Polish e-Dowód management tool violates OpenSC LGPL license #1992
Comments
ref to https://www.pwpw.pl/en/Aboutpwpw/Governing_bodies.html
so @majkrzak, ask https://twitter.com/boguckizbigniew about it.
@hillar It would be best if one of the copyright holders did it.
@majkrzak I can give you my "blessing" to pursue this on my behalf, for example if you want to communicate in Polish. FYI, there's a proven record of me not liking these kinds of things in the past when a few other countries/vendors were doing things like this. But "don't attribute malice to that which could be explained by incompetence or ignorance", so if you get past the ignorant first reply to somebody who actually understands things, it might be easy. For example, in the case of Spain, it was the police who were responsible for the mess-up, and they rightfully understood what license violation means, even if the "fix" takes appropriate bureaucratic time to be implemented. Hopefully pwpw.pl folks also understand it without further actions. Could you please provide binaries that would clearly show linking of OpenSC code with code that is not published under an LGPL-compatible license?
Got notified that Lithuania also distributes the "pwpw software" https://www.nsc.vrm.lt/downloads.htm so the problem is shared, but possibly more avenues to reach competent and decision-authorized people.
@majkrzak https://twitter.com/martinpaljak/status/1245616094775140354 <- might help you get started.
Looking at the only-in-Polish EULA during install and what gets installed later to
I've just poked PWPW via the official channel ([email protected]), not via the app support like previously. Let's see what they will respond.
Judging by the strings in the project, I think they're using the LGPL version. |
If you are serious about it open a case in court. |
It shouldn't require court to comply with open-source licenses. |
@majkrzak Maybe try asking with reference to the Law on access to public information?
@jadeszek, unfortunately, several court cases show that the courts do not recognize source code as content written in natural language by the procedure and do not consider it subject to the provisions on access to information (FOI law). Due to the specific legal structure of the company and references to business secrets, this can be additionally difficult and generate a long-term court dispute. Citizens Network Watchdog Poland may provide a legal expert in this area. In addition, administrative courts in Poland do not have the right to appoint an expert, so judges must assess documents on their own simple (in terms of technical knowledge) understanding. Lack of technical knowledge among judges is conducive to building secrets, so as not to order too much to be revealed due to lack of their own knowledge. I think that it is worth considering, due to being less popular, the use of the provisions on the re-use of public sector information. ePaństwo Foundation ( https://epf.org.pl/ ) may have experience in this area.
We can ask for the invoice and contract for the paid Qt license. The reply to such a request should not cause problems, and will eventually allow us to get the support of another injured copyright owner.
Who? |
The ministry/institution that runs the gov.pl website that currently distributes the e-dowód software. |
In general, FOI law is about getting information (this corresponds to a GET request in HTTP, for ease of explanation) and is guaranteed by art. 61 of the Polish Constitution. In order to influence the operation of an institution (POST, PUT, PATCH in HTTP):
At the weekend I will try to find a moment to neatly formulate a petition to the Ministry
@ad-m Is there any valid way to sign the petition online?
@ad-m the case here should be to get them to comply with licenses, that is: publish source code and give credit. Not to pursue "cease and desist". Open source wants to spread (suspending publication does not allow it) and it wants "freedoms" to be granted to users, in the form of source code. As a copyright holder I'd prefer a big red sign on the downloads page "this software includes OpenSC, OpenSSL and Qt" until the source code issue is fixed, rather than that download page disappearing from the internet. And ASAP a "here is the source code for the download" link to appear next to the download links, that would direct to GitHub, if possible. The appearance of the latter is what this issue should be tracking.
Isn't this a case for https://gpl-violations.org/? To provide some background about Open Source license infringement in Poland, I think the first loud case was the one from 2010 when eClicto was released. You can read more about it here on page 5. Unfortunately there is no information about how it ended.
@Devligue OpenSC is LGPL, not GPL, and I don't see any immediate value gpl-violations could provide. During a previous case I got assistance from FSFE, in the form of a lawyer who understood the topic of IP as well as spoke the local language, and that helped a lot. I'd first try to reach some decorated person from pwpw.pl (the supervisory board member referred to by @hillar is a good target) and if there is no reply or the reply is not sufficient, I'd pursue official government channels with gov.pl and also vrm.lt who distribute that software. Unless there is no reply or the reply is not satisfactory ("we will fix things next fiscal period, maybe" or similar BS) I'd pursue other avenues. From personal experience, I can say that even with the best intentions bureaucratic processes can take anything from 6 to 12 months, especially currently (covid19 and summer coming).
Whatever the outcome of the FOI approach would be (and the Polish government has some history of neglecting FOI requests), if this is really the case (as it reasonably seems to be), perhaps the first (and wise) thing to do, in parallel, would be to issue a formal "call to stop copyright infringement" (in Polish: "wezwanie do zaprzestania naruszania praw autorskich") by the copyright owner (!!) towards the violating party. This step does not require any court interaction, nor does it require collecting responses from the party.
Sent a request for the list of licenses of e-Dowód to the Ministry of Digital Affairs (I believe this is more likely to succeed, as they distribute the software; PWPW merely developed it), will provide their response when they respond. Of course, additional requests are welcome.
@adibo small correction: it should be "zaprzestania naruszania" instead of "zaprzestania naruszenia". It's a subtle difference, something close to "had been infringing" versus "is infringing now". "Naruszenia" goes with "wezwanie do usunięcia naruszenia praw autorskich" (= "call to remove copyright infringement"), which is also a quite useful phrase; it's used when you want to call someone, for example, to remove infringing materials, or to fix/patch something that currently goes against the license (i.e. formally correct the copyright wording, publish affected code, acknowledge authors, etc).
@quetzalcoatl corrected!
I suggest you stay calm. There is no reason to assume bad intentions for actions that can be explained by ignorance. The energy obtained through emotional agitation can be used for constructive actions so that the government's project activities in this area are corrected. If you expect the attention of the press, you can legibly present the topic (nowadays specialist knowledge of the LGPL license and the expectations of the FOSS community are required to understand the problem) and provide information to the press. Press inquiries to the spokesperson can provide us with valuable information about a government project.
@ad-m I didn't notice earlier that you're affiliated with Citizens Network Watchdog Poland. I only noticed it through code commits on the GitHub repository of https://porady.siecobywatelska.pl/ . Excuse the noise generated, I was not aware that the Watchdog is already involved.
Yes, I am a member of Citizens Network Watchdog Poland (SOWP). It's always nice to hear someone noticing our work and informing others about it. 😸 I am acting privately in this issue so far, but using the knowledge gained through working with SOWP. If I need help - I know that I can count on the support of SOWP. Additionally, I notice that at the beginning of the thread I wrote:
The information is similar in the act. I attach a file to the act with technical information: D2019000040001.pdf
Loose translation:
The only common thing between these two cases that I can see is that it's done by a Polish company. Other than that I can't see how the other case is relevant here. There are a lot of copyright infringement cases, some are bound to be from the same country.
The fifth paragraph from the end is rather interesting, stating (loosely) that "information on how an authority functions or is organized, and information about source code is of this kind, is of a technical nature and as such doesn't constitute public information [in the context of freedom of information]" ... "It is also unquestionable that making some technical information public may publicise information that has a significant impact on the security of a given IT solution". The rest is just restating the facts, what the Ministry should have done, the basis for the judgment of inactivity of the Ministry, and that while it was inactive, because it didn't have the information, it wasn't a gross violation.
There was some direct e-mail communication with some of the parties involved on this ticket as well. This is how the story went in a nutshell:
If you need time to work on a version that fixes the violation, just say it. But the strategy of denying and perplexing? My verdict on the approach by the company: "1/10, would not recommend". But the original license issue can be closed.
Didn't a recent comment (#1992 (comment)) indicate that they've spent that time not removing the dependency but hiding it?
@mgorny Most likely they have rewritten it. Although it is hard to say without deeper analysis whether this is their own solution now or it is still derived work.
Even if they have hidden/removed this now, they derived from LGPL code in the past, so they need to share the source from the past.
@nuschpl It doesn't work that way. GPL cannot infect a code base unintentionally. If some MS intern added a bit of GPL code to the Windows codebase it wouldn't change the whole of Windows to GPL. They would just admit a mistake and remove it.
No intern at Microsoft could add anything to the Windows codebase. He could only make a proposal of a change that could be accepted by some seniors. So the senior will be the person introducing such code. And MS regularly opens its code because of GPL violations https://www.infoworld.com/article/2630874/microsoft-violated-gpl-before-linux-code-release.html
That was just an example, you cannot accidentally turn your whole codebase GPL, that would be ridiculous. You could think about a malicious senior instead of an intern. You can agree to a license only intentionally. If they released some code instead of rewriting it, good for them. I guess it was just less work.
Note that context matters here. Microsoft essentially had a choice between releasing the Hyper-V driver as GPL or not having Hyper-V paravirtualization support for Linux (as kernel modifications would be necessary for that). Hyper-V working with Linux was absolutely critical for it (Microsoft themselves have said that on Microsoft Azure, Linux is used more often than Windows), so they went with releasing the source code.
Besides what was already said above, the context proposed by you is irrelevant. What the case here is about is that a particular GPL library was modified and there is an obligation to share the code of the modified version. In the case of your intern example the scope would be limited to work derived from GPL. So it doesn't affect the whole business of the company unless the whole business was derived from such code, which is very unlikely to happen. Additionally, big corporates usually have SAST scanners which, in addition to hints about code quality or security state, mention the licensing state of particular components. Often along with a dedicated department assuring due diligence. We can't say a company could ignore international laws being the base of nowadays' economy just because such a company says 'it was not intended'.
And what is the source for this statement? There is no absolute obligation like that. At worst, they could be sued by the owners of the rights to the actual GPL code, and they could demand exposing the code, but I can guarantee that no court would treat it like an absolute obligation. If the company were able to convince the court that it was a mistake, the case would be settled in a much less radical manner (they would donate money to some open-source foundation or whatever). These things don't work in absolute manners, and GPL isn't the word of God.
closing with #1992 (comment)
@frankmorgner I don't get why you've closed this based on a single opinion. The license was violated and is being violated unless source code is shared: derived work was already done and derived code was not shared. The fact that derived work is hidden or even deleted from places on the internet doesn't change that fact.
Sigh... I closed this issue, because Martin stated above that the original license issue can be closed. And if it is correct that the e-dowód software [...] is currently being provided by PWPW S.A [with] no OpenSC dependencies, then I would consider this issue solved as well. To my understanding, there is no legal binding for getting the source code of older releases that aren't distributed anymore. Please let us know if there is still a problem with the current release. I'm managing OpenSC in my free time for fun and education and I hope to continue the "fun" part also in the future...
I'm unsubscribing from this sad issue. Next time you want to finesse source code out of somebody you can try:
Bye and thanks for all the fish.
@frankmorgner @Jakuje maybe discussions should be enabled for OpenSC? 🤔 (and this ticket closed for changes) @nuschpl this is an open source project by volunteers. Issues are meant for tracking bugs and other types of actionable items, for developers and contributors. As someone who actually has copyright claims on parts of the OpenSC source code (and who communicated with pwpw on this matter), the "solution" by pwpw was legally (not morally) sufficient for my taste and maybe I should have closed the issue myself. Transparency and disclosure are important, but please pause and think before posting/asking such conspiracy theory style questions like in #1992 (comment)
Let's get back to the merits:
Feel free to bring this over to Discussions: https://github.com/OpenSC/OpenSC/discussions/categories/general
It is also an important public interest that citizens of Poland could use the above source code to make new applications using their e-ID cards. Otherwise the commercial provider and license violator can keep them locked in to proprietary software without making e-ID functionality really open to the citizens. I conclude that the issue was closed despite non-compliance, and against important public interest.
Checking e-dowód 4.3.0, which is currently distributed, I didn't find any signs of OpenSC being used anymore. Also, the OpenSSL license is now shown during installation. Since no other version that may violate OpenSC's LGPL is being distributed anymore, AFAICT there is no legal obligation of publishing e-dowód's source code. That being said, you could now try asking for the old and outdated version of e-dowód's implementation of OpenSC. Since it is not used anymore, there should not be any "security risk" in publishing this code.
Context
In March 2019 the Polish government introduced the new identity card, the first Polish identity card with an electronic layer. A management application was also released, which is the main reason for this issue. (ref)
Copyright infringement
At least one component of the eDo (e-dowod-pkcs11-64.so) looks, smells and acts like it is derived from the OpenSC PKCS#11 library. It can be easily noticed by investigating the content of the file, or even by looking into the logs emitted by e-dowod_can (ref). According to those traces, at least the following files were affected:
There is no information about OpenSC or any other LGPL content used by the application. The EULA (ref) states that PWPW (Polish Security Printing Works) (ref) is the copyright holder of everything.
My actions
I have opened the issue on the official support channel, but I got informed that the source code is a "company secret and can not be revealed" (ref). As I'm not holding any copyrights of OpenSC, I'm not entitled to take any further actions on that basis.
Appendixes
e-Dowód URL-s
Vendor response
Fragment of ~./edowod/can.log
EULA head
PWPW (Polish Security Printing Works) contact
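The provenance check described under "Copyright infringement" above (OpenSC strings inside e-dowod-pkcs11-64.so and OpenSC-style file:line:function prefixes in the vendor's log), as an added license-audit example that is not part of the original issue; the marker list, the log-prefix pattern and the sample inputs are the editor's assumptions, constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Strings characteristic of the OpenSC tree: source-file names from src/pkcs11
# and src/libopensc plus an exported API name. Assumption: this list is an
# editor's illustration, not one taken from the issue or the e-Dowód binaries.
OPENSC_MARKERS: List[bytes] = [
    b"OpenSC",
    b"pkcs11-global.c",
    b"pkcs11-object.c",
    b"framework-pkcs15.c",
    b"sc_pkcs15_bind",
]

# "file.c:line:function:" prefix as OpenSC's debug logger writes it
# (assumed here to survive unchanged in the vendor's log).
LOG_RE = re.compile(r"([\w\-]+\.c):(\d+):(\w+):")


def ascii_strings(data: bytes, min_len: int = 4) -> List[bytes]:
    """Pull printable ASCII runs out of a binary, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_binary(data: bytes) -> Dict[str, int]:
    """Count OpenSC provenance markers among the binary's strings."""
    hits: Counter = Counter()
    for s in ascii_strings(data):
        for marker in OPENSC_MARKERS:
            if marker in s:
                hits[marker.decode()] += 1
    return dict(hits)


def scan_log(lines: Iterable[str]) -> Dict[str, int]:
    """Count OpenSC-style source files referenced by log lines."""
    files: Counter = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            files[m.group(1)] += 1
    return dict(files)


# Constructed sample inputs, not the real e-dowod-pkcs11-64.so or can.log.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"C_GetFunctionList\x00OpenSC Project\x00"
    + b"pkcs11-object.c\x00sc_pkcs15_bind\x00\x01\x02pkcs11-object.c\x00"
)
SAMPLE_LOG = [
    "0x7f1 12:00:01.001 [e-dowod] pkcs11-global.c:220:C_Initialize: called",
    "0x7f1 12:00:01.002 [e-dowod] framework-pkcs15.c:1120:pkcs15_bind: bind",
    "0x7f1 12:00:01.003 [e-dowod] pkcs11-global.c:240:C_Initialize: done",
    "12:00:01.004 [e-dowod] unrelated vendor message",
]
```

Run `scan_binary` over a real shared object read in binary mode and `scan_log` over the lines of the application log; a non-empty result is a signal to follow up on, not proof on its own, since the generic PKCS#11 entry points such as C_GetFunctionList are deliberately not counted.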