Rework two compliance guide sections in Background

Some of the text pasted in earlier commits was certainly useful, but
needed a complete rework.

Also, the text pasted was far too terse, and more detail was needed.

Therefore, I've moved text around and built a more comprehensive
Background section.  I've moved the burgeoning "Understanding Who's
Enforcing" section into the Background chapter and made it complete.

Probably the most bizarre (?) change I've made here is coining this
acronym COGEO.  This is non-optimal for sure, and I've added a FIXME to
seek a better term.
Bradley M. Kuhn 2014-11-10 18:56:14 -05:00
parent 2ce793aa05
commit 851be52e62
3 changed files with 184 additions and 142 deletions


@ -115,116 +115,147 @@ commercial distributors, redistributors, and resellers on how to avoid
violations in the first place, and to respond adequately and appropriately
when a violation occurs.
%FIXME-URGENT: integrate (into its own chapter)
\chapter{FIXME-URGENT}
\section{Who Has Compliance Obligations?}
Distributors of licensed works—whether they are distributing modified or
unmodified versions of the works, whether they have embedded executable
copies of licensed works in a device, or are selling or otherwise
transferring only a digital copy—have obligations to at least the users to
whom they or intermediary parties distributed those copies. Whether those
obligations run also to third parties not directly receiving their
distribution of the works depends on the precise license involved, and their
chosen mode of either distributing or offering to distribute source code. In
addition, they have obligations to upstream parties, to preserve reasonable
legal notices embedded in the code, and to mark modified versions
appropriately.
Both service providers and distributors have the obligation, in order to
protect users rights, to refrain from imposing any additional restrictions
on downstream parties. They must refrain from terms in ``umbrella licenses,''
EULAs, or sublicenses that restrict downstream users rights as described
above. Under the terms of LGPL, they must also refrain from license terms on
works based on the licensed work that prohibit replacement of the licensed
components of the larger non-LGPLd work, or prohibit decompilation or
reverse engineering in order to enhance or fix bugs in the LGPLd components.
Patent holders having claims reading on works they distribute have an
obligation to refrain from enforcing those claims against parties to whom
they distribute. Patent holders modifying and distributing works under the
version 3 family of licenses have an obligation to refrain from enforcing any
claims reading on the version they distributed, not only against that version
as distributed, but also against any subsequent version or work based thereon
that also practices those claims.
All parties have an obligation to refrain from acting as a provider of
services or distributor of licensed works if they have accepted, or had
imposed on them by judicial action, binding legal conditions that would
prevent them from meeting obligations to users as described. If a party is
under such conflicting obligations, it has a duty to refrain from playing the
role in which it is no longer free to meet its license obligations.
\section{FIXME: Understanding Risk}
we have observed that there is a significant mismatch between the assumptions
businesses make about compliance and the realities of what goes wrong, what
causes disputes, and how those disputes are resolved. Often, we have found
companies preparing at great expense to avoid unlikely risks that have low
historical incidence of occurrence and low cost of remediation, while leaving
unmanaged the risks that have historically resulted in all the litigation and
other adverse outcomes. In this section, we describe in broad terms the
activities that help businesses prepare to meet their compliance obligations
with minimal effort at minimal cost, dealing preventively with the compliance
risks they really face.
The mismatch between actual compliance risk and compliance risk management,
in our experience, results from a misunderstanding of licensor
intentions. Commercial parties often expect copyleft project communities to
approach compliance as a form of copyright monetization, or else as an
ideological effort to force proprietary software to be relicensed under
copyleft terms. Under the assumption that the intention of the licensors is
to take advantage of non-compliance to extract royalties, or to force the
businesss proprietary products to be distributed under copyleft, businesses
manage the risk that they will ``accidentally''—or as the result of
unsupervised activity by individual programmers—copy infringing ``snippets'' of
copylefted code into their own proprietary computer program. Risk management
involves the purchase of expensive proprietary ``code scanning'' services that
purport to detect such accidental inclusions. Effort is concentrated on how
proprietary computer programs are made, to prevent ``infection'' by free
software.
In fact, however, development communities that use copyleft regard compliance
failures as an opportunity to improve compliance. Every compliance failure
downstream from their project represents a loss of rights by their users. The
project, as copyright holder, is the guardian of its users rights. Their
activity is designed to restore those rights, and to protect the projects
contributors intentions in the making of their software. Projects goals in
seeking compliance are more often frustrated by the way software is delivered
to users than by the way combinations of proprietary and free software are
made. In particular,
All distributors of modified or unmodified versions of copylefted works
unmodified versions of the works have compliance obligations. Common methods
of modifying the works include innumerable common acts, such as:
\begin{itemize}
\item Users arent provided with required information about the presence of
copylefted programs and their applicable license terms in the product they
have purchased; or
\item embedding those works as executable copies
into a device,
\item Users cant reliably get complete and corresponding source code to
copylefted programs the distributor knew it was using and intended to use
pursuant to the license terms; or
\item transferring a digital copy of excutable copies to someone else,
\item posting a patch to the copylefted software to a public mailing list.
\item Users get no response when they communicate with published addresses
requesting fulfillment of businesses obligations.
\end{itemize}
Such distributors have obligations to (at least) the users to whom they (or
intermediary parties) distribute those copies. In some cases, distributors
have obligations to third parties not directly receiving their distribution
of the works (depending on the distributors chosen licensing options, as
described later in \S~\ref{binary-distribution-permission}). In addition,
distributors have compliance obligations to upstream parties, such as
preservation of reasonable legal notices embedded in the code, and
appropriate labeling of modified versions.
In these and similar situations, the projects goal is compliance with
obligations intentionally incurred by intentional use of copylefted programs,
through observance of fulfillment obligations to downstream users. Failures
of this type, which are uncaught by scanning programs or other similar
services, have resulted in all the litigation ever brought by copyleft
communities around the world.
Online service providers and distributors alike have other compliance
obligations. In general, they must refrain from imposing any additional
restrictions on downstream parties. Most typically, such compliance problems
arise from ``umbrella licenses:'' EULAs, or sublicenses that restrict
downstream users rights under copyleft. (See \S~\ref{GPLv2s6} and
\S~\ref{GPLv3s10}).
Inclusions of free software in commercial proprietary products do happen. In
our practice on behalf of copyleft-using development communities, we
encounter such problems not frequently, but regularly. To the best of our
knowledge, not one such instance has ever resulted in compliance litigation
by a community party. These issues are regularly settled in an amicable and
cooperative fashion.
Patent holders having claims reading on GPL'd works they distribute must
refrain from enforcing those claims against parties to whom they distribute.
Furthermore, patent holders holding copyrights on GPLv3'd works must further
grant an explicit patent license for any patent claims reading on the version
they distributed, and therefore cannot enforce those specific patent claims
against anyone making, using or selling a work based on their distributed
version. All parties must refrain from acting as a provider of services or
distributor of licensed works if they have accepted, or had imposed on them
by judicial action, any legal conditions that would prevent them from meeting
any obligation under GPL\@. (See \S~\ref{GPLv2s7}, \S~\ref{GPLv3s11} and
\S~\ref{GPLv3s12}.
%FIXME-URGENT: END
\section{What Are The Risks of Non-Compliance?}
Copyleft experts have for decades observed a significant mismatch between the
assumptions most businesses make about copyleft compliance and the realities.
Possibly due to excessive marketing of proprietary tools and services from
the for-profit compliance industry, businesses perennially focus on the wrong
concerns. This tutorial seeks to educate those businesses about what
actually goes wrong, what causes disputes, and how to resolve those disputes.
Many businesses currently invest undue resources to avoid unlikely risks that
have low historical incidence of occurrence and low cost of remediation,
while leaving unmanaged the risks that have historically resulted in all the
litigation and other adverse outcomes. For example, some ``compliance
industry''\footnote{``Compliance industry'' refers to third-party for-profit
companies that market proprietary software tools and/or consulting services
that purport to aid businesses with their Free Software license compliance
obligations, such as those found in GPL and other copyleft licenses. This
tutorial leaves the term in quotes throughout, primarily to communicate the
skepticism most of this tutorial's authors feel regarding the mere
existence of this industry. Not only do copyleft advocates object on
principle to proprietary software tools in general, and to their ironic use
specifically to comply with copyleft, but also to the ``compliance
industry'' vendors' marketing messaging, which some copyleft advocates
claim as a cause in the risk misassessments discussed herein. Bradley
M.~Kuhn, specifically, regularly uses the term ``compliance industrial
complex''
\href{http://en.wikipedia.org/wiki/Military-industrial_complex}{to
analogize the types of problems in this industry to those warned against
in the phrase of origin}.} vendors insist that great effort must be
expended to carefully list, in the menus or manuals of embedded electronics
products, copyright notices for every last copyright holder that contributed
to the Free Software included in the product. While nearly all Free Software
licenses, including copylefts like GPL, require preservation and display of
copyright notices, failure to meet this specific requirement is trivially
remedied. Therefore, businesses should spend just reasonable efforts to
properly display copyright notices, and note that failure to do so is simply
remedied: add the missing copyright notice!
\section{Understanding Who's Enforcing}
\label{compliance-understanding-whos-enforcing}
The mismatch between actual compliance risk and compliance risk management
typically results from a misunderstanding of licensor intentions. For-profit
businesses often err by assuming other actors have kindred motivations. The
primary enforcers of the GPL, however, have goals that for-profit businesses
will find strange and perhaps downright alien.
Specifically, community-oriented GPL enforcement organizations (called
``COGEOs'' throughout the remainder of this tutorial) are typically
non-profit charities (such as the FSF and Software Freedom Conservancy) who
declare, as part of their charitable mission, advancement of software freedom
for all users. In the USA, these COGEOs are all classified as charitable
under the IRS's 501(c)(3) designation, which is reserved for organizations
that have a mission to enhance the public good.
As such, these COGEOs enforce GPL primarily to pursue the policy goals and
motivations discussed throughout this tutorial: to spread software freedom
further. As such, COGEOs are unified in their primary goal to bring the
violator back into compliance as quickly as possible, and redress the damage
caused by the violation. COGEOs are steadfast in their position in a
violation negotiation: comply with the license and respect freedom.
Certainly, other entities do not share the full ethos of software freedom as
institutionalized by COGEOs, and those entities pursue GPL violations
differently. Oracle, a company that produces the GPL'd MySQL database, upon
discovering GPL violations typically negotiates a proprietary software
license separately for a fee. While this practice is not one a COGEO would
undertaking nor endorsing, a copyleft license technically permits this
behavior. To put a finer point on this practice already discussed
in~\S~\ref{Proprietary Relicensing}, copyleft advocates usually find copyleft
enforcement efforts focused on extract alternative proprietary licenses
distasteful at best, and a corrupt manipulation of copyleft at worst. Much
to the advocates' chagrin, such for-profit enforcement efforts seem to
increase rather than decrease.
Thus, unsurprisingly, for-profit adopters of GPL'd software often incorrectly
assume that all copyright holders seek royalties. Businesses therefore focus
on the risk of so-called ``accidental'' (typically as the result of
unsupervised activity by individual programmers) infringe copyright by
incorporating ``snippets'' of copylefted code into their own proprietary
computer program. ``Compliance industry'' flagship products, therefore,
focus on ``code scanning'' services that purport to detect accidental
inclusions. Such effort focuses on proprietary software development and view
Free Software as a foreign interloper. Such approach not only ignores
current reality that many companies build their products directly on major
copylefted projects (e.g., Android vendor's use of the kernel named Linux),
but also creates a culture of fear among developers, leading them into a
downward spiral of further hiding their necessary reliance on copylefted
software in the company's products.
Fortunately, COGEOs regard GPL compliance failures as an opportunity to
improve compliance. Every compliance failure downstream represents a loss of
rights by their users. The COGEOs are the guardian of its users and
developers' rights. Their activity seeks to restore those rights, and
to protect the projects contributors intentions in the making of their
software.
\chapter{Best Practices to Avoid Common Violations}
\label{best-practices}
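Review bot: the itemize list that follows ``Common methods of modifying the works include innumerable common acts, such as:'' interleaves two unrelated lists, the three modes of distribution (embedding executable copies in a device, transferring a digital copy, posting a patch to a public list) and the three user-facing failure modes (no license information, no complete and corresponding source, no response at published addresses); split them into two lists with their own lead-in sentences, and note that the sentence introducing the list repeats ``unmodified versions of the works''. Smaller nits in the same hunk: ``excutable'' is misspelled, the parenthetical ``(See \S~\ref{GPLv2s7}, \S~\ref{GPLv3s11} and \S~\ref{GPLv3s12}.'' lacks its closing parenthesis, and ``not one a COGEO would undertaking nor endorsing'', ``focused on extract alternative proprietary licenses'' and ``the risk of so-called `accidental' ... infringe copyright'' need regrammaring.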
@ -285,8 +316,28 @@ creative expression, no copyleft provisions are invoked.
The core compliance issue faced, thus, in such a situation, is not an discussion of what is or is not a
combined, derivative, and/or modified version of the work, but rather, issues related to distribution and
conveyance of binary works based on GPL'd source, but without Complete,
Corresponding Source. This tutorial therefore focuses primarily on that issue.
Corresponding Source.
As such, issues of software delivery are the primary frustration for GPL
enforcers. In particular, the following short list accounts for at least 95\%
of the GPL violations ever encountered:
\begin{itemize}
\item The violator fails to provide required information about the presence
of copylefted programs and their applicable license terms in the product
they have purchased.
\item The violator fails to reliably deliver \hyperref[CCS
Definition]{complete, corresponding source} (CCS) for copylefted programs
the violator knew were included (i.e., the CCS is either delivered but
incomplete, or is not delivered at all).
\item Requestors are ignored when they communicate with violator's published
addresses requesting fulfillment of businesses obligations.
\end{itemize}
This tutorial therefore focuses primarily on these issue.
Admittedly, a tiny
minority of compliance situations relate to question of derivative,
combined, or modified versions of the work. Those
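Review bot: the statement that the three listed failures account for ``at least 95\%'' of the GPL violations ever encountered is a hard figure with no source; either cite the enforcement record it is drawn from or soften it to the qualitative wording the guide uses elsewhere (``all the litigation ever brought''). Also ``is not an discussion'' should be ``a discussion'' and ``focuses primarily on these issue'' should be ``these issues''.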
@ -979,49 +1030,6 @@ under the GPL\@. This section outlines a typical enforcement case and
provides some guidelines for response. These discussions are
generalizations and do not all apply to every alleged violation.
\section{Understanding Who's Enforcing}
\label{compliance-understanding-whos-enforcing}
% FIXME-LATER: this text needs work.
Both FSF and Conservancy has, as part their mission, to spread software
freedom. When FSF or Conservancy
enforces GPL, the goal is to bring the violator back into compliance as
quickly as possible, and redress the damage caused by the violation.
That is FSF's steadfast position in a violation negotiation --- comply
with the license and respect freedom.
However, other entities who do not share the full ethos of software freedom
as institutionalized by FSF and Conservancy pursue GPL violations differently. Oracle, a
company that produces the GPL'd MySQL database, upon discovering GPL
violations typically negotiates a proprietary software license separately for
a fee. While this practice is not one that FSF nor Conservancy would ever
consider undertaking or even endorsing, it is a legal way for copyright
holders to proceed.
Generally, GPL enforcers come in two varieties. First, there are
Conservancy, FSF, and other ``community enforcers'', who primarily seek the
policy goals of GPL (software freedom), and see financial compensation as
ultimately secondary to those goals. Second, there are ``for-profit
enforcers'' who use the GPL either as a crippleware license, or sneakily
induce infringement merely to gain proprietary licensing revenue.
Note that the latter model \textit{only} works for companies that hold 100\% of
the copyrights in the infringed work. As such, multi-copyright-held works
are fully insulated from these tactics.
% FIXME-URGENT: integrate, and rewrite so it doesn't laud behavior that is
% ultimately problematic.
companies have often formed beneficial consulting or employment relationships
with project developers they first encountered through compliance
inquiries. In some cases, working together to alter the mode of use of the
projects code in the companys products was an explicit element in dispute
resolution. More often, the communication channels opened in the course of
the inquiry served other and more fruitful purposes later.
%FIXME-URGENT: END
\section{Communication Is Key}
GPL violations are typically only escalated when a company ignores the
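Review bot: this removal drops the observation that the for-profit relicensing model ``\textit{only} works for companies that hold 100\% of the copyrights in the infringed work'' and that multi-copyright-holder works are therefore insulated from it. The rewritten ``Understanding Who's Enforcing'' text in the Background chapter does not carry that point over, and it is a concrete input to the risk assessment the section is arguing for; move it into the new section rather than losing it.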
@ -1245,6 +1253,11 @@ contradict this permission.
%FIXME-URGENT: integrate
Under the terms of LGPL, they must also refrain from license terms on works
based on the licensed work that prohibit replacement of the licensed
components of the larger non-LGPLd work, or prohibit decompilation or
reverse engineering in order to enhance or fix bugs in the LGPLd components.
Section 2(a) states that if a licensed work is a software library (defined in
\S0 as ``a collection of software functions and/or data prepared so as to be
conveniently linked with application programs (which use some of those
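Review bot: the inserted LGPL sentence (``Under the terms of LGPL, they must also refrain from license terms ...'') has no antecedent for ``they'' at this position; in its original location it followed ``Both service providers and distributors''. Name the subject explicitly, and close the block with a ``%FIXME-URGENT: END'' marker as the other relocated blocks do so the integration points stay greppable.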
@ -1383,6 +1396,20 @@ with GPLv2, the license gives you clear provisions that you can rely on
when you are forced to cut off support, service or warranty for a customer
who has chosen to modify.
% FIXME-URGENT: integrate, and rewrite so it doesn't laud behavior that is
% ultimately problematic.
\section{FIXME}
companies have often formed beneficial consulting or employment relationships
with project developers they first encountered through compliance
inquiries. In some cases, working together to alter the mode of use of the
projects code in the companys products was an explicit element in dispute
resolution. More often, the communication channels opened in the course of
the inquiry served other and more fruitful purposes later.
%FIXME-URGENT: END
\chapter{Conclusion}
GPL compliance need not be an onerous process. Historically, struggles
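Review bot: the new \section{FIXME} body starts mid-sentence in lowercase (``companies have often formed ...'') and has lost the apostrophes in ``projects code'' and ``companys products''. Since the accompanying comment already says the text must be rewritten so it does not laud problematic behavior, either give it a working title and a capitalised opening now or keep it commented out until rewritten, so a build does not ship a section literally titled FIXME.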


@ -39,6 +39,19 @@
% These should be made consistent, using only two forms: one for line and
% one for a long quoted section.
% FIXME: s/GPL enforcers/COGEOs/g
% (the term coined later but not used throughout) This can't be done
% by rote, since it may not be appropriate everywhere and shouldn't be
% used *before* it's coined in the early portions of
% compliance-guide.tex (and it's probably difficult to coin it earlier
% anyway). BTW, I admit COGEOs isn't the best acronym, but I started
% with ``Community Enforcement Organizations'', which makes CEO, which
% is worse. :) My other opting was COEO, which seemed too close to
% CEO. Suggestions welcome.
\usepackage{hyperref}
\usepackage{listings}
\usepackage{enumerate}
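Review bot: ``My other opting was COEO'' should read ``option''. This note concerns wording in compliance-guide.tex rather than the preamble, so it would be easier to find next to the paragraph that coins COGEO (or folded into the FIXME already placed there) than among the \usepackage lines.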


@ -2652,6 +2652,7 @@ escape their obligations under the GPL by resorting to shrouded source or
obfuscated programming.
\subsection{CCS Definition}
\label{CCS Definition}
The definition of CCS\footnote{Note that the preferred term for those who
work regularly with both GPLv2 and GPLv3 is ``Complete Corresponding
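Review bot: the new label ``CCS Definition'' contains a space, unlike every other label in the tree (GPLv2s6, GPLv3s12, best-practices). LaTeX tolerates it, but it is fragile under some tooling and must be reproduced verbatim at the reference site as \hyperref[CCS Definition] in compliance-guide.tex; a hyphenated label such as CCS-Definition would match the existing convention, with the matching reference updated in the same change.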
@ -3954,6 +3955,7 @@ In future deals, distributors engaging in ordinary business practices
can structure the agreements so that they do not fall under GPLv3~\S11\P7.
\section{GPLv3~\S12: Familiar as GPLv2~\S7}
\label{GPLv3s12}
GPLv2~\S12 remains almost completely unchanged from the text that appears in
GPLv2~\S7. This is an important provision that ensures a catch-all to ensure
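Review bot: the label is fine, but the context line directly below the new \label{GPLv3s12} reads ``GPLv2~\S12 remains almost completely unchanged from the text that appears in GPLv2~\S7''; the section being described is GPLv3~\S12, so the first reference should be GPLv3~\S12. Worth fixing while touching this spot.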