Copyleft/guide
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

FLOSS to free software

Browse source
This commit is contained in:
Donald Robertson, III 2014-03-20 15:25:21 -04:00 committed by Bradley M. Kuhn
parent 6d5ca098a1
commit 957fff699c
1 changed files with 24 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
compliance-guide.tex
View file

@ -53,7 +53,7 @@ often in public Usenet discussions.\footnote{One example is the public
proprietary.} Over the next decade, the Free Software Foundation (FSF), proprietary.} Over the next decade, the Free Software Foundation (FSF),
which holds copyrights in many GNU programs, was the only visible entity which holds copyrights in many GNU programs, was the only visible entity
actively enforcing its GPL'd copyrights on behalf of the community of actively enforcing its GPL'd copyrights on behalf of the community of
Free/Libre and Open Source Software (FOSS) developers. FSF's enforcement Free/Libre and Open Source Software (free software) developers. FSF's enforcement
was generally a private process; the FSF contacted violators was generally a private process; the FSF contacted violators
confidentially and helped them to comply with the license. Most confidentially and helped them to comply with the license. Most
violations were pursued this way until the early 2000's. violations were pursued this way until the early 2000's.
@ -81,7 +81,7 @@ violations resulting from preventable problems such as inadequate
attention to licensing of upstream software, misconceptions about the attention to licensing of upstream software, misconceptions about the
GPL's terms, and poor communication between software developers and their GPL's terms, and poor communication between software developers and their
management. In this document, we highlight these problems and describe management. In this document, we highlight these problems and describe
best practices to encourage corporate users of FOSS to reevaluate their best practices to encourage corporate users of free software to reevaluate their
approach to GPL'd software and avoid future violations. approach to GPL'd software and avoid future violations.
SFLC continues to conduct GPL enforcement and compliance efforts for many SFLC continues to conduct GPL enforcement and compliance efforts for many
@ -96,7 +96,7 @@ when a violation occurs.
\chapter{Best Practices to Avoid Common Violations} \chapter{Best Practices to Avoid Common Violations}
\label{best-practices} \label{best-practices}
Unlike highly permissive FOSS licenses (such as the ISC license), which Unlike highly permissive free software licenses (such as the ISC license), which
typically only require preservation of copyright notices, the GPL places a typically only require preservation of copyright notices, the GPL places a
number of important requirements upon licensees. These requirements are number of important requirements upon licensees. These requirements are
carefully designed to uphold certain values and standards of the software carefully designed to uphold certain values and standards of the software
@ -110,7 +110,7 @@ GPL violations are often caused or compounded by a failure to adopt sound
practices for the incorporation of GPL'd components into a company's practices for the incorporation of GPL'd components into a company's
internal development environment. In this section, we introduce some best internal development environment. In this section, we introduce some best
practices for software tool selection, integration and distribution, practices for software tool selection, integration and distribution,
inspired by and congruent with FOSS methodologies. We suggest companies inspired by and congruent with free software methodologies. We suggest companies
establish such practices before building a product based on GPL'd establish such practices before building a product based on GPL'd
software.\footnote{This document addresses compliance with GPLv2, software.\footnote{This document addresses compliance with GPLv2,
GPLv3, LGPLv2, and LGPLv3. Advice on avoiding the most common GPLv3, LGPLv2, and LGPLv3. Advice on avoiding the most common
@ -139,7 +139,7 @@ under the LGPL (e.g., the GNU C Library). Sometimes, these programs have
been patched or slightly improved by direct modification of their sources, been patched or slightly improved by direct modification of their sources,
resulting unequivocally in a derivative work. Alongside these programs, resulting unequivocally in a derivative work. Alongside these programs,
companies often distribute fully independent, proprietary programs, companies often distribute fully independent, proprietary programs,
developed from scratch, which are designed to run on the FOSS operating developed from scratch, which are designed to run on the free software operating
system but do not combine with, link to, modify, or otherwise derive from system but do not combine with, link to, modify, or otherwise derive from
the GPL'd components.\footnote{However, these programs do often combine the GPL'd components.\footnote{However, these programs do often combine
with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.} with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.}
@ -183,15 +183,15 @@ failure in the software acquisition and procurement process. Integration
of third-party proprietary software typically requires a formal of third-party proprietary software typically requires a formal
arrangement and management/legal oversight before the developers arrangement and management/legal oversight before the developers
incorporate the software. By contrast, your developers often obtain and incorporate the software. By contrast, your developers often obtain and
integrate FOSS without intervention. The ease of acquisition, however, integrate free software without intervention. The ease of acquisition, however,
does not mean the oversight is any less necessary. Just as your legal does not mean the oversight is any less necessary. Just as your legal
and/or management team negotiates terms for inclusion of any proprietary and/or management team negotiates terms for inclusion of any proprietary
software, they should be involved in all decisions to bring FOSS into your software, they should be involved in all decisions to bring free software into your
product. product.
Simple, engineering-oriented rules help provide a stable foundation for Simple, engineering-oriented rules help provide a stable foundation for
FOSS integration. Ask your software developers to send an email to a free software integration. Ask your software developers to send an email to a
standard place describing each new FOSS component they add to the system, standard place describing each new free software component they add to the system,
and have them include a brief description of how they will incorporate it and have them include a brief description of how they will incorporate it
into the product. Make sure they use a revision control system, and have into the product. Make sure they use a revision control system, and have
store the upstream versions of all software in a ``vendor branch'' or store the upstream versions of all software in a ``vendor branch'' or
@ -203,7 +203,7 @@ chaotic and poorly-sourced development process has begun, the challenges
of determining and cataloging the presence of GPL'd components is of determining and cataloging the presence of GPL'd components is
difficult. If you are in that situation, we recommend the difficult. If you are in that situation, we recommend the
\href{http://fossology.org/}{Fossology system}, which analyzes a \href{http://fossology.org/}{Fossology system}, which analyzes a
source-code base and produces a list of FOSS licenses that may apply to source-code base and produces a list of free software licenses that may apply to
the code. Fossology can help you build a catalog of the sources you have the code. Fossology can help you build a catalog of the sources you have
already used to build your product. You can then expand that into a more already used to build your product. You can then expand that into a more
structured inventory and process. structured inventory and process.
@ -618,7 +618,7 @@ Linux\footnote{``Linux'' refers only to the kernel, not the larger system
as a whole.} and a filesystem. That filesystem contains various binary as a whole.} and a filesystem. That filesystem contains various binary
programs, including some GPL'd binaries, alongside some proprietary programs, including some GPL'd binaries, alongside some proprietary
binaries that are separate works (i.e., not derived from, nor based on binaries that are separate works (i.e., not derived from, nor based on
FOSS sources). Consider what, in this case, constitutes adequate free software sources). Consider what, in this case, constitutes adequate
``scripts to control compilation and installation'' or items ``needed to ``scripts to control compilation and installation'' or items ``needed to
generate, install and run'' the GPL'd programs. generate, install and run'' the GPL'd programs.
@ -661,9 +661,9 @@ build scripts, and packaging scripts.
Nonetheless, in the interest of goodwill and the spirit of the GPL, most Nonetheless, in the interest of goodwill and the spirit of the GPL, most
companies do provide the compiler itself when they are able, particularly companies do provide the compiler itself when they are able, particularly
when the compiler is based on GCC\@ or another FOSS compiler. If you have when the compiler is based on GCC\@ or another free software compiler. If you have
a GCC-based system, it is your prerogative to redistribute that GCC a GCC-based system, it is your prerogative to redistribute that GCC
version (binaries plus sources) to your customers. We in the FOSS version (binaries plus sources) to your customers. We in the free software
community encourage you to do this, since it often makes it easier for community encourage you to do this, since it often makes it easier for
users to exercise their software freedom. However, if you chose to take users to exercise their software freedom. However, if you chose to take
this recommendation, ensure that your GCC distribution is itself this recommendation, ensure that your GCC distribution is itself
@ -681,7 +681,7 @@ it requires that you give the user all the essential non-proprietary facts
that you had at your disposal to build the software. Therefore, if you that you had at your disposal to build the software. Therefore, if you
choose not to distribute the compiler, you should include a {\sc readme} choose not to distribute the compiler, you should include a {\sc readme}
about where you got it, what version it was, and who to contact to acquire about where you got it, what version it was, and who to contact to acquire
it, regardless of whether your compiler is FOSS, proprietary, or it, regardless of whether your compiler is free software, proprietary, or
internally developed. internally developed.
\section{Best Practices and Corresponding Source} \section{Best Practices and Corresponding Source}
@ -763,9 +763,9 @@ let the conversation lapse until the situation is fully resolved.
Proactively follow up with synchronous communication means to be sure Proactively follow up with synchronous communication means to be sure
communications sent by non-reliable means (such as email) were received. communications sent by non-reliable means (such as email) were received.
Remember that the FOSS community generally values open communication and Remember that the free software community generally values open communication and
cooperation, and these values extend to GPL enforcement. You will cooperation, and these values extend to GPL enforcement. You will
generally find that FOSS developers and their lawyers are willing to generally find that free software developers and their lawyers are willing to
have a reasonable dialogue and will work with you to resolve a violation have a reasonable dialogue and will work with you to resolve a violation
once you open the channels of communication in a friendly way. once you open the channels of communication in a friendly way.
@ -840,11 +840,11 @@ copyright holders often require.
\begin{itemize} \begin{itemize}
\item {\bf Compliance on all FOSS copyrights}. Copyright holders of FOSS \item {\bf Compliance on all free software copyrights}. Copyright holders of free software
often want a company to demonstrate compliance for all GPL'd software in often want a company to demonstrate compliance for all GPL'd software in
a distribution, not just their own. A copyright holder may refuse to a distribution, not just their own. A copyright holder may refuse to
reinstate your right to distribute one program unless and until you reinstate your right to distribute one program unless and until you
comply with the licenses of all FOSS in your distribution. comply with the licenses of all free software in your distribution.
\item {\bf Notification to past recipients}. Users to whom you previously \item {\bf Notification to past recipients}. Users to whom you previously
distributed non-compliant software should receive a communication distributed non-compliant software should receive a communication
@ -854,10 +854,10 @@ copyright holders often require.
situations), an alternative form of notice may be required (such as a situations), an alternative form of notice may be required (such as a
magazine advertisement). magazine advertisement).
\item {\bf Appointment of a GPL Compliance Officer.} The FOSS community \item {\bf Appointment of a GPL Compliance Officer.} The free software community
values personal accountability when things go wrong. Copyright holders values personal accountability when things go wrong. Copyright holders
often require that you name someone within the violating company often require that you name someone within the violating company
officially responsible for FOSS license compliance, and that this officially responsible for free software license compliance, and that this
individual serve as the key public contact for the community when individual serve as the key public contact for the community when
compliance concerns arise. compliance concerns arise.
@ -952,7 +952,7 @@ violations are resolved much more smoothly (at least from the point of
view of the redistributor). view of the redistributor).
Consider the cost of potential violations in your acquisition process. Consider the cost of potential violations in your acquisition process.
Using FOSS allows software vendors to reduce costs significantly, but be Using free software allows software vendors to reduce costs significantly, but be
wary of vendors who have done so without regard for the licenses. If your wary of vendors who have done so without regard for the licenses. If your
vendor's costs seem ``too good to be true,'' you may ultimately bear the vendor's costs seem ``too good to be true,'' you may ultimately bear the
burden of the vendor's inattention to GPL compliance. Ask the right burden of the vendor's inattention to GPL compliance. Ask the right
@ -988,7 +988,7 @@ completely unmodifiable\footnote{Consider that the iPhone, a device
and modified within 48 hours of its release.}, users are generally on and modified within 48 hours of its release.}, users are generally on
notice that they risk voiding their warranties and losing their update and notice that they risk voiding their warranties and losing their update and
support services when they make modifications.\footnote{A popular t-shirt support services when they make modifications.\footnote{A popular t-shirt
in the FOSS community reads: ``I void warranties.''. Our community is in the free software community reads: ``I void warranties.''. Our community is
well-known for modifying products with full knowledge of the well-known for modifying products with full knowledge of the
consequences. GPLv3's ``Installation Instructions'' section merely consequences. GPLv3's ``Installation Instructions'' section merely
confirms that reality, and makes sure GPL rights can be fully exercised, confirms that reality, and makes sure GPL rights can be fully exercised,
@ -1011,7 +1011,7 @@ requirements.
Compliance is straightforward when the entirety of your enterprise is Compliance is straightforward when the entirety of your enterprise is
well-informed and well-coordinated. The receptionists should know how to well-informed and well-coordinated. The receptionists should know how to
route a GPL source request or accusation of infringement. The lawyers route a GPL source request or accusation of infringement. The lawyers
should know the basic provisions of FOSS licenses and your source should know the basic provisions of free software licenses and your source
disclosure requirements, and should explain those details to the software disclosure requirements, and should explain those details to the software
developers. The software developers should use a version control system developers. The software developers should use a version control system
that allows them to associate versions of source with distributed that allows them to associate versions of source with distributed
@ -1020,7 +1020,7 @@ art can understand, and inform the lawyers when they bring in new
software. Managers should build systems and procedures that keep everyone software. Managers should build systems and procedures that keep everyone
on target. With these practices in place, any organization can comply on target. With these practices in place, any organization can comply
with the GPL without serious effort, and receive the substantial benefits with the GPL without serious effort, and receive the substantial benefits
of good citizenship in the FOSS community, and lots of great code of good citizenship in the free software community, and lots of great code
ready-made for their products. ready-made for their products.
\vfill \vfill