GPG Suite might now be in violation of the GPL License


Mike Robinson

23 Sep, 2018 05:57 PM

Although the GPL licenses which govern GPG "shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources," it does state that "The program must include source code, and must allow distribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost, preferably downloading via the Internet without charge." And, with regard to derivative works such as GPGSuite might be considered to be, they "must be distributed under the same terms as the license of the original software."

For a number of years, GPGSuite was truly "open source software," but the GitHub repository has not been updated in a number of years and e.g. the mail plug-in "does not support Sierra." However, the most recent version does obviously support Sierra. Therefore, it is obvious that the product continues to be maintained by you, but that it is no longer "free and open-source software."

However, GPGSuite, Inc. as the vendor of a now-proprietary and closed-source software product continues the deceptive trade practice of falsely claiming on its web-site that it remains open-source, and points to a GitHub repository that no longer contains the actual source code to the product. The most-recent version now demands payment for "support," but offers a "30-day trial," after which presumably the software will cease to run. (And if in fact it does not, GPGSuite is engaging in the deceptive trade practice of offering the false pretense that it will do so.)

Your installation does not state that the software is now proprietary, giving no indication until such point that you engage in the deceptive trade practice of demanding payment for what you falsely represent to be free and open source software.

Having broken the copyright license terms of the GNU Public License, GPGSuite, Inc. no longer has the intellectual property rights to continue to use the "GPG" software, nor to use "GPG" in its product name. You cannot have it both ways.

You would do well to engage legal counsel, because your present stance is unlawful and is bound to very quickly attract the attention of the crypto community. To cure the situation, you must return to compliance with the GPL Licenses. You must furnish and maintain the actual source code to the product on GitHub or another public server of your choice, and you must not attempt to impose any sort of "time limit" nor to require payment under any pretense whatsoever. If you are unable to financially continue to support the product based on the donations you have so far received, you can relinquish it to the custodianship of another interested party.

  1. 1 Posted by Luis Puerto on 23 Sep, 2018 06:16 PM


    Besides all the other comments, some of which are really to the point, I really think this is the most important issue here.

    Are they breaking the open-source license? Perhaps they have been breaking it for a long time by not publishing the source code.

    I hope they return to the road of reason and make the software free again, and if they really want to charge for maintaining it, look for another solution. There is plenty of open-source software that charges a fee for premium services.

  2. 2 Posted by Bubba Singh on 23 Sep, 2018 06:32 PM


    " If you are unable to financially continue to support the product based on the donations you have so far received, you can relinquish it to the custodianship of another interested party." Well...

    ... as long as they pony up and comply with the requirement to make the source code freely available, anybody can then simply fork it into a new independent project, modify it at will (perhaps starting by addressing the EFAIL security vulnerability) and package it accordingly. And, of course, individuals are also perfectly within their rights to compile it themselves.

    Ironically, a new group of dedicated and competent Devs wishing to pursue the former who can show integrity and professionalism (more irony), should be able to make a good case for donations, if so desired, in light of the outrage resulting from the complete opposite shown by this crew.

    The good intentions shown by those who have already acquiesced to the extortion at hand are, in my opinion, a bit hasty. The funds may be at risk if it turns out that these boys may not be around in their present organisational format. This likelihood is great.

  3. 3 Posted by Nicola Apicella on 23 Sep, 2018 07:30 PM


    Let's see how this thing develops. I'm planning to contact the FSF for advice on this GPL violation if nothing changes in the next couple of days.

  4. 4 Posted by paul on 23 Sep, 2018 07:59 PM


    Would not have upgraded; no warning this is a paid upgrade!

    Forget the free trial, that sounds like commercial software speak.

    How can I get to the beta channel and bypass the 14 day timeout?

  5. 5 Posted by Thomas_U on 23 Sep, 2018 08:03 PM


    My understanding is that the paid part relates only to the GPGMail part of the Suite while the GNU parts are free and just packaged into the suite for convenience of the user - like always before.

  6. 6 Posted by Dave on 23 Sep, 2018 11:54 PM


    If GPGMail is linked against any GPL code it is governed by the GPL - that's how that licence works.

    Like many other users I am a developer myself, so I don't begrudge anyone earning a living from software - but I clearly separate my work development from my open source contributions and I certainly don't, in an automated update to a free and open source (well it wasn't really was it) project suddenly switch it to a paid product without warning or rollback option.

    The GPL is viral, and in this regard may be inconsistent with your present financial aspirations - but that fact was made abundantly clear to you before you borrowed the hard work of others as the foundation for your own.

  7. Support Staff 7 Posted by Luke Le on 24 Sep, 2018 12:06 AM


    We are terribly sorry that you believe that GPG Suite or GPG Mail for that matter is no longer released under the GPL. It is and will be. We have been told by various people that as long as the activation code can be easily removed from the source code and distribution of self-compiled binaries is not prohibited, we will be fine. We will in fact again contact legal counsel to make sure that we are compliant. As our added FAQ now states, the full source code will be released in a few weeks. During the entire process of writing our Terms of Distribution with our lawyer we discovered that the preambles of most of our source files are not currently making it clear under which license the source code is released; that's the reason why we want to clean this up now once and for all.

    The result of all of this will probably be that GPG Mail will be dual licensed, under GPL and a proprietary license. We do own all of the GPL code GPG Mail is linked against and all changes to code that is not ours can be found in our GitHub repositories.

  8. 8 Posted by Dave on 24 Sep, 2018 12:09 AM


    So where is the updated source code then? I just followed the FAQ link to your GitHub repo and went through the last few commits. This isn't the source we are looking for.

  9. 9 Posted by Dave on 24 Sep, 2018 12:20 AM


    The FAQ actually says "Once released you will find the source code on this website and on Github." As I have been force "upgraded" and cannot roll back I'd say the application has been "released". There is no clause in the GPL or LGPL that mentions any vaguely defined period of time permitted before the source is made available - in fact quite the opposite - the source is either to be distributed with the binary or the binary package is to include instructions (e.g. a weblink) providing access to the source. You have not provided either, therefore you have not complied with the terms of the licence.

  10. 10 Posted by Dave on 24 Sep, 2018 12:26 AM


    Sadly for you I think, whether intentional or not this change seems incredibly deceptive and a violation of trust. Ironic yes? It will likely take a public mea culpa and pretty quick about face to maintain even a modest percentage of your user base. People don't mind paying - they just expect to be given the choice and some sort of explanation before the event.

  11. Support Staff 11 Posted by Luke Le on 24 Sep, 2018 12:37 AM


    @Mike Robinson: the claim that the current source code is not available is only the case for the currently released version, 2018.4 or rather GPG Mail 3. The GitHub repository contains all code up to GPG Mail 3.0b7. The different GPG Mail branches are in different branches. GPG Mail high-sierra branch contains High Sierra code. GPG Mail beta branch contains the Sierra code. GPG Mail dev branch contains the code for GPG Mail from 10.7 - 10.11. Until 2018.4 we have released the source code as a .tgz alongside the current binary.

  12. Support Staff 12 Posted by Luke Le on 24 Sep, 2018 01:22 AM


    It was never our intention to hold back any code, so we decided to release the full source code of 2018.4 now on our website and soon on Github. We will do the clean up of license statement across the code in the following weeks.

    @Dave: simply uncomment the few lines regarding support contract and you should be good to go:

    It is 3:22 in the morning here, so we will respond to any new posts tomorrow.

  13. 13 Posted by Bubba Singh on 24 Sep, 2018 04:49 AM


    Is it just me or have the developers locked-down the Public Discussion forum to everybody? I can hardly blame them for wanting to escape from this sh*tstorm. However, doing so only adds insult to injury and makes the situation much worse than it already is.

  14. 14 Posted by prof on 24 Sep, 2018 05:00 AM


    I, for one, am happy to pay $25 to support your efforts provided

    1. That fee is per-person (i.e., I can use the same license key on all my macs).
    2. It will last for at least a couple of years (i.e., we're not talking about ponying up again for 2019.x, having just paid for 2018.4).
    3. The source code is available so that, if I eventually decide that your terms are too onerous, I can exercise my FOSS rights and compile the software myself.

    Those conditions seem to be satisfied by your (revised) FAQ.

    A lot of the anger that you see expressed hereabouts is directly attributable to the lack of clarity about points 1-3. If only you'd taken the trouble to roll out the new FAQ (and the updated source tarball) before issuing the update, most of this unpleasantness could have been avoided...

  15. Support Staff 15 Posted by Luke Le on 24 Sep, 2018 05:13 AM


    Thank you, we do appreciate it!

    In hindsight that is very clear. At the time of the release our only concern was to have the new release ready before macOS Mojave. All necessary details would have been added after the weekend.

  16. 16 Posted by Luis Puerto on 24 Sep, 2018 05:39 AM


    It should have been the other way around. You first get ready the paperwork and then you release the software. If the software is not ready for the release of a new major OS update isn’t that problematic. When you update your OS you should check if all your current software is compatible with the new OS before you update. It’s a common sense rule...

    Please clarify everything and release the source, even better if you do it in GitHub or any other similar service.

    Same as others, I’ll be happy to make a “donation”... if the terms are clear and conditions fair. If they aren’t... I would probably stop using the software or compile it myself since I’m not that heavy a user but an enthusiast of GPG.

  17. Support Staff 17 Posted by Luke Le on 24 Sep, 2018 06:13 AM


    Luis, I generally agree with you. Over the years however we learned that most of our users tend to upgrade on day one or soon after. And there have always been a lot of complaints if the software stopped working after that.

    We will clean this up further, no doubt. The code is already on Github at

    Freshly updated with the newest release.

  18. 18 Posted by Hans on 24 Sep, 2018 06:38 AM


    Would you please add a comment here if someone of you managed to compile the GPG Mail part for themselves? Preferably with instructions or a (legal, e.g. not containing icons and stuff that is protected) binary?

    Thank you!

  19. 19 Posted by robertoschwald on 24 Sep, 2018 08:31 AM


    Are you sure the source code you provided for download is for Mojave?
    GPGTools Installer installs GPGMailLoader plugin. There is no evidence of this target in the provided source-code or on GitHub.

  20. 20 Posted by Guido on 24 Sep, 2018 08:43 AM


    Even if the complete source code is finally pushed to GitHub as per the required obligations and then compiled, will it not simply result in the same "ransomware"?

    Come on, all you coders out there, pull out your utensils and fork this puppy so that the time bombs and any other proprietary code can be removed. Thus returning it to the FOSS community from whence it was appropriated.

  21. 21 Posted by M Doo on 24 Sep, 2018 09:38 AM


    Hope it shouldn't be long before we get a decent fork

  22. Support Staff 22 Posted by Luke Le on 24 Sep, 2018 10:11 AM


    GPGMailLoader is not required. It only is necessary if you want to support upgrade paths as we have to. It's a minimal bundle that loads other bundles, based on which version of the OS is running.

  23. 23 Posted by MV on 24 Sep, 2018 12:33 PM


    I managed to build GPGMail.mailbundle from the "mojave" branch. But it complains about "Incompatible Plug-in" as soon as the plugin is activated.

  24. 24 Posted by iprigger on 24 Sep, 2018 02:15 PM



    Please, just calm it down. GPGTools has announced long time ago that it will have a fee with it. This could have been avoided if those who use it would have financially contributed on a regular basis. Who of you did ever donate a single buck?

    Second: To my understanding the GPL is not violated at all.

    3rd: If you complain "25 bucks is too much" then let me tell you one thing: The hosting does cost a lot of money. The time of those guys isn't free. You're acting up as if they had an obligation to serve you the plugin - which, let me tell you: IS NOT THE CASE.

    And then, after complaining about 25 bucks... a user comes up with a screenshot that the compile job he did is not working - what the hell?

    If you read the License of the source code: "... [..] as is where is [..]"

    If you want support, please: Buy the license.

    Kind Regards

  25. 25 Posted by MV on 24 Sep, 2018 02:26 PM


    Dear i.p.rigger,

    I'm not trying to get any sort of support from the vendor. I even don't use this software by myself. I have heard from a friend about this "licensing drama" so I went to look and found out that the simplest thing I can do is to try and build the source from their repo using their instructions. My intent with that screenshot was to reply to user Hans in post #17.

    I'm done here. Cheers

  26. 26 Posted by Johnathan Gerbe... on 24 Sep, 2018 02:38 PM

    Johnathan Gerber's Avatar

    I have been a long term user of the free software, and although I'd like to keep my money together, I'm also happy to pay the people who put a lot of time and effort into something that is useful for me an appropriate amount of money - which for a security and privacy related issue, 24$ counts to me as such.

    As the team already has pointed out, everyone can compile their own version without code, so there is no violation of the GPL.

    I'm also shocked that so many people are so enraged simply because they feel they are entitled that someone who has provided them with a really useful tool for FREE for 10 years should continue to do so.

    And yes, it was announced for years, that this day will eventually come, and even has been postponed.

    So, dear devs, thanks for the 10 years of free service. I will be happy to use the tool from now on as a paying customer

  27. 27 Posted by robertoschwald on 24 Sep, 2018 02:58 PM


    @iprigger Nobody needs to calm down. It's simply a question of whether the new licensing is GPL compliant or not. I didn't read any post here complaining about the license fee. People here just want to know if the code published matches the release. Maybe you read something else. As the released version uses a wrapper, the compiled GPGMail version seems not to be comparable easily to the commercial binaries, as it does not work ootb if used as a dropin bundle.

    For sure, the developer team could have done better by first preparing docs, then releasing a commercial version. But I'm sure they learned their lesson.

  28. 28 Posted by iprigger on 24 Sep, 2018 03:04 PM


    Dear @MV

    Then, please, do all of us a favor: Keep it that way.


  29. 29 Posted by guy on 24 Sep, 2018 05:46 PM


    I've downloaded the source from the link on the main page, extracted it, followed the docs about git cloning another library and issuing make.. Works just fine.

    I've also adjusted it to remove the license. I'm in two minds about this, I do understand the requirements for revenue but disagree with the way it's been implemented at this time including the analytics back to This is dead against GDPR as I didn't have an option to opt out. Also the schedule of having to pay more (i.e. at each Apple OS release). When things settle down and all the fires are put out I will likely pay out for it as I do like it (though this is likely after my 30 day trial would be over, hence the adjustments), I don't have the time to maintain my own copy and appreciate the developers' efforts here.

    And NO I'm not going to post how to change it or binaries. My feelings on that are simple.. IF you have the time and knowhow to do what I've done, it's easy do it. If you don't Pay up that's after all what you've paid the developers to do.

  30. 30 Posted by Carsten on 24 Sep, 2018 09:45 PM


    So your tools are talking to Are U serious? I used GPG tools for several years as they have been a very convenient way to do PGP on Mac but first you force me to pay a quite hefty fee and now I read that you additionally use my data for analytics (what do you send there anyway??)? Do you have in mind that this is a clash of interests? I strongly suggest you go one route or the other! In my terms I hope you remove the analytics code! Else I will uninstall the tools and propagate my disgust about your doings!

    By the way the Google reCAPTCHA is also not very assuring...

Comments are currently closed for this discussion. You can start a new one.
