Fortinet Under Fire for Allegedly Violating GPL Terms

By Peter Galli  |  Posted 2005-04-14

Fortinet Under Fire for Allegedly Violating GPL Terms

A German court has issued an injunction against Fortinet (UK) Ltd., the British subsidiary of Fortinet Inc., the Sunnyvale, Calif., company that produces firewall and antivirus security software products.

The project uncovered alleged violations by Fortinet (UK) Ltd. of the GPL (GNU General Public License); specifically that Fortinet used GPL software in certain products and then used cryptographic techniques to hide that usage.

The project, whose goal is to raise public awareness about past and present infringing use of GPL-licensed software, said in a news release Thursday that a district court in Munich, Germany, has granted a preliminary injunction against Fortinet Ltd., banning it from further distributing its products until they are in compliance with the GPL.

One of the tenets of the GPL is that while it does not charge any royalties for use of the software source code, all distributors have to provide the full corresponding source code and a copy of the full license text.

Not only did Fortinet Ltd. not do so, according to Harald Welte, a Linux Kernel developer and the founder of the project, but it "actively tried to hide that violation," he said.

Asked by eWEEK if the German injunction would affect the companys ability to sell its products in the United States, Michelle Spolver, director of worldwide public relations at Fortinet, told eWEEK that it would not.

In an interview with eWEEK, Welte said he agrees with that assessment, but he added that any noncompliant distribution of GPL-licensed software is a copyright infringement in any country that has a copyright system and signed the respective international treaties.

"If Fortinet actually continued to disregard the license terms in the U.S. or some other jurisdiction, this would mean that we need to take legal action there. That is something Im not quite happy to do, but which I certainly would consider if the need arises," he said.

"Fortinet recently became aware of Mr. Weltes allegations and has, in good faith, been diligently working with him to resolve this matter outside of the German court system," the company said in a statement.

"Fortinet is actively taking steps to ensure that its products are compliant with GPL requirements. Therefore, Fortinet is surprised that Mr. Welte pursued a preliminary injunction against Fortinet in Germany and believes that this is an unnecessary action. Fortinet is continuing its efforts to expeditiously resolve this matter with Mr. Welte," the statement said.

Fortinets Spolver declined to comment further, saying the company is involved in legal discussions with Welte on the matter.

Next Page: A 30-day window for negotiations.


Welte said he is not aware of any legal action under way in the United States on this matter, adding that the enforcement body, the Free Software Foundation, prefers a "much more quiet approach to GPL enforcement."

"This is partly a strategic difference, and partly due to the difference in how the legal system works," he said.

"Here in Germany, you basically only have 30 days from discovery of an infringement for negotiations. Only within 30 days you can apply for injunctive relief. If you apply any later, the court would rule that the matter is not urgent, and you should go for a regular copyright trial, which would last years," he told eWEEK.

Click here to read about the Free Software Foundation targeting RTLinux for GPL violations.

Fortinet sells the FortiGate and FortiWi-Fi products, on which, Welte said, "Fortinet claims to run the FortiOS operating system. However, as the project uncovered, FortiOS is using the Linux operating system kernel and numerous other free software products that are licensed exclusively under the GNU GPL. This information was not disclosed by Fortinet," he said.

Asked to be more specific, Welte said the violations occurred in "all FortiGate and FortiWi-Fi products, that is, FGT60, FGT100, FGT200, FGT300, FGT400, FGT500, FGT800, FGT1000, FGT3000, FGT3600, FGT4000, FGT5000 and FWF60."

"The software in question includes, but is not limited to, the Linux kernel Version 2.4.18,; the UCL data compression library; the Reiser file system [reiserfs]; l2tpd; the GNU C Library [glibc]; and the GNU zlib Compression Library [zlib]," he said.

However, the injunction was issued only on "initrd," which is part of the Linux kernel and the "only piece of code in their devices that I hold copyright to," he said.

Going forward and as a settlement, Welte and want Fortinet to include a copy of the GPL license text with every product, to include the full corresponding source code or a "written offer" indicating the source codes availability on some Web site, and to ensure that both requirements are met for distribution of physical products as well as for firmware updates that could be downloaded, he said.

Infringing companies often request a grace period during which they can sell already produced and noncompliant products, Welte said. "This is acceptable to us, but in that case, we insist on some kind of donation," he said.

Outside of that, "it would be nice to see them making a donation to organizations within the free and open-source software community, but that is totally up to Fortinet itself. That is not a condition or requirement from our side," he told eWEEK.

Welte said he is always open for negotiation. "In fact, my lawyer just received a call from Fortinet some hours ago, indicating their interest in a settlement," he said.

Welte said the court-ordered injunction follows a warning notion from the project last month, Fortinet Ltd.s failure to agree to and sign a cease-and-desist agreement, and the inability to reach a negotiated, out-of-court settlement in a timely manner.

Check out eWEEK.coms for the latest open-source news, reviews and analysis.

Rocket Fuel