My Insulin Pump Controller Uses the Linux Kernel. It Also Violates the GPL
Key topics
A heated debate erupted after a developer discovered that their insulin pump controller, which runs on Linux, is violating the GPL, sparking discussions on enforcement against the Chinese company allegedly involved. Commenters weighed in on the primary offender, with some pointing to Insulet, the device manufacturer, rather than Nuu, the Chinese hardware maker. The conversation took a turn when some suggested that tariffs could be a solution, while others debated the feasibility of enforcing the GPL, with experts pointing out that the Software Freedom Conservancy (SFC) is the organization to contact for GPL enforcement, not the FSF. Amidst the discussion, a tangential conversation about a notable GPL expert's name change added a touch of humor to the thread.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussion. First comment: 26m after posting. Peak period: 80 comments in 0-6h. Average per period: 16. Based on 160 loaded comments.
Key moments
- Story posted: Dec 26, 2025 at 2:13 PM EST (10 days ago)
- First comment: Dec 26, 2025 at 2:39 PM EST (26m after posting)
- Peak activity: 80 comments in 0-6h (hottest window of the conversation)
- Latest activity: Dec 29, 2025 at 8:41 PM EST (6d ago)
What's "illegal" about these products?
> send the importer a big fine.
And that gets paid?
> This is already an established process.
And has it ever been used for /civil/ software GPL violations?
How do they triage and decide what to pursue?
The dominant legal theory is that the GPL can only be enforced by the party holding the copyright. SFC's lawsuit against Vizio is strategically trying to establish precedent changing that; establishing that end-users are "third party beneficiaries" under the GPL, so others can enforce the GPL; but for now the copyright holder is the only one who can enforce it.
So the FSF could only take it up if the violation is on projects that do copyright-assignment to the FSF (i.e.: most GNU stuff). If you do find a violation of GNU stuff, the process is "email license-violation@gnu.org". I do not know what process Craig and Krzysztof use when triaging reports and deciding what to pursue.
Many Linux-kernel contributors (also, SFC member projects such as OpenWrt, Git, Qemu) have assigned their copyright to SFC or named SFC as their legal representative, so SFC can take up something like this. Similarly, you can report violations to them by emailing compliance@sfconservancy.org (see https://sfconservancy.org/copyleft-compliance/help.html for more info).
Now, the SFC is aware of more violations than they could ever possibly pursue, so they're strategic about pursuing ones that are high-impact. I'm not sure how they decide that. But I can say that medical devices are near-and-dear to them, between executive-director Karen Sandler's implanted defibrillator and policy-fellow Bradley Kühn's blood glucose monitor.
I saw that spelling for the first time last week, I think.
Did he change his name? Has he always been Kühn, but went with Kuhn, because Umlaute are hard for Americans?
https://fedi.copyleft.org/@bkuhn/115461658201124515
The FSF could help a lot here by publishing demand letter templates outlining the statutory and precedential basis for license enforcement and recovery of damages.
Yeah, there are startups where head guys don’t know that and developers jump the gun because they feel like they’re the ones that have the best understanding of the issue at hand.
But of course that’s legal territory.
The GPL grants rights to use and distribute, but does not grant ownership. It’s not suddenly in the public domain.
This is technically not true. It is an oversimplification of the common case, but what actually normally should happen is that:
1. The GPL requires the company to send the user a written offer of source code.
2. The user uses this offer to request the source code from the company.
3. If the user does not receive the source code, the user can sue the company for not honoring its promises, i.e. the offer of source code. This is not a GPL violation; it is a straight contract violation; the contract in this case being the explicit offer of source code, and not the GPL.
Note that all this is completely off the rails if the user does not receive a written offer of source code in the first place. In this case, the user has no right to source code, since the user did not receive an offer for source code.
However, the copyright holders can immediately sue the company, since the company did not send a written offer of source code to the user. It does not matter if the company does or does not send the source code; the fact that the company did not send a written offer is in itself a GPL violation.
That doesn't sound right to me.
A written offer is not the same thing as a contract.
A written offer on its own would not normally be directly enforceable in many (most?) jurisdictions, for the same sort of reason that retailers can't be held to incorrectly published prices (in the UK at least, a displayed price is an “invitation to tender”, not a contract or other promise) except where other laws/regulations (anti bait&switch rules for instance), or the desire to avoid fighting in the court of public opinion, come into effect.
But in this instance, the written offer would be part of the wider licence that has been agreed to.
> If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
Similar clauses in Sec 6.
[1] https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
> c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
Or, instead of theorycrafting reasons why it shouldn't work, you could "just" sue them and see if the judge agrees.
The hell? Over here, the price tags are a sort of public contract, to which the seller pre-commits. The seller forgot to change the tags? That's not the buyer's problem.
The other solid bait & switch is advertising a product that they don't have any of to sell, in the hope that you'll come in and buy something more expensive (or lower value) instead.
You don't have to be "guilty" of anything to be liable in civil law (which contract law is a part of). "Guilt" is a concept from criminal law. It isn't required for contracts to be enforceable.
It's not illegal to not honor written offers, it's illegal to distribute copyrighted material in violation of its license.
This is not only possible but also prudent for a device which can also kill you.
The argument is over providing you the source code.
The offer of source code seems to be a way to facilitate the conveyance of source code through opt-in means separately from the object code rather than some legal trickery to create a user-licensee contract.
While the offer may indeed convey a licensee-user obligation, a compliant distribution would attach a license anyway, converting the user into a licensee, and licensor to licensee in a recursive fashion.
I wonder if lawyers specialize in this, it sounds very cool and not at all standard law, but somehow compatible with contract law
IANAL
If you accept someone's offer, provided it meets the rest of the criteria for a valid contract - congratulations, you now have a contract. If any party violates it, yes, this is a breach of contract.
> A written offer is not the same thing as a contract.
An offer is a precondition and component of a contract
But GPL is a contract
I think the distinction you are pointing to would be between a GPL licensor-licensee contract, rather than a licensee-user contract.
(IANAL)
Not according to the original reasoning by its creators, but opinions differ wildly. However, this is irrelevant to the point; the written offer, which is separate from the GPL, is what is failing to be honored, not the GPL. If you did not receive such a written offer, the GPL, in itself, makes no guarantee that you have the right to the source code.
Wrong. The requirement to provide source code under the GPL is primarily governed by Section 3 of the GNU General Public License v2 and Section 1 of the GNU General Public License v3. The whole point of the GPL is to make it so users of software could get source code to the software.
https://social.kernel.org/notice/B1aR6QFuzksLVSyBZQ
Linus rants that the SFC is wrong and argues that the GPLv2 which the kernel is licensed under does NOT force you to open your hardware. The spirit of the GPL was about contributing improvements back to the community.
Which brings us to the question: what is this guy going to do with (presumably) the kernel source? Force the Chinese to contribute back their improvements to the kernel? Of which there are likely none. Try and run custom software on his medical device which can likely kill him? More than likely.
This is about as ridiculous as buying a ticket on an airplane and thinking you are entitled to the source code of the Linux in-seat entertainment system.
The airplane entertainment system example is irrelevant because the airline is not distributing the airplane software to you.
For the same reason you can't find an airplane entertainment system in the trash and call up the company and demand source code.
It's subsequently transferred to you after presenting a prescription, without any accompanying offer of source code. In other words, assume you are the second owner in all cases when it comes to certified medical equipment.
AFAIK if you find an Android phone in the trash, you are not entitled to source either since you never received the offer of source during a purchase transaction. You know that little slip of paper you toss as soon as you open some new electronics that says "Open Source Software Notice".
By that logic, _any_ company can effectively ignore the GPL constraints by just selling it to a reseller, first; one that they have a contract with to _not_ offer the source code when they re-sell it.
It is my understanding that, if I use GPL in my code, and I distribute it to someone that then re-distributes it to someone else... the GPL is still binding. I don't see why that wouldn't be the case with hardware using GPL'd software.
if the license does not travel with the copy, then the copy is unlicensed and is a copyright violation. the license carries restrictions and grants rights. those aspects cannot be violated or the license ceases to exist.
you don't know what you are talking about, so stop guessing.
The licensee has to offer code to users. It doesn’t say they have to purchase anything to be a legitimate user.
If you file a statement of claim to a court that is just riffing on the theme of "Compiled binaries of GPL code are being distributed" - you won't get anywhere.
I implore you to learn how to identify the parties involved, which contracts get formed when and between whom, de minimis, exemptions to copyright, and the non-copyrightable parts of code.
You were right up to this point. Medical devices requiring a prescription must be obtained via specialized suppliers, like a pharmacy for hardware. These appliances are not sold directly to end users because they can be dangerous if misused. This includes even CPAP machines.
In theory, that written offer only needs to go to the device suppliers. When the device is transferred or resold to you, it need not be accompanied by the offer of source.
If that was true, anyone reselling an Android phone could open themselves up to legal liability. Imagine your average eBayer forgetting to include an Open Source Software Notice along with some fingerprint-encrusted phone.
That’s only an appeal to ridicule. If those are valid, here’s an opposing one:
If this is not true, then any company can violate the GPL all it likes just by funneling all its products through a second company, like a reseller.
That the GPL potentially fails to achieve what it intends to is neither a legal argument, nor particularly surprising.
The copyright doesn’t go away when copies are sold to a distributor. Someone (probably the manufacturer) still has legal obligations to the copyright holder.
A sale of an object does not transfer those licenses (but those licenses are still valid on the seller - a manufacturer selling widgets will have to obey the GPL clauses. If an end user of this widget wants the source code, they have to go back all the way to the manufacturer, rather than any of the middle-men presumably).
This is false. The person transferring the device must either pass along the offer they received (GPLv2 clause 3(c), and only if performing non-commercial redistribution), or pass along the source code (GPLv2 clause 3(a)).
The GPL clearly specifies users, it doesn’t say anything about suppliers.
One interesting link:
https://www.drugtopics.com/view/hacking-diabetes-the-diy-bio...
I would trust the people that hack on these systems to be even more motivated than the manufacturers to make sure they don't fuck up, it's the equivalent of flying a plane you built yourself.
A great analogy because people die that way. I personally would never push code to another person’s insulin pump (or advertise code as being used for an insulin pump) because I couldn’t live with the guilt if my bug got someone else killed.
And to the best of my knowledge none of the closed-loop people have died as a result of their work and they are very good at peer reviewing each others work to make sure it stays that way. And I'd trust my life to open source in such a setting long before I'd do it to closed source. At least I'd have a chance to see what the quality of the code is, which in the embedded space ranges from 'wow' all the way to 'no way they did that'.
which is why lots of systems and processes (sometimes called red tape) exist to try and prevent the undesired outcome, and dont rely on the competency of a single person as the weak link!
So the question really becomes - Are these people working on their own pumps with open source more or less invested than the random programmers hired by a company that pretty clearly can't get details right around licensing, and is operating with a profit motive?
More reckless as well? Perhaps. But at least motivated by the correct incentives.
Your "prototype" is a plane from the original manufacturer with no physical modifications but a software patch to use data from sensors the plane already had to prevent the computer from getting confused under high wind conditions in a way that has already caused two fatal crashes.
Now you have to fly somewhere and your options for a plane are the one with the history of fatal crashes or the same one with your modifications, and it's windy today. Which plane are you getting on?
Are you kidding me? How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.
Nobody said it was untested.
> How many times have you unwillingly introduced bugs into a code base you didn’t fully understand? That’s basically table stakes for software engineering.
Which applies just the same to the people the company hired to do it, and now we're back to "the people with a stronger incentive to get it right are the people who die if it goes wrong".
We aren't all building our own planes because it's worse, but because it's time consuming. I don't have 20,000 hours to burn learning about how planes work to make my own.
If we magically beamed the knowledge straight into people's heads and also had a matter fabricator, I'd imagine yes - everyone would build their own plane. And it might be safer, I don't know.
Point is, the ideas are not mutually exclusive. You can believe both and still resolve it internally and with the world
Why on earth would you think an experimental aircraft made by a hobbyist would be safer?
Sorry. I would be much more inclined to have something made by somebody passionate about it, as done by some guy that received hopefully some kind of instruction on how to do things and was then left alone.
In this context (GA) we are not comparing Airbus/Boeing with a garage build. We are comparing some small company making 2 seaters with your hangar and maybe 10 certified aircraft mechanics that will help you a lot on the process.
Instead they got McDonnell Douglas'd
As it turns out the motivations matter way more than you might think.
By personal choice I use a commercial CGM (if I could “touch it,” I’d be firmly on the side of certainty about killing myself through sheer stupidity), but reading something like “associated with” really makes me angry. Before making such subtle insinuations about the open-source world (the source of the revolution of the last 10 years in this field), regulatory bodies should open their eyes to what is actually happening with the quality of current sensors and the real problems they are causing.
And strength to you. I had a business partner for some time that was much like you and every time he'd be 10 minutes late for an appointment I'd get nervous and if it was more than an hour I'd be on the phone to his family to check up on him.
Advertising that code, IMHO, would be like showing yourself doing extreme sports, for example. I do not think that is bad at all. A good disclaimer should be enough to take away any guilt.
I would think it's the opposite. People that hack on this only risk their own life. Companies risk many people's lives and will get sued. Of course the person doing the hacking doesn't want to die but they're also willing to take the risk.
- people try to wingsuit through narrow obstacles and miss
- people try to build their own planes and helicopters and die
- people try to build submersible vehicles to go see the titanic and, uh, don't have a 100% success rate
- people try to build steam-powered rockets and die
"It's their life, they won't fuck it up" doesn't exactly cover a lot of behaviors.
I'd argue home-rolling your own medical device firmware is closer to daredevil/"hold my beer" behavior than normal.
I would say that can have a lot to do with your average diabetic loop hacker.
You're comparing people with a death wish in disguise with people that are extremely motivated to improve their QOL, and they're very careful about how they do this; in fact, if you read up on this you'd notice the insane attention to detail and the very rigorous process, on par with what I've seen in industry and in fact probably better than most.
All of this talk in this thread makes me think back to a time when people were laughing at that Finnish kid that was making his own OS with his buddies. Surely nobody would ever trust their business, their property or their lives to open source.
There have been many people who "made informed decisions" about their medical treatments over the advice of professionals and ended up being wrong. They don't count as thrill seekers.
Even in other threads on HN, you'll find takes on this topic ranging from "I don't trust my device, so I do finger tests every day" to "I trust my vibes and my device and don't do finger tests anymore" which tells me there's a pretty wide spectrum along which hackers might fall.
I'm not at all arguing that it's impossible that someone would do a good job of hacking their device, let alone do better than pharma/med companies.
I just don't buy that everyone who hacks away at it will inherently do better than said companies because their life is at stake. There are way too many examples of people taking their lives in their own hands and getting it wrong.
The baseline worst-case scenario of messing this up on yourself is that you die.
Yeah, only their own life, y'know, something not particularly valuable or motivating to conserve for them, as opposed to the company's financials!
Provided they do not risk anyone else's, that is entirely their right.
Linus is arguing against a strawman that Conservancy never actually argued. See https://sfconservancy.org/news/2025/dec/24/vizio-msa-irrelev... for details.
> Which brings us to the question: what is this guy going to do with (presumably) the kernel source?
https://openaps.org/
Yes, of course. It is abhorrent that people have devices implanted into their bodies and are in any way prevented from obtaining every last detail about how those devices operate.
> Separately, do you think it's remotely a good idea?
In rare circumstances, yes. See, by way of example, Karen Sandler's talk on her implanted pacemaker and its bugs, for specific details on why one might want to do so.
Where your interpretation means someone else needs to follow your whim for their own problem, despite the legalese stating otherwise.
I think that is an absurd position and I am sorry to feel the need to have to be blunt about it.
That happens every Tuesday, hardly newsworthy.
As the original Reddit comment explains, Insulet is an American company.
I think this sentence is very sad. Not only this is a hard accusation, it is also the primary argument of the anti right to repair movement. An argument that I think is extremely bogus and ill intentioned, and I particularly (like Mr. Rossman) viscerally dislike.
Maybe the primary motivation is a) curiosity, and b) just for kicks to know if they honor the license.
That’s about as ridiculous as buying a plane and knowing you’re entitled to the gpl sources used.
It's not like the OEM software also won't kill you: https://sfconservancy.org/blog/2025/dec/23/seven-abbott-free...
It doesn't bring us to the question, but the answer to the question is: run a diff between the software that has this guy's life in its hands and the version it was derived from, to see if they inserted back doors, stray pointers, etc.
In all likelihood, you would not receive the source code in the U.S., though. If dead set against release, the outcome would likely be that the offender would be fined and enjoined from any further distribution.
I mean, the absolutely simplest, and cheapest, way for companies to comply with the GPL is to ship the source code together with the software. Stick it in a zip file in a directory somewhere. The company can then forget the whole thing and not worry about anyone contacting them and ranting about source code and the GPL. But nobody does that.
The other simple way for companies to comply with the GPL is for companies to provide a link to download the source code at the same place that users download the program itself. If the user did not download the source code when they had the chance, that’s the user’s problem. This will also let the company ignore any GPL worries. Nobody does this, either.
(The GPL provides a third way for individuals and non-profits, which is not relevant here.)
What's the consideration in the written offer? Promises aren't enforceable in court. For a contract to be enforceable, it has to be an exchange of something, not a one sided offer.
https://www.law.cornell.edu/wex/consideration
It should be noted that this is just one of three options that someone who wants to distribute binaries of GPL code can choose from. It's the most commonly chosen one, and one is only available for noncommercial distribution, so the odds are good that this is the option they are using.
The other available option is to accompany the binary with the source code.
That one leads to an interesting possibility where someone could end up with a binary and there is no one obligated to provide source to them. As far as I know this has not actually arisen, but it seems like something that is bound to happen sometime.
Suppose company X decides to make a generic hardware platform that other companies can buy to build their products on. X's platform is basically a small single board computer with WiFi, Bluetooth, dual USB ports, a couple Ethernet ports, and some GPIO ports. X ports Linux to their hardware.
When X ships a system it comes with an SD card with a Linux distribution installed including their custom kernel. It is configured to boot from the first SD card slot, and then to run a custom login system that looks at the second SD card slot and if there is a card in there it mounts it, looks for an executable in its root named application.exe, and runs that as root. X includes in the box a small thumb drive with a copy of the source code for everything on the SD card.
The idea is that a company Y that wants to make something like a WiFi access point or an air quality monitor can buy these boards from X, put them in a case with whatever peripherals or sensors they need like air quality sensors, write the software for the application, put it on an SD card, and put that in the second SD card slot.
So let's say Y buys 1000 of these systems from X, builds 1000 of their access points or whatever from them, and sells them.
One of their customers asks Y for the source code of the GPL parts. Does Y have to provide it?
I'd say they do not. They are not making copies or derivative works. They are just receiving physical copies from X and passing those on unmodified to their customers. This should fall squarely under the First Sale Doctrine in US copyright law, and similar rules in other jurisdictions.
How about if they ask X for a copy?
X has made copies and derivative works and distributed them. But X satisfied their GPL requirements by including a thumb drive with the source with each board they shipped to Y.
The communication between your phone/pump or glucose sensor/pump is encrypted now for all newer devices.
> Diabetic companies like Insulet have been very lax when it’s come to the hacking of their devices
Absolutely not true, not any more.
May I ask where did you get this info? And what “newer” means here?
I'm a medical device developer working on this exact problem (glucose control)
In my experience, this is quite common when the development of hardware is viewed as a cost center and is outsourced to various providers and teams. Those providers and teams churn a lot and nobody who worked on that is likely still involved with the company via contracts or direct employment.
Front line support people aren’t equipped to respond to these requests. If you’re lucky they’ll get bounced around internally while project managers play hot potato with the e-mail until it gets forgotten. You might get lucky if you go the corporate legal route, but more likely is that the lawyers will do the math on the likelihood of you causing them actual legal trouble for anything and decide it’s best to ignore it.
Well, if your non-GPL code directly linked to, or closely interoperated with, any GPL code, those users would have been right.
If you want to argue that the FSF’s lawyers are wrong, please provide more detailed, and hopefully referenced, arguments (as opposed to plain assertions).
You have to construct your own view based on existing statute and vaguely related cases.
Google LLC v. Oracle America, Inc., 593 U.S. 1 (2021) is not a pro-FSF opinion.
Whether linking (dynamic or not) is a derivative work is defined by things like incorporation, similarity, and creative expression.
I think the FSF view is unreasonably confident in its public opinions where the current law is that each potential infraction is going to be decided on a case by case basis. Read 17 USC 101 for yourself and square that with FSF/Stallman opinions.
There's too much nuance to have a stance about what happens when you link a program. "It depends" is the only thing you can say.
does not apply to the linking of GPLed code. Google copied just the application programming interfaces and then supplied their own code that they wrote themselves.
If you link to a GPL library you are including their copyrighted code, even if the API that GNU uses did not originate with them but came from POSIX or similar.
98 more comments available on Hacker News