GPG Suite might now be in violation of the GPL License

Mike Robinson's Avatar

Mike Robinson

23 Sep, 2018 05:57 PM

Although the GPL licenses which govern GPG "shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources," it does state that "The program must include source code, and must allow distribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost, preferably downloading via the Internet without charge." And, with regard to derivative works such as GPGSuite might be considered to be, "they "must be distributed under the same terms as the license of the original software."

For a number of years, GPGSuite was truly "open source software,' but the GitHub repository has not been updated in a number of years and e.g. the mail plug-in "does not support Sierra." However, the most recent version does obviously support Sierra. Therefore, it is obvious that the product continues to be maintained by you, but that it is no longer "free and open-souce software."

However, GPGSuite, Inc. as the vendor of a now-proprietary and closed-source software product continues the deceptive trade practice of falsely claiming on its web-site that it remains open-source, and points to a GitHub repository that no longer contains the actual source code to the product. The most-recent version now demands payment for "support," but offers a "30-day trial," after which presumably the software will cease to run. (And if in fact it does not, GPGSuite is engaging in the deceptive trade practice of offering the false pretense that it will do so.

Your installation does not state that the software is now proprietary, giving no indication until such point that you engage in the deceptive trade practice of demanding payment for what you falsely represent to be free and open source software.

Having broken the copyright license terms of the GNU Public License, GPGSuite. Inc. no longer has the intellectual property rights to continue to use the "GPG" software, nor to use "GPG" in its product name. You cannot have it both ways.

You would do well to engage legal counsel, because your present stance is unlawful and is bound to very quickly attract the attention of the crypto community. To cure the situation, you must return to compliance with the GPL Licenses. You must furnish and maintain the actual source code to the product on GitHub or another public server of your choice, and you must not attempt to impose any sort of "time limit" nor to require payment under any pretense whatsoever. If you are unable to financially continue to support the product based on the donations you have so far received, you can relinquish it to the custodianship of another interested party.

Showing page 2 out of 3. View the first page

  1. Support Staff 31 Posted by Luke Le on 24 Sep, 2018 09:56 PM

    Luke Le's Avatar

    We would like to clarify that we have no analytics code. We use paddle as our reseller and they perform the remote validation of the activation code. We made sure that we don‘t even use their method to periodically validate the activations remotely, since we wanted that to only happen once. Paddle does provide a method to collect analytics but we don‘t use that. If we did, we would request your consent first. We don‘t collect any data on usage. We will have a Privacy Policy on our site soon that will have all the necessary details in it.

    Re. Google Re-captcha: unfortunately we can‘t currently run a support platform on our own servers so have been using Tender for many years now. But that also means that we can’t directly influence the decision. This may or may not change in the future

  2. 32 Posted by prof on 24 Sep, 2018 10:07 PM

    prof's Avatar

    We use paddle as our reseller and they perform the remote validation of the activation code. We made sure that we don‘t even use their method to periodically validate the activations remotely, since we wanted that to only happen once.

    If the code on Github is the code that's used in the distributed Libmacgpg binary, then this is plenty obvious from reading JailfreeTask.m.

    Is there any reason (Little Snitch logs, or whatever) to think otherwise?

    People seem to be getting a little paranoid around here ...

  3. 33 Posted by Carsten W. Rose on 25 Sep, 2018 04:54 AM

    Carsten W. Rose's Avatar

    This all seems to be a rushed release and a PR disaster. You seem to provide the normal information only in the afterthought.

  4. 34 Posted by Carsten on 25 Sep, 2018 04:57 AM

    Carsten's Avatar

    This all seems to be a rushed release and a PR disaster. Apparently you provide information only in the afterthought.

  5. 35 Posted by Ravi on 25 Sep, 2018 01:48 PM

    Ravi's Avatar

    This is turning out to be a Ransomware !!

  6. 36 Posted by Ollie on 29 Sep, 2018 06:23 PM

    Ollie's Avatar

    I get the same response as MV when compiling the provided source code - both from the Mojave branch on GitHub and from the txz compressed source provided in this discussion.

    @Luke Le - is there something missing?

  7. 37 Posted by Julien on 01 Oct, 2018 08:37 PM

    Julien's Avatar

    GPGMailLoader.mailbundle is installed by the GPGTools installer in /Library/Mail/Bundles, which is the directory in which previous versions of the GPGMail plug-in were installed. If I am not mistaken, it loads GPGMail_14.mailbundle, which is the real GPGMail plug-in for mojave and is located in /Library/Application Support/GPGTools/GPGMail.
    If you compile a GPGMail.mailbundle from source and put it in /Library/Mail/Bundles then Mail 12.0 complains about an incompatible plug-in. But if you put it in /Library/Application Support/GPGTools/GPGMail under the name GPGMail_14.mailbundle, then GPGMailLoader loads it and it works.

  8. 38 Posted by Ollie on 01 Oct, 2018 08:47 PM

    Ollie's Avatar

    Julien, if that is correct then GPGMailLoader should be provided along with the source code as this could be considered a corresponding source as defined under section 1 of the GPL License

    "The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities."

  9. 39 Posted by Julien on 02 Oct, 2018 06:41 AM

    Julien's Avatar

    Ollie, I agree with you. I am indeed unable to run the plugin without GPGMailLoader, whose source code is not provided. I think that the instructions in the readme should also be updated.

  10. Support Staff 40 Posted by Luke Le on 02 Oct, 2018 07:25 AM

    Luke Le's Avatar

    The loader is in no way required to get the bundle running. It is only required if you want to provide a smooth macOS upgrade path, which we do and have to.
    Many people have already managed to get the plugin running as is.

  11. 41 Posted by robertoschwald on 02 Oct, 2018 07:35 AM

    robertoschwald's Avatar

    Many people have already managed to get the plugin running as is.

    I tried as well from tgz and from the mojave branch and did not get it running without the loader.

  12. 42 Posted by Guido Sarducci on 02 Oct, 2018 03:43 PM

    Guido Sarducci's Avatar

    After having had sent them a synopsis of what’s happened here, I just received the following response from the Free Software Foundation:

    It sounds like you might have a violation on your hands. If you believe that is the case, please follow the instructions here In short, gather all the data and provide it to the copyright holder of the work; only the copyright holder has the legal power to enforce the terms of the license. Thanks for checking in on this, and I hope this helps.

    -- Sincerely,

    Donald R. Robertson, III, J.D.
    Licensing & Compliance Manager
    Free Software Foundation
    51 Franklin Street, Fifth Floor
    Boston, MA 02110, USA
    Phone +1-617-542-5942
    Fax +1-617-542-2652 ex. 56

  13. Support Staff 43 Posted by Luke Le on 02 Oct, 2018 05:25 PM

    Luke Le's Avatar

    Hi Guido,

    please forward the letter you sent to the Free Software Foundation to us as well.
    Something that might have been lost in this whole conversation is that we are the copyright holders of GPG Mail. If that wasn‘t clear, we apologize.
    I‘m also not entirely sure what more we can do than to provide all the necessary source code and basic instructions on how to compile it yourself.

  14. 44 Posted by Ollie Hayman on 02 Oct, 2018 05:35 PM

    Ollie Hayman's Avatar

    It’s not very open to have turned this discussion private and removed access for those of us involved in the conversation.

    Regardless of who owns the copyright to GPG Mail, the license it was released under is the GPL License and therefore it must be compliant with that license which at this time, it does not appear to be as the released source code does NOT work on the same platforms that the software distributed by GPGTools works on.

    I would advise you double check the source code you have released can be run on the same platforms as the distributed version as it does not appear to be the case and Guido did the correct thing by referring this to the Free Software Foundation.

    As this discussion has been made private, I too will now separately contact them with the evidence of breach of GPL that I have gathered.

  15. Support Staff 45 Posted by Luke Le on 02 Oct, 2018 07:20 PM

    Luke Le's Avatar

    No one who has already posted in this thread should have lost access. We decided to make it private, since it‘s probably not of public interest. There is at least one other thread on our support platform where a developer has managed to get everything working with the source code as released.

  16. 46 Posted by Julien on 02 Oct, 2018 10:31 PM

    Julien's Avatar

    I also don't understand why this thread has been made private, what is so secret about it ? The only person I've seen claiming that he could run the plugin from source without the loader didn't say if he was running mojave. It's 'guy', and he posted on this thread. I too could run the plugin in high sierra without the installer, but I can't in mojave. So there is something different. Why not simply provide the source code of the loader, if it is so unimportant ?

  17. 47 Posted by guy on 03 Oct, 2018 07:41 AM

    guy's Avatar

    When I first compiled this I was not using Mojave, and it worked first time. That's when I posted that it was easy to do.

    Later. I upgraded another computer to Mojave and attempted install the same binaries over there and suffered the same as everyone else here. That is until I kept the GPGMailLoader and put GPGMail_14 in the /Library/Application Support/GPGTools/GPGMail dir.

  18. 48 Posted by robertoschwald on 03 Oct, 2018 09:09 AM

    robertoschwald's Avatar

    I upgraded another computer to Mojave and attempted install the same binaries over there and suffered the same as everyone else here.

    So bottom line is, it does not work with the GPL source code. The wrapper seems to be an essential part to get it working in Mojave.
    IMHO the copyright owners need to shed some light how to get it running without their closed source code, or they release the wrapper source code as well.

    The loader is in no way required to get the bundle running. As it stands now this could not be proven, as nobody here seems to be able to run the GPL code on Mojave the way it was released as a commercial software bundle.

  19. 49 Posted by Mario on 04 Oct, 2018 11:21 PM

    Mario's Avatar


    as gnupg (pinentry is a clear dependency of gpgtools) is GPL, GPGtools can not be licensed conflicting to GPL. So sourcing GPGtools is not just a "good will"; it is mandatory by its dependency.
    However, I fully understand that hard-working people want to be able to pay their rent. But this is not the way to do. You can not force users to pay for something if they most likely choose your product because it is free.

    In my point of view, you can extend the features for the payed product. You can add a second product that is payed. But you can not change the rules without an information in advance. Imagine wikipedia, stackoverflow, wordpress or google would start charging for usage - without telling anything before. No one would expect this.

    To extend the "trial" in the latest version, I spent 10 minutes to patch the method in the xpc service that gives information about the activation state. Here is a very brief howto that enables you to use 2018.4 without activation.
    (this code/howto comes without any warrenties)

    In the meantime both parties can think about what they expect and what's worth it - the users of GPGtools as well as its authors. Have a look to other companies erning money with open source.

  20. 50 Posted by Luis Puerto on 05 Oct, 2018 06:30 AM

    Luis Puerto's Avatar

    @Mario thanks a lot for this.

    I have more or less the same opinion as you. They can create an added value for another version of the software that people have to pay. I think a good example could be They started as an opensource company and they still are. They have a free set of products and then a pay under license ones that are aimed mainly to companies and professionals with additional needs (rstudio pro

  21. 51 Posted by Bubba Singh on 05 Oct, 2018 09:33 AM

    Bubba Singh's Avatar

    Thanks, Mario for providing the above. If Luke and his crew had themselves done this right away, the raging inferno of a sh*tstorm would never have evolved beyond a few initially indignant sparks.
    The GPGTools team has graciously provided the fruits of their labours to the community for many years. It is understandable and more than reasonable that they finally wish to reap certain rewards for all of their hard work. However, to do it in such an ill-advised and misinformed manner by leveraging OpenSource software for their intended riches was not at all palatable, let alone proper.
    In any case, I hope that they emerge from this fiasco only slightly bruised and ready to successfully make their commercial mark upon the world with their own fully-proprietary software. Their obviously effective coding skills and Luke's (not so sure about Steve's) customer-centric ethics and morals (proven clearly by his decision to return this discussion to the Public realm) are sure to take them far.

  22. 52 Posted by Julien on 05 Oct, 2018 07:15 PM

    Julien's Avatar

    First of all, thanks to the GPGTools team for making this discussion public again. There are ways to run a modified code and to avoid the activation check. However, as far as I understand, all these alternative methods use the loader whose source code is not available, and nobody here has been able to run GPGmail in Mojave from the provided source code (with or without activation/trial/paywall, that's not the point). Despite claims of the contrary by Luke, my feeling is that the GPGTools developers are intentionally withholding some necessary source code so that others can't build and run the software from source. And this seems to be incompatible with the GPL license under which their software is licensed.

  23. 53 Posted by Bubba Singh on 05 Oct, 2018 08:38 PM

    Bubba Singh's Avatar

    @Julien: Luke is seemingly much too smart to be withholding anything right now. It's simply too risky to run afoul of the FSF et al when one's product is based on FOSS. Again: It's perfectly within the rules for somebody to charge for OpenSource-based software. Many do! They then make their revenue through private one-on-one support, customisations or consulting. Getting back to what you are alluding to... If anything were being held back, I and others wouldn't have been able to pull and make the Libmacgpg code as we were successfully able to do which then resulted in full functionality of GPGMail once again. No ransom, no nagging and no stress. The GPG team wasn't very wise to have approached this the way they did 2 weeks ago. However, from my perspective, they are clearly reputable, responsive and fully compliant. Hey, if this weren't the case, threads like this would never have seen the screen light of day; they would have been shut down before anybody else had an opportunity to see their compromising contents.

  24. 54 Posted by Rob on 06 Oct, 2018 03:53 AM

    Rob's Avatar

    . If anything were being held back, I and others wouldn't have been able to pull and make the Libmacgpg code as we were successfully able to do which then resulted in full functionality of GPGMail once again.

    Bubba, have you been able ro compile the plugin.and install in Mojave Mail successfully without any 3rd party component? We tried, and it didn‘t work. Replacing the libmacgpg framework with another one is not the problem or the point. gpgMail Info.plist holds the correct identifiers but is rejected by Mail.
    So if you ware able to run a self compiled gpgMail, tell us how you did that.

    And btw: I‘m a paying customer. The need to get compensated for their great work, but I“m very sensitive when it comes to OSS license violations, and I want to know if thats the case or not in this project.

  25. 55 Posted by Mario on 06 Oct, 2018 05:41 AM

    Mario's Avatar

    Hey Rob,

    i don‘t run Mojave at present but in theory I don’t see any reason why it should not work. If you install the plugin as usual (provided by the gpgtools team) and then use my patch for the xpc component (no patch for the plugin required as far as I read the code), everything works like a charm. See my github link a few posts before.

    So in my point of view no GPL violation at all, because the proprietary Paddle Feamework ist „optional“ for the functionality.


  26. 56 Posted by Ollie Hayman on 06 Oct, 2018 06:32 AM

    Ollie Hayman's Avatar

    First off, I would like to thank the GPGTools developers for making this public again. Openness comes in many forms and one of the key things for GPL is that it’s that it has a community-oriented license enforcement model - so being able to have discussions such as this one are important for the community.

    Mario and Bubba, GPL is not about being able to remove the Paddle license check from the xpc component of libmacgpg and that is not what we are taking issue with. It’s about being able to take a GPL licensed work and compile, install, use and alter it in any way.

    All components of the GPGTools suite are GPL licensed - GPL is a what’s known as a “viral” license, if you use a single GPL component then you are required to also license your code under GPL. This means that the GPGMail extension should be able to be compiled, installed and modified without limitation.

    The issue being discussed by Rob, Julien, guy and I is that this does not appear possible in the latest supported operating system (Mojave) without a loader component that is not part of the source release. That violates the GPL license as, without using the GPGTools installer and instead by simply compiling all the components it should be possible to compile, install and modify all components of the GPGTools suite and it is not.

    Once again the ability to remove the Paddle check does not feature in if the GPL license has been breached or not and I do not believe any of us are trying to claim that the developers decision to charge a subscription is against the license (as it is not). Our issue is that there appears to be a key component missing in the source release that is required to comply with the open source license of the project.

  27. 57 Posted by Bubba Singh on 06 Oct, 2018 06:47 AM

    Bubba Singh's Avatar

    I suppose, Ollie, that in this sense you may be quit correct, particularly if ANY part of the code is missing.
    I was coming at this with a purely selfish and pragmatic perspective: After having had followed Mario's instructions I was satisfied to find that, upon restart, GPGMail became fully functional. As I'm not a coder, I can't explain why. Perhaps it may have something to do with me running High Sierra rather than Mohave on my box.

  28. 58 Posted by Julien on 06 Oct, 2018 10:23 AM

    Julien's Avatar

    Ollie, thank you for explaining much more clearly than I did our issue with the GPGTools team. In my opinion, the question of the paid subscription is indeed a different problem. (And considering the amount of work that must have been necessary to develop and maintain their software, I can understand the move, although maybe it should have been better prepared.)

    Mario, you say that in theory you don't see any reason why it should not work in Mojave. So did I, because before Mojave I was able to compile, install and run the plugin in High Sierra. But either Mojave, or Mail 12.0 (which comes with Mojave), or both, handle the plugins differently and the same installation method does not work. And the GPGTools developers have indeed changed their software so that instead of directly calling the plugin, Mail first calls a loader (whose source code is not available) which then loads the plugin. And it seems that nobody has been able to bypass this closed source loader and install the plugin directly (in Mojave).

    Luke, apparently you do not wish to release the source code of the loader, or you would have done so a week ago and this discussion would be over. Can you explain why, and why you think this does not make GPGTools in violation of the GPL License?

  29. 59 Posted by Smith on 08 Oct, 2018 06:37 AM

    Smith's Avatar

    I managed to build and run a self-compiled version.
    I disabled system integrity protection and loaded GPGMail without any problems.

  30. 60 Posted by Ollie Hayman on 13 Oct, 2018 02:04 PM

    Ollie Hayman's Avatar

    Smith I would not recommend disabling SIP and it certainly is not the solution to this problem.

    I have managed to compile the mailbundle and get it running under MacOS Mojave without doing this and have created a pull request ( <>) for the developers.

    Hopefully they will merge this so that others do not need to struggle. However, for all those following this thread I hope this will come as a sign of relief that it is possible to run GPGMail.mailbundle with Mail 12.0 (and 12.1) without the need for the GPGMailLoader.mailbundle and it was as simple as one line missing form a header file.

    I did also reverse engineer GPGMailLoader to find this solution and can also report that, whilst the source code has not been shared, it is as described and simply checks the OS version and loads the appropriately named GPGMail_xx.mailbundle

    If anyone would like the source code for my own version of GPGMailLoader, please just comment and I shall make it available on my GitHub.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac