
Polish e-Dowód management tool violates OpenSC LGPL license #1992

Closed
majkrzak opened this issue Mar 26, 2020 · 113 comments

Comments

@majkrzak
Contributor

majkrzak commented Mar 26, 2020

I finally delivered, as I promised. Now it is your turn, @mtrojnar 😊
#1831 (comment)

Context

In March 2019 the Polish government introduced a new identity card, the first Polish identity card with an electronic layer. A management application was also released, which is the main reason for this issue. (ref)

Copyright infringement

At least one component of the eDo (e-dowod-pkcs11-64.so) looks, smells and acts like it is derived from the OpenSC pkcs11 lib. It can easily be noticed by investigating the content of the file, or even by looking into the logs emitted by e-dowod_can (ref). According to those traces, at least the following files were affected:

There is no information about OpenSC or any other LGPL content used by the application. The EULA (ref) states that PWPW (Polish Security Printing Works) (ref) is the copyright holder of everything.

My actions

I opened an issue on the official support channel, but I was informed that the source code is a "company secret and can not be revealed" (ref). As I do not hold any copyrights on OpenSC, I am not entitled to take any further action on that.

Appendixes

e-Dowód URL-s

Vendor response

Dear User, for security reasons the source code of the application is a trade secret of the company and cannot be made available. eDO Team

Hello

Please make available the source code of the e-dowód Menedżer application, in particular the components based on open licences, e.g. e-dowod-pkcs11-64.so under the LGPL

Kind regards
Piotr Majkrzak

Fragment of ~./edowod/can.log

2020-03-25T22:37:06.158 common         CAN => Monitor <can>private<can><cmd>checkCAN<cmd><rid>Identiv Identiv uTrust 4701 F Dual Interface Reader [uTrust 4701 F CL Reader] (55041747202849) 01 00<rid>
2020-03-25T22:37:06.260 common         CAN <= Monitor <cmd>canResult<cmd><res>10<res>
2020-03-25T22:37:06.260 driver_pkcs11  checkCan()
2020-03-25T22:37:06.260 driver_pkcs11  driver:init()
2020-03-25T22:37:06.261 common         find "e-dowod-pkcs11-64.so" in prod ("/opt/e-dowod")
2020-03-25T22:37:06.261 driver_pkcs11  Loading library:  "/opt/e-dowod/e-dowod-pkcs11-64.so"
2020-03-25T22:37:06.264 driver_pkcs11  C_initialize()
0x7f7e62999700 22:37:06.264 [opensc-pkcs11] ctx.c:305:sc_context_create: ===================================
0x7f7e62999700 22:37:06.264 [opensc-pkcs11] ctx.c:306:sc_context_create: opensc version: 3.0.27.171, logLevel=20675
0x7f7e62999700 22:37:06.264 [opensc-pkcs11] reader-pcsc.c:778:pcsc_init: PC/SC options: connect_exclusive=0 disconnect_action=0 transaction_end_action=0 reconnect_action=0 enable_pinpad=1 enable_pace=1
0x7f7e62999700 22:37:06.265 [opensc-pkcs11] reader-pcsc.c:1108:pcsc_detect_readers: called
0x7f7e62999700 22:37:06.266 [opensc-pkcs11] reader-pcsc.c:1175:pcsc_detect_readers: pcsc_detect_readers called for reader name: Identiv Identiv uTrust 4701 F Dual Interface Reader [uTrust 4701 F Contact Reader] (55041747202849) 00 00
0x7f7e62999700 22:37:06.266 [opensc-pkcs11] reader-pcsc.c:1198:pcsc_detect_readers: pcsc_detect_readers found
0x7f7e62999700 22:37:06.266 [opensc-pkcs11] reader-pcsc.c:1199:pcsc_detect_readers: Found new pcsc reader 'Identiv Identiv uTrust 4701 F Dual Interface Reader [uTrust 4701 F Contact Reader] (55041747202849) 00 00'
0x7f7e62999700 22:37:06.267 [opensc-pkcs11] reader-pcsc.c:438:refresh_attributes: current  state: 0x00000012
0x7f7e62999700 22:37:06.267 [opensc-pkcs11] reader-pcsc.c:439:refresh_attributes: previous state: 0x00000000
0x7f7e62999700 22:37:06.267 [opensc-pkcs11] reader-pcsc.c:442:refresh_attributes: CardChange=TRUE
0x7f7e62999700 22:37:06.267 [opensc-pkcs11] reader-pcsc.c:337:clear_reader_data_and_flags: clear reader can and flags
0x7f7e62999700 22:37:06.267 [opensc-pkcs11] reader-pcsc.c:512:refresh_attributes: card absent
0x7f7e62999700 22:37:06.267 [opensc-pkcs11] reader-pcsc.c:514:refresh_attributes: Refresh atribiutes 0
0x7f7e62999700 22:37:06.267 [opensc-pkcs11] reader-pcsc.c:1233:pcsc_detect_readers: pcsc_detect_readers reaeder already detected not skipping but goto hide in if
0x7f7e62999700 22:37:06.267 [opensc-pkcs11] reader-pcsc.c:1241:pcsc_detect_readers: Requesting reader features.....................
0x7f7e62999700 22:37:06.268 [opensc-pkcs11] reader-pcsc.c:1242:pcsc_detect_readers: Requesting reader features ... 
0x7f7e62999700 22:37:06.268 [opensc-pkcs11] reader-pcsc.c:1260:pcsc_detect_readers: Identiv Identiv uTrust 4701 F Dual Interface Reader [uTrust 4701 F Contact Reader] (55041747202849) 00 00:SCardConnect(SHARED): 0x8010000c
0x7f7e62999700 22:37:06.268 [opensc-pkcs11] reader-pcsc.c:1198:pcsc_detect_readers: pcsc_detect_readers found
0x7f7e62999700 22:37:06.268 [opensc-pkcs11] reader-pcsc.c:1199:pcsc_detect_readers: Found new pcsc reader 'Identiv Identiv uTrust 4701 F Dual Interface Reader [uTrust 4701 F CL Reader] (55041747202849) 01 00'
0x7f7e62999700 22:37:06.269 [opensc-pkcs11] reader-pcsc.c:438:refresh_attributes: current  state: 0x00150022
0x7f7e62999700 22:37:06.269 [opensc-pkcs11] reader-pcsc.c:439:refresh_attributes: previous state: 0x00000000
0x7f7e62999700 22:37:06.269 [opensc-pkcs11] reader-pcsc.c:442:refresh_attributes: CardChange=TRUE
0x7f7e62999700 22:37:06.269 [opensc-pkcs11] cache-client.c:583:cache_get_can: CAN read from cache
0x7f7e62999700 22:37:06.269 [opensc-pkcs11] cache-client.c:392:cache_get: cache_get:  Identiv Identiv uTrust 4701 F Dual Interface Reader [uTrust 4701 F CL Reader] (55041747202849) 01 00:CAN

EULA head

<p align="justify" ><a name="_Hlk1906251"></a>
The economic copyrights to the "e-dowód" application,
which comprises "e-dowód Menedżer", "e-dowód Monitor",
"e-dowód Podaj CAN" and "e-dowód Pomoc",
and to the document "Dokumentacja Użytkownika aplikacji MdO" (User Documentation of the MdO application)
belong to Polska Wytwórnia Papierów Wartościowych S.A.
(also referred to as PWPW S.A.) with its registered office in Warsaw,
ul. Sanguszki 1. The above rights are protected by the Act of 4 February
1994 on Copyright and Related Rights (consolidated text: Journal of Laws of 2018,
item 1191, as amended).
</p>

PWPW (Polish Security Printing Works) contact

Polska Wytwórnia Papierów Wartościowych S.A.

ul. Sanguszki 1
00-222 Warszawa

tel. 22 235 20 00
fax 22 235 24 50

pwpw@pwpw.pl
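As an added example (not code from the issue, from PWPW or from OpenSC), this is the kind of check a compliance reviewer could run over the can.log fragment quoted above, and over a shared object's printable strings, to collect provenance evidence before sending a notice. The log layout and the marker strings are taken from the quoted fragment; the set of upstream OpenSC file names is an illustrative subset I chose, not an authoritative list.

```python
"""Collect OpenSC provenance evidence from an e-dowód can.log fragment and from
a binary's printable strings. Added example; not code from the issue, PWPW or OpenSC."""
import re
from collections import Counter

# Constructed input: lines copied from the can.log fragment quoted in the issue
# (trimmed to a few lines that carry the OpenSC debug-log layout, plus one that does not).
SAMPLE_LOG = """\
2020-03-25T22:37:06.264 driver_pkcs11  C_initialize()
0x7f7e62999700 22:37:06.264 [opensc-pkcs11] ctx.c:305:sc_context_create: ===================================
0x7f7e62999700 22:37:06.264 [opensc-pkcs11] ctx.c:306:sc_context_create: opensc version: 3.0.27.171, logLevel=20675
0x7f7e62999700 22:37:06.264 [opensc-pkcs11] reader-pcsc.c:778:pcsc_init: PC/SC options: connect_exclusive=0
0x7f7e62999700 22:37:06.269 [opensc-pkcs11] cache-client.c:583:cache_get_can: CAN read from cache
"""

# Log layout as seen in the fragment: [opensc-pkcs11] file.c:line:function: message
OPENSC_LOG_RE = re.compile(
    r"\[opensc-pkcs11\]\s+(?P<file>[\w.\-]+\.c):(?P<line>\d+):(?P<func>\w+):\s*(?P<msg>.*)$"
)
VERSION_RE = re.compile(r"opensc version:\s*([\d.]+)")

# Illustrative subset of upstream OpenSC source files (an assumption of this example,
# not an authoritative list); anything else must be checked against an OpenSC checkout.
KNOWN_UPSTREAM_FILES = {"ctx.c", "reader-pcsc.c", "card.c", "sec.c", "pkcs11-object.c"}

# Printable strings that an OpenSC-derived PKCS#11 module typically carries.
OPENSC_MARKERS = (b"opensc-pkcs11", b"sc_context_create", b"opensc version", b"OpenSC")


def parse_opensc_lines(text):
    """Return one dict (file, line, func, msg) per line written in the OpenSC log layout."""
    return [m.groupdict() for m in map(OPENSC_LOG_RE.search, text.splitlines()) if m]


def summarize_evidence(text):
    """Aggregate the log hits: how many lines, which source files, which OpenSC version."""
    hits = parse_opensc_lines(text)
    files = Counter(h["file"] for h in hits)
    version = None
    for h in hits:
        vm = VERSION_RE.search(h["msg"])
        if vm:
            version = vm.group(1)
    return {
        "opensc_lines": len(hits),
        "files": dict(files),
        "version": version,
        # Files outside the illustrative subset: candidates for vendor-added or modified code.
        "unverified_files": sorted(f for f in files if f not in KNOWN_UPSTREAM_FILES),
    }


def scan_strings(data, markers=OPENSC_MARKERS, min_len=6):
    """Like `strings | grep`: return printable runs in a byte blob that contain a marker."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [s.decode("ascii") for s in runs if any(mk in s for mk in markers)]


if __name__ == "__main__":
    print(summarize_evidence(SAMPLE_LOG))
    # Constructed blob standing in for a shared object; not real e-dowod-pkcs11-64.so content.
    blob = b"\x7fELF\x00\x00[opensc-pkcs11] %s:%d:%s: \x00\x00opensc version: 3.0.27.171\x00libc.so.6\x00"
    print(scan_strings(blob))
```

To use it on a real download, read the shared object with `open(path, "rb").read()` and pass it to `scan_strings`; the file names reported by `summarize_evidence` are the ones to diff against an OpenSC release of the logged version.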

@hillar

hillar commented Mar 31, 2020

ref to https://www.pwpw.pl/en/Aboutpwpw/Governing_bodies.html

Zbigniew Bogucki | Chairman of the Supervisory Board

so @majkrzak ask https://twitter.com/boguckizbigniew about it ..

@majkrzak
Contributor Author

majkrzak commented Apr 2, 2020

@hillar It will be best if one of the copyright holders does it.

@martinpaljak
Member

@majkrzak I can give you my "blessing" to pursue this on my behalf, for example if you want to communicate in Polish. FYI, there's a proven record of me not liking these kinds of things in the past when a few other countries/vendors were doing things like this. But "don't attribute to malice that which could be explained by incompetence or ignorance", so if you get past the ignorant first reply to somebody who actually understands things, it might be easy. For example, in the case of Spain, it was the police who were responsible for the mess-up, and they rightfully understood what a license violation means, even if the "fix" takes appropriate bureaucratic time to be implemented. Hopefully the pwpw.pl folks also understand it without further actions.

Could you please provide binaries that would clearly show linking of OpenSC code with code that is not published under LGPL-compatible license?

@martinpaljak
Member

Got notified that Lithuania also distributes the "pwpw software" https://www.nsc.vrm.lt/downloads.htm so the problem is shared, but possibly more avenues to reach competent and decision-authorized people.

@martinpaljak
Member

@majkrzak https://twitter.com/martinpaljak/status/1245616094775140354 <- might help you get started.

@martinpaljak
Member

Looking at the Polish-only EULA during install and what gets installed later to opt/e-dowod/Licenses/license-e-dowod.html, they also forgot to mention the bundled OpenSSL. I can only assume/hope they are using a paid license of Qt instead of the open-source one.

@majkrzak
Contributor Author

majkrzak commented Apr 2, 2020

I've just poked PWPW via the official channel (pwpw@pwpw.pl) not via the app support like previously. Let's see what they will respond.

@Avamander

Avamander commented Apr 2, 2020

@martinpaljak

I can only assume/hope they are using a paid license of Qt instead of the opensource one.

Judging by the strings in the project, I think they're using the LGPL version.

@zyga

zyga commented Apr 2, 2020

If you are serious about it open a case in court.

@Avamander

@zyga

If you are serious about it open a case in court.

It shouldn't require court to comply with open-source licenses.

@jadeszek

jadeszek commented Apr 2, 2020

@majkrzak Maybe try to ask referring to Law on access to public information?

@ad-m

ad-m commented Apr 2, 2020

@jadeszek, unfortunately, several court cases show that the courts do not recognize source code as content written in natural language by procedure, and do not consider it subject to the provisions on access to information (FOI law). Due to the specific legal structure of the company and the reference to business secrets, this can be additionally difficult and generate a long-term court dispute. Citizens Network Watchdog Poland may provide a legal expert in this area.

In addition, administrative courts in Poland do not have the right to appoint an expert, so judges must assess documents and assess them on their simple (in terms of technical knowledge) mind. Lack of technical knowledge among judges is conducive to building secrets so as not to order too much to be revealed due to lack of own knowledge.

I think that it is worth considering - due to the less popular - use the provisions on the re-use of information from the public sector. ePaństwo Foundation ( http://epf.org.pl/ ) may have experience in this area.

@ad-m

ad-m commented Apr 2, 2020

We can ask for the invoice and contract for the paid license of Qt. The reply to such a request should not cause problems, and will eventually allow us to get the support of another injured copyright owner.

@Avamander

@ad-m @majkrzak

If FOI or similar laws do not apply in this case, could they be or have they been informed (in Polish) that they're violating the licenses of multiple projects and mustn't distribute those binaries?

@ad-m

ad-m commented Apr 2, 2020

could they

Who?

@Avamander

@ad-m

Who?

The ministry/institution that runs the gov.pl website that currently distributes the e-dowód software.

@Keij0

Keij0 commented Apr 2, 2020

Responses translated to English

Vendor response

Dear user, due to security concerns, the source code of the application is a secret of the company and can't be publicly shared. Team eDO

Hello,

Please share the source code of the e-dowód Menedżer application, especially of its open source components like e-dowod-pkcs11-64 licensed under LGPL

Best regards,
Piotr Majkrzak

EULA head

Commercial copyrights of "e-dowód" application, which includes "e-dowód Menedżer", "e-dowód Podaj CAN", and "e-dowód Pomoc" and "Dokumentacja użytkownika MdO" document belong to Polska Wytwórnia Papierow Wartościowych (also called PWPW S.A.), located on Sanguszki 1 Street, Warsaw are protected by <Polish copyright law identificator in polish law system, you can see the document on the internet, but I guess it's only available in polish>

@ad-m

ad-m commented Apr 2, 2020

In general, FOI law is about getting information (this corresponds to a GET request in HTTP, for ease of explanation) and is guaranteed by art. 61 of the Polish Constitution. In order to influence the operation of an institution (POST, PUT, PATCH in HTTP):

  • everyone has the right to submit petitions, applications and complaints in the public, own or other person's interest with their consent to public authorities (Article 63 of the Polish Constitution),
  • the copyright owner can take legal and judicial actions.

At the weekend I will try to find a moment to neatly formulate a petition to the Ministry of Digital Affairs to verify the license status of the project and consider - at least temporarily - suspending publication of the application binary until the legal doubts are removed. If anyone would like to co-sign the petition (this is not required) - please contact me.

@Keij0

Keij0 commented Apr 3, 2020

@ad-m Is there any valid way to sign the petition online?

@majkrzak
Contributor Author

majkrzak commented Apr 3, 2020

<joke>
@Keij0 You can make qualified signature with your ID
</joke>

@majkrzak majkrzak changed the title Polish e-Dowód management tool voiliates OpenSC LGPL license Polish e-Dowód management tool violates OpenSC LGPL license Apr 3, 2020
@martinpaljak
Member

@ad-m the case here should be to get them to comply with licenses, that is: publish source code and give credit. Not to pursue "cease and desist".

Open source wants to spread (suspending publication does not allow it) and it wants "freedoms" to be granted to users, in the form of source code. As a copyright holder I'd prefer a big red sign on the downloads page "this software includes OpenSC, OpenSSL and Qt" until the source code issue is fixed, rather than that download page disappearing from the internet. And ASAP a "here is the source code for the download" link to appear next to the download links, that would direct to GitHub, if possible. The appearance of the latter is what this issue should be tracking.

@Devligue

Devligue commented Apr 3, 2020

Isn't this a case for http://gpl-violations.org/?

To provide some background about Open Source license infringement in Poland I think the first loud case was the one from 2010 when eClicto was released. You can read more about it here on page 5. Unfortunately there is no information about how it ended.

@martinpaljak
Member

@Devligue OpenSC is LGPL, not GPL and I don't see any immediate value gpl-violations could provide.

During a previous case I got assistance from FSFE, in the form of a lawyer who understood the topic of IP as well as spoke the local language, and that helped a lot.

I'd first try to reach some decorated person from pwpw.pl (supervisory board member referred by @hillar is a good target) and if there is no reply or the reply is not sufficient, I'd pursue official government channels with gov.pl and also vrm.lt who distribute that software. Unless there is no reply or the reply is not satisfactory ("we will fix things next fiscal period, maybe" or similar BS) I'd pursue other avenues. From personal experience, I can say that even with best intentions bureaucratic processes can take anything from 6 to 12 months, especially currently (covid19 and summer coming).

@adibo

adibo commented Apr 3, 2020

Whatever the outcome of the FOI approach would be (and the Polish government has some history of neglecting FOI requests), if this is really the case (as it reasonably seems to be), perhaps the first (and wise) thing to do - and in parallel - would be to issue a formal "call to stop copyright infringement" (in Polish: "wezwanie do zaprzestania naruszania praw autorskich") by the copyright owner (!!) towards the violating party. This step does not require any court interaction, nor does it require collecting responses from the party.

@KamilaBorowska

KamilaBorowska commented Apr 3, 2020

Sent a request for the list of licenses of e-Dowód to the Ministry of Digital Affairs (I believe this is more likely to succeed, as they distribute the software, PWPW merely developed it); I will provide their response when they respond. Of course, additional requests are welcome.

@quetzalcoatl

quetzalcoatl commented Apr 3, 2020

@adibo small correction: it should be "zaprzestania naruszania" instead of "zaprzestania naruszenia". It's a subtle difference, something close to "had been infringing" versus "is infringing now". "Naruszenia" goes with "wezwanie do usunięcia naruszenia praw autorskich" (="call to remove copyright infringement"), which is also quite useful phrase -- it's used when you want to call someone for example to remove infringing materials, or to fix/patch something that currently goes against license (i.e. formally correct the copyrights wording, publish affected code, acknowledge authors, etc).

@adibo

adibo commented Apr 3, 2020

@quetzalcoatl corrected!

@ad-m

ad-m commented Apr 4, 2020

I suggest you stay calm. There is no reason to accept bad intentions for actions that can be explained by ignorance.

The energy obtained through emotional agitation can be used for constructive actions so that the government's project activities in this area are corrected.

If you expect the attention of the press - you can legibly present the topic (nowadays specialist knowledge of the LGPL license and expectations of the FOSS community to understand the problem are required) and provide information to the press. Press inquiries to the spokesperson can provide us with valuable information about a government project.

@quetzalcoatl

quetzalcoatl commented Sep 5, 2020

@ad-m I didn't notice earlier that you're affiliated with Citizens Network Watchdog Poland. I only noticed it through code commits on the GitHub repository of https://porady.siecobywatelska.pl/ . Excuse the noise I generated, I was not aware that the Watchdog is already involved.

@ad-m

ad-m commented Sep 6, 2020

Yes, I am a member of Citizens Network Watchdog Poland (SOWP). It's always nice to hear someone noticing our work and informing others about it. 😸

I am acting privately in this issue so far, but using the knowledge gained through working with SOWP. If I need help - I know that I can count on the support of SOWP.

Additionally, I notice that at the beginning of the thread I wrote:

@jadeszek , Unfortunately, several court cases show that the courts do not recognize the source code as content by the procedure written in natural language and do not consider it subject to the provisions on access to information (FOI law). Due to the specific legal structure of company and reference to business secrets, this can be additionally difficult and generate a long-term court dispute. Citizens Network Watchdog Poland may provide legal expert in this area.

In addition, administrative courts in Poland do not have the right to appoint an expert, so judges must assess documents and assess them on their simple (in terms of technical knowledge) mind. Lack of technical knowledge among judges is conducive to building secrets so as not to order too much to be revealed due to lack of own knowledge.

I think that it is worth considering - due to the less popular - use the provisions on the re-use of information from the public sector. ePaństwo Foundation ( http://epf.org.pl/ ) may have experience in this area.

@olekstomek

olekstomek commented Feb 9, 2021

Responses translated to English

Vendor response

Dear user, due to security concerns, the source code of the application is a secret of the company and can't be publicly shared. Team eDO

Hello,
Please share the source code of the e-dowód Menedżer application, especially of its open source components like e-dowod-pkcs11-64 licensed under LGPL
Best regards,
Piotr Majkrzak

The information is similar in the act. I attach a file to the act with technical information: D2019000040001.pdf

The technical specification of the electronic layer of the identity card, in the part describing the detailed manner of implementing the security requirements, may constitute a trade secret within the meaning of Article 11(2) of the Act of 16 April 1993 on Combating Unfair Competition (Journal of Laws of 2018, items 419 and 1637).

Loose translation:

Technical specification of the electronic layer of the ID card in the part in which it is described the detailed manner of implementing safety requirements may be a mystery enterprises within the meaning of art. 11 sec. 2 of the Act of April 16, 1993 on combating unfair competition (Journal of Laws of 2018, items 419 and 1637).

@stikonas

stikonas commented Mar 5, 2021

A similar case in Signal now, also by a Polish company signalapp/Signal-Android#11054 facepalm

The only common thing between these two cases that I can see is that it's done by Polish company. Other than that I can't see how the other case is relevant here. There are a lot of copyright infringement cases, some are bound to be from the same country.

@ad-m

ad-m commented Apr 20, 2021

Ref. no. II SAB / Wa 530/20

JUDGMENT DECISION OF THE COURT IN THE NAME OF THE REPUBLIC OF POLAND
Provincial Administrative Court in Warsaw composed of the following:

  • Judge of the Provincial Administrative Court Ewa Radziszewska-Krupa (chairman)
  • Judge of the Provincial Administrative Court Ewa Kwiecińska
  • Judge of the Provincial Administrative Court Agnieszka Góra-Błaszczykowska (rapporteur)
    after examination in the simplified procedure on March 12, 2021, the case from the complaint of Adam Dobrawy against the inaction of the Minister of Interior and Administration regarding the examination of the application of April 4, 2020 for disclosure of public information
  1. finds that the Minister of the Interior and Administration has been inactive;
  2. states that the inactivity of the Minister of Internal Affairs and Administration did not take place with a gross violation of the law;
  3. orders the Minister of the Interior and Administration to pay the applicant Adam Dobrawy the amount of 100 (one hundred) PLN as reimbursement of the costs of the proceedings.


@tomato42

The fifth paragraph from the end is rather interesting, stating (loosely) that "information on how an authority functions or is organized—and information about source code is of this kind—is of a technical nature and as such doesn't constitute public information [in the context of freedom of information]" ... "It is also unquestionable that making some technical information public may publicise information that has a significant impact on the security of a given IT solution".

Rest is just restating the facts, what the Ministry should have done, the base for the judgment of inactivity for the Ministry, and that while it was inactive, because it didn't have the information, it wasn't a gross violation.

@martinpaljak
Member

martinpaljak commented Apr 21, 2021

There was some direct e-mail communication with some of the parties involved on this ticket as well.

This is how the story went in a nutshell:

  • notices from different people in .pl, denied (as explained above in this ticket)
  • notice from copyright holder (me, Apr 17 2020): denied, "a possible violation is a complex issue", "can't reply now, will take at least a month to even confirm potential violation. We take these things very seriously as we are a security company after all. Also COVID"
  • repeat notices from copyright holder (me): after radio silence from PWPW "we can't confirm a potential license violation, but we need more time, this is complex (covid) and we take it seriously"
  • finally a sudden notice (Jun 10 2020) from PWPW e-mail address:

"At the moment, we cannot explicitly state how we may be able to meet the requirement of the LGPL licence when it comes to OpenSC.
Therefore, we have decided to do our best to immediately withdraw the publication of the indicated version of the e-dowód software.
The e-dowód software that is currently being provided by PWPW S.A has no OpenSC dependencies.
We believe that such a solution is an effective response to any doubts regarding the licence."

If you need time to work on a version that fixes the violation, just say it. But the strategy of denying and perplexing? My verdict on the approach by the company: "1/10, would not recommend".

But the original license issue can be closed.

@mgorny

mgorny commented Apr 21, 2021

Didn't a recent comment (#1992 (comment)) indicate that they've spent that time not removing the dependency but hiding it?

@majkrzak
Contributor Author

@mgorny Most likely they have rewritten it. Although it is hard to say without deeper analysis if this is their own solution now or it is still derived work.

@nuschpl

nuschpl commented Oct 23, 2022

Even if they have hidden/removed this now, they derived from LGPL code in the past, so they need to share the source from the past.

@lukasz-zaroda

@nuschpl It doesn't work that way. GPL cannot infect code base unintentionally. If some MS intern would add a bit of GPL code to the Windows' codebase it wouldn't change the whole Windows to GPL. They would just admit a mistake and remove it.

@Czaki

Czaki commented Oct 24, 2022

If some MS intern would add a bit of GPL code to the Windows' codebase it wouldn't change the whole Windows to GPL.

No intern in Microsoft could add anything to Windows codebase. He could only make a proposition of change that could be accepted by some seniors. So the senior will be the person introducing such code.

And MS regularly opens its code because of GPL violation https://www.infoworld.com/article/2630874/microsoft-violated-gpl-before-linux-code-release.html

@lukasz-zaroda

That was just an example, you cannot accidentally turn your whole codebase GPL, that would be ridiculous. You could think about malicious senior instead of intern. You can agree to license only intentionally. If they released some code instead of rewriting it, good for them. I guess it was just less work.

@KamilaBorowska

If some MS intern would add a bit of GPL code to the Windows' codebase it wouldn't change the whole Windows to GPL.

No intern in Microsoft could add anything to Windows codebase. He could only make a proposition of change that could be accepted by some seniors. So the senior will be the person introducing such code.

And MS regularly opens its code because of GPL violation https://www.infoworld.com/article/2630874/microsoft-violated-gpl-before-linux-code-release.html

Note that context matters here. Microsoft essentially had a choice between releasing Hyper-V driver as GPL or not having Hyper-V paravirtualization support for Linux (as kernel modifications would be necessary for that). Hyper-V working with Linux was absolutely critical for it (Microsoft themselves has said that on Microsoft Azure, Linux is used more often than Windows), so they went with releasing the source code.

@nuschpl

nuschpl commented Nov 6, 2022

@nuschpl It doesn't work that way. GPL cannot infect code base unintentionally. If some MS intern would add a bit of GPL code to the Windows' codebase it wouldn't change the whole Windows to GPL. They would just admit a mistake and remove it.

Besides what was already said above, the context proposed by you is irrelevant. What's at issue here is that a particular GPL library was modified and there is an obligation to share the code of the modified version. In the case of your intern example the scope would be limited to the work derived from GPL code. So it doesn't affect the whole business of the company unless the whole business was derived from such code, which is very unlikely to happen. Additionally, big corporates usually have SAST scanners which, in addition to hints about code quality or security state, mention the licensing state of particular components, often along with a dedicated department assuring due diligence. We can't say a company could ignore international laws that are the base of today's economy just because such a company says "it was not intended".

@lukasz-zaroda

lukasz-zaroda commented Nov 8, 2022

What's the case here is about that particular GPL library was modified and there is obligation to share code of modified version.

And what is the source for this statement? There is no absolute obligation like that. At worst, they could be sued by owners of the rights to the actual GPL, and they could demand exposing of the code, but I can guarantee that no court would treat it like an absolute obligation. If the company would be able to convince the court that it was a mistake, the case would be settled in a much less radical manner (they would donate money to some open-source foundation or whatever). These things don't work in absolute manners, and GPL isn't a word of God.

@frankmorgner
Member

closing with #1992 (comment)

@nuschpl

nuschpl commented Jan 30, 2023

@frankmorgner I don't get why you've closed this based on a single opinion. The license was violated and is being violated unless the source code is shared - derived work was already done and the derived code was not shared. The fact that the derived work is hidden or even deleted from places on the internet doesn't change that fact.
Have you closed this because somebody asked you, or because your organisation Bundesdruckerei GmbH has business relations with PWPW S.A.?

@frankmorgner
Member

Sigh... I closed this issue because Martin stated above that the original license issue can be closed. And if it is correct that "the e-dowód software [...] is currently being provided by PWPW S.A [with] no OpenSC dependencies", then I would consider this issue solved as well. To my understanding, there is no legal binding for getting the source code of older releases that aren't distributed anymore. Please let us know if there is still a problem with the current release.

I'm managing OpenSC in my free time for fun and education and I hope to continue the "fun" part also in the future...

@grepwood

grepwood commented Feb 12, 2023

I'm unsubscribing from this sad issue. Next time you want to finesse source code out of somebody you can try:

  • getting their dox so you can sue them into submission in a court of law; that was the obvious course of action after they tried to deflect FOIA-like requests
  • escalating things to a higher authority (like EU Tribunal) than some generic kangaroo court
  • going full-Mitnick on their ass and social engineering the source code out of some clueless schmuck working at their office if you feel like breaking some lawl eggs to make graet justice an omlette (this is not serious advice but ngl it is quite lulzy)

Bye and thanks for all the fish.

@martinpaljak
Member

@frankmorgner @Jakuje maybe discussions should be enabled for OpenSC? 🤔 (and this ticket closed for changes)

@nuschpl this is an open source project by volunteers. Issues are meant for tracking bugs and other types of actionable items, for developers and contributors. As someone who actually has copyright claims on parts of the OpenSC source code (and who communicated with pwpw on this matter), the "solution" by pwpw was legally (not morally) sufficient for my taste and maybe I should have closed the issue myself. Transparency and disclosure are important, but please pause and think before posting/asking conspiracy-theory-style questions like in #1992 (comment)

@nuschpl

nuschpl commented May 5, 2023

Let's get back to the merits:
"The license was violated and is being violated unless source code is shared - derived work was already done and derived code was not shared. The fact that derived work is hidden or even deleted from places in the internet doesn't change that fact"

@martinpaljak
Member

Feel free to bring this over to Discussions: https://github.com/OpenSC/OpenSC/discussions/categories/general

@mgajda

mgajda commented Jul 12, 2023

It is also an important public interest that citizens of Poland could use the above source code to make new applications using their e-ID cards.

Otherwise the commercial provider and license violator can keep them locked in to proprietary software without making e-ID functionality really open to the citizens.

I conclude that the issue was closed despite non-compliance, and against important public interest.

@frankmorgner
Member

Checking e-dowód 4.3.0, which is currently distributed, I didn't find any signs of OpenSC being used anymore. Also, the OpenSSL license is now shown during installation. Since no other version that may violate OpenSC's LGPL is being distributed anymore, AFAICT there is no legal obligation to publish e-dowód's source code.

That being said, you could now try asking for the old and outdated version of e-dowód's implementation of OpenSC. Since it is not used anymore, there should not be any "security risk" in publishing this code.

@OpenSC OpenSC locked as resolved and limited conversation to collaborators Jul 18, 2023