Open source skulduggery
May 21, 2008 7:23 AM

How should an open source project deal with someone misappropriating its code for profit?

I help administer HandBrake, a small video conversion project that's somewhat popular in the Mac world.

We've just been informed that a company called Kandalu has appropriated our code, modified it to add licensing and changed some icons, and is now selling it for $25 a pop as KVideoPodPro.

They do not make source code available, and they claim on their website they wrote it themselves. However, even a cursory comparison of screenshots reveals the truth. Running their executable through the strings command even reveals an instance of "HandBrake 0.9.1" in the binary, as well as the fact that when they were slapping on the registration code they were working in this filepath:

/Developer/Projects/Others/HandBrake/macosx/Registration/Fondamentals/SESenuti.m

Considering that HandBrake has no "Registration" directory, since it's free, that's a pretty clear-cut sign they've modified the code.

Now, HandBrake is GPL. We give it away free, but there's no reason someone can't sell it (not that I'd suggest it with libdvdcss in there...). And there's no reason they can't modify it.

But they aren't publishing the modifications, and they aren't crediting the original authors, and they sure aren't following the GPL.

Added fun: HandBrake uses a lot of other open source libraries like ffmpeg and x264. It modifies these libraries with patches that are publicly available on our website. This "KVideoPodPro" is using the same patches and building the same libraries, but isn't saying it's using them, that it's modifying them, or how it's modifying them. So this does extend out to the greater FOSS world.

So what do we do? HandBrake is totally volunteer. We have no money at all to use in fighting this.

Obviously the first step is getting in touch with these people and asking them to publish their source code changes. But what's the right thing to say, and the right way to say it? And what do we do when they blow it off?
posted by jbrjake to Computers & Internet (10 answers total) 8 users marked this as a favorite
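
The strings check described in the question, as an added example that is not part of the original post or of HandBrake's code: it pulls printable strings out of a binary, collects version banners and leaked build paths that name the upstream project, and reports the first directory on each path that the upstream tree does not contain. The function names, the sample blob and the one-entry upstream directory set are assumptions made for illustration; only the version string and the file path come from the post.

```python
import re

# Runs of 4+ printable ASCII bytes, the default threshold of strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def extract_strings(blob):
    """Return the printable ASCII runs found in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]

def provenance_report(blob, project, upstream_dirs):
    """Collect version banners and leaked build paths that name `project`.

    upstream_dirs holds directories, relative to the project root, that exist
    in the upstream tree. The first directory on a leaked path that is missing
    from that set is reported as a local addition by whoever built the binary.
    """
    banner = re.compile(re.escape(project) + r" \d+(?:\.\d+)+")
    report = {"banners": [], "paths": [], "added_dirs": []}
    for text in extract_strings(blob):
        for hit in banner.findall(text):
            if hit not in report["banners"]:
                report["banners"].append(hit)
        for path in re.findall(r"/[\w./+-]+", text):
            parts = path.split("/")
            if project not in parts:
                continue  # not a path inside a checkout of the project
            if path not in report["paths"]:
                report["paths"].append(path)
            below_root = parts[parts.index(project) + 1:-1]
            for depth in range(1, len(below_root) + 1):
                candidate = "/".join(below_root[:depth])
                if candidate not in upstream_dirs:
                    if candidate not in report["added_dirs"]:
                        report["added_dirs"].append(candidate)
                    break
    return report

# Constructed sample: binary filler around the two strings quoted in the post.
SAMPLE_BLOB = (
    b"\xfe\xed\xfa\xce\x00\x00HandBrake 0.9.1\x00\x01\x02"
    b"/Developer/Projects/Others/HandBrake/macosx/Registration/"
    b"Fondamentals/SESenuti.m\x00abc\x00"
)
# Assumption: "macosx" is listed as upstream because the post says only the
# "Registration" directory is foreign; a real check would list the whole tree.
UPSTREAM_DIRS = {"macosx"}

if __name__ == "__main__":
    print(provenance_report(SAMPLE_BLOB, "HandBrake", UPSTREAM_DIRS))
```

For a real comparison, read the shipped executable with `open(path, "rb").read()` and build the upstream directory set from a checkout of the matching release.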
 
Best answer: Post it on GPL Violations!
posted by iknowizbirfmark at 7:30 AM on May 21, 2008


Best answer: I would consider getting in touch with the EFF, who I know have been involved in open-source related licensing violations in the past, and pretty much exist as an advocacy group for exactly this sort of thing. You might also want to post the same question in the debian-legal mailing list, which is a Debian list but has a lot of people who spend a lot of time dealing with this sort of thing. Good luck!
posted by whir at 7:32 AM on May 21, 2008


Best answer: The FSF specifically says:
The FSF acts on all GPL violations reported on FSF copyrighted code, and we offer assistance to any other copyright holder who wishes to do the same.
They and gpl-violations.org do these things regularly, they act in a very reasonable manner and have definitely more experience in how to handle this than anyone here. You should contact them first.
posted by criticalbeaver at 7:37 AM on May 21, 2008


Best answer: You might want to talk to Harald Welte over at gpl-violations.org (or, more generally, post to the mailing list there); they have a pretty good track record with this kind of stuff.

At the very least they might be able to give you an idea of what's proven effective in the past, and who knows -- maybe they even have some C&D notices that you could take a look at just to get an idea of what you might want to use.

The typical process, as I understand it, is to send out a C&D informing them that you believe them to be in violation and telling them to cut it out. Basically, it's a threat: stop this or we'll sue you. Then, if they don't stop, you start filing papers and sue them in a court of competent jurisdiction (deciding which can be sort of a challenge in itself, from what I gather).

You probably want to get a lawyer to assist you in drafting the C&D, I would think. (Although I know lay people who've just used boilerplate and done okay; but then again people do DIY dentistry too -- just because you can doesn't mean it's advisable.) In terms of research that you can do before you start paying for time, gathering as much information about the company doing the violation would be helpful, especially where they're incorporated and do business, their mailing and physical addresses, etc., will probably be helpful.

I think the FSF provides legal aid via the SFLC to projects pursuing violators, but only for projects where the FSF is the copyright holder (which isn't necessarily all GPL projects). At least that was the deal at one point; you might want to contact them to figure out the current policy.

Also -- Handbrake rocks. :)

On preview, what others said ... I guess I'll still go ahead and post it, though.
posted by Kadin2048 at 7:44 AM on May 21, 2008


(This post alone is helpful to your cause -- it is now the second response on a google search for KVideoPodPro.)
posted by inigo2 at 8:04 AM on May 21, 2008


If the thieves have a website where one can download the software, you could send a DMCA takedown notice to their web host.
posted by adamrice at 8:05 AM on May 21, 2008


Best answer: Contact the Software Freedom Law Center, who provides legal services to free/open source software developers.
posted by andrewraff at 8:05 AM on May 21, 2008


(This post alone is helpful to your cause -- it is now the second response on a google search for KVideoPodPro.)

(As is the fact that it's now on Digg...)
posted by mkultra at 8:16 AM on May 21, 2008


Response by poster: Oops...wasn't trying to get a bunch of publicity for this, just looking for ways to resolve it. Per the gpl-violations site everyone's been pointing towards:

Beware the "public shaming" bomb. It's easy to let off, but very hard to defuse if you made a mistake or the issue turned out to be minor and is rapidly resolved. In addition companies may become very defensive in such cases and decide to "tough it out". We want to build bridges and giving a company no way to avoid losing face hinders that, especially in certain cultures.

I didn't realize it was *that* easy to set off, unfortunately :/

Anyway, thanks for the great responses so far, everyone!
posted by jbrjake at 8:30 AM on May 21, 2008 [1 favorite]


Best answer: even if, in the end, you don't have the resources to pursue this (assuming they are infringing and don't stop), the groups behind the libraries that HandBrake bundles also have an interest... if Kandalu(?) aren't interested in resolving the issue I'd be emailing the foo-dev lists of your component libraries to let them know what's up...
posted by russm at 11:08 PM on May 21, 2008

