User Products under LGPL-3.0
Why does it Matter?
If your product uses Qt or any other library under LGPL-3.0, it is important to know whether it is a B2C or B2B product. If it is a B2C or user product, you must allow its owner to install a modified version of Qt on the product and to run the product with the modified version. In the case of an embedded device, this implies that the owner must be able to (cross-)build Qt for the target device, install Qt on the device and run the Qt application on the device. To exercise these rights, the owners may need passwords for accessing the device, cryptographic keys for signing the Qt libraries, an SDK and other things.
Too many manufacturers are terrified by the idea of modified software on their products. If users can, for example, install a modified Qt version on their baking oven, the modifications could make the oven overheat and set the house on fire. Or, the oven could steal data from phones and computers in the same network. If it were so easy to circumvent the safety and security measures of the oven, the manufacturer would be in for heavy fines, if not for a sales ban (GDPR, EU Cyber Resilience Act, safety standards, etc.). Typically, these manufacturers are unwilling to invest in a proper security or safety architecture.
But hang on: Why should rightful owners damage their own ovens, TVs or cars on purpose!? The LGPL-3.0 grants the right to install a modified version on a product only to people who are in rightful possession of the product. And manufacturers can even void the warranty and liability for the product if owners install modified software. This makes the situation a lot less dramatic.
Some manufacturers of B2C products argue that the costs of allowing owners to install modified Qt versions on the product are simply too high. This is a weak argument, as most products can already be updated with new features or security fixes. If not, new regulation like the EU Cyber Resilience Act will soon force them.
The best news is that manufacturers of B2B products do not have to allow the owners of their products to install modified versions of LGPL-3.0 software on their products. So, the anti-tivoisation clause (GPL-3.0, Section 6) - the right to install modified software on a product - applies only to B2C products, not to B2B products.
What is a User Product?
A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling.
GPL-3.0, Section 6, referred to as “Definition of User Product”
Examples of type-1 user products or consumer products are phones, TVs, set-top boxes (STBs), smart speakers, coffee makers, cars, vacuum cleaners, lawn mowers and power drills. Examples of type-2 user products are the heat pumps, heating systems, photovoltaic systems, thermostats, video door bells and home appliances installed in the place you live (e.g., room, flat, house). You could classify home appliances as consumer products as well. As long as a product fits into at least one of the two categories, it is a user product.
Examples of non-user or B2B products are tractors, harvesters, trucks, professional appliances, security systems for offices and medical devices used in medical practices and hospitals. While the classification of the first three examples should be clear, the classification of the last three needs some clarification. The GPL-3.0’s definition of “normally used” may help.
In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used” refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
GPL-3.0, Section 6, referred to as “Definition of Normally Used”
Cooking devices for preparing meals for dozens, hundreds or even thousands of people in canteens and restaurants are B2B products. Even if a few hobby cooks use such a device to cook for their family and friends at home, “the only significant mode of use” of the device is for business purposes. Usually, a private person doesn’t prepare 100 steaks at the same time and doesn’t have the space for such a huge device in their homes. Moreover, manufacturers sell professional appliances only to businesses and not to private persons. The same argument applies to trucks as well as agricultural, construction and industrial machines.
If a product is used both by private persons and businesses, the product must be classified as a user product. Suppose a business produces security systems for home owners. The product also becomes popular among small and medium businesses. The business sells 70% to private persons and 30% to businesses. Although this is a substantial business use, business use is certainly not the only significant way of using the security system. So, it's a user product.
The same reasoning applies if the business sells 80% to businesses and 20% to private persons. 20%, 10% and even 5% still constitute a significant private or personal use. So, business use is not the only significant mode of use. The security system is still a user product. If, however, the security system is only sold to businesses who use it to protect residential and commercial buildings, it is a B2B product. Whether the odd millionaire uses the security system to protect his villa doesn’t change anything.
Medical devices give rise to some tricky differentiations. Polysomnography (PSG) tests whether patients suffer from a sleep disorder. For a stationary PSG, patients stay overnight in a sleep lab. PSG devices monitor brain activity (EEG), eye movement (EOG), muscle activity (EMG), heart rhythm (ECG), respiratory airflow, blood oxygen saturation and other body functions. The patient is wired up to many instruments. Type-1 PSG is only performed in hospitals or special medical practices. Such a sleep lab is clearly a business product under the (L)GPL-3.0.
For an ambulatory PSG, the patient is wired up - by trained personnel in the hospital - with a single device that can monitor the respiratory airflow and blood oxygen saturation. The patient sleeps overnight at home and brings back the device the next morning. A doctor assesses the result of the PSG. As it requires trained personnel to wire up the patient and a doctor to interpret the results, the patient is not the user of the mobile PSG device. Hence, such a device is a business product and not a user product.
The hospital gives the patient a watch-like device to monitor the heart rhythm and the blood oxygen saturation. The device sounds an alarm to wake up the patient if the parameters reach critical values. The device is paid for by health insurance at least for the duration of the therapy, maybe even longer. Now, the patient is clearly the user. Moreover, the following characteristic of a user product holds:
the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized)
GPL-3.0, Section 6, referred to as “Transfer of Possession”
The “right of possession” is transferred from the hospital to the patient for a long time, if not forever.
In the section Why does it Matter? above, I always used the term “owner of the product” and never “user of the product”. I did that on purpose. The owner is the person or legal entity who is in rightful possession of the product. The owner gains rightful possession of a product by buying it, renting it, subscribing to it, borrowing it, or receiving it as a present. The user need not be the owner, although the user often is.
Vending machines are a good example where the owner is not the user. And that makes the difference between a user and a business product. A manufacturer sells vending machines to businesses who set them up at airports, at train stations, in public places, in restaurants or in offices and operate them. Users purchase products like beverages, snacks, cigarettes, flowers and tickets from the vending machines.
The users are never the owners of the vending machines. They pay for the goods provided by the vending machine. They are the owners of the beverages, snacks and other goods. The businesses operating the vending machines are the owners. They become the owners when they buy or rent the vending machines from the manufacturer. In short: vending machines are business products. Neither the users nor the operators of the vending machines have the right to install a modified Qt version on the vending machine.
How do You Provide the Installation Information?
“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
GPL-3.0, Section 6, referred to as “Installation Information”
The most important point is: You need not provide the installation information for business products. You must only provide the installation information for user products.
For an HMI application using Qt under LGPL-3.0 and running on an embedded Linux system, the installation information includes an SDK so that users can cross-build their modified Qt version for the target device and a way to install the modified Qt version on the device. This could be the same environment the developers use in their daily work.
You can install a modified Qt version on an embedded device in many ways:
If the device has a USB port, the user copies the modified Qt libraries onto a USB drive and plugs the USB drive into the device. The main application offers a feature to install modified Qt libraries on the device.
If users have ssh access to the device, they can simply copy the modified Qt libraries to the device with scp.
If offline updates via USB are the standard way to update your device, you provide a script that creates an update archive with the modified Qt libraries. Because such an archive is either unsigned or signed with a special key, the application performing the update can tell whether it is an official update or not.
If your device is normally updated over the air (OTA), users can use this mechanism to install their modified Qt libraries. They create an update archive with the modified Qt libraries and upload it to the update server. As the upload is not from an official source, the update server marks the update, say, as “private” or “lgpl3”. The user installs the update on the device in the usual way. The beauty of this approach is that the manufacturer doesn’t need to provide any passwords or cryptographic keys that the user doesn’t have already.
Similar to the checks in the App Store, you can check - automatically or manually - that the update uploaded by the user doesn’t do anything malicious or dangerous. The user can install the update on the device only if the update passed the check.
Software for medical devices must run through strict safety and security certification and intensive testing before it can be installed on the device. The manufacturer can perform these checks as an elaborate “App Store test” and charge the user the full costs for the check. Once the user’s modifications passed the tests and the user paid the fees, the user can install the modified software on the device.
If the changes to the libraries don’t break the interfaces, the user must be able to run the application with the modified libraries. The user is responsible for ensuring interface compatibility. You must provide all the passwords and cryptographic keys the user needs to install and run the modified software.
You must not make the installation process more difficult for users exercising their LGPL-3.0 rights than for users installing the official software. But you don’t have to make it easier either. And, you can charge for the actual costs for installing the modified software. The GPL-3.0 gives you even more rights to ensure that your device operates in a safe and secure way.
The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
GPL-3.0, Section 6, referred to as “Void Warranty”
If the owner installs modified Qt libraries on a baking oven, the manufacturer can void the warranty for the oven, can stop any support and doesn’t have to provide software updates any more. The manufacturer could even forbid the further operation of the oven because of safety concerns. This is true for any user product.
If the device detects that modified software was installed by the user, say, by a signature check, the device can warn prominently and regularly about it. For example, the background of all GUI screens could be red from now on. Or, a status icon could be flashing regularly.
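The following Go program is an added example, not code from this post or from Qt: it sketches how an on-device updater can tell an official update from a user-built LGPL-3.0 archive (as in the USB and OTA variants above) and switch on the "modified software" warning afterwards. The archive layout (a map of file paths to contents), the sorted SHA-256 manifest, the ed25519 release key and the "lgpl3" marker file are all assumptions made for the example; the library path and file contents are constructed sample data. Integrity is checked first, so a manifest that does not match the payload is rejected whatever its provenance; only then does a valid manufacturer signature mean "official" and the marker mean "user-modified".

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// UpdateKind is the updater's verdict on an incoming archive.
type UpdateKind int

const (
	Rejected     UpdateKind = iota // integrity failure or no usable provenance
	Official                       // manifest signed by the manufacturer's release key
	UserModified                   // unsigned, but carries the LGPL-3.0 marker: user-built
)

func (k UpdateKind) String() string {
	return [...]string{"rejected", "official", "user-modified"}[k]
}

// Archive is a constructed stand-in for an update archive (no real tar handling here).
type Archive struct {
	Files    map[string][]byte // path -> contents, e.g. the rebuilt Qt libraries
	Manifest []byte            // "sha256  path" lines, sorted by path
	Sig      []byte            // ed25519 signature over Manifest; empty for user builds
	Marker   string            // hypothetical marker file, "lgpl3" for user builds
}

// BuildManifest hashes every file and lists them in sorted order, so a single
// signature over the manifest deterministically covers the whole payload.
func BuildManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var buf bytes.Buffer
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&buf, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return buf.Bytes()
}

// NewReleaseKey generates the manufacturer's signing key pair. In practice the
// private half stays in the release pipeline; only the public half ships on the device.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// MakeOfficialArchive is what the manufacturer's release pipeline produces.
func MakeOfficialArchive(priv ed25519.PrivateKey, files map[string][]byte) Archive {
	m := BuildManifest(files)
	return Archive{Files: files, Manifest: m, Sig: ed25519.Sign(priv, m)}
}

// MakeUserArchive is what the script handed to the owner produces: the same
// layout, no manufacturer signature, just the marker.
func MakeUserArchive(files map[string][]byte) Archive {
	return Archive{Files: files, Manifest: BuildManifest(files), Marker: "lgpl3"}
}

// Classify decides how the device treats the archive.
func Classify(a Archive, releasePub ed25519.PublicKey) UpdateKind {
	if !bytes.Equal(BuildManifest(a.Files), a.Manifest) {
		return Rejected // payload does not match the manifest: never install
	}
	if len(a.Sig) > 0 && ed25519.Verify(releasePub, a.Manifest, a.Sig) {
		return Official
	}
	if a.Marker == "lgpl3" {
		return UserModified
	}
	return Rejected
}

// UIState maps the verdict to the HMI: install or not, and whether the
// prominent "modified software" warning (red background, flashing icon) is on.
func UIState(k UpdateKind) (install bool, warn bool) {
	switch k {
	case Official:
		return true, false
	case UserModified:
		return true, true
	default:
		return false, false
	}
}

func main() {
	pub, priv := NewReleaseKey()
	// Constructed sample payloads standing in for the Qt libraries.
	official := MakeOfficialArchive(priv, map[string][]byte{"usr/lib/libQt6Core.so.6": []byte("vendor build")})
	user := MakeUserArchive(map[string][]byte{"usr/lib/libQt6Core.so.6": []byte("owner's rebuilt Qt")})
	for _, a := range []Archive{official, user} {
		k := Classify(a, pub)
		install, warn := UIState(k)
		fmt.Printf("%-13s install=%v warn=%v\n", k, install, warn)
	}
}
```

The marker deliberately grants nothing beyond what the page describes: it does not bypass the integrity check, it cannot make an archive look official, and the only effect of a user build is that the device installs it and keeps warning about it.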
My Content
I gave two talks at QtGreece 2023:
Ports-and-Adapters Architecture for Embedded HMIs (slides). My talk is based on my post Ports-and-Adapters Architecture: The Pattern. I look at the architecture from a production, testing and team perspective.
Using Qt under LGPL-3.0 (slides). I explain how to use Qt under LGPL-3.0 on embedded Linux systems. You can find a lot more information in my post Using Qt 6 under LGPLv3.