Integrate this text and rewrite to make it work.

Also creates some label for references back.
This commit is contained in:
Bradley M. Kuhn 2014-11-11 11:40:38 -05:00
parent 8c1bf649d7
commit 82831c9b81
3 changed files with 51 additions and 45 deletions


@ -947,61 +947,65 @@ revision system, telling your developers to use it, and requiring your
build guru to document his or her work! build guru to document his or her work!
% FIXME-URGENT: integrate, possibly create: \section{Non-Technical Compliance Issues}
% \section{Non-Technical Compliance Issues}
Compliance with GPLv2 \S7 is therefore a matter of legal review rather than Certainly, the overwhelming majority of compliance issues are, in fact,
technical or engineering practice. either procedural or technical. Thus, the primary material in this chapter
so far has covered those issues. However, a few compliance issues do require
more direct consideration of a legal situation. This portion guide does not
consider those in detail, as a careful reading of the earlier chapters of
Part~\ref{gpl-lgpl-part} shows various places where legal considerations are
necessary for considering compliance activity.
%FIXME-URGENT: integrate For example, specific compliance issues related to
% Possibly call this: \section{Self-Assessment of Compliance} \hyperref[GPLv2s7]{GPLv2\S7}, \hyperref[GPLv3s7]{GPLv3\S7}, and
\hyperref[GPLv3s7]{GPLv3\S11} demand a more traditional approach to legal
license compliance. Of course, such analysis and consideration can be
complicated, and some are considered in the enforcement case studies that
follow in the next part. However, compliance issues related to such sections
are not rare, and, as is typical, no specific training is available for
dealing with extremely rare occurrences.
\section{FIXME} \section{Self-Assessment of Compliance}
%FIXME-URGENT: integrate Most companies that adopt copylefted software believe they have complied.
Humans usually have difficult admitting their own mistakes, particularly
systematic ones. Therefore, perhaps the most important necessary step to
stay in compliance is a company's regular evaluation of their own compliance.
Measure your compliance from the position of the user downstream from you First, exercise a request CCS for all copylefted works from all your upstream
trying to exercise rights conveyed by the licenses. Has the user received providers of software and of components embedding software. Then, perform
notice of the copylefted software intentionally included in your product? Is your own CCS check on this material first, and verify that it meets the
complete, corresponding source code and applicable installation information requirements. This tutorial presents later a case study of a CEGEO's CCS
available to the user easily, preferably by automated means? Tools that check in \S~\ref{pristine-example}, which you can emulate when examining
measure what you deliver are more valuable than tools that only measure what their own CCS\@.
you build.
Always exercise your own right to request complete and corresponding source Second, measure all copyleft compliance from the position of the
code for all copylefted works from all your providers of software and of users\footnote{Realizing of course that user very well may not be your own
components embedding software, preferably in an automated process directly customer.} downstream from you exercising their rights under GPL\@. Have
feeding your overall software governance system. Where possible, reject as those users received notice of the copylefted software included in your
non-conforming components provided to you containing copylefted software for product? Is CCS available to the users easily (preferably by automated
which complete and corresponding source code is not furnished in response to means)? Ask yourself these questions frequently. If you cannot answer these
your request or which is not accompanied by a ``stackmark'' for automated questions with certainty in the positive, dig deeper and modify your process.
provisioning of source code. If you rely on an upstream provider for your
software you cannot ignore your GPL compliance requirements simply because
someone else packaged the software that you distribute.
%FIXME-URGENT: integrate Avoid ``compliance industry'' marketing distractions and concentrate on the
% Possibly call this: \section{Third-Party Compliance Assessors} copylefted software you already know is in your product. Historically, the
risk from a copylefted code snippet that some programmer dropped in your
\section{FIXME}
Concentrate on the copylefted software you know you are using. Historically,
the risk from a copylefted code snippet that some programmer dropped in your
proprietary product careless of the consequences is a problem far more proprietary product careless of the consequences is a problem far more
infrequent and less difficult to resolve. Efficient management of the risks infrequent and less difficult to resolve. Efficient management of the risks
of higher concern lies in making sure you can provide, for example, precisely of higher concern lies in making sure you can provide, for example, precisely
corresponding source code and makefiles for a copy of the Coreboot CCS for a copy of Coreboot, the kernel named Linux, Busybox, or GNU tar that
bootloader, Linux kernel, Busybox, or GNU tar that you included in a product you included in a product your company shipped two years ago than in the risk
you shipped two years ago. of 10 lines of GPL'd Java code an engineer accidentally pasted into the
source of your ERP system.
Dont rely blindly on code scanners as they work too late in the process to Thus, reject the ``compliance industry'' suggestions that code scanners find
improve your governance and too early in the process to catch problems in and help solve fundamental compliance problems. Consider how CEGEO's tend to
your delivery and post-sale provisioning. They do less important parts of the use code scanners. FOSSology is indeed an important part of a violation
job expensively, and more important parts of the job not at all. Use them, investigation, but such is the last step and catches only some (usually
where they are cost-effective, as a supplement to your own governance and minor) licensing notice problems. Thus, code scanners can help solve minor
verification processes, not as a primary tool of risk management. compliance problems once you have resolved the major ones. Code scanners
do not manage risk.
%FIXME-URGENT: END
\chapter{When The Letter Comes} \chapter{When The Letter Comes}
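Review bot: the third cross-reference in the new legal-considerations paragraph, \hyperref[GPLv3s7]{GPLv3\S11}, reuses the GPLv3s7 label while its link text names GPLv3 §11, so the link will land on the §7 discussion; it should point at the label for the §11 section (whichever name that label has in the GPLv3 chapter). The same paragraph also contradicts itself: it says compliance issues related to these sections "are not rare" and then that no training exists for "extremely rare occurrences"; one of the two is presumably meant to read "rare". Smaller wording fixes in the added text: "This portion guide" should be "This portion of the guide", "have difficult admitting" should be "have difficulty admitting", "exercise a request CCS" should be "exercise a request for CCS", "when examining their own CCS" should be "your own CCS" since the sentence addresses the reader, and "CEGEO's tend to" wants the plural "CEGEOs". Finally, the \section{Non-Technical Compliance Issues} heading is still commented out, so the paragraph on legal review now sits under the preceding section with no heading of its own.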


@ -241,6 +241,7 @@ compliance work.
% FIXME: make this section properly TeX-formatted % FIXME: make this section properly TeX-formatted
\chapter{ThinkPenguin Wireless Router: Excellent CCS} \chapter{ThinkPenguin Wireless Router: Excellent CCS}
\label{pristine-example}
Too often, case studies examine failure and mistakes. Indeed, most of the Too often, case studies examine failure and mistakes. Indeed, most of the
chapters that follow herein will consider the myriad difficulties discovered chapters that follow herein will consider the myriad difficulties discovered
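Review bot: \label{pristine-example} is placed directly after the \chapter line, so \ref resolves to the chapter number as intended; the new reference to it in the compliance chapter, however, is written \S~\ref{pristine-example}, which will typeset a section sign in front of a chapter number, so that reference should read Chapter~\ref{pristine-example}. The "% FIXME: make this section properly TeX-formatted" comment above the chapter is untouched by this commit and still applies.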


@ -26,6 +26,7 @@
\newcommand{\defn}[1]{\emph{#1}} \newcommand{\defn}[1]{\emph{#1}}
\part{Detailed Analysis of the GNU GPL and Related Licenses} \part{Detailed Analysis of the GNU GPL and Related Licenses}
\label{gpl-lgpl-part}
{\parindent 0in {\parindent 0in
\tutorialpartsplit{``Detailed Analysis of the GNU GPL and Related Licenses''}{This part} is: \\ \tutorialpartsplit{``Detailed Analysis of the GNU GPL and Related Licenses''}{This part} is: \\