I’m actually considering reaching out directly to the CEO and telling the full story. But honestly? There’s a good chance he’s fully aware — and totally fine with it. That’s part of what makes it so disappointing.
We’re not rushing into legal action — it’s not worth the energy for now — but publicly calling out the behavior felt necessary. It also sends a message to others in the ecosystem about the kind of nonsense OSS maintainers sometimes face.
And yes, while I’m still holding off on naming the company directly… I haven’t ruled it out.
I very much doubt the CEO is aware. It is much more likely that some person is doing this because that is what they have always done; they are coasting. Alternatively, it is some poor sap that is in over their head and just following some instructions the original jerk put together to keep things running.
The CEO will prob hand you off to some director who is going to be annoyed that they were made out to look foolish and that they now have a task that the CEO is going to want regular status updates on.
If you don't do anything legally threatening, then you make it that much harder for every single OSS vendor to make money, because the precedent is getting established that there is no penalty for breaking the rules.
When I was a teenager I would do super cut-rate work on computers for people, and my father did helpfully point out that undercharging for valuable work just makes it harder for people whose day job is to do the same work, because then they have to compete with a naive teenager. You're the kind hearted OSS / freemium vendor in this case. Threatening legal action costs nothing. Punishment is meant as a deterrent for antisocial behavior. Failing to even threaten them will result in less money going to people who deliver a public good.
> Threatening legal action costs nothing.
Not really. If you want it to have teeth, then it should come under a lawyer's letterhead, and that usually costs something (probably not much, for one letter).
> Threatening legal action costs nothing
It costs your reputation as a vendor which is permanent.
You don't threaten legal action against companies before calmly advising them of the situation.
> It costs your reputation as a vendor which is permanent.
You say that as if that is some bad thing. As a vendor you want to have a reputation for asking what you are fairly owed. The other option is to have a reputation for being a wet tissue anyone can walk through.
> You don't threaten legal action against companies before calmly advising them of the situation.
These are not incompatible with each other. Of course you calmly advise the company of the situation. 100%. You tell them that their 15 day trial period lapsed at <date> and that they continue using the <product> without proper license in place. You tell them where they can reach out to find the right licence for their needs. And you tell them that you intend to pursue them for damages if they remain out of compliance. All very calmly and professionally. Nobody is angry with anyone here. There is no bad blood. It is just a contracting oopsie!
> As a vendor you want to have a reputation for asking what you are fairly owed.
They've never asked the company.
Instead you want to jump straight to legal action which is insane.
> Instead you want to jump straight to legal action which is insane.
Read my comment again.
There's no obligation to publicly reveal the threat of a lawsuit to a party that is abusing your license. In fact, if you don't reveal the existence of the lawsuit, the only way then that you'd gain that reputation is if the threatened party then publishes their threat, which they won't do if they straight up know that they're in the wrong, because then that damages their reputation. Why would a big company publish a blog about a small company suing them for blatantly violating their software license? They want that crap to go away. Get the money. Shaming a company doesn't make anyone any money unless they decide to voluntarily comply, which is what is being asked here. They're being asked to voluntarily do the right thing. If they were likely to voluntarily do the right thing, they would've done that first.
> publicly calling out the behavior
> I’m still holding off on naming the company directly
Does not compute. Why not name them?
> Does not compute. Why not name them?
Legal risk. If the company decides to be a litigious prick about being named & shamed they might not win, but before losing they'll cost the product owner a pile of time and, at least temporarily, money.
Stating the errant company's industry and size gives us plenty of information to make an educated guess, without actually stating the name. I suspect that this action blocks any useful future relationship as much as direct naming would, so that risk has been taken, but I also assume that no such beneficial relationship was likely to happen anyway so doing this is worth it to get the publicity, both through the story and perhaps a little cheeky marketing down the road (“as used extensively by the famous company we won't name, but you can guess”).
One thing I would definitely do at this point, now the company knows they have been detected, is to try¹ to make sure all support for that company is on the lowest priority possible. Absolute minimum response time 24 hours. 24 working hours, especially if the issue seems urgent to them. No responses beyond automated ones outside of normal business hours. Never try to guess: any missing information in a support query gets queried and the subsequent clarifying responses are subject to the same 24+ working hour latency. If anyone tries the “we are a big company, you should prioritise this” thing, respond with “With an email address like that? Yeah, nah.” or more directly “We know, a big company who knows it is massively in breach of our licence, and yet we are still generously responding to you at all.”.
------
[1] They may of course have/find crafty ways to get around this too, but if they are determined to avoid doing the right thing at least make them work to avoid doing the right thing!
Sounds a lot like it is BlackSky NYSE: BKSY
https://www.businesswire.com/news/home/20250508909866/en/Bla...
Because as long as they don't name them, there's still a chance they'll pay up or self-host. As soon as they do name them, any chance of a meaningful business relationship will disappear.
Did you read how much work these people put into not paying? I think that ship has sailed long ago.
Because this is almost always just the fault of some low level engineer trying to save some time rather than some systemic issue at the heart of the company.
The company will just apologise and the CEO will make sure to tell everyone they know never to deal with this vendor ever again. IT is a very small world and reputations last a long time.
By declaring, but not acting yet, the OP gives the company an out, and allows a potential payday to come. After all, everybody is after money. Any action which seems strange or wild, when considered from the POV of making money, would start to make sense.
Because they could sue you. Even if the suit is baseless it’ll cost a lot to defend, and you might accidentally give them some basis in the process.
This doesn’t make sense as a risk… can’t anyone in the US already sue anyone else whenever?
Yes but the company in question has no motive to sue. They aren't named and any lawsuit would be completely fraught and easily dismissed. On top of that, they would be revealing themselves by suing. It gets more complicated if they are named and now have an actual reason.
Lawsuits aren’t fun.
Aren't they? I sued a huge multinational company years ago, as an individual. People predicted the apocalypse. I won. It was lots of fun.
(It was in France so the lawyers' fees weren't what they are in the US. But the way people advised me not to sue, was very similar.)
> We’re not rushing into legal action — it’s not worth the energy for now — but publicly calling out the behavior felt necessary.
Wth. Why go public instead of just... emailing them, and asking for payment?
They did reach out.
So we reached out.
They vaguely apologized and claimed they’d switch to using the source version instead.
Which — fine. Not ideal, but technically within the rules. What stung more was their complete disinterest in any kind of professional support — even when we simply brought up the idea of a volume discount (!). They shut it down immediately. Apparently, sending satellites into orbit is easier than entertaining the thought of paying for open source support.
And did they actually switch to the source?
Of course not.
They just kept going — now using personal Outlook addresses and incrementing the email handles like they were running a script.
> There’s a good chance he’s fully aware — and totally fine with it
Why would you think that a CEO would involve himself in matters like this?
Especially given that whichever aerospace company it is would be far more concerned with issues like tariffs, geopolitics, recession risks etc than whether or not a company is using an open source versus a community edition of some forgettable infrastructure component.
Also choosing to pursue legal action instead of simply blocking them from downloading more free trials seems childish and short sighted.
"forgettable infrastructure component": this is what runs their entire IT. We build both the hypervisor and the backup/orchestration for it. Our stack could kill their entire operations if it's down because $whatever. 4000 virtual machines running isn't just the print server or the coffee machine.
> 4000 virtual machines
At that point I would have created some scripts to randomly reboot or fuck with their VMs. How long will you accept this? They won't pay ever.
No, they run their entire IT. Not you.
They can easily move to the hundreds of alternative platforms which do exactly the same thing.
I'm not sure you are aware of the cost of migrating from one virtualization platform to another, especially when you have 4000 VMs. I can tell you it's not exactly easy, and that's even our business now (migrating from VMware to our stack).
It's not like changing a light bulb.
Huh? Blocking them seems much more "actual fight" and disruptive than going for legal action. Legal action was invented to settle disputes without resorting to raw power.
First, congrats on having a successful company and doing what you love (and employing others - a great feeling to know you are helping technical folks live their dream).
Second, some thoughts.
A. State in your policy that multiple trials are possible but may incur a rest period between activations for a “given company.” Even 5 days should be reasonable for honest folks but cause a pain point for dishonest ones.
B. If you can add a license activation feature to your software, collect metrics when you present the license activation screen, and “bake in” the telemetry to your trial license key request. Things like CPU ID, hard drive serial numbers, TPM quotes, asset tag serial number. Use that telemetry to determine “given company.” The abusers are likely installing this on the same system over and over.
C. Independent of the activation idea, if the trial hard-stops after 30 days, maybe you could delay the approval process on all new trials by X days (X randomly chosen from range 0..5, and all trial requests independent of requestor) and then activate the product for 30-X days. Assuming the dishonests have integrated the VM into their production systems, this will cause an unpredictable unavailability and trigger a pain point somewhere. At worst, it will cause them to step up their request efforts.
As others probably are saying, this might be one for the lawyers.
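Suggestions A to C above, combined into one trial gate, as an added example that is not part of the thread or of the vendor's product. The field names (`cpu_id`, `disk_serial`, `asset_tag`), the `TrialGate` class and all sample values are hypothetical.

```python
import hashlib
import random
from datetime import date, timedelta

REST_DAYS = 5    # suggestion A: rest period between trials for a "given company"
TRIAL_DAYS = 30  # suggestion C: the trial hard-stops 30 days after the request
MAX_DELAY = 5    # suggestion C: approval delay X is drawn from 0..5

def fingerprint(telemetry):
    """Suggestion B: reduce activation telemetry to one stable identifier.
    Field names are hypothetical; values are normalised so that casing or
    stray whitespace does not produce a new identity."""
    fields = ("cpu_id", "disk_serial", "asset_tag")
    canon = "|".join(f"{k}={str(telemetry.get(k, '')).strip().lower()}" for k in fields)
    return hashlib.sha256(canon.encode()).hexdigest()

class TrialGate:
    def __init__(self, rng=None):
        self.rng = rng or random.Random()
        self.trial_end = {}  # fingerprint -> date the most recent trial ends

    def request(self, telemetry, email, today):
        """Return (decision, start, end). The e-mail address is accepted but
        never used as identity, so rotating mailboxes changes nothing."""
        fp = fingerprint(telemetry)
        last_end = self.trial_end.get(fp)
        if last_end is not None:
            next_ok = last_end + timedelta(days=REST_DAYS)
            if today < next_ok:
                return ("rest_period", next_ok, None)  # start = earliest retry date
        delay = self.rng.randint(0, MAX_DELAY)       # X, applied to every requester
        start = today + timedelta(days=delay)
        end = today + timedelta(days=TRIAL_DAYS)     # active for 30 - X days
        self.trial_end[fp] = end
        return ("approved", start, end)

def demo():
    # Constructed sample: one host requesting three times under different mailboxes.
    host = {"cpu_id": "BFEBFBFF000906EA", "disk_serial": "S4EWNX0M", "asset_tag": "LAB-0042"}
    same = {k: f" {v.lower()} " for k, v in host.items()}
    gate = TrialGate(random.Random(7))
    first = gate.request(host, "ops1@mail.example", date(2025, 1, 1))
    second = gate.request(same, "ops2@mail.example", date(2025, 2, 1))
    third = gate.request(same, "ops3@mail.example", date(2025, 2, 5))
    return first, second, third
```

Requests with no telemetry at all hash to one shared fingerprint, so a real deployment would reject them instead of fingerprinting them.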
I believe all options you suggest are more than OK, but. Why don't you limit the trial with some capacity limits? Say, 1000 vms for installation. Of course, you'll need to have two artifacts: one for paying customers, and a second one to non-paying ones.
Sad to hear this and I hope (some semblance of) justice will be served, but just to play the devil’s advocate: if you refuse to name them, how can we know you’re telling the truth and not just pulling a publicity stunt?
It sounds like you’re navigating a really difficult and emotionally draining situation—and I respect the restraint and clarity in how you’re approaching it.
One option is to talk to their customers. The customers almost certainly don't know, and might be interested to know that their launch provider is possibly going to have some serious issues.
It's Astra, isn't it? I had an internship there and it was pretty toxic. I could totally see them pulling this shit.
Just straight to court
"it’s not worth the energy for now"
Not sure what the amount is, but Small Claims is pretty straightforward and energy efficient? You can get like 10K depending on jurisdiction. The whole trial is like 1 hour.
We operate globally, and this company isn’t even on our continent. On top of that, it’s a semi state-operated entity — so you can probably imagine where any legal effort would end up: somewhere between bureaucratic limbo and /dev/null.
Ah I didn't consider that. International case certainly is going to be more complex.
That said, I think that small cases are still worth pursuing on a matter of principle and strategy.
It's better to practice pursuing payment from international clients when it's small amounts you don't care about, so that you are prepared if you have an issue with a huge client and bankruptcy is on the line.