depend on if a user could recreate a functioning system that way. If the user cannot install a system with the same functionality as you sell, that could be seen as a violation of the GPL licence (it is at least against the spirit of the GPL). Commented May 9, 2021 at 10:32
  • Would "recreate a functioning system" mean the user can be expected to configure the system all by themselves by the given FOSS software packages and that they have to develop the proprietary part themselves or does the proprietary part need to be disclosed, because without this, the system does not function in its intended way?
    – Hans T
    Commented May 9, 2021 at 13:19
  • @HansT, to "recreate a functioning system", at least the binaries of the proprietary part would have to be made available. This could be just the packages that your package manager downloads anyway for an update. The point is that if I made a bugfix/improvement to a GPLv3 utility used on the device, I should be able to apply that change without having to wait for you to make a new update and without necessarily rendering my device unusable. Commented May 10, 2021 at 7:49
  • Thanks for clearing that up. That was very insightful, thank you for your expertise.
    – Hans T
    Commented May 10, 2021 at 21:28
