Looks like Orange created something called "IDMP platform" (didn't find anything about it online) and used a library called Lasso that is licenced under the infectious GPL without releasing the source code to the "IDMP platform"
Or alternatively, buying a proprietary license from Entr'Ouvert. The court finally recognized the authors' purpose with the licensing model and validated it, that's really good news.
Definitely - I did not mean "infectious" in a disparaging way, since that's what the licence was written for. If you include GPL code, the licence "infects" everything around it.
The infection meme is very good to easily explain how GPL works - but it does "infect" only if you follow the license terms.
If you do not follow the license terms, you are using a copyrighted work without permission. And then, we are back to plain copyright law, with potential damages being awarded etc. (And the copyright owner is under no obligation to let the past infraction slip just because the violating party decides to suddenly follow the GPL terms.)
>And the copyright owner is under no obligation to let the past infraction slip just because the violating party decides to suddenly follow the GPL terms.
The owner might not, the court might. Proving damages from tardy publishing of source code would be tedious (at least in the EU). In this case they used their proprietary license option to justify the damages, which doesn't exist for a lot of software.
Yes, that is a very good point. To be awarded monetary damages, you have to make a case for it. In practice, I think a lot of companies wouldn't want to find out and try to settle in private instead.
In this case as you say, they had a proprietary license, so I guess the bottom floor for damages is the same price as a proprietary license. But I could from my complete layman perspective imagine damages to reputation, decreased likelyhood of getting new proprietary sales in the future if companies can ignore the licensing terms with impunity etc?
As someone who worked at Orange, I’m not sure you want to read all of it. There’s definitely some getting-the-internet-to-work magic in there, but a lot of it is… Let’s just say not every developer is incentivized to write good code.
The user is the French government who contracted Orange to build its portal and Orange forked the Lasso single-sign-on library without respecting the GPL or buying the proprietary license on offer.
I’m very worried about these kind of things. I’ve worked on a number of projects that were not checking any of the licenses they were building on top of. As long as it’s open sourced people always assume that it’s OK to use it. I really wish it was the case. It’s really like people are leaving these small mines here and there for people to trip on it.
If you act in good faith and fix issues as they are raised, nothing really bad should happen to you. Usually, GPL breakages are amicably pointed out and only if no agreement can be reached, the big legal tools are used.
As a developer, it's your responsibility to make sure the licenses check out; chances are you know more about those than your manager or employer's legal department.
On that note, we should probably double check our licenses and that we publish them as well.
Tell that to the average JavaScript dev who uses npm to download a library with 12 dependencies in order to use a function that returns the number of words in a string.
As a company, it's your responsibility to set and enforce a clear policy on using third party code. License is only one part of the problem.
It cannot be the individual dev's sole responsibility.
There must be a clear policy and hoops to go through (decision on choice of library, reviews before integration in code base/product, audits, etc). If that does not exist then the organisation must really step up its game.
By the way, it is the very job of the legal department to know about this and to inform policies, and of the managers to enforce those policies and processes.
Did you also use Windows without any regard to Microsoft's licensing? Whatever software you use, you must be aware of the license. It has nothing to do with whether or not the software is open source.
Lasso is a free software C library aiming to implement the Liberty Alliance standards; it defines processes for federated identities, single sign-on and related protocols. Lasso is built on top of libxml2, XMLSec and OpenSSL and is licensed under the GNU General Public License (with an OpenSSL exception).
We strongly recommend the use of the GNU General Public License each time it is possible.
But for proprietary projects, that wouldn't want to use it, we designed a commercial license.
IMO, using "free software" to describe GPL work doesn't really make sense. If I give you something, but require you to adhere to certain conditions, it's not really "free".
Say, if Bertram Gilfoyle lets you live in an apartment he owns as long as you remain a practicing member of the Church of Satan, that's not really "free", now, is it?
Of course, this idea of "freedom" is on a spectrum. By my lights, the MIT license is more free than the GPL because it imposes fewer restrictions on the user.
Personally, I don't let GPL software come anywhere near anything I'm working on. I don't even like using GCC, and was very happy when LLVM appeared on the scene with a less-scary license.
Maybe I will be downvoted to oblivion, but here is what I think. As a Free Software proponent, I find the GPL license oppressive as far as free software goes and I never considered it a true Free as in Freedom license.
I know the arguments and I see where people come from. But I find BSD-like licenses a lot easier to enforce and understand, and a lot more compatible with my personal concept of Free Software
First if 'service-public.fr' still mandate a big tech browser (aka javascript) and does not have a noscript/basic (x)html portal/compatibility, it should go to hell, really.
90% of their activity is keeping the portals safe and available: it is extremely hard for "juicy" web portals, usually you need special handling from state grade internet carriers (don't be fooled this is not a "small" thing, and you better know how to do that yourself, or Big Tech will take it all away and will dictate everything to your own core network/telecom infrastructure).
Second, I don't really know that piece of software, but if it is GPLv2, Orange should have provided the modified source code to the french administration (the "user"). If there was an "affero" clause, the french adminitration would have to publish to the french people the modified source code (or point to "upstream" if using verbatim).
If you want to screw your "clients" with open source: use massive and complex (SDK included, for instance using c++/rust/similar) open source software breaking it sufficiently often to force planned obsolescence (ISO+feature creeps is about 5-10 years planned obsolescence cycle), you know, what we actually today...
Orange is not just any telecom in France. It’s the incumbent, a bit like AT&T or Verizon in the US or BT in the UK, the French government still owns almost a quarter of the company.
41 comments
[ 3.6 ms ] story [ 95.0 ms ] threadIf Orange wanted a commercial license, there doesn't appear to be any reason why it couldn't have bought one.
https://lasso.entrouvert.org/
https://www.entrouvert.com/expertise/licences/
Self-inflicted.
If you do not follow the license terms, you are using a copyrighted work without permission. And then, we are back to plain copyright law, with potential damages being awarded etc. (And the copyright owner is under no obligation to let the past infraction slip just because the violating party decides to suddenly follow the GPL terms.)
The owner might not, the court might. Proving damages from tardy publishing of source code would be tedious (at least in the EU). In this case they used their proprietary license option to justify the damages, which doesn't exist for a lot of software.
In this case as you say, they had a proprietary license, so I guess the bottom floor for damages is the same price as a proprietary license. But I could from my complete layman perspective imagine damages to reputation, decreased likelyhood of getting new proprietary sales in the future if companies can ignore the licensing terms with impunity etc?
I want the whole source code published. That would be a real punishment - your proprietary code is now GPL'd.
That could also be leveraged to find security issues, that can be interesting in an auth system.
This has been discussed (on HN) with the recent Vizio judicial ruling.
For instance see https://news.ycombinator.com/item?id=39082722
(there might have better links)
Orange knows what they are doing.
On that note, we should probably double check our licenses and that we publish them as well.
As a company, it's your responsibility to set and enforce a clear policy on using third party code. License is only one part of the problem.
There must be a clear policy and hoops to go through (decision on choice of library, reviews before integration in code base/product, audits, etc). If that does not exist then the organisation must really step up its game.
By the way, it is the very job of the legal department to know about this and to inform policies, and of the managers to enforce those policies and processes.
That's hardly hiding the choice, someone at the telecom company chose not to get a commercial use license.
Edit: So are the links for the GPL and the OpenSSL Exception - https://lasso.entrouvert.org/license
https://dev.entrouvert.org/issues/52569
https://git.entrouvert.org/entrouvert/lasso
For commercial usage, though, the git page and forums are active enough and real live humans can be communicated with.
But who will check the licences of those softwares to build the corpus?
Say, if Bertram Gilfoyle lets you live in an apartment he owns as long as you remain a practicing member of the Church of Satan, that's not really "free", now, is it?
Of course, this idea of "freedom" is on a spectrum. By my lights, the MIT license is more free than the GPL because it imposes fewer restrictions on the user.
Personally, I don't let GPL software come anywhere near anything I'm working on. I don't even like using GCC, and was very happy when LLVM appeared on the scene with a less-scary license.
I know the arguments and I see where people come from. But I find BSD-like licenses a lot easier to enforce and understand, and a lot more compatible with my personal concept of Free Software
90% of their activity is keeping the portals safe and available: it is extremely hard for "juicy" web portals, usually you need special handling from state grade internet carriers (don't be fooled this is not a "small" thing, and you better know how to do that yourself, or Big Tech will take it all away and will dictate everything to your own core network/telecom infrastructure).
Second, I don't really know that piece of software, but if it is GPLv2, Orange should have provided the modified source code to the french administration (the "user"). If there was an "affero" clause, the french adminitration would have to publish to the french people the modified source code (or point to "upstream" if using verbatim).
If you want to screw your "clients" with open source: use massive and complex (SDK included, for instance using c++/rust/similar) open source software breaking it sufficiently often to force planned obsolescence (ISO+feature creeps is about 5-10 years planned obsolescence cycle), you know, what we actually today...