by schmuckonwheels 180 days ago
This got buried on HN a few days ago which is a shame:

https://social.kernel.org/notice/B1aR6QFuzksLVSyBZQ

Linus rants that the SFC is wrong and argues that the GPLv2 which the kernel is licensed under does NOT force you to open your hardware. The spirit of the GPLv2 was about contributing software improvements back to the community.

Which brings us to the question: what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel? Of which there are likely none. Try and run custom software on his medical device which can likely kill him? More than likely.

The judge's comments on the Vizio case are such that should this guy get his hands on the code, he has no right to modify/reinstall it AND expect it will continue to operate as an insulin pump.

This is about as ridiculous as buying a ticket on an airplane and thinking you are entitled to the source code of the Linux in-seat entertainment system.

11 comments

There are a lot of people hacking on insulin pumps and they are lightyears ahead of commerce. If you want a very interesting rabbit hole to dive into try 'artificial pancreas hacking' as Google feed.

One interesting link:

https://www.drugtopics.com/view/hacking-diabetes-the-diy-bio...

I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up, it's the equivalent of flying a plane you built yourself.

> it's the equivalent of flying a plane you built yourself

A great analogy because people die that way. I personally would never push code to another person’s insulin pump (or advertise code as being used for an insulin pump) because I couldn’t live with the guilt if my bug got someone else killed.

I know people die that way (GA). But someone is working for the companies that make insulin pumps and they are not as a rule equally motivated so I would expect them to do worse, not better.

And to the best of my knowledge none of the closed-loop people have died as a result of their work and they are very good at peer reviewing each other's work to make sure it stays that way. And I'd trust my life to open source in such a setting long before I'd do it to closed source. At least I'd have a chance to see what the quality of the code is, which in the embedded space ranges from 'wow' all the way to 'no way they did that'.

> I would expect them to do worse, not better.

Which is why lots of systems and processes (sometimes called red tape) exist to try and prevent the undesired outcome, and don't rely on the competency of a single person as the weak link!

There are more financial reasons to violate and cheat the red tape than there are incompetent open source hackers in the world.

Anytime anybody does something himself, there is a risk. People die because of welding parts cleaned with brake cleaner, people die driving, diving, sky-diving, doing bungee jumping...

Advertising that code, IMHO, would be the same as showing yourself doing extreme sports, for example. I do not think that is bad at all. A good disclaimer should be enough to take away any guilt.

I'm not aware of any deaths attributed to open source artificial pancreas systems. Meanwhile there have been multiple attributed to closed source glucose monitors.

Not attributed to. The FDA wording says "associated with" which is much weaker causally.

I can guarantee you, from my personal experience of being diabetic for 30 years, that every day—and in the most incredible ways—I have managed to “almost kill myself.” Whether when I used finger-prick testing, sensors, injecting insulin with pens, or managing insulin with a pump. Our life is always a delicate balancing act between too little, too much, and way too much—the kind where this time I really kick the bucket.

By personal choice I use a commercial CGM (if I could “touch it,” I’d be firmly on the side of certainty about killing myself through sheer stupidity), but reading something like “associated with” really makes me angry. Before making such subtle insinuations about the open-source world (the source of the revolution of the last 10 years in this field), regulatory bodies should open their eyes to what is actually happening with the quality of current sensors and the real problems they are causing.

Thank you.

And strength to you. I had a business partner for some time that was much like you and every time he'd be 10 minutes late for an appointment I'd get nervous and if it was more than an hour I'd be on the phone to his family to check up on him.

And yet someone IS pushing code to these devices. Every single one.

So the question really becomes - Are these people working on their own pumps with open source more or less invested than the random programmers hired by a company that pretty clearly can't get details right around licensing, and is operating with a profit motive?

More reckless as well? Perhaps. But at least motivated by the correct incentives.

So flying in a plane you built yourself is in fact safer than flying commercial because the motivations line up. Got it.

You, an engineer at a major aircraft manufacturer that isn't Boeing, have been working after hours with some of your colleagues on a hobby project to add some modern safety features to an older model of small private plane, because you regard it as unsafe even though it still has a government certification and you got into this field because you want to save lives.

Your "prototype" is a plane from the original manufacturer with no physical modifications but a software patch to use data from sensors the plane already had to prevent the computer from getting confused under high wind conditions in a way that has already caused two fatal crashes.

Now you have to fly somewhere and your options for a plane are the one with the history of fatal crashes or the same one with your modifications, and it's windy today. Which plane are you getting on?

This example is so right. Including the parallel with what happened with those two aircraft.

Definitely not the untested code I wrote myself!

Are you kidding me? How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.

Flying in a plane you built yourself is likely safer than flying in the same model of plane built by a company that assembled it for you using lowest-bid labor while making you sign a twenty page lawyer barf disclaiming liability.

We have decades of data saying that isn’t true. Homebuilt aircraft have much worse accident rates than factory built aircraft.

Are you really comparing an amateur skillset to designs from paid engineers made on a company assembly line with QC?

Why on earth would you think an experimental aircraft made by a hobbyist would be safer?

You can’t honestly believe that or you wouldn’t be able to function in society.

Those people on the Boeing flights would have appreciated a little more of the correct motivations.

Instead they got McDonnell Douglas'd

As it turns out the motivations matter way more than you might think.

> I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up

I would think it's the opposite. People that hack on this only risk their own life. Companies risk many people's lives and will get sued. Of course the person doing the hacking doesn't want to die but they're also willing to take the risk.

The absolute worst-case scenario of messing this up as a company is that you get sued and they win, or you're forced to settle. You pay out some money, post a public apology, whatever. If things get really bad, the company goes under. But you're likely still far richer than the average person, and the blame is distributed enough that no one gets a criminal sentence - not that it was a realistic option to begin with.

The baseline worst-case scenario of messing this up on yourself is that you die.

>People that hack on this only risk their own life

Yeah, only their own life, y'know, something not particularly valuable or motivating to conserve for them, as opposed to the company's financials!

Right, but getting sued is basically the least risky activity ever. Okay, a little dramatic but: you won't go to jail, and if you're rich and become less rich you're still better off than most people. In pure absolutist terms, being a business owner is basically always less risky than being labor.

> People that hack on this only risk their own life.

Provided they do not risk anyone else's, that is entirely their right.

A lot of the other responses say something along the lines of "of course people have more incentive not to mess up, they care about their own lives more than corporations care about getting sued" and sure, that's true in general, but:

- people try to wingsuit through narrow obstacles and miss

- people try to build their own planes and helicopters and die

- people try to build submersible vehicles to go see the Titanic and, uh, don't have a 100% success rate

- people try to build steam-powered rockets and die

"It's their life, they won't fuck it up" doesn't exactly cover a lot of behaviors.

I'd argue home-rolling your own medical device firmware is closer to daredevil/"hold my beer" behavior than normal.

None of these have anything to do with your average diabetic loop hacker. You are comparing people that live for the thrills with people that are just trying to live.

They're also people who had a lot of confidence in their own skills (including thinking they knew better than others) and ended up being wrong.

I would say that can have a lot to do with your average diabetic loop hacker.

I'd like some proof that the embedded programmers working for 'the man' at medical device companies are better and more motivated than those that are hacking on loop devices.

You're comparing people with a death wish in disguise with people that are extremely motivated to improve the QOL and they're very careful about how they do this, in fact if you read up on this you'd notice the insane attention to detail and the very rigorous process, on par with what I've seen in industry and in fact probably better than most.

All of this talk in this thread makes me think back to a time when people were laughing at that Finnish kid that was making his own OS with his buddies. Surely nobody would ever trust their business, their property or the lives to open source.

I checked and this is actually Hacker News, not the BSA.

> The spirit of the GPLv2 was about contributing software improvements back to the community.

It may be the case that when all is settled, the courts determine that the letter of the license means others' obligations are limited to what the judge in the Vizio case wrote. And Linus can speak authoritatively about his intent when he agreed to license kernel under GPL.

But I think that it's pretty clear—including and especially the very wordy Preamble—not to mention the motivating circumstances that led to the establishment of GNU and the FSF, the type of advocacy they engage in that led up to the drafting/publication of the license, and everything since, that the spirit of the GPL is very much in line with exactly the sort of activism the SFC has undertaken against vendors restricting the owners of their devices from using them how they want.

Why is it ridiculous? If the license says you have the right to obtain the source code to software that was distributed to you, then you have the right to obtain the source code. It doesn't matter what your intended use of it is.

Rather crucially, the license itself does not say that you have the right to the source code. It is only the separate written offer which gives you that right. If you did not receive such an offer, you don’t have any right to it. But then, the company has already, unquestionably, violated the GPL, and the company can be sued immediately. Specifically, you don’t have to first ask the company for the source code! The lack of a written offer is in itself a clear violation.

> But then, the company has already, unquestionably, violated the GPL, and the company can be sued immediately.

You were right up to this point. Medical devices requiring a prescription must be obtained via specialized suppliers, like a pharmacy for hardware. These appliances are not sold directly to end users because they can be dangerous if misused. This includes even CPAP machines.

In theory, that written offer only needs to go to the device suppliers. Who almost universally have no interest in source code. When the device is transferred or resold to you, it need not be accompanied by the offer of source.

If that was true, anyone reselling an Android phone could open themselves up to legal liability. Imagine your average eBayer forgetting to include an Open Source Software Notice along with some fingerprint-encrusted phone.

> If that was true, anyone reselling an Android phone could open themselves up to legal liability.

That’s only an appeal to ridicule. If those are valid, here’s an opposing one:

If this is not true, then any company can violate the GPL all it likes just by funneling all its products through a second company, like a reseller.

Here's an appeal to the law, the doctrine of copyright exhaustion (also known as the first sale doctrine) dictates that copyright is exhausted upon the first sale of the device (i.e. to the distributor) and they have no rights to control or prevent further sales.

That the GPL potentially fails to achieve what it intends to is neither a legal argument, nor particularly surprising.

Wouldn't that imply that end-user license agreements are all unenforceable because the software was sold through a retailer, and even if it wasn't you could just get a secondhand copy?

Distribution agreement is generally different from a sale. Distributors act as agents of the manufacturer. It’s not yet counted as a sale. Most warranties are limited to first owner and do not transfer. How do you think this squares with that? Does it mean I don’t get warranty on the dishwasher I got from Costco? It’s also the same principle of a distributor acting as an agent that enables the manufacturer to have a contract with you.

> first sale doctrine) dictates that copyright is exhausted upon the first sale of the device (i.e. to the distributor).

The copyright doesn’t go away when copies are sold to a distributor. Someone (probably the manufacturer) still has legal obligations to the copyright holder.

> When the device is transferred or resold to you, it need not be accompanied by the offer of source.

This is false. The person transferring the device must either pass along the offer they received (GPLv2 clause 3(c), and only if performing non-commercial redistribution), or pass along the source code (GPLv2 clause 3(a)).

By my understanding under US law first sale doctrine means that 3 (both (a) and (c)) doesn't apply, copyright has been exhausted and the intermediate party here doesn't need a license at all to sell the device on. Even if you want to argue the GPL is a contract and not just a license the intermediate owner has never been required to become a party to it. Even if for some reason they agreed to the contract - and somehow it was a binding contract despite the complete lack of consideration - it seems unlikely that the courts would interpret 3 to apply because reselling a device isn't "distributing" within the meaning of copyright law because of first sale doctrine.

My Android phone does come with an explicit written offer of source. It's in Settings>About>Legal.

> In theory, that written offer only needs to go to the device suppliers.

The GPL clearly specifies recipients, it doesn’t say anything about suppliers.

You already created an interesting top-level comment analyzing the difference between "offering" and "providing" which has a lot of discussion. I'm just saying it's not "ridiculous" to expect software licensing terms to be applied and enforced, whatever a judge decides those terms end up meaning.

It's a medical device that requires a prescription. You can't buy it off the shelf. They're not distributing software to you either. You must go through a medical equipment supplier who transfers the device to you after insurance has paid for some or all of it.

For the same reason you can't find an airplane entertainment system in the trash and call up the company and demand source code.

It doesn't matter what form it takes. Compiled binaries of GPL code are being distributed. The recipients of that binary are entitled to the source of the GPL portions in a usable form:

  "The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."

The GPL here doesn't extend beyond the kernel boundary. Userland is isolated unless they have GPL code linked in there as well. If they were careless about the linkage boundaries then that's on them.

You've gone off the rails by narrowly focusing on a passage of a software license without understanding the contract law and copyright law environments that those licenses and transactions exist in.

If you file a statement of claim to a court that is just riffing on the theme of "Compiled binaries of GPL code are being distributed" - you won't get anywhere.

I implore you to learn how to identify the parties involved, which contracts get formed when and between whom, de minimis, exemptions to copyright, and the non-copyrightable parts of code.

The recipient of that object code is the medical device supplier, not the end-user.

It's subsequently transferred to you after presenting a prescription, without any accompanying offer of source code.

In other words, assume you are the second owner in all cases when it comes to certified medical equipment.

AFAIK if you find an Android phone in the trash, you are not entitled to source either since you never received the offer of source during a purchase transaction. You know that little slip of paper you toss as soon as you open some new electronics that says "Open Source Software Notice".

> purchase transaction

The licensee has to offer code to users (more precisely, to any third party). It doesn’t say they have to purchase anything to be a legitimate user.

> In other words, assume you are the second owner in all cases when it comes to certified medical equipment.

By that logic, _any_ company can effectively ignore the GPL constraints by just selling it to a reseller, first; one that they have a contract with to _not_ offer the source code when they re-sell it.

It is my understanding that, if I use GPL in my code, and I distribute it to someone that then re-distributes it to someone else... the GPL is still binding. I don't see why that wouldn't be the case with hardware using GPL'd software.

Would you disagree with this logic? You distribute GPL code to me on a dvd. I give that dvd to someone else. I have not made a copy of the source code, so copyright does not come into this. If instead I copied the dvd and emailed the iso to someone else I would be distributing and copyright comes into it.

So when I buy a product with GPL code via Amazon, Amazon is the one with the rights to receive the source? That medical supplier is getting paid via the medical coverage the end user is paying for.

> what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel?

As the original Reddit comment explains, Insulet is an American company.

> This is about as ridiculous as buying a ticket on an airplane and thinking you are entitled to the source code of the Linux in-seat entertainment system.

Broken take. You are entitled to the source code.

Big disagree, if they distribute the code they’re on the hook for the GPL source, too!

That’s about as ridiculous as buying a plane and knowing you’re entitled to the GPL sources used.

> Try and run custom software on his medical device which can likely kill him? More than likely.

It's not like the OEM software also won't kill you: https://sfconservancy.org/blog/2025/dec/23/seven-abbott-free...

> Linus rants

Linus is arguing against a strawman that Conservancy never actually argued. See https://sfconservancy.org/news/2025/dec/24/vizio-msa-irrelev... for details.

> Which brings us to the question: what is this guy going to do with (presumably) the kernel source?

https://openaps.org/

If you have a pacemaker implanted, do you believe you have the right to modify and update the software that operates it? Separately, do you think it's remotely a good idea?

> If you have a pacemaker implanted, do you believe you have the right to modify and update the software that operates it?

Yes, of course. It is abhorrent that people have devices implanted into their bodies and are in any way prevented from obtaining every last detail about how those devices operate.

> Separately, do you think it's remotely a good idea?

In rare circumstances, yes. See, by way of example, Karen Sandler's talk on her implanted pacemaker and its bugs, for specific details on why one might want to do so.

Not that person, but yes. You have entirely missed the ability to simply view and understand what's inside your own body.

Where your interpretation means someone else needs to follow your whim for their own problem, despite the legalese stating otherwise.

I think that is an absurd position and I am sorry to feel the need to have to be blunt about it.

Obviously yes to the first question. How could you possibly not have the right to operating your own heart. Naturally it would generally not be a good idea.

> Which brings us to the question: what is this guy going to do with (presumably) the kernel source?

It doesn't bring us to the question, but the answer to the question is, run a diff between the software that has this guy's life in its hands, and the version it was derived from, to see if they inserted back doors, stray pointers, etc.

>> Try and run custom software on his medical device which can likely kill him? More than likely

I think this sentence is very sad. Not only is this a hard accusation, it is also the primary argument of the anti right to repair movement. An argument that I think is extremely bogus and ill intentioned, and I particularly (like Mr. Rossman) viscerally dislike.

Maybe the primary motivation is a) curiosity, and b) just for kicks to know if they honor the license.

> Linus rants

That happens every Tuesday, hardly newsworthy.