diff --git a/compliance-guide.tex b/compliance-guide.tex index 1983d81..b46aa1a 100644 --- a/compliance-guide.tex +++ b/compliance-guide.tex 
@@ -115,116 +115,147 @@ commercial distributors, redistributors, and resellers on how to avoid violations in the first place, and to respond adequately and appropriately when a violation occurs. -%FIXME-URGENT: integrate (into its own chapter) -\chapter{FIXME-URGENT} - \section{Who Has Compliance Obligations?} -Distributors of licensed works—whether they are distributing modified or -unmodified versions of the works, whether they have embedded executable -copies of licensed works in a device, or are selling or otherwise -transferring only a digital copy—have obligations to at least the users to -whom they or intermediary parties distributed those copies. Whether those -obligations run also to third parties not directly receiving their -distribution of the works depends on the precise license involved, and their -chosen mode of either distributing or offering to distribute source code. In -addition, they have obligations to upstream parties, to preserve reasonable -legal notices embedded in the code, and to mark modified versions -appropriately. - -Both service providers and distributors have the obligation, in order to -protect users’ rights, to refrain from imposing any additional restrictions -on downstream parties. They must refrain from terms in ``umbrella licenses,'' -EULAs, or sublicenses that restrict downstream users’ rights as described -above. Under the terms of LGPL, they must also refrain from license terms on -works based on the licensed work that prohibit replacement of the licensed -components of the larger non-LGPL’d work, or prohibit decompilation or -reverse engineering in order to enhance or fix bugs in the LGPL’d components. - -Patent holders having claims reading on works they distribute have an -obligation to refrain from enforcing those claims against parties to whom -they distribute. 
Patent holders modifying and distributing works under the -version 3 family of licenses have an obligation to refrain from enforcing any -claims reading on the version they distributed, not only against that version -as distributed, but also against any subsequent version or work based thereon -that also practices those claims. - -All parties have an obligation to refrain from acting as a provider of -services or distributor of licensed works if they have accepted, or had -imposed on them by judicial action, binding legal conditions that would -prevent them from meeting obligations to users as described. If a party is -under such conflicting obligations, it has a duty to refrain from playing the -role in which it is no longer free to meet its license obligations. - -\section{FIXME: Understanding Risk} - -we have observed that there is a significant mismatch between the assumptions -businesses make about compliance and the realities of what goes wrong, what -causes disputes, and how those disputes are resolved. Often, we have found -companies preparing at great expense to avoid unlikely risks that have low -historical incidence of occurrence and low cost of remediation, while leaving -unmanaged the risks that have historically resulted in all the litigation and -other adverse outcomes. In this section, we describe in broad terms the -activities that help businesses prepare to meet their compliance obligations -with minimal effort at minimal cost, dealing preventively with the compliance -risks they really face. - -The mismatch between actual compliance risk and compliance risk management, -in our experience, results from a misunderstanding of licensor -intentions. Commercial parties often expect copyleft project communities to -approach compliance as a form of copyright monetization, or else as an -ideological effort to force proprietary software to be relicensed under -copyleft terms. 
Under the assumption that the intention of the licensors is -to take advantage of non-compliance to extract royalties, or to force the -business’s proprietary products to be distributed under copyleft, businesses -manage the risk that they will ``accidentally''—or as the result of -unsupervised activity by individual programmers—copy infringing ``snippets'' of -copylefted code into their own proprietary computer program. Risk management -involves the purchase of expensive proprietary ``code scanning'' services that -purport to detect such accidental inclusions. Effort is concentrated on how -proprietary computer programs are made, to prevent ``infection'' by free -software. - -In fact, however, development communities that use copyleft regard compliance -failures as an opportunity to improve compliance. Every compliance failure -downstream from their project represents a loss of rights by their users. The -project, as copyright holder, is the guardian of its users’ rights. Their -activity is designed to restore those rights, and to protect the project’s -contributors’ intentions in the making of their software. Projects’ goals in -seeking compliance are more often frustrated by the way software is delivered -to users than by the way combinations of proprietary and free software are -made. In particular, +All distributors of modified or unmodified versions of copylefted works +unmodified versions of the works have compliance obligations. 
Common methods +of modifying the works include innumerable common acts, such as: \begin{itemize} -\item Users aren’t provided with required information about the presence of - copylefted programs and their applicable license terms in the product they - have purchased; or + \item embedding those works as executable copies + into a device, -\item Users can’t reliably get complete and corresponding source code to - copylefted programs the distributor knew it was using and intended to use - pursuant to the license terms; or + \item transferring a digital copy of excutable copies to someone else, + + \item posting a patch to the copylefted software to a public mailing list. -\item Users get no response when they communicate with published addresses - requesting fulfillment of businesses’ obligations. \end{itemize} +Such distributors have obligations to (at least) the users to whom they (or +intermediary parties) distribute those copies. In some cases, distributors +have obligations to third parties not directly receiving their distribution +of the works (depending on the distributors chosen licensing options, as +described later in \S~\ref{binary-distribution-permission}). In addition, +distributors have compliance obligations to upstream parties, such as +preservation of reasonable legal notices embedded in the code, and +appropriate labeling of modified versions. -In these and similar situations, the project’s goal is compliance with -obligations intentionally incurred by intentional use of copylefted programs, -through observance of fulfillment obligations to downstream users. Failures -of this type, which are uncaught by scanning programs or other similar -services, have resulted in all the litigation ever brought by copyleft -communities around the world. +Online service providers and distributors alike have other compliance +obligations. In general, they must refrain from imposing any additional +restrictions on downstream parties. 
Most typically, such compliance problems +arise from ``umbrella licenses:'' EULAs, or sublicenses that restrict +downstream users’ rights under copyleft. (See \S~\ref{GPLv2s6} and +\S~\ref{GPLv3s10}). -Inclusions of free software in commercial proprietary products do happen. In -our practice on behalf of copyleft-using development communities, we -encounter such problems not frequently, but regularly. To the best of our -knowledge, not one such instance has ever resulted in compliance litigation -by a community party. These issues are regularly settled in an amicable and -cooperative fashion. +Patent holders having claims reading on GPL'd works they distribute must +refrain from enforcing those claims against parties to whom they distribute. +Furthermore, patent holders holding copyrights on GPLv3'd works must further +grant an explicit patent license for any patent claims reading on the version +they distributed, and therefore cannot enforce those specific patent claims +against anyone making, using or selling a work based on their distributed +version. All parties must refrain from acting as a provider of services or +distributor of licensed works if they have accepted, or had imposed on them +by judicial action, any legal conditions that would prevent them from meeting +any obligation under GPL\@. (See \S~\ref{GPLv2s7}, \S~\ref{GPLv3s11} and +\S~\ref{GPLv3s12}. -%FIXME-URGENT: END +\section{What Are The Risks of Non-Compliance?} + +Copyleft experts have for decades observed a significant mismatch between the +assumptions most businesses make about copyleft compliance and the realities. +Possibly due to excessive marketing of proprietary tools and services from +the for-profit compliance industry, businesses perennially focus on the wrong +concerns. This tutorial seeks to educate those businesses about what +actually goes wrong, what causes disputes, and how to resolve those disputes. 
+ +Many businesses currently invest undue resources to avoid unlikely risks that +have low historical incidence of occurrence and low cost of remediation, +while leaving unmanaged the risks that have historically resulted in all the +litigation and other adverse outcomes. For example, some ``compliance +industry''\footnote{``Compliance industry'' refers to third-party for-profit + companies that market proprietary software tools and/or consulting services + that purport to aid businesses with their Free Software license compliance + obligations, such as those found in GPL and other copyleft licenses. This + tutorial leaves the term in quotes throughout, primarily to communicate the + skepticism most of this tutorial's authors feel regarding the mere + existence of this industry. Not only do copyleft advocates object on + principle to proprietary software tools in general, and to their ironic use + specifically to comply with copyleft, but also to the ``compliance + industry'' vendors' marketing messaging, which some copyleft advocates + claim as a cause in the risk misassessments discussed herein. Bradley + M.~Kuhn, specifically, regularly uses the term ``compliance industrial + complex'' + \href{http://en.wikipedia.org/wiki/Military-industrial_complex}{to + analogize the types of problems in this industry to those warned against + in the phrase of origin}.} vendors insist that great effort must be +expended to carefully list, in the menus or manuals of embedded electronics +products, copyright notices for every last copyright holder that contributed +to the Free Software included in the product. While nearly all Free Software +licenses, including copylefts like GPL, require preservation and display of +copyright notices, failure to meet this specific requirement is trivially +remedied. 
Therefore, businesses should spend just reasonable efforts to +properly display copyright notices, and note that failure to do so is simply +remedied: add the missing copyright notice! + +\section{Understanding Who's Enforcing} +\label{compliance-understanding-whos-enforcing} + +The mismatch between actual compliance risk and compliance risk management +typically results from a misunderstanding of licensor intentions. For-profit +businesses often err by assuming other actors have kindred motivations. The +primary enforcers of the GPL, however, have goals that for-profit businesses +will find strange and perhaps downright alien. + +Specifically, community-oriented GPL enforcement organizations (called +``COGEOs'' throughout the remainder of this tutorial) are typically +non-profit charities (such as the FSF and Software Freedom Conservancy) who +declare, as part of their charitable mission, advancement of software freedom +for all users. In the USA, these COGEOs are all classified as charitable +under the IRS's 501(c)(3) designation, which is reserved for organizations +that have a mission to enhance the public good. + +As such, these COGEOs enforce GPL primarily to pursue the policy goals and +motivations discussed throughout this tutorial: to spread software freedom +further. As such, COGEOs are unified in their primary goal to bring the +violator back into compliance as quickly as possible, and redress the damage +caused by the violation. COGEOs are steadfast in their position in a +violation negotiation: comply with the license and respect freedom. + +Certainly, other entities do not share the full ethos of software freedom as +institutionalized by COGEOs, and those entities pursue GPL violations +differently. Oracle, a company that produces the GPL'd MySQL database, upon +discovering GPL violations typically negotiates a proprietary software +license separately for a fee. 
While this practice is not one a COGEO would +undertaking nor endorsing, a copyleft license technically permits this +behavior. To put a finer point on this practice already discussed +in~\S~\ref{Proprietary Relicensing}, copyleft advocates usually find copyleft +enforcement efforts focused on extract alternative proprietary licenses +distasteful at best, and a corrupt manipulation of copyleft at worst. Much +to the advocates' chagrin, such for-profit enforcement efforts seem to +increase rather than decrease. + +Thus, unsurprisingly, for-profit adopters of GPL'd software often incorrectly +assume that all copyright holders seek royalties. Businesses therefore focus +on the risk of so-called ``accidental'' (typically as the result of +unsupervised activity by individual programmers) infringe copyright by +incorporating ``snippets'' of copylefted code into their own proprietary +computer program. ``Compliance industry'' flagship products, therefore, +focus on ``code scanning'' services that purport to detect accidental +inclusions. Such effort focuses on proprietary software development and view +Free Software as a foreign interloper. Such approach not only ignores +current reality that many companies build their products directly on major +copylefted projects (e.g., Android vendor's use of the kernel named Linux), +but also creates a culture of fear among developers, leading them into a +downward spiral of further hiding their necessary reliance on copylefted +software in the company's products. + +Fortunately, COGEOs regard GPL compliance failures as an opportunity to +improve compliance. Every compliance failure downstream represents a loss of +rights by their users. The COGEOs are the guardian of its users’ and +developers' rights. Their activity seeks to restore those rights, and +to protect the project’s contributors’ intentions in the making of their +software. \chapter{Best Practices to Avoid Common Violations} \label{best-practices} 
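Review bot: the rewritten opener of \section{Who Has Compliance Obligations?} in this hunk repeats a phrase and then mislabels its own list. `+All distributors of modified or unmodified versions of copylefted works` / `+unmodified versions of the works have compliance obligations.` says "unmodified versions of the works" twice, and the three items that follow (embedding executable copies in a device, transferring a digital copy, posting a patch to a mailing list) are ways of distributing, not of modifying, so `+Common methods of modifying the works include innumerable common acts, such as:` should read "Common methods of distributing the works include ..." (while there: "excutable" is "executable", and "the distributors chosen licensing options" needs the possessive "distributors'"). Two substantive points in the same hunk: the patent paragraph now triggers on "patent holders holding copyrights on GPLv3'd works", whereas the removed sentence triggered on "Patent holders modifying and distributing works under the version 3 family of licenses"; those are different conditions, so check the new wording against GPLv3 §11 before it lands. And the removed paragraph beginning "Inclusions of free software in commercial proprietary products do happen" (ending "These issues are regularly settled in an amicable and cooperative fashion") is not carried anywhere else in this diff, yet it was the evidence for the claim that "snippet" risk is low; if dropping it is intentional, say so in the commit message. Smaller fixes: the closing "(See \S~\ref{GPLv2s7}, \S~\ref{GPLv3s11} and \S~\ref{GPLv3s12}." is missing its ")"; "would undertaking nor endorsing" should be "would undertake or endorse"; "focused on extract alternative proprietary licenses" should be "focused on extracting"; "the risk of so-called ``accidental'' (...) infringe copyright" should be "infringement of copyright"; "Such effort ... view Free Software" should be "views"; "Such approach" should be "Such an approach"; and "The COGEOs are the guardian of its users'" should be "COGEOs are the guardians of users'".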
@@ -285,8 +316,28 @@ creative expression, no copyleft provisions are invoked. The core compliance issue faced, thus, in such a situation, is not an discussion of what is or is not a combined, derivative, and/or modified version of the work, but rather, issues related to distribution and conveyance of binary works based on GPL'd source, but without Complete, -Corresponding Source. This tutorial therefore focuses primarily on that issue. +Corresponding Source. +As such, issues of software delivery are the primary frustration for GPL +enforcers. In particular, the following short list accounts for at least 95\% +of the GPL violations ever encountered: + +\begin{itemize} + +\item The violator fails to provide required information about the presence + of copylefted programs and their applicable license terms in the product + they have purchased. + +\item The violator fails to reliably deliver \hyperref[CCS + Definition]{complete, corresponding source} (CCS) for copylefted programs + the violator knew were included (i.e., the CCS is either delivered but + incomplete, or is not delivered at all). + +\item Requestors are ignored when they communicate with violator's published + addresses requesting fulfillment of businesses’ obligations. +\end{itemize} + +This tutorial therefore focuses primarily on these issue. Admittedly, a tiny minority of compliance situations relate to question of derivative, combined, or modified versions of the work. Those 
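Review bot: the new bullet list in this hunk replaces a qualitative claim with an unsourced number and leaves a dangling pronoun. The removed sentence said such failures "have resulted in all the litigation ever brought by copyleft communities"; the replacement `+enforcers. In particular, the following short list accounts for at least 95\%` introduces a specific figure with no citation, so either cite where 95% comes from or keep the qualitative wording. In the first bullet, "in the product they have purchased" now follows "The violator fails to provide required information", so "they" reads as the violator rather than the users who bought the product; write "the product users have purchased". Also `+This tutorial therefore focuses primarily on these issue.` should be "these issues", "with violator's published addresses" needs "the violator's", and the `\hyperref[CCS` argument is broken across a line end, which is a fragile place for a label key that itself contains a space; keep the optional argument on one line.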
@@ -979,49 +1030,6 @@ under the GPL\@. This section outlines a typical enforcement case and provides some guidelines for response. These discussions are generalizations and do not all apply to every alleged violation. -\section{Understanding Who's Enforcing} -\label{compliance-understanding-whos-enforcing} -% FIXME-LATER: this text needs work. - -Both FSF and Conservancy has, as part their mission, to spread software -freedom. When FSF or Conservancy -enforces GPL, the goal is to bring the violator back into compliance as -quickly as possible, and redress the damage caused by the violation. -That is FSF's steadfast position in a violation negotiation --- comply -with the license and respect freedom. - -However, other entities who do not share the full ethos of software freedom -as institutionalized by FSF and Conservancy pursue GPL violations differently. Oracle, a -company that produces the GPL'd MySQL database, upon discovering GPL -violations typically negotiates a proprietary software license separately for -a fee. While this practice is not one that FSF nor Conservancy would ever -consider undertaking or even endorsing, it is a legal way for copyright -holders to proceed. - -Generally, GPL enforcers come in two varieties. First, there are -Conservancy, FSF, and other ``community enforcers'', who primarily seek the -policy goals of GPL (software freedom), and see financial compensation as -ultimately secondary to those goals. Second, there are ``for-profit -enforcers'' who use the GPL either as a crippleware license, or sneakily -induce infringement merely to gain proprietary licensing revenue. - -Note that the latter model \textit{only} works for companies that hold 100\% of -the copyrights in the infringed work. As such, multi-copyright-held works -are fully insulated from these tactics. - -% FIXME-URGENT: integrate, and rewrite so it doesn't laud behavior that is -% ultimately problematic. 
- -companies have often formed beneficial consulting or employment relationships -with project developers they first encountered through compliance -inquiries. In some cases, working together to alter the mode of use of the -project’s code in the company’s products was an explicit element in dispute -resolution. More often, the communication channels opened in the course of -the inquiry served other and more fruitful purposes later. - - %FIXME-URGENT: END - - \section{Communication Is Key} GPL violations are typically only escalated when a company ignores the @@ -1245,6 +1253,11 @@ contradict this permission. %FIXME-URGENT: integrate +Under the terms of LGPL, they must also refrain from license terms on works +based on the licensed work that prohibit replacement of the licensed +components of the larger non-LGPL’d work, or prohibit decompilation or +reverse engineering in order to enhance or fix bugs in the LGPL’d components. + Section 2(a) states that if a licensed work is a software library (defined in \S0 as ``a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those 
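Review bot: the -979 hunk of compliance-guide.tex removes more than it relocates. Moving "Understanding Who's Enforcing" earlier is fine, but the deleted lines `-Note that the latter model \textit{only} works for companies that hold 100\% of` / `-the copyrights in the infringed work. As such, multi-copyright-held works` / `-are fully insulated from these tactics.` do not reappear anywhere in this diff, and the new version of the section in the -115 hunk only says that for-profit enforcement efforts "seem to increase rather than decrease". The 100% point is the one concrete risk-assessment fact in the old section (proprietary relicensing enforcement needs a sole copyright holder), so carry it into the new section or record the intentional removal in the commit message. The "two varieties" paragraph is likewise dropped rather than folded into the COGEO text.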
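Review bot: the LGPL paragraph inserted by the -1245 hunk opens with a pronoun that has no antecedent at its new location: `+Under the terms of LGPL, they must also refrain from license terms on works` now follows "contradict this permission." and a `%FIXME-URGENT: integrate` comment, so "they" no longer refers to the "service providers and distributors" it referred to in the -115 hunk it was cut from. Name the subject ("distributors of works based on an LGPL'd library must also refrain ...") and, since the paragraph that follows starts the \S2(a) discussion, consider placing this after that discussion rather than in front of it. Also "non-LGPL’d" and "LGPL’d" in this paragraph use a curly apostrophe while the rest of the added text writes "GPL'd" and "GPLv3'd" with a straight one; pick one form.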
@@ -1383,6 +1396,20 @@ with GPLv2, the license gives you clear provisions that you can rely on when you are forced to cut off support, service or warranty for a customer who has chosen to modify. + +% FIXME-URGENT: integrate, and rewrite so it doesn't laud behavior that is +% ultimately problematic. +\section{FIXME} + +companies have often formed beneficial consulting or employment relationships +with project developers they first encountered through compliance +inquiries. In some cases, working together to alter the mode of use of the +project’s code in the company’s products was an explicit element in dispute +resolution. More often, the communication channels opened in the course of +the inquiry served other and more fruitful purposes later. + +%FIXME-URGENT: END + \chapter{Conclusion} GPL compliance need not be an onerous process. Historically, struggles diff --git a/comprehensive-gpl-guide.tex b/comprehensive-gpl-guide.tex index ec3bd06..69785ab 100644 --- a/comprehensive-gpl-guide.tex +++ b/comprehensive-gpl-guide.tex @@ -39,6 +39,19 @@ % These should be made consistent, using only two forms: one for line and % one for a long quoted section. + + +% FIXME: s/GPL enforcers/COGEOs/g + +% (the term coined later but not used throughout) This can't be done +% by rote, since it may not be appropriate everywhere and shouldn't be +% used *before* it's coined in the early portions of +% compliance-guide.tex (and it's probably difficult to coin it earlier +% anyway). BTW, I admit COGEOs isn't the best acronym, but I started +% with ``Community Enforcement Organizations'', which makes CEO, which +% is worse. :) My other opting was COEO, which seemed too close to +% CEO. Suggestions welcome. + \usepackage{hyperref} \usepackage{listings} \usepackage{enumerate} diff --git a/gpl-lgpl.tex b/gpl-lgpl.tex index c9110fa..13109f3 100644 --- a/gpl-lgpl.tex +++ b/gpl-lgpl.tex 
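Review bot: the -1383 hunk of compliance-guide.tex commits a placeholder heading and a sentence fragment into the rendered body of the guide: `+\section{FIXME}` followed by `+companies have often formed beneficial consulting or employment relationships` (lowercase, so the paragraph still begins mid-sentence, exactly as it did at its old location). The accompanying comment `+% FIXME-URGENT: integrate, and rewrite so it doesn't laud behavior that is` says the text should not land in this form; either keep the block commented out until it is rewritten, or give it a real heading and a complete first sentence now, otherwise the PDF shows a section titled "FIXME" immediately before \chapter{Conclusion}.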
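Review bot: the comment added to the preamble of comprehensive-gpl-guide.tex in the -39 hunk is a to-do that, by its own account, cannot be applied by rote and must not touch text before the term is coined, so it will outlive this commit; a one-line pointer here plus an entry in the issue tracker is easier to find than a paragraph in the preamble. Also "My other opting was COEO" should read "option".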
@@ -2652,6 +2652,7 @@ escape their obligations under the GPL by resorting to shrouded source or obfuscated programming. \subsection{CCS Definition} +\label{CCS Definition} The definition of CCS\footnote{Note that the preferred term for those who work regularly with both GPLv2 and GPLv3 is ``Complete Corresponding @@ -3954,6 +3955,7 @@ In future deals, distributors engaging in ordinary business practices can structure the agreements so that they do not fall under GPLv3~\S11\P7. \section{GPLv3~\S12: Familiar as GPLv2~\S7} +\label{GPLv3s12} GPLv2~\S12 remains almost completely unchanged from the text that appears in GPLv2~\S7. This is an important provision that ensures a catch-all to ensure
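Review bot: `+\label{CCS Definition}` in the -2652 hunk of gpl-lgpl.tex uses a label key containing a space. LaTeX tolerates that, but the only consumer, the `\hyperref[CCS Definition]` added in compliance-guide.tex, is split across a line end in this same patch, which is where a space-containing key becomes fragile. Prefer a key without spaces such as `CCS-Definition` on both sides, matching the other labels in this diff (`GPLv3s12`, `best-practices`).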
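Review bot: the `+\label{GPLv3s12}` added in the -3954 hunk is fine, but the unchanged line directly under it, "GPLv2~\S12 remains almost completely unchanged from the text that appears in GPLv2~\S7", contradicts the heading `\section{GPLv3~\S12: Familiar as GPLv2~\S7}` it sits under; the first occurrence should be GPLv3~\S12. Since the new `\S~\ref{GPLv3s12}` reference in compliance-guide.tex sends readers straight to this paragraph, it is worth fixing in the same commit.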