By ByteBot
After 20 years without a Mac version, Notepad++ appeared on macOS in April 2026—but it wasn’t official. Developer Andrey Letov released “Notepad++ for Mac” using the GPL-licensed code, the Notepad++ trademark, and even creator Don Ho’s name and biography to appear legitimate. On May 1, Ho published a scathing response calling it unauthorized, misleading, and trademark infringement. The conflict, now trending on Hacker News with 221 points and 90 comments, exposes a common misconception: GPL licensing grants code rights, not trademark rights.
GPL License Doesn’t Grant Trademark Rights
While the GPL allows anyone to modify and distribute Notepad++ code, it explicitly does not grant permission to use the “Notepad++” trademark. German courts have confirmed this distinction: licensing software under GPL does not grant a trademark license. Code rights and brand rights are completely separate legal domains.
The precedent is clear. When Debian wanted to distribute modified Firefox builds in 2006, Mozilla refused trademark permission. Debian’s solution? They rebranded to “Iceweasel” for a decade until reaching an agreement in 2016. The GPL FAQ states this explicitly—you can decline to grant trademark rights even when code is freely licensed.
Don Ho encouraged Mac ports but requested different branding. Letov ignored this. The result isn’t just a legal technicality—it’s a trust violation that confuses users about what’s official and what isn’t.
False Attribution and Deceptive Practices
Letov didn’t just use the trademark. He included Don Ho’s name and biography on the author page to suggest Ho was involved with the project. This false endorsement misled users and tech media into believing the port was official. Ho stated bluntly: “This site has absolutely nothing to do with Notepad++. It’s not authorized, not endorsed, and not affiliated.”
MacRumors and other outlets promoted it without basic verification—a single email to Don Ho would have caught this. Users who installed the software based on media coverage now face uncertainty. As one Hacker News commenter put it: “I installed it after seeing it here on HN and on MacRumors. Terrible failure on my part.”
Ho’s core concern isn’t just legal—it’s practical. He can’t verify the code lacks malware or backdoors. He had no time to review modifications. Users installing “Notepad++” expect software vetted by the original creator. False attribution destroys that trust.
Letov removed Ho’s name from the author page only after public pressure on May 1. The damage was already done. This wasn’t an innocent mistake—it was deliberate deception to gain legitimacy through someone else’s reputation.
XZ Utils Déjà Vu: Supply Chain Security Concerns
The Hacker News community immediately drew parallels to the XZ Utils backdoor discovered in March 2024. Attacker Jia Tan spent two years building trust before inserting malicious code into a compression library used across Linux distributions. A Microsoft engineer caught it accidentally during routine benchmarking—pure luck prevented a catastrophic supply-chain attack.
Letov’s profile raises similar red flags. Minimal prior open-source history. An allegedly AI-generated profile picture. No commit history before this project. Yet his LinkedIn claims fintech experience at major banks including Moody’s, BNY, and American Express. As one HN commenter noted: “I’ve shipped fintech and risk products at Moody’s, BNY, AxiomSL, Amex and many more. No inexperience here. It is malice.”
The project allegedly used “vibe-coding”—AI-assisted rapid development. Fast development doesn’t mean trustworthy code. Multiple commenters warned they wouldn’t install it: “Would not trust this…I would not be surprised if there’s some sort of back door.”
Open source doesn’t mean blind trust anymore. The XZ Utils attack showed that sophisticated attackers blend in. Trademark enforcement becomes a critical trust signal: this software is verified by the original maintainer.
How to Properly Fork GPL Software
Letov’s mistake was launching with the original name instead of rebranding from day one. Proper forking is straightforward: use GPL code legally, create a new name and logo, credit the original with “Based on Notepad++ by Don Ho,” and never impersonate or falsely attribute work.
Examples exist everywhere. CentOS is a legitimate rebrand of RHEL. Debian’s Iceweasel properly forked Firefox. These projects built their own identities while respecting trademark boundaries.
Letov promised rebranding in version 1.0.6—but only after getting caught. Why not start with a different name? HN users were blunt: “Shutting down the website and pulling the app offline should have taken minutes.” The delay between public pressure and action suggests damage control, not good faith.
The lesson for developers is simple. If you’re modifying GPL software for a different platform or use case, rebrand immediately. Don’t ride on someone else’s reputation. Build your own. The promise to rebrand “eventually” after launching with the original name isn’t ethical—it’s a calculated bet that you won’t get caught.
Key Takeaways
- GPL grants code rights, not brand rights—trademark law is separate from copyright. Rebrand forks immediately to avoid legal and ethical violations.
- False attribution isn’t just a legal technicality; it’s deception that puts users at risk by implying software is vetted by the original creator when it isn’t.
- Verify software sources even when covered by tech media. MacRumors and others promoted this without checking with Don Ho—media coverage isn’t endorsement.
- Trademark enforcement protects user trust in open source. After XZ Utils, the community is rightly cautious about unverified forks from unknown developers.
- If you’re forking GPL software, do it right: new name, new logo, clear attribution, no impersonation. Promising to rebrand after launch is damage control, not good faith.
