Vertical Medical
Jan 25, 2018 GitHub DMCA

On Jan 25, 2018, the Odoo Community Association's Vertical Medical repository received a DMCA notice for violation of licensing terms. All forks of the repository also received this notification, which are likely all shut down at the time of this writing (unless you have taken actions yourself).

We would like to take this time to clarify what happened historically to bring us to this point, what actions were taken in response, and what you must do if you are using the previous versions of the code.

GNU Health

GNU Health was initially released on October 12, 2008 and was originally authored by Luis Falcón. According to its Wikipedia article, it is a free Health and Hospital Information System that provides the following functionality:

    Electronic Medical Record (EMR)
    Hospital Information System (HIS)
    Laboratory Information System
    Health Information System

It is designed to be multi-platform, so it can be installed in different operating systems (eg Linux, FreeBSD, MS Windows) and different database management systems (PostgreSQL). It's written in Python and uses the Tryton framework as one of its components.

OEMedical Origins

OEMedical started before the OCA began, with the first merge taking place on Nov 27, 2012 under an AGPLv3 license with a 2004 copyright by Tech Receptives. Special credit and thanks were provided to Thymbra Latinoamericana S.A. for an unspecified reason.

40 additional direct commits were made that day, completing the architecture of OEMedical under a 2004 Tech Receptives copyright and an AGPLv3 license.

Over the next few years, a good amount of organic growth took place in the repository by numerous contributors. Bugs were fixed, features were added, code was cleaned up, new modules were created.

Vertical Medical

In mid 2014, it was decided that OEMedical would become Vertical-Medical using an Odoo technical name "medical". It was at this point that the project was transferred to OCA ownership and moved from Launchpad to GitHub. For the most part, the repository was stagnant for the next year.

Between mid 2015 and the present day, we saw a significant influx of contributions and all modules were being rewritten. History and attribution on these modules remained intact for the obvious ethical reasons, and the architecture was kept fairly similar in order to allow for easier migrations.

On February 17, 2017, Vertical-Medical was relicensed to LGPLv3 at the request of the PSC Lead, Dave Lasley. All known license holders were contacted and gave explicit approval for this change.

License Allegations

The Odoo Community Association first received word that Vertical Medical allegedly violates the license of Luis Falcón via a Twitter message. Dave Lasley, OCA Board Member and PSC Lead of Vertical Medical, responded the same day and immediately created a GitHub issue for resolution.

The investigation was purely proactive at the time, and the copyright owners were invited to work with the OCA to resolve the allegations numerous times. To this date, Odoo Community Association has not received a communication from the author or their authorized representatives in any manner other than Twitter.

The investigation confirmed that the original work submitted to us was a derivative of GNU Health, but it was inconclusive on whether the version 9 and 10 project still represented a modified or derivative work due to the rewrites. 

Without any word from the copyright holders on what actions they wanted for the code that was determined license violation, Dave removed the associated branches and deleted the remaining old code from the newer branches. The issue seemed squashed at that time, particularly given that the copyright holder did not notify us of continued violation within the 60 days dictated by GPLv3's Termination Clause.

GitHub DMCA and Our Response

 

On January 25, 2018, the Odoo Community Association received a DMCA notice on the Vertical Medical from GitHub. This served as our first and only official notification of an alleged violation, and we took swift action.

The Odoo Community Association is absolutely committed to respecting the rights of code owners, and the licenses that they set forth for that code. Within hours of receiving an official communication, the OCA board had started an internal dialog via instant message in order to determine our actions. Minutes after that, we again reached out to the copyright holders and have not received any response.

Although no trace of relationship was found between the code at the current date and the original code from 2012, one can see through the commit history of the project that the current status is an end result of a complex evolutionary process. The OCA board thus determined that the original license (GPLv3) should be respected, with attribution added to point back to the GNU Health project.

After the proper changes were made, the OCA board responded to GitHub to advise that the repository was now in compliance. We have not received any response, but for all intents and purposes, this is resolved.

Revocation of ECLA

During our investigation, we uncovered deliberate copyright alteration and removal of attribution by Tech Receptives Solutions Pvt. Ltd. We contacted Tech Receptives for clarification on intent, but have not received any response from them either.

Taking into account the absence of a defense and the recent court injunction by Odoo SA against Tech Receptives for the same type of violations, the Odoo Community Association Board has determined that this company has exhibited a significant and consistent disregard for licensing and copyright.

We feel that these violations are likely to continue, so we have revoked the Tech Receptives ECLA effective immediately. Code that was submitted under their ECLA will still be maintained and upgraded, but no new submissions will be accepted.

What Now?

If you are running a version of Vertical Medical from prior to January 25, 2018, you must update your code to the most recent version immediately. Not doing so can open you or your customers to lawsuit due to the licensing and attribution issues described above.

Additionally if you have created a module that depends on a Vertical Medical module, you must make sure that your module is licensed and distributed properly. Licenses that are compatible with Vertical Medical are:

  • GPLv3 (or later)

  • AGPLv3 (or later)

Going Forward

In parallel, a new project has also arisen from different OCA contributors that intends to implement the HL7 FHIR health standard in Odoo v11. This work was started on an experimental branch (11.0-dev) in the vertical-medical repository, but has been removed from the project due to the colliding ambitions.

As creators ourselves, the Odoo Community Association Board's goal is to ensure that licensing and attribution are in compliance for all of our modules. To help us with this task are the Leaders and Representatives of each PSC. With the sheer amount of code out there, it is possible that something can slip through the cracks such as it did here. We encourage any license or copyright holder that feels their rights are being infringed upon due to content contained within one of our repositories contact us immediately at legal@odoo-community.org so that we can work towards an amicable resolution without the need to involve legal processes.
Vertical Medical
LasLabs, Dave Lasley 6 February, 2018
Share this post
Archive
Sign in to leave a comment
A word from the president