My insulin pump controller uses the Linux kernel. It also violates the GPL

> I then decided to contact Insulet to get the kernel source code for it, being GPLv2 licensed, they're obligated to provide it.

This is technically not true. It is an oversimplification of the common case, but what actually normally should happen is that:

1. The GPL requires the company to send the user a written offer of source code.

2. The user uses this offer to request the source code from the company.

3. If the user does not receive the source code, the user can sue the company for not honoring its promises, i.e. the offer of source code. This is not a GPL violation; it is a straight contract violation; the contract in this case being the explicit offer of source code, and not the GPL.

Note that all this is completely off the rails if the user does not receive a written offer of source code in the first place. In this case, the user has no right to source code, since the user did not receive an offer for source code.

However, the copyright holders can immediately sue the company for violating the GPL, since the company did not send a written offer of source code to the user. It does not matter if the company does or does not send the source code to the user; the fact that the company did not send a written offer to the user in the first place is by itself a GPL violation.

(IANAL)

Be sure to read the top comment where someone who claims to have worked for the company provides some inside information.

In my experience, this is quite common when the development of hardware is viewed as a cost center and is outsourced to various providers and teams. Those providers and teams churn a lot and nobody who worked on that is likely still involved with the company via contracts or direct employment.

Front line support people aren’t equipped to respond to these requests. If you’re lucky they’ll get bounced around internally while project managers play hot potato with the e-mail until it gets forgotten. You might get lucky if you go the corporate legal route, but more likely is that the lawyers will do the math on the likelihood of you causing them actual legal trouble for anything and decide it’s best to ignore it.

When I worked at a company that had a history of GPL drama one of the first things I did was enforce a rule that every release had a GPL tarball that was archived and backed up. We educated support people on where to forward requests. I handled them myself. 7 out 10 times, the person on the other end was angry because they assumed the GPL entitled them to all of our source code and they were disappointed when they only found GPL code in the tarball. It really opened my eyes to some of the craziness you get exposed to with these requests (though clearly not the polite and informed request in this Reddit thread) which is probably another reason why support staff are uneasy about engaging with these requests.

As always, the solution is to contact their legal department, preferably via a lawyer. Engineers and support staff are not going to risk their jobs making legal decisions about giving away company property.

The FSF could help a lot here by publishing demand letter templates outlining the statutory and precedential basis for license enforcement and recovery of damages.

I get mad triggered by software license violation discussions.

Please for the love of all that the FSF thinks is holy - just file a damn lawsuit if you are telling me they are violating the law. State your claim and have a court sort it out.

It costs hundreds of dollars. For a medical device? Seems like a good deal.

If the only GPLed component used is the Linux kernel, you probably aren't entitled to any noteworthy source code. It's well established that using the kernel doesn't create a GPL requirement userspace software running on the same device, and the most likely arrangement here is a completely-uncustomized kernel paired with an open-source userspace program that does all the interesting bits.

If they built the kernel directly from tree, just pointing out the correct https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin... should be enough...

Let me guess. Omnipod. They've had some pretty bad recalls too. Never in a lifetime would I trust my well-being to their p.o.s. hardware / software combo. Apologies that person in this thread that worked there, but I hope you are working for a better company now.

Why is this relevant for understanding how the IP works or even tweaking it? Whatever is relevant for that matter will most certainly not be a modification to the Linux kernel that the android system is running. It will not fall under the GPL that the kernel is licensed under. Can someone explain why this dispute is worth having beyond a theoretical legal debate on whether they should hand out the particular source tree from which their kernel was built (if they even built it)?

Oh well. The whole thing has already been reverse engineered. Look up Loop or Trio or OpenAPS. Diabetic companies like Insulet have been very lax when it’s come to the hacking of their devices. This isn’t really that big a deal. What we need right now is help REing the Omnipod 5

I recall idly looking through the manual of our Bosch dishwasher when it was delivered and seeing that they offered to share GPL'ed source code from the machine's embedded guts. I thought to myself, "that's kind of interesting, I'll take them up on that". So I emailed the address they provided for this purpose. I got an auto email back saying, effectively, "No. You're not an authorised person, we don't recognise your email address, we don't know who you are, we're not going to talk to you."

Oh well. Big Corp doing what Big Corps do. Paying lip service to legal requirements, but reluctantly and with barriers that would no doubt take a lot of time and money to even try and break down.

So can someone tell me - a non-insulin-dependent individual - why would an insulin pump need to be (controlled by?) a phone (in this case, the Nuu phone referenced)?

Surely there is a way to cheaply obtain bluetooth and a controller without saying "we'll just use this already existing hardware - that happens to be a whole-ass phone - because it's $5 from China"?

Kinda feels like that just screams data-stealing, regardless of where it was made.

It shocks me how much comments, here in HACKER news, are something like:

"Why do you want the source code?! leave it alone! Don't touch it, is unsafe! Big Pharma companies know much better than you what they do!"

REALLY?! REALLY?!

I'm not saying, go changing the SW like crazy. Is clear it can kill you. But this "anybody who is not a mega pharma company is absolutely unable to do anything right, you will absolutely kill yourself if you look at the code" that is just... idk... so low.

It may be named hacker news, but boy, many people here are not remotely near what I would call a hacker...

Out of interest is there a process to petition the FSF to take up something like this?

How do they triage and decide what to pursue?

> This honestly disgusts me. GPL violations are already bad on their own, but on a medical device? That me, and thousands of people rely on to stay alive?

Disgusting is not respecting the producers who put together the device that wouldn’t exist otherwise, leaving thousands of people in pain or death.

Good luck trying to enforce the GPL against a Chinese company

[flagged]