Hacker News | JoshTriplett's comments

In a better parallel universe, we found a different innovation without using brute-force computation to train systems that unreliably and inefficiently compute things, and that still leaves us able to understand what we're building.

> They said Raspberry PI, but the spirit of the rule is "electronic looking thing that we can't immediately determine the function of".

If this expands beyond a single event, I look forward to the inevitable lawsuit, and wish those seeking to oppose such suppression the best of luck.


It’s not a law, it’s just banned from a specific event. Chairs are also on the list.

NY and 2nd Circuit Courts have upheld far more egregious rules and laws than this, there will be no lawsuit.

I've been running not just HTTPS-by-default but strict HTTPS-only for a while now. Firefox, at least, mostly even handles things like captive portals correctly. Judging by the rarity of encountering anything that has HTTP and doesn't listen on HTTPS, I think we're to the point where any non-technical user could use an HTTPS-only configuration and correctly treat any site that doesn't work with it as broken.

The difference is that you can statically link GTK+, and it'll work. You can't statically link glibc, if you want to be able to resolve hostnames or users, because of NSS modules.

Static linking itself doesn't prevent modules. There's https://github.com/pikhq/musl-nscd for example

Not inherently, but static linking to glibc will not get you there without substantial additional effort, and static linking to a non-glibc C library will by default get you an absence of NSS.

On the other hand, as the time gets shorter, it'll become less likely that something will go undetected for a long time.

This is an open legal question, which the Conservancy v Vizio case will hopefully change; in that case, Conservancy is arguing that consumers have the right to enforce the GPL in order to receive source code.

This got buried on HN a few days ago which is a shame:

https://social.kernel.org/notice/B1aR6QFuzksLVSyBZQ

Linus rants that the SFC is wrong and argues that the GPLv2 which the kernel is licensed under does NOT force you to open your hardware. The spirit of the GPLv2 was about contributing software improvements back to the community.

Which brings us to the question: what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel? Of which there are likely none. Try and run custom software on his medical device which can likely kill him? More than likely.

The judge's comments on the Vizio case are such that should this guy get his hands on the code, he has no right to modify/reinstall it AND expect it will continue to operate as an insulin pump.

This is about as ridiculous as buying a ticket on an airplane and thinking you are entitled to the source code of the Linux in-seat entertainment system.


There are a lot of people hacking on insulin pumps and they are lightyears ahead of commerce. If you want a very interesting rabbit hole to dive into try 'artificial pancreas hacking' as google feed.

One interesting link:

https://www.drugtopics.com/view/hacking-diabetes-the-diy-bio...

I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up, it's the equivalent of flying a plane you built yourself.


> it's the equivalent of flying a plane you built yourself

A great analogy because people die that way. I personally would never push code to another person’s insulin pump (or advertise code as being used for an insulin pump) because I couldn’t live with the guilt if my bug got someone else killed.


I know people die that way (GA). But someone is working for the companies that make insulin pumps and they are not as a rule equally motivated so I would expect them to do worse, not better.

And to the best of my knowledge none of the closed-loop people have died as a result of their work and they are very good at peer reviewing each other's work to make sure it stays that way. And I'd trust my life to open source in such a setting long before I'd do it to closed source. At least I'd have a chance to see what the quality of the code is, which in the embedded space ranges from 'wow' all the way to 'no way they did that'.


> I would expect them to do worse, not better.

which is why lots of systems and processes (sometimes called red tape) exist to try and prevent the undesired outcome, and don't rely on the competency of a single person as the weak link!


There are more financial reasons to violate and cheat the red tape than there are incompetent open source hackers in the world.

Anytime anybody does something himself, there is a risk. People die because of welding parts cleaned with brake cleaner, people die driving, diving, sky-diving, doing bungee jumping...

Advertising that code, IMHO, would be like showing yourself doing extreme sports, for example. I do not think it is bad at all. A good disclaimer should be enough to take away any guilt.


I'm not aware of any deaths attributed to open source artificial pancreas systems. Meanwhile there have been multiple attributed to closed source glucose monitors.

Not attributed to. The FDA wording says "associated with" which is much weaker causally.

I can guarantee you, from my personal experience of being diabetic for 30 years, that every day—and in the most incredible ways—I have managed to “almost kill myself.” Whether when I used finger-prick testing, sensors, injecting insulin with pens, or managing insulin with a pump. Our life is always a delicate balancing act between too little, too much, and way too much—the kind where this time I really kick the bucket

By personal choice I use a commercial CGM (if I could “touch it,” I’d be firmly on the side of certainty about killing myself through sheer stupidity), but reading something like “associated with” really makes me angry. Before making such subtle insinuations about the open-source world (the source of the revolution of the last 10 years in this field), regulatory bodies should open their eyes to what is actually happening with the quality of current sensors and the real problems they are causing.


Thank you.

And strength to you. I had a business partner for some time that was much like you and every time he'd be 10 minutes late for an appointment I'd get nervous and if it was more than an hour I'd be on the phone to his family to check up on him.



And yet someone IS pushing code to these devices. Every single one.

So the question really becomes - Are these people working on their own pumps with open source more or less invested than the random programmers hired by a company that pretty clearly can't get details right around licensing, and is operating with a profit motive?

More reckless as well? Perhaps. But at least motivated by the correct incentives.


So flying in a plane you built yourself is in fact safer than flying commercial because the motivations line up. Got it.

You, an engineer at a major aircraft manufacturer that isn't Boeing, have been working after hours with some of your colleagues on a hobby project to add some modern safety features to an older model of small private plane, because you regard it as unsafe even though it still has a government certification and you got into this field because you want to save lives.

Your "prototype" is a plane from the original manufacturer with no physical modifications but a software patch to use data from sensors the plane already had to prevent the computer from getting confused under high wind conditions in a way that has already caused two fatal crashes.

Now you have to fly somewhere and your options for a plane are the one with the history of fatal crashes or the same one with your modifications, and it's windy today. Which plane are you getting on?


This example is so right. Including the parallel with what happened with those two aircraft.

Definitely not the untested code I wrote myself!

Are you kidding me? How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.


> Definitely not the untested code I wrote myself!

Nobody said it was untested.

> How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.

Which applies just the same to the people the company hired to do it, and now we're back to "the people with a stronger incentive to get it right are the people who die if it goes wrong".


I can’t tell if you seriously think a random person writing code in their basement is equivalent to a company that has access to API docs, design specs, actual test hardware, the expertise of a ton of engineers that have worked on the project and understand how it can go wrong, not to mention all the regulations and verifications they’re subject to.

But if you do then wow. That really puts in perspective the kind of people that use Hacker News. I’m gonna be more selective about who I bother replying to going forward.


> I can’t tell if you seriously think a random person writing code in their basement is equivalent to a company that has access to API docs, design specs

Are you saying not having those things is dangerous? They should be required to publish all of that for safety-critical devices then.

> actual test hardware

Why would arbitrary people be unable to buy test hardware? Again something to be addressed if true rather than used as an excuse.

> the expertise of a ton of engineers that have worked on the project and understand how it can go wrong

Do they not have internet access? If they don't even work for the company anymore then that could be the only way to access that information.

Literally something which is happening on the linked Reddit page.

> not to mention all the regulations and verifications they’re subject to.

Regulations are for preventing someone else from harming you. You don't need a government incentive to protect you from yourself, you already come with that incentive.


Tested how? With 100% "unit test" coverage? I can certainly see how a random person on the internet might be highly motivated and actually talented enough to contribute to these sorts of projects. But they don't have the budget and resources that commercial entities have. They don't have the same due diligence requirements. They don't have the same liability. If I use a commercial device unaltered, it's the company's fault if the device fucks up or is defective and causes harm. If I install random internet software on my medical device and it fucks up and causes harm, it's my fault.

I say this as someone who might modify my own medical devices because I'm so fucking jaded over the capitalist march towards enshittification and maximizing profit over human lives. There is simply no way random folks on the internet can test these types of systems to any reliable degree. It requires rigorous testing across hundreds to thousands of test cases. They at best can give you the recipe that works well for them and the few people that have voluntarily tried their version. That doesn't scale and certainly isn't any safer than corporate solutions.


Why do people constantly think something made by some random company is automatically better than something made "DIY"?

I totally understand that, because of liability and somewhat greater availability of resources, you would expect a company product to be "safe". BUT: if it is your butt that is going to be on the line, then I bet you: you will be much more careful than a random engineer in some random company. About the resources available in a big company, they are usually more directed to marketing, legal (including lobbying to avoid right to repair) and other areas to maximize revenue, and not exactly to quality.

I worked in 2 different big companies which worked in "mission critical systems" and boy! I can tell you some stories about how unsafe what they do is, and how much money is invested in "cover your ass" instead of making products better/safer.


I thought I explained it, but I'll break it down into smaller words. Medical software doesn't just have to solve one particular user's problems. It has to be generalized to the majority of folk seeking treatment for a particular problem. If one particular CPAP user is able to tweak their settings to work better for their particular lifestyle, it is not generalizable to every CPAP user. A corporation offering a general solution is put under *far* more scrutiny than a random github repo is. A corporation can be sued for releasing a product that kills people, but good luck convincing a court that your family deserves restitution for you installing a random script you found on the internet into your insulin pump.

This has fuck all to do with how much corporations care about people. It has everything to do with liability laws and how victims can get restitution. It has everything to do with the actual risks of installing random internet scripts versus the corporations who have to jump through regulatory hoops. And it's not to say corporations get everything right. They fuck things up constantly. But they fuck things up constantly with oversight and regulation and you want me to believe random internet users will make a better product without it. It's nonsense.


I have explained it already in other comments, but let me break it down for you again:

The “liability”, “scrutiny”, “regulation” only generate “cover your ass” measures, bureaucracy, red tape, costs, and hardly any real measure to increase quality or safety. My work is in such a critical mission systems company, and they don’t give a shit about safety; they are just interested in coming out clean or not wasting too much money on settlements with dead people’s relatives.

> but good luck convincing a court that your family deserves restitution for you installing a random script you found on the internet into your insulin pump.

And good luck fighting a Pharma corporation for whatever it did wrong. BTW, you bring up the CPAP topic. Maybe you can read this at leisure [1]. In this case, because it was a huge scandal, they pay. But 90% of the time, they don’t. And even in this case, with legal costs deducted and divided by all people, it is not real compensation (spoiler alert: it never ever is!).

Please note in this case they DID KNOW about the issue, and did nothing. So much for liability and scrutiny.

[1] https://www.drugwatch.com/philips-cpap/lawsuits/


This is fucking retarded. Liability isn't just CYA. It's real fucking consequences when someone dies. From your own fucking source:

> Philips Respironics agreed to a $1.1 billion settlement on April 29, 2024, to compensate people for financial damages related to the recall.

Which open source individual contributor will agree to a $1.1 billion dollar settlement because of wrongdoing? Not a single fucking one because those numbers don't make sense when random internet users are promising salvation if you just download their firmware. What a complete crock of shit you're suggesting here and you're just reinforcing my point. Did you even do the barest amount of critical thinking here?


random internet users are not promising salvation, nor are they taking profit.

they are saying: i made this and it worked for me in my specific case. you can look at it (or have a trusted knowledgeable friend look at it), and use it, for zero payment; if you want to, if the paid solutions offered on the market are insufficient for your specific case.

they would never need to come up with 1.1 billion dollars because they're not making 10x that from selling things that still harm people despite the resources that that profit makes available.


> But they don't have the budget and resources that commercial entities have.

Everyone is standing on the shoulders of giants. You're not going from stone tools to jet engines in a month, but you could fix a bug in one in that time.

> They don't have the same due diligence requirements. They don't have the same liability.

Things that exist to try to mitigate the misalignment of incentives that comes from paying someone else to create something you depend on. Better for the incentives to align to begin with.

Notice also that these things are floors, not ceilings. The company is only required to do the minimum. You can exceed it by as much as you like.

> If I use a commercial device unaltered, it's the company's fault if the device fucks up or is defective and causes harm. If I install random internet software on my medical device and it fucks up and causes harm, it's my fault.

And then if the community version fixes a bug that would have killed you and you stick with the commercial version you can sue them for killing you. Except that you're dead.

> There is simply no way random folks on the internet can test these types of systems to any reliable degree.

Basically the entire population is on the internet, so the set of them includes all the people doing it for a corporation. Are they going to forget how to do their jobs when they go home, or when they or a member of their family gets issued another company's device and they want it to be right?


Flying in a plane you built yourself is likely safer than flying in the same model of plane built by a company that assembled it for you using lowest-bid labor while making you sign a twenty page lawyer barf disclaiming liability.

We have decades of data saying that isn’t true. Homebuilt aircraft have much worse accident rates than factory built aircraft.

Are you really comparing an amateur skillset to designs from paid engineers made on a company assembly line with QC?

Why on earth would you think an experimental aircraft made by a hobbyist would be safer?


See my other follow up comment ("same model"). Medical device software development feels much closer to homegrown (or worse) than aeronautical engineering.

Why do you think a random person, who is VERY passionate about something, so as to invest all the free hours in life to do something, is less skilled than one who just does it because it is needed to survive?

Sorry. I would be much more inclined to have something made by somebody passionate about it than by some guy that hopefully received some kind of instruction on how to do things and was then left alone.

In this context (GA) we are not comparing Airbus/Boeing with a garage build. We are comparing some small company making 2 seaters with your hangar and maybe 10 certified aircraft mechanics that will help you a lot in the process.


And why do you think pathos arguments are logical? Granted, they didn't cite them, but assuming it is true, empirical studies showing the accident rates are the logical point from which to draw conclusions. What you would like, how you and others feel about it, and what you would expect are meaningless.

You're also equivocating. They made it extremely clear they are referring to hobbyists and other such groups with vague or unknown qualifications; whereas, you go in and make stipulated claims about small businesses with certified mechanics, etc. These two are clearly not the same category, making your argument non-responsive. It's also contradictory in terms of discussed liabilities and such, as the small company, and its mechanics, that whoever worked with, would have liability as well, as opposed to the "random git repo".


You write that as if you have ample experience with codebases of medical devices and I'm going to take a stab at this and say that you don't. Prove me wrong.

You can’t honestly believe that or you wouldn’t be able to function in society.

My comment rests on the fact that the types of planes you can build yourself are completely different models than the fully assembled models from the likes of Boeing etc. I do agree that a kit 737, if such a thing existed, would be less safe than one off the line.

I would still trust a Cessna way more than any plane built or modified by a single person.

I think the Beechcraft Bonanza deserves special mention here. I'm sure all the people that worked on it were experts too!

The big problem with this analogy is that it conflates three very important things:

- GA is more dangerous, period. Doesn't matter whether you build the plane yourself or if you bought it ready made (hopefully new, hopefully very well maintained if second hand)

- GA craft tend to have less experienced pilots than airliners, but even airliner pilots tend to do worse as GA pilots than when they're at work. The reason for that is simple: the processes are what keeps commercial aviation (mostly) safe.

- GA craft tend to kill the pilots, because they are more often than not the only person on the plane.

- GA craft have malfunctions like larger aircraft, there is nothing special about them in that sense. But there is something that they don't have that larger aircraft do have: redundancy. In electronics systems, in the design of the mechanical bits, and finally in the people.

- GA craft that are designed and built by their operators are experimental class for a reason: they are untested and so more likely to fail than the ones that are certified. The design processes for commercial aircraft are nothing compared to the design processes employed by what we'll call hobbyists to distinguish them.

- And finally, even though it is a fun analogy I only meant it from a skin-in-the-game point of view, a GA hobbyist is still going to do his level best to make sure that he's not going to get killed. Boeing executives only care about the bottom line, safety is a distant second. And based on my experience with the difference between the guts of various bits and pieces of avionics and the software that they run on compared to my experience looking at medical devices, their guts and the software that they run on I would be more than happy to bet that the loop hackers know as much or more about the failure modes of these devices as the manufacturers do.

Cleanroom manufacturing under sterile conditions is the main differentiator here, and that just applies to the hardware, and it is an art that the medical industry understands very well. Electronics is already at a lower level of competence and their software knowledge tends to be terrible, not to mention the QA processes on said software.

Programmers working for corporations don't necessarily suddenly grow an extra quality brain when they do their work.


Now look at something like the Bede BD-5 and see how many of its amateur builders it killed. Death rate on the first flight alone was something like 10%.

PS: Aircraft aren't assembled in cleanrooms.

Frankly, you don't have a damn clue and are getting basically everything wrong in the process.


You can believe it and simultaneously function in society.

We aren't all building our own planes because it's worse, but because it's time consuming. I don't have 20,000 hours to burn learning about how planes work to make my own.

If we magically beamed the knowledge straight into people's heads and also had a matter fabricator, I'd imagine yes - everyone would build their own plane. And it might be safer, I don't know.

Point is, the ideas are not mutually exclusive. You can believe both and still resolve it internally and with the world.


Not the original poster, but that was snark and not meant literally.

Also, building your own plane is absolutely worse, even if you do have expert-level knowledge. That's true for any complex design. Aircraft design, material sourcing, fabrication, assembly and quality control are all very different skill sets, but the real kicker is experience.

The reason why commercial aircraft are so safe is a lot of work goes into investigating and understanding the root causes of accidents, and even more work goes into implementing design fixes and crew training.


Nope, not snark. You can’t believe that you’re better than everyone else and everyone else is incompetent and still function in society.

If you do then you probably have an undiagnosed mental illness.


The problem is that the system incentivizes incompetence. The mechanics who are paid a skilled wage, take their time, and double check to make sure they are not missing anything show up as big red problems on the beancounters' spreadsheets and get optimized away.

The system can make up for this in other ways like repeatability of processes, redundancy, etc. Which is why commercial aviation is safer than general aviation, and also why I specifically worded my comment as being about the same model of plane - ie if instead of building your own experimental-class kit plane, you hired it out to a liability-limiting company hiring minimum-wage workers to follow the directions. I'm guessing such a thing is illegal per FAA regs, but that kind of proves my point.

For another example, have you experienced the medical system lately? Doctors are generally smart people, but that intelligence is squandered by having their attention smashed into 10 minute chunks, with the entire rest of the system revolving around blame passing - the end result is a lot of smart and well-meaning people ending up grossly incompetent through emergent effects. I would much rather be able to go to a doctor and trust whatever answers they gave me rather than having to do my own independent research and advocacy to drive the process. But that is not how the system we have works.


I don’t even disagree with you about the system incentives. I hate capitalism just as much as you!

But I still trust the institutions around me to keep me safe. Obviously that depends on where you live, I wouldn’t feel the same way if I still lived in Brazil.

Last time I went to a doctor was about 3 years ago. They diagnosed me in 5 minutes, and took another 10 to treat me and write me a prescription. It was great, I loved it.

Sounds like you have this trust issue with lots of different areas of your life, it might be worth reexamining your own perspective. Or maybe you just have to move to somewhere that you do trust.


I'm glad for you that you've had good experiences so far! "Diagnosed me in 5 minutes" doesn't sound like anywhere near a complex medical issue though.

I certainly keep trying to obtain good results from the system, ie extend trust, but situations routinely run aground. Can you really say it's a "trust issue" when the problem is that I dig into details of situations and repeatedly discover how so-called professionals abjectly drop key issues on the floor?

Latest example: I need a new dishwasher. I should be able to read some reviews, spend $1k, and get the problem solved, right? Guess again - first delivery, a dent (crease) in the tub from the thing being slammed so hard that its plastic frame deformed and pushed up into the metal tub. Second delivery - loud noise from wash motor. I try to engage with warranty service figuring I'd be fine with them swapping the whole pump assembly. Nope, the guy that comes can't even be assed to do his job either! "Oh that's normal so there is nothing to fix, this is a good model, you should keep it". Third try, wash motor sounds a little better but still has a problem. The third set of delivery guys didn't even take away unit #2 for the exchange (even though I even pushed back when they said someone else was going to come later). I had wanted to simply pay money to solve the problem, but instead I'm left with two noisy dishwashers and a big ole project in my court. (do I keep pushing this exchange button? do I just order a new pump assembly and fix it myself, considering the bonus dishwasher compensation for that? do I say fuck it to the whole brand and rethink the purchase decision?)

Sure, I could drop my standards here, check out, and stop caring about the details. The dented tub probably wouldn't leak a decade down the line, the loud motor isn't really that big of a deal if I only run it overnight, and if the motor needs replacing in a few years it's only a $200 repair. But should not giving in to this "best effort" service (after paying $1k) really be considered a "me" problem? It seems more like an economy problem, with me only being exceptional for noticing, having some expertise on how these things should function, and having the willingness to push back.

(although I am thankful that the thing in the front of my mind that I'm frustrated with is an appliance rather than dealing with the medical system again)


>You can’t believe that you’re better than everyone else and everyone else is incompetent and still function in society.

Welcome to HN.


This post has been a wake up call. I need to be more careful who I bother responding to.

This reminds me of the time I found out there’s a ton of libertarians here that think drivers licenses are oppression.


Those people on the Boeing flights would have appreciated a little more of the correct motivations.

Instead they got McDonnell Douglas'd

As it turns out the motivations matter way more than you might think.


> I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up

I would think it's the opposite. People that hack on this only risk their own life. Companies risk many people's lives and will get sued. Of course the person doing the hacking doesn't want to die but they're also willing to take the risk.


The absolute worst-case scenario of messing this up as a company is that you get sued and they win, or you're forced to settle. You pay out some money, post a public apology, whatever. If things get really bad, the company goes under. But you're likely still far richer than the average person, and the blame is distributed enough that no one gets a criminal sentence - not that it was a realistic option to begin with.

The baseline worst-case scenario of messing this up on yourself is that you die.


>People that hack on this only risk their own life

Yeah, only their own life, y'know, something not particularly valuable or motivating to conserve for them, as opposed to the company's financials!


Right, but getting sued is basically the least risky activity ever. Okay, a little dramatic but: you won't go to jail, and if you're rich and become less rich you're still better off than most people. In pure absolutionist terms, being a business owner is basically always less risky than being labor.

> People that hack on this only risk their own life.

Provided they do not risk anyone else's, that is entirely their right.


A lot of the other responses say something along the lines of "of course people have more incentive not to mess up, they care about their own lives more than corporations care about getting sued" and sure, that's true in general, but:

- people try to wingsuit through narrow obstacles and miss

- people try to build their own planes and helicopters and die

- people try to build submersible vehicles to go see the Titanic and, uh, don't have a 100% success rate

- people try to build steam-powered rockets and die

"It's their life, they won't fuck it up" doesn't exactly cover a lot of behaviors.

I'd argue home-rolling your own medical device firmware is closer to daredevil/"hold my beer" behavior than normal.


None of these have anything to do with your average diabetic loop hacker. You are comparing people that live for the thrills with people that are just trying to live.

They're also people who had a lot of confidence in their own skills (including thinking they knew better than others) and ended up being wrong.

I would say that can have a lot to do with your average diabetic loop hacker.


I'd like some proof that the embedded programmers working for 'the man' at medical device companies are better and more motivated than those that are hacking on loop devices.

You're comparing people with a death wish in disguise with people that are extremely motivated to improve the QOL and they're very careful about how they do this, in fact if you read up on this you'd notice the insane attention to detail and the very rigorous process, on par with what I've seen in industry and in fact probably better than most.

All of this talk in this thread makes me think back to a time when people were laughing at that Finnish kid that was making his own OS with his buddies. Surely nobody would ever trust their business, their property or their lives to open source.

I checked and this is actually Hacker News, not the BSA.


I'm arguing that "it's their life, so they'll be more careful than 'the man'" is tenuous.

There have been many people who "made informed decisions" about their medical treatments over the advice of professionals and ended up being wrong. They don't count as thrill seekers.

Even in other threads on HN, you'll find takes on this topic ranging from "I don't trust my device, so I do finger tests every day" to "I trust my vibes and my device and don't do finger tests anymore" which tells me there's a pretty wide spectrum along which hackers might fall.

I'm not at all arguing that it's impossible that someone would do a good job of hacking their device, let alone do better than pharma/med companies.

I just don't buy that everyone who hacks away at it will inherently do a better job than said companies because their life is at stake. There are way too many examples of people taking their lives in their own hands and getting it wrong.


Well, in this case the proof is there for your perusal: it works. They have ironed out most if not all of the kinks and manufacturers are pissed that they got shown up by a bunch of people who they consider to be subjects, not having agency. Because after all, if a bunch of ordinary but skilled people can do this their justification for obscene pricing all but evaporates.

I look at these companies for a living. Every two weeks on average another one. I see their codebases. I interview their engineers. There is no magic sauce. It is rare that you come across a company that really gets engineering and that doesn't see the product as a minor obstacle on the way to profits. Medical device companies in general are not exceptional in this sense (though I am aware of one that is).

But fine, you think that the people that work for these companies are somehow better than the ones whose lives are at stake. I beg to differ.


> But fine, you think that the people that work for these companies are somehow better than the ones whose lives are at stake.

That is not the point I'm making.

The point I'm making is that someone's life being at stake does not inherently make them better.


True, but the suggestions made here are that they are worse and shouldn't be trusted. I disagree with that. They are at least as good, and they could well be better.

> The spirit of the GPLv2 was about contributing software improvements back to the community.

It may be the case that when all is settled, the courts determine that the letter of the license means others' obligations are limited to what the judge in the Vizio case wrote. And Linus can speak authoritatively about his intent when he agreed to license kernel under GPL.

But I think that it's pretty clear—including and especially the very wordy Preamble—not to mention the motivating circumstances that led to the establishment of GNU and the FSF, the type of advocacy they engage in that led up to the drafting/publication of the license, and everything since, that the spirit of the GPL is very much in line with exactly the sort of activism the SFC has undertaken against vendors restricting the owners of their devices from using them how they want.


Why is it ridiculous? If the license says you have the right to obtain the source code to software that was distributed to you, then you have the right to obtain the source code. It doesn't matter what your intended use of it is.

Rather crucially, the license itself does not say that you have the right to the source code. It is only the separate written offer which gives you that right. If you did not receive such an offer, you don’t have any right to it. But then, the company has already, unquestionably, violated the GPL, and the company can be sued immediately. Specifically, you don’t have to first ask the company for the source code! The lack of a written offer is in itself a clear violation.

> But then, the company has already, unquestionably, violated the GPL, and the company can be sued immediately.

You were right up to this point. Medical devices requiring a prescription must be obtained via specialized suppliers, like a pharmacy for hardware. These appliances are not sold directly to end users because they can be dangerous if misused. This includes even CPAP machines.

In theory, that written offer only needs to go to the device suppliers. Who almost universally have no interest in source code. When the device is transferred or resold to you, it need not be accompanied by the offer of source.

If that was true, anyone reselling an Android phone could open themselves up to legal liability. Imagine your average eBayer forgetting to include an Open Source Software Notice along with some fingerprint-encrusted phone.


> If that was true, anyone reselling an Android phone could open themselves up to legal liability.

That’s only an appeal to ridicule. If those are valid, here’s an opposing one:

If this is not true, then any company can violate the GPL all it likes just by funneling all its products through a second company, like a reseller.


Here's an appeal to the law, the doctrine of copyright exhaustion (also known as the first sale doctrine) dictates that copyright is exhausted upon the first sale of the device (i.e. to the distributor) and they have no rights to control or prevent further sales.

That the GPL potentially fails to achieve what it intends to is neither a legal argument, nor particularly surprising.


Wouldn't that imply that end-user license agreements are all unenforceable because the software was sold through a retailer, and even if it wasn't you could just get a secondhand copy?

By my understanding EULAs are based on contract law and having a clickwrap agreement that requires you agree to it before using the software, not copyright law. Except perhaps to the extent that copyright law would prevent you from creating a derivative work that doesn't require you to agree to that clickwrap agreement prior to using the software.

How does that solve it? Alice buys the software, clicks "agree" so that it runs and then sells it to Bob who uses it without ever agreeing.

Somewhere deep in the legalese Alice agreed she would not do that, i.e. "non transferable license".

Isn't that the part that would violate the first sale doctrine?

I think the usual argument is that you don't own the digital good, you have a license to use it, and that license is between you and the originator (or their reseller) directly. And you aren't allowed to resell the license.

E.g. this sort of thing https://www.tomshardware.com/video-games/pc-gaming/steam-che...


No, not if the sale itself was unlawful because Alice signed a contract to not sell it like that.

The GPL notably allows for the sale, it was legal here.


> No, not if the sale itself was unlawful because Alice signed a contract to not sell it like that.

It's the contract that's the violation, isn't it? What would the first sale doctrine be if in order to get a copy you could be required to sign a contract not to exercise your rights under it? For that matter, how could state-level contract law override the federal first sale doctrine?

The "derivative work" hack also seems kind of fragile. The normal way to get someone to agree to something is that they need a right from the license, which they then don't get if they don't agree to it. But if it doesn't give them anything that they need then "there are ways to use the copy they own and have a right to use without agreeing to any additional terms" is more like the default you're trying to hack your way out of than something they're exploiting a loophole to get into, and where does that leave you if anything slips?

Suppose Alice is a three year old. She owns the copy, she presses the button and now she has a running copy even though she's not competent to enter into a contract, and then Bob buys it from her. Or Alice owns the copy and Carol presses the button, and then maybe Carol could be sued, but also maybe Carol lives in another country, and either way Alice now owns a running copy she never agreed not to sell. And then you want to be able to say "but that's cheating" except that it's not any less cheating than what you were doing to try to get them to agree to it.


So too is the GPL a contract, or at least nobody has proven that it is not a contract and the SFC will fight to prove that it is.

Sure, maybe anyways but let's assume it is, the parties to that contract are the manufacturer and the copyright holder. The contract allows the manufacturer to distribute it to the distributor without requiring the distributor to agree to the terms and itself become a party. The distributor can then sell the device with the software on it on without acquiring a license and becoming a party to the contract because the copyright has been exhausted (first sale doctrine).

EULAs get around this by forcing the end user to become a party to the contract via a click wrap agreement. There is usually no such click wrap agreement binding the distributor in the case of the GPL. And the GPL doesn't require the creation or maintenance of such a click wrap agreement so the manufacturer would be free to remove it even if the original software had one.


Like when I buy a second hand book and then I start printing copies of the book and selling them without any agreement with the original author or publisher?

Like when you buy or sell a second hand book without getting permission from the copyright holder to distribute their copyrighted material, which would otherwise be necessary.

It doesn't scale as well if I only have a single copy and don't make more. I daresay it won't be commercially viable.

Second hand book stores and libraries the world over have made it work.

They typically buy more than one book.

Distribution agreement is generally different from a sale. Distributors act as agents of the manufacturer. It’s not yet counted as a sale. Most warranties are limited to first owner and do not transfer. How do you think this squares with that? Does it mean I don’t get warranty on the dishwasher I got from Costco? It’s also the same principle of a distributor acting as an agent that enables the manufacturer to have a contract with you.

> first sale doctrine) dictates that copyright is exhausted upon the first sale of the device (i.e. to the distributor).

The copyright doesn’t go away when copies are sold to a distributor. Someone (probably the manufacturer) still has legal obligations to the copyright holder.


Copyright doesn't give you the kind of rights that a GPL license does - which is not based on copyright, but on contract law (a la, it's in the name - licenses).

A sale of an object does not transfer those licenses (but those licenses are still valid on the seller - a manufacturer selling widgets will have to obey the GPL clauses. If an end user of this widget wants the source code, they have to go back all the way to the manufacturer, rather than any of the middle-men presumably).


With regards to further distribution of the copy sold to the distributor, it does go away.

> When the device is transferred or resold to you, it need not be accompanied by the offer of source.

This is false. The person transferring the device must either pass along the offer they received (GPLv2 clause 3(c), and only if performing non-commercial redistribution), or pass along the source code (GPLv2 clause 3(a)).


By my understanding under US law first sale doctrine means that 3 (both (a) and (c)) doesn't apply, copyright has been exhausted and the intermediate party here doesn't need a license at all to sell the device on. Even if you want to argue the GPL is a contract and not just a license the intermediate owner has never been required to become a party to it. Even if for some reason they agreed to the contract - and somehow it was a binding contract despite the complete lack of consideration - it seems unlikely that the courts would interpret 3 to apply because reselling a device isn't "distributing" within the meaning of copyright law because of first sale doctrine.

My Android phone does come with an explicit written offer of source. It's in Settings>About>Legal.

> In theory, that written offer only needs to go to the device suppliers.

The GPL clearly specifies recipients, it doesn’t say anything about suppliers.


You already created an interesting top-level comment analyzing the difference between "offering" and "providing" which has a lot of discussion. I'm just saying it's not "ridiculous" to expect software licensing terms to be applied and enforced, whatever a judge decides those terms end up meaning.

It's a medical device that requires a prescription. You can't buy it off the shelf. They're not distributing software to you either. You must go through a medical equipment supplier who transfers the device to you after insurance has paid for some or all of it.

For the same reason you can't find an airplane entertainment system in the trash and call up the company and demand source code.


It doesn't matter what form it takes. Compiled binaries of GPL code are being distributed. The recipients of that binary are entitled to the source of the GPL portions in a usable form:

  "The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."

The GPL here doesn't extend beyond the kernel boundary. Userland is isolated unless they have GPL code linked in there as well. If they were careless about the linkage boundaries then that's on them.

You've gone off the rails by narrowly focusing on a passage of a software license without understanding the contract law and copyright law environments that those licenses and transactions exist in.

If you file a statement of claim to a court that is just riffing on the theme of "Compiled binaries of GPL code are being distributed" - you won't get anywhere.

I implore you to learn how to identify the parties involved, which contracts get formed when and between whom, de minimis, exemptions to copyright, and the non-copyrightable parts of code.


The recipient of that object code is the medical device supplier, not the end-user.

It's subsequently transferred to you after presenting a prescription, without any accompanying offer of source code.

In other words, assume you are the second owner in all cases when it comes to certified medical equipment.

AFAIK if you find an Android phone in the trash, you are not entitled to source either since you never received the offer of source during a purchase transaction. You know that little slip of paper you toss as soon as you open some new electronics that says "Open Source Software Notice".


> purchase transaction

The licensee has to offer code to users (more precisely, to any third party). It doesn’t say they have to purchase anything to be a legitimate user.


> In other words, assume you are the second owner in all cases when it comes to certified medical equipment.

By that logic, _any_ company can effectively ignore the GPL constraints by just selling it to a reseller, first; one that they have a contract with to _not_ offer the source code when they re-sell it.

It is my understanding that, if I use GPL in my code, and I distribute it to someone that then re-distributes it to someone else... the GPL is still binding. I don't see why that wouldn't be the case with hardware using GPL'd software.


Would you disagree with this logic? You distribute GPL code to me on a dvd. I give that dvd to someone else. I have not made a copy of the source code, so copyright does not come into this. If instead I copied the dvd and emailed the iso to someone else I would be distributing and copyright comes into it.

The GPL binds _everyone_ who distributes GPL-covered work, including resellers. It doesn't matter if you made a copy of it, you are distributing it.

No it doesn't. It cannot bind someone that has not agreed to it. A failure to agree might mean they are infringing on copyright and are liable for damages, but it is wrong to say it binds everyone that distributes it.

They are distributing it without the right to distribute it. The only thing that allows them to distribute it is agreeing to the license/contract to do it in a specific way. If they don't do that, they don't have the right to distribute it. The person they got it from saying otherwise doesn't change that.

The license travels with the copy, it is what allows the copy.

If the license does not travel with the copy, then the copy is unlicensed and is a copyright violation. The license carries restrictions and grants rights. Those aspects cannot be violated or the license ceases to exist.

You don't know what you are talking about, so stop guessing.


So when I buy a product with GPL code via Amazon, Amazon is the one with the rights to receive the source? That medical supplier is getting paid via the medical coverage the end user is paying for.

> what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel?

As the original Reddit comment explains, Insulet is an American company.


> Try and run custom software on his medical device which can likely kill him? More than likely.

It's not like the OEM software also won't kill you: https://sfconservancy.org/blog/2025/dec/23/seven-abbott-free...


Big disagree, if they distribute the code they’re on the hook for the GPL source, too!

That’s about as ridiculous as buying a plane and knowing you’re entitled to the GPL sources used.


> Linus rants

Linus is arguing against a strawman that Conservancy never actually argued. See https://sfconservancy.org/news/2025/dec/24/vizio-msa-irrelev... for details.

> Which brings us to the question: what is this guy going to do with (presumably) the kernel source?

https://openaps.org/


If you have a pacemaker implanted, do you believe you have the right to modify and update the software that operates it? Separately, do you think it's remotely a good idea?

> If you have a pacemaker implanted, do you believe you have the right to modify and update the software that operates it?

Yes, of course. It is abhorrent that people have devices implanted into their bodies and are in any way prevented from obtaining every last detail about how those devices operate.

> Separately, do you think it's remotely a good idea?

In rare circumstances, yes. See, by way of example, Karen Sandler's talk on her implanted pacemaker and its bugs, for specific details on why one might want to do so.


Not that person, but yes. You have entirely missed the ability to simply view and understand what's inside your own body.

Where your interpretation means someone else needs to follow your whim for their own problem, despite the legalese stating otherwise.

I think that is an absurd position and I am sorry to feel the need to have to be blunt about it.


Obviously yes to the first question. How could you possibly not have the right to operate your own heart? Naturally it would generally not be a good idea.

>Which brings us to the question: what is this guy going to do with (presumably) the kernel source?

It doesn't bring us to the question, but the answer to the question is: run a diff between the software that has this guy's life in its hands and the version it was derived from, to see if they inserted back doors, stray pointers, etc.


>> Try and run custom software on his medical device which can likely kill him? More than likely

I think this sentence is very sad. Not only is this a hard accusation, it is also the primary argument of the anti-right-to-repair movement. An argument that I think is extremely bogus and ill-intentioned, and I particularly (like Mr. Rossman) viscerally dislike.

Maybe the primary motivation is a) curiosity, and b) just for kicks to know if they honor the license.


> Linus rants

That happens every Tuesday, hardly newsworthy.


The argument here is that, if there is an offer, they already do under standard contract law.

If you carefully read what I wrote, you will notice that I never claimed otherwise. Whether or not third parties have standing to sue on a GPL violation is immaterial to my point, none of which is “an open question”.

I will pick a web app over a proprietary "native" app every time. That way, it can stay in a sandbox where it belongs. Discord, Zoom, Meet, Trello, YouTube, and various others, all stay in sandboxed browser tabs.

WebAssembly also runs in places other than the web, where there isn't a JavaScript interpreter at hand. It'd be nice to have a fast JavaScript engine that integrates inside the WebAssembly sandbox, and can call and be called by other languages targeting WebAssembly.

That way, programs that embed WebAssembly in order to be scriptable can let people use their choice of languages, including JavaScript.


> Someone has to deal with the utility rate hikes that tend to follow large new consumers

Commercial power is often charged differently than residential power, and there's also nothing that prevents charging disproportionately higher rates for e.g. 90th percentile power usage.

There's nothing inherent that means a data center in a locale should cause individual residential customers to pay more.


> There's nothing inherent that means a data center in a locale should cause individual residential customers to pay more.

Well the utility will have to make investments that are on a depreciation schedule anywhere on the scale of 20-50 years... so there will have to be a general rate hike to cover for the bank loan (banks aren't stupid, they want at least something in incoming cashflow increase), and when the AI bubble pops, guess who will have their rates hiked a second or third time? Yup the average consumers.


If adding a datacenter to a locale is not a net gain for the locale, you're failing to charge appropriately for things you should be charging for.

I'm sure there have been some datacenters that have tried to use "brings in jobs" incentives, and that could certainly go wrong if the incentives aren't designed correctly (e.g. proportional to the actual number of jobs), but as long as there aren't incentives being abused, a datacenter should be a net win.


Yeah seriously. If you're going to fight "tooth and nail" against a data center, maybe reevaluate and direct your energy towards something productive like better tax laws, more energy generation, and so on.
