*** empty log message ***

This commit is contained in:
Bradley M. Kuhn 2004-02-12 21:08:33 +00:00
parent 72f969b8a2
commit c19b9d2557
3 changed files with 293 additions and 250 deletions

View file

@ -41,7 +41,7 @@ Sponsored by the Free Software Foundation \\
Columbia Law School, New York, NY, USA \\
\vspace{.1in}
Wednesday 21 January 2003
Wednesday 21 January 2004
}
\vspace{.7in}
@ -85,7 +85,6 @@ any medium, provided this notice is preserved.
\begin{abstract}
This one-day course presents the details of five different GPL compliance
cases handled by FSF's GPL Compliance Laboratory. Each case offers unique
insights into problems that can arise when the terms of GPL are not
@ -101,6 +100,15 @@ that deal with Free Software on a regular basis. However, technical
managers and executives whose businesses use or distribute Free Software
will also find the course very helpful.
\bigskip
These course materials are merely a summary of the highlights of the
course presented. Readers of this material should assume that they have
missed the bulk of the material, as the detailed discussion of these case
studies is the most illuminating part about them. Merely reading this
material is akin to matriculating into a college course and read only the
textbook instead of going to class.
\end{abstract}
\tableofcontents
@ -124,58 +132,61 @@ propagate throughout the distribution chain of the software.
As we have learned, the assurance that Free Software under GPL remains
Free Software is accomplished through various terms of GPL: \S 3 ensures
that binaries are always accompanied with source; \S 2 ensures that the
sources are adequate, complete and usable; \S 6 and \S 7 ensures that the
sources are adequate, complete and usable; \S 6 and \S 7 ensure that the
license of the software is always GPL for everyone, and that no other
legal agreements or licenses trump GPL; \S 4 ensures that the GPL can be
enforced.
legal agreements or licenses trump GPL. It is \S 4, however, that ensures
that the GPL can be enforced.
In fact, \S 4 is where we begin our discussion of GPL enforcement. This
Thus, \S 4 is where we begin our discussion of GPL enforcement. This
clause is where the legal teeth of the license are rooted. As a copyright
license, GPL governs only the activities governed by copyright law ---
copying, modifying and redistributing computer software. Unlike most
copyright licenses, GPL gives wide grants of permission for engaging with
these activities. Such permissions continue and all parties may exercise
until such time as one party violates the terms of GPL\@. At the moment
of such a violation --- the engaging of copying, modifying or
redistributing in ways not permitted by GPL --- \S 4 is invoked.
them until such time as one party violates the terms of GPL\@. At the
moment of such a violation (i.e., the engaging of copying, modifying or
redistributing in ways not permitted by GPL) \S 4 is invoked. While other
parties may continue to operate under GPL, the violating party loses their
rights.
Specifically, \S 4 terminates the violators rights to continue engaging
Specifically, \S 4 terminates the violators' rights to continue engaging
in the permissions that otherwise granted by GPL\@. Effectively, their
permission go back to the copyright defaults --- no permission to copy,
modify, or redistribute the work. Meanwhile, \S 5 points out that if
if the violator has no rights under GPL --- as they will not once they
have violated it --- then they otherwise have no right and are prohibited
by copyright law from engaging in the activities of copying, modifying
and distributing.
permissions go back to the copyright defaults --- no permission is granted
to copy, modify, nor redistribute the work. Meanwhile, \S 5 points out
that if if the violator has no rights under GPL --- as they will not once
they have violated it --- then they otherwise have no rights and are
prohibited by copyright law from engaging in the activities of copying,
modifying and distributing.
\section{Ongoing Violations}
In conjunction with \S 4's termination of violators' rights, there is one
final industry fact is added to the mix: rarely, does on engage in a
single, solitary act of copying, distributing or modifying software.
Almost always, a violator will have legitimately acquired a copy a GPL'd
program --- either made modifications or not --- and then begun a ongoing
activity of distributing that work. For example, the violator may have
put the software in boxes and sold them at stores. Or perhaps the
software was put up for download on the Internet. Regardless of the
delivery mechanism, violators almost always are engaged in {\em ongoing\/}
final industry fact added to the mix: rarely, does one engage in a single,
solitary act of copying, distributing or modifying software. Almost
always, a violator will have legitimately acquired a copy a GPL'd program,
either making modifications or not, and then began a ongoing activity of
distributing that work. For example, the violator may have put the
software in boxes and sold them at stores. Or perhaps the software was
put up for download on the Internet. Regardless of the delivery
mechanism, violators almost always are engaged in {\em ongoing\/}
violation of GPL\@.
In fact, when we discover a GPL violation that occurred only once --- for
example, a user group who distributed copies of a GNU/Linux system without
source at a meeting once --- we rarely pursue it with a high degree of
diligence. In our minds, that is an educational problem, and unless the
user group becomes a repeat offender (as it turns out, the never do) we
simply send an FAQ entry that best explains how user groups can most
easily comply with GPL, and send them on there merry way.
source at one meeting --- we rarely pursue it with a high degree of
tenacity. In our minds, such a violation is an educational problem, and
unless the user group becomes a repeat offender (as it turns out, the
never do) we simply forward along an FAQ entry that best explains how user
groups can most easily comply with GPL, and send them on there merry way.
It is only the cases of {\em ongoing\/} GPL violation that warrant our
active attention. We vehemently pursue those cases where dozens, hundreds
or thousands of customers are receiving software that is out of
compliance, and the company continually puts for sale (or distributes
gratis as a demo) software distributions that include GPL'd components out
of compliance. Our goal is to maximize the impact of enforcement and
educate industries who are making a mistake on a large scale.
compliance, and where the company continually puts for sale (or
distributes gratis as a demo) software distributions that include GPL'd
components out of compliance. Our goal is to maximize the impact of
enforcement and educate industries who are making such a mistake on a
large scale.
In addition, such ongoing violation shows that a particular company is
committed to a GPL'd product line. We are thrilled to learn that someone
@ -186,40 +197,41 @@ gives us an active opportunity to educate a new contributor the GPL'd
commons about proper procedures to contribute to the community.
Our central goal is not, in fact, to merely clear up particular violation.
Over time, we hope that our compliance lab will be out of business. We
seek to educate the businesses that engage in commerce related to GPL'd
software to obey the rules of the road and allow them to operate freely
under them. Just as a traffic officer would not revel in reminding people
which side of the road to drive in, so we do not revel in violations. By
contrast, we revel in the successes of educating an ongoing violator about
GPL so that GPL compliance becomes a second-nature matter, and they join
the GPL ecosystem as contributors.
In fact, over time, we hope that our compliance lab will be out of
business. We seek to educate the businesses that engage in commerce
related to GPL'd software to obey the rules of the road and allow them to
operate freely under them. Just as a traffic officer would not revel in
reminding people which side of the road to drive on, so we do not revel in
violations. By contrast, we revel in the successes of educating an
ongoing violator about GPL so that GPL compliance becomes a second-nature
matter, allowing that company to join the GPL ecosystem as a contributor.
\section{How are Violations Discovered?}
Our enforcement of GPL is not a fund-raising effort; in fact, FSF's GPL
compliance lab runs at a loss (in other words, it is subsided by our
Compliance Lab runs at a loss (in other words, it is subsided by our
donors). Our violation reports come from volunteers, who have encountered
in their business or personal life, a device or software product that
appears to contain GPL'd software; these reports are usually sent via
email to $<$license-violation@fsf.org$>$.
appears to contain GPL'd software. These reports are almost always sent
via email to $<$license-violation@fsf.org$>$.
Our first order of business, upon receiving such a report, is to seek
independent confirmation. When possible, we get a copy of the software
product. For example, if it is an offering that is downloadable from a
website, we download it and investigate ourselves. When it is not
possible for us to actually get a copy of the software, we ask the
reporter to go through the same process we use in examining the software.
reporter to go through the same process we would use in examining the
software.
By rough estimation, about 95\% of violations at this stage can be
confirmed by simple commands. Since almost all violators have merely made
an error, and have no nefarious intentions, they have made no attempt to
remove our copyright notices from the software. Given the third-party
binary, {\tt tpb}, usually, a simple command (on a GNU/Linux system) such
as the following will find an Free Software copyright notice and GPL
reference:
confirmed by simple commands. Almost all violators have merely made an
error and have no nefarious intentions. They have made no attempt to
remove our copyright notices from the software. Thus, given the
third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux
system) such as the following will find a Free Software copyright notice
and GPL reference:
\begin{quotation}
{\tt string tpb | grep Copyright}
{\tt strings tpb | grep Copyright}
\end{quotation}
In other words, it is usually more than trivial to confirm that GPL'd
software is included.
@ -229,17 +241,17 @@ determine whose copyright has been violated. Contrary to popular belief,
FSF does not have the power to enforce GPL in all cases. Since GPL
operates under copyright law, the powers of enforcement --- to seek
redress once \S 4 has been invoked --- lies with the copyright holder of
the software. FSF is one of the largest copyright holders in the world
of GPL'd software, but we are by no means the only one. Thus, we
sometimes discover that while GPL'd code is present in the software,
there is no software copyrighted by FSF.
the software. FSF is one of the largest copyright holders in the world of
GPL'd software, but we are by no means the only one. Thus, we sometimes
discover that while GPL'd code is present in the software, there is no
software copyrighted by FSF present.
In cases where FSF does not hold copyright interest in the software, but
we have confirmed a violation, we contact the copyright holders of the
software, and encourage them to enforce GPL\@. We offer our good offices
to help negotiate compliance on their behalf, and many times we help as a
third party to settle such GPL violations. However, what we will
describe in this course is FSF's first-hand experience enforcing its own
third party to settle such GPL violations. However, what we will describe
primarily in this course is FSF's first-hand experience enforcing its own
copyrights and GPL\@.
\section{First Contact}
@ -249,7 +261,7 @@ cooperation and mutual help. Our community has learned that cooperation
works best when you assume the best of others, and only change policy,
procedures and attitudes when some specific event or occurrence indicates
that a change is necessary. We treat the process of GPL enforcement in
the same way; our goal is to encourage violators to join the cooperative
the same way. Our goal is to encourage violators to join the cooperative
community of software sharing, so we want to open our hand in friendship
to them.
@ -263,7 +275,7 @@ compliance work.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{Case Study: Davrik's Modified GCC}
\chapter{Davrik: Modified GCC SDK}
In our first case study, we will consider Davrik, a company that produces
software and hardware toolkits to assist OEM vendors who products consumer
@ -287,13 +299,13 @@ with specious GPL violation complaints. FSF shelved the matter until
more evidence was discovered.
FSF was later able to confirm the violation when two additional reports
surfaced from other violation reports, both of whom had used the product
surfaced from other violation reporters, both of whom had used the SDK
professional and noticed clear similarities to FSF's GNU GCC\@. FSF's
Compliance Engineer asked the reporters to run standard tests to confirm
the violation, and it was confirmed that the product was indeed a
derivative work of GCC, ported to Windows and with a number of features
added, including support for a specific consumer device chipset and
additional features to aid in the linking process (``LP'') for the
the violation, and it was confirmed that Davrik's SDK was indeed a
derivative work of GCC\@. Davrik had ported to Windows and added a number
of features, including support for a specific consumer device chipset and
additional features to aid in the linking process (``LP'') for those
specific devices. FSF explained the rights that the GPL afforded these
customers and pointed out, for example, that Davrik only needed to provide
source to those in possession of the binaries, and that the users may need
@ -303,18 +315,18 @@ confirmed that such requests were not answered.
FSF brought the matter to the attention of Davrik, who immediately
escalated the matter to their attorneys. After a long negotiation, Davrik
acknowledged that their SDK was indeed a derivative work of GCC\@. Davrik
released most of the source, but some disagreement occurred over whether LP
was a derivate work of GCC\@. After repeated FSF inquiries, Davrik
released most of the source, but some disagreement occurred over whether
LP was a derivate work of GCC\@. After repeated FSF inquiries, Davrik
reaudited the source and discovered that FSF's analysis was correct and
determined that LP include a number of source files copied from the GCC
determined that LP included a number of source files copied from the GCC
code-base.
\label{davrik-build-problems}
Once the full software release was made available, FSF asked the
violation reporters if it addressed the problem. Reports came back that
in fact the source did not properly build. FSF asked Davrik to provide
better build instructions with the software, and such build instructions
were incorporated into the next software release.
Once the full software release was made available, FSF asked the violation
reporters if it addressed the problem. Reports came back that the source
did not properly build. FSF asked Davrik to provide better build
instructions with the software, and such build instructions were
incorporated into the next software release.
At FSF's request as well, Davrik informed customers who had previously
purchased the product that the source was now available, by announcing
@ -350,11 +362,11 @@ have under the GNU General Public License, Version 2.
This quelled Davrik's concerns about other patent licensing they sought to
do outside of the GPL'd software, and satisfied FSF's concerns that they
give no permissions to exercise teachings of patents that were not already
give proper permissions to exercise teachings of patents that were
exercised in their GPL'd software release.
Finally, a GPL Compliance Officer inside Davrik was appointed who is
responsible for all matters of GPL Compliance inside the company. Darvik
responsible for all matters of GPL compliance inside the company. Darvik
is responsible for informing FSF if the position is given to someone else
inside the company, and making sure that FSF has direct contact
information with Darvik's Compliance Officer.
@ -371,22 +383,23 @@ This case introduces a number of concepts regarding GPL enforcement.
GPL education, many users do not fully understand their rights and the
obligations that companies have. By working through the investigation
with reporters, the violation can be properly confirmed, and {\bf the
user of the software can be educated about what to expect as a user}.
When users and customers of GPL'd products know their rights, what to
expect, and how to properly exercise their rights (particularly under \S
3(b)), it reduces the chances for user frustration and inappropriate
community outcry about an alleged GPL violation.
user of the software can be educated about what to expect with GPL'd
software}. When users and customers of GPL'd products know their
rights, what to expect, and how to properly exercise their rights
(particularly under \S 3(b)), it reduces the chances for user
frustration and inappropriate community outcry about an alleged GPL
violation.
\item {\bf GPL compliance requires friendly negotiation and
cooperation.} Often, attorneys and managers are legitimately surprised
to find out GPL'd software is included in their company's products.
Engineers sometimes include GPL'd software without understanding the
requirements. This does not excuse companies from their obligations
under the license, but it does mean that care and patience are
essential for reaching GPL compliance. We want companies to understand
that participating and benefiting from a collaborative Free Software
community is not a burden, so we strive to make the process of coming
into compliance when a problem occurs as smooth as possible.
\item {\bf GPL compliance requires friendly negotiation and cooperation.}
Often, attorneys and managers are legitimately surprised to find out
GPL'd software is included in their company's products. Engineers
sometimes include GPL'd software without understanding the requirements.
This does not excuse companies from their obligations under the license,
but it does mean that care and patience are essential for reaching GPL
compliance. We want companies to understand that participating and
benefiting from a collaborative Free Software community is not a burden,
so we strive to make the process of coming into compliance as smooth as
possible.
\item {\bf Confirming compliance is a community effort.} The whole point
of making sure that software distributors respect the terms of GPL is to
@ -404,21 +417,21 @@ This case introduces a number of concepts regarding GPL enforcement.
violators to make some attempt --- such as via newsletters and the
company's website --- to inform those who already have the products as
to their rights under GPL\@. One of the key thrusts of GPL's \S 1 and
\S 3 is to {\em make sure the user knows he has these rights\/}. If a
product was received out of compliance by a customer, they may never
actually discover that they had such rights. Informing them, in a way
that is not burdensome but has a high probability of successfully
\S 3 is to {\em make sure the user knows she has these rights\/}. If a
product was received out of compliance by a customer, she may never
actually discover that she had such rights. Informing customers, in a
way that is not burdensome but has a high probability of successfully
reaching those who would seek to exercise their freedoms, is essential
to properly remedy the mistake.
\item {\bf Lines between various copyright, patent, and other legal
mechanisms must be precisely defined and considered.} The most
difficult negotiation point of this compliance case was drafting
language that simultaneously protected the Davrik's patent rights
outside of the GPL'd source, but was consistent with the implicit patent
grant in GPL\@. As we discussed in the first course in this series,
there is indeed an implicit patent grant with GPL, thanks to \S 6 and \S
7. However, many companies become nervous and wish to make the grant
difficult negotiation point of the Davrik case was drafting language
that simultaneously protected the Davrik's patent rights outside of the
GPL'd source, but was consistent with the implicit patent grant in
GPL\@. As we discussed in the first course in this series, there is
indeed an implicit patent grant with GPL, thanks to \S 6 and \S 7.
However, many companies become nervous and wish to make the grant
explicit to assure themselves that the grant is sufficiently narrow for
their needs. We understand that there is no reasonable way to determine
what patent claims read on a company's GPL holdings and which do not, so
@ -431,6 +444,11 @@ This case introduces a number of concepts regarding GPL enforcement.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{Bracken: a Minor Violation in a GNU/Linux Distribution}
In this case study, we consider a minor violation made by a company whose
knowledge of the Free Software community and it functions is deep.
\section{The Facts}
Bracken produces a GNU/Linux operating system product that is sold
primarily to OEM vendors to be placed in appliance devices that are used
for a single purpose, such as an Internet-browsing-only device. The
@ -439,8 +457,8 @@ related Free Software licenses.
FSF found out about this violation through a report first posted in a
comment on a Slashdot\footnote{Slashdot is a popular news and discussion
site for technical readers.} comment, and then later brought to our
attention by another Free Software copyright holder who had discovered the
site for technical readers.} comment, and then was brought to attention
again by another Free Software copyright holder who had discovered the
same violation.
Bracken's GNU/Linux product is delivered directly from their website.
@ -458,7 +476,7 @@ online distribution:
contradicted the permissions granted by GPL\@.
\end{itemize}
FSF contacted Bracken and gave them the details of the violation. Bracken
FSF contacted Bracken and gave them the details of the violation. Bracken
immediately ceased distribution of the product temporarily, and set forth
a plan to bring themselves back into compliance. This plan included the
following steps:
@ -473,14 +491,14 @@ following steps:
ever they distributed that way).
\item Bracken attorneys would run an internal seminar for its engineers
regarding GPL proper compliance, to help ensure that such oversights
regarding proper GPL compliance, to help ensure that such oversights
regarding source releases would not occur in the future.
\item Bracken would resume distribution of the product only after FSF
formally restored Bracken's distribution rights.
\end{itemize}
This work was completed in the matter of about a month. FSF approved the
This case was completed in the matter of about a month. FSF approved the
new EULA text. They key portion in the EULA relating to GPL read as
follows:
@ -511,7 +529,7 @@ completed as described.
\section{Lessons Learned}
This case was probably them most quickly and easily resolved of all GPL
This case was probably the most quickly and easily resolved of all GPL
violations in the history of FSF's Compliance Lab. The ease with which
the problem was resolved shows a number of cultural factors that play a
role in GPL compliance.
@ -520,13 +538,13 @@ role in GPL compliance.
\item {\bf Companies that understand Free Software culture better have an
easier time with compliance.} Bracken's products were designed and
build around the GNU/Linux system and Free Software components. Their
built around the GNU/Linux system and Free Software components. Their
engineers were deeply familiar with the Free Software ecosystem, and
their lawyers had seen and reviewed GPL before. The violation was
completely an honest mistake, and since the culture inside the company
had already adapted to the cooperative style of resolution to problems
in the Free Software world, there was very little work for either
party to bring the product into compliance.
completely an honest mistake. Since the culture inside the company had
already adapted to the cooperative style of resolution in the Free
Software world, there was very little work for either party to bring the
product into compliance.
\item {\bf When people in key positions understand the Free Software
nature of their software products, compliance concerns are as mundane as
@ -534,26 +552,26 @@ role in GPL compliance.
its problems, and successful business often depends on agile response to
the problems that do come up; avoiding problems altogether is a pipe
dream. Minor GPL violations can and do happen even with well-informed
redistributors, but when the company --- and in particular, the lawyers,
managers, and engineers working on the Free Software product lines --
have adapted to the cooperate Free Software culture, resolving such
problems are merely a mundane details of typical operation and resolved
just as easily.
redistributors. However, when the company --- and in particular, the
lawyers, managers, and engineers working on the Free Software product
lines --- have adapted to the cooperative Free Software culture,
resolving such problems is merely a mundane detail of typical operation
and resolution is reached quickly.
\item {\bf Legally, distribution must stop when a violation is
identified.} In our opinion, Bracken went above and beyond the call by
ceasing distribution while the violation was being resolved. Under GPL
\S 4, the redistributor loses the right to distribute the software, and
thus they are in ongoing violation of copyright law as they distribute.
It is FSF's policy to temporarily allow distribution while compliance
negotiations are ongoing and only in the most extreme cases where the
other party appears to be negotiating in bad faith does FSF even
threaten an injunction on copyright grounds. However, Bracken --- as a
good Free Software citizen --- chose to be on the safe side and do the
legally correct thing while the violation case was pending. Since from
start to finish it took less than am month to resolve, this lapse in
distribute did not, to FSF's knowledge, impact their business in any
way.
identified.} In our opinion, Bracken went above and beyond the call of
duty by ceasing distribution while the violation was being resolved.
Under GPL \S 4, the redistributor loses the right to distribute the
software, and thus they are in ongoing violation of copyright law if
they distribute before rights are restored. It is FSF's policy to
temporarily allow distribution while compliance negotiations are ongoing
and only in the most extreme cases (where the other party appears to be
negotiating in bad faith) does FSF even threaten an injunction on
copyright grounds. However, Bracken --- as a good Free Software citizen
--- chose to be on the safe side and do the legally correct thing while
the violation case was pending. Since from start to finish it took less
than am month to resolve, this lapse in distribution did not, to FSF's
knowledge, impact Bracken's business in any way.
\item {\bf EULAs are a common area for GPL problems.} Often, EULAs are
drafted from boilerplate text that a company uses for all its products.
@ -562,8 +580,8 @@ role in GPL compliance.
licenses. Drafting a EULA that accounts for such licenses is
straightforward; the text quoted above works just fine. The EULA must
be designed so that it does not trump and rights and permissions already
granted by GPL\@, and it must be certain that if there is a conflict
between EULA and GPL, with regard to GPL'd code, that the GPL is the
granted by GPL\@, and it clearly state that if there is a conflict
between the EULA and GPL, with regard to GPL'd code, that the GPL is the
overriding license.
\item {\bf Compliance Officers are rarely necessary when companies are
@ -601,15 +619,15 @@ a derivative work of GNU tar; the extraneous utilities merely made
compliance with GPL by releasing the source of GNU tar, with the
cryptographic modifications, to its customers.
Vigorien released the GNU tar sources, but kept the cryptographic library
proprietary. They argued that the security of their system depending on
keeping the software proprietary and that regardless, USA export
restrictions on cryptographic software prohibited such a release. FSF
disputed the claim on the first count, pointing out that Vigorien's had
only one option if they did not want to release the source: they would
have to remove GNU tar from the software and not distribute it further.
Vigorien rejected this suggestion, since GNU tar was an integral part of
the product and the security changes were useless without GNU tar.
Vigorien released the original GNU tar sources, but kept the cryptographic
modifications proprietary. They argued that the security of their system
depending on keeping the software proprietary and that regardless, USA
export restrictions on cryptographic software prohibited such a release.
FSF disputed the first claim, pointing out that Vigorien had only one
option if they did not want to release the source: they would have to
remove GNU tar from the software and not distribute it further. Vigorien
rejected this suggestion, since GNU tar was an integral part of the
product and the security changes were useless without GNU tar.
Regarding the export control claims, FSF proposed a number of options,
including release of the source from one of Vigorien's divisions overseas
@ -629,18 +647,26 @@ did so, and the violation was resolved.
\item {\bf Removing the GPL'd portion of the product is always an option.}
Many violators' first response is to simply refuse to release the source
code as GPL required. FSF offers the option to simply remove the GPL'd
code as GPL requires. FSF offers the option to simply remove the GPL'd
portions from the product and continue along without them indefinitely.
Every case where this has been suggested has led to the same conclusion.
Like Vigorien, the violator argues that the product cannot function
without the GPL'd components and they cannot effectively replace them.
Such an outcome of course is further evidence that the combined work in
Such an outcome is simply further evidence that the combined work in
question is indeed a derivative work of the original GPL'd component.
If the other components cannot stand on their own and be useful without
the GPL'd portions, then one cannot effectively argue that the work as a
whole is not a derivative of the GPL'd portions.
\item {\bf The whole product is not always covered.} In this case,
Vigorien had additional works aggregated. The backup system was a suite
of utilities, some of which were GPL and some of which were not. While
the cryptographic routines were tightly coupled with GNU tar and clearly
derivative works, the various GUI utilities were separate and
independent works merely aggregated with the distribution of the
GNU-tar-based product.
\item {\bf ``Security'' concerns do not exonerate a distributor from GPL
obligations, and ``security through obscurity'' does not work anyway.}
@ -662,11 +688,11 @@ did so, and the violation was resolved.
by identifying them early.
\item {\bf External regulatory problems can be difficult to resolve.}
GPL, though copyright law, does not have the power to trump regulations
like export controls. While Vigorien's ``security concerns'' were
specious, their export control concerns were not. It is indeed a
difficult problem that FSF acknowledges. We want compliance with GPL
and respect for users' freedoms, but we certainly do not expect
GPL, though grounded in copyright law, does not have the power to trump
regulations like export controls. While Vigorien's ``security
concerns'' were specious, their export control concerns were not. It is
indeed a difficult problem that FSF acknowledges. We want compliance
with GPL and respect for users' freedoms, but we certainly do not expect
companies to commit criminal offenses for the sake of compliance. We
will see more about this issue in our next case study.
\end{enumerate}
@ -676,8 +702,8 @@ did so, and the violation was resolved.
\chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices}
This case study considers an ongoing (at the time of writing) violation
that occurred. By the end of the investigation period, three companies
were involved and many complex issues arose.
that has occurred. By the end of the investigation period, three
companies were involved and many complex issues arose.
\section{The Facts}
@ -695,10 +721,10 @@ arms about the violation.
Meanwhile, Haxil was in the midst of being acquired by Polgara. Polgara
was as surprised as everyone else to discover the product was based on
GPL'd software; it had not been part of the disclosures made during
GPL'd software; this fact had not been part of the disclosures made during
acquisition. FSF contacted both Haxil and Polgara, and product managers
who had transitioned into the ``Haxil division'' of newly merged Polgara
company worked and Polgara's General Counsel's office worked with FSF on
who had transitioned into the ``Haxil division'' of the newly-merged
Polgara company and Polgara's General Counsel's office worked with FSF on
the matter.
FSF meanwhile formed a coalition with the other primary copyright holders
@ -738,8 +764,8 @@ regarding the problem.
\begin{enumerate}
\item {\bf Community outrage, while justified, can often make negotiation
more difficult.} FSF has a strong policy to not publicized names of GPL
violators if they are negotiating in a friendly way and operating in
more difficult.} FSF has a strong policy never to publicize names of
GPL violators if they are negotiating in a friendly way and operating in
good faith toward compliance. Most violations are honest mistakes, and
FSF sees no reason to publicly admonish violators who genuinely see to
come into compliance with GPL and to work hard staying in compliance.
@ -758,19 +784,21 @@ regarding the problem.
during the acquisition process. While GPL compliance is not a
particularly difficult matter, it is an additional obligation that comes
along with the product line. When planning mergers and joint ventures,
include lists of GPL'd components contained in the products discussed.
one should include lists of GPL'd components contained in the products
discussed.
\item {\bf Compliance problems of upstream providers do not excuse a
violation for the downstream distributor.} To paraphrase \S 6, upstream
providers are not responsible for enforcing compliance of their
downstream, nor are downstream distributors responsible for compliance
problems of upstream providers. However, engaging in distribution of
GPL'd works out of compliance is still just that --- a compliance
problem. When FSF carries out enforcement, we are patient and
sympathetic when the problem appears to be upstream. In fact, we urge
the violator to point us to the upstream provider to talk to them, and
in this case we were happy to begin negotiations with Thesulac. However,
Polgara still has an obligation to bring their product into compliance.
GPL'd works out of compliance is still just that: a compliance problem.
When FSF carries out enforcement, we are patient and sympathetic when
the problem appears to be upstream. In fact, we urge the violator to
point us to the upstream provider so we may talk to them directly. In
this case we were happy to begin negotiations with Thesulac. However,
Polgara still has an obligation to bring their product into compliance,
regardless of Thesulac's response.
\item {\bf It behooves upstream providers to advise downstream
distributors about compliance matters.} FSF has encouraged Thesulac to
@ -779,7 +807,7 @@ regarding the problem.
product, and it is conceivable that such additions can introduce
compliance. In FSF's opinion, Thesulac is no way legally responsible
for such a violation introduced by their customer, but it behooves them
from a business standpoint to educate their customers about using the
from a marketing standpoint to educate their customers about using the
product. We can argue whether or not it is your coffee vendor's fault
if you burn yourself with their product, but (likely) no one on either
side would dispute the prudence of placing a ``caution: hot'' label on
@ -803,6 +831,7 @@ regarding the problem.
simple rule to follow, and following that rule to FSF's satisfaction
usually means you are following it to the satisfaction of the entire
Free Software community.
\end{enumerate}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@ -853,4 +882,4 @@ distribute products based on GPL'd software:
% LocalWords: Lessig Lessig's UCITA pre PDAs CDs reshifts GPL's Gentoo glibc
% LocalWords: TrollTech administrivia LGPL's MontaVista Davrik Davrik's Darvik
% LocalWords: Darvik's Slashdot sublicensed Vigorien Vigorien's Haxil Polgara
% LocalWords: Thesulac Polgara's Haxil's Thesulac's
% LocalWords: Thesulac Polgara's Haxil's Thesulac's SDK CD's

Binary file not shown.

View file

@ -41,7 +41,7 @@ Sponsored by the Free Software Foundation \\
Columbia Law School, New York, NY, USA \\
\vspace{.1in}
Tuesday 20 January 2003
Tuesday 20 January 2004
}
\vspace{.7in}
@ -125,6 +125,15 @@ learned the following:
works of software.
\end{itemize}
\bigskip
These course materials are merely a summary of the highlights of the
course presented. Readers of this material should assume that they have
missed the bulk of the material, as the detailed discussion of about these
issues is the true education about GPL and LPGL\@. Merely reading this
material is akin to matriculating into a college course and read only the
textbook instead of going to class.
\end{abstract}
\tableofcontents
@ -600,6 +609,8 @@ economy.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{Running Software And Verbatim Copying}
\label{run-and-verbatim}
This chapter begins the deep discussion of the details of the terms of
GPL\@. In this chapter, we consider the first two sections: GPL \S\S
@ -668,7 +679,7 @@ matter is left up to copyright law, not the licenses that utilize it.
It is certainly true that copyright law as a whole does not propose clear
and straightforward guidelines for what is and is not a derivative
software work under copyright law. However, no copyright license --- not
even the GNU GPL -- can be blamed for this. Legislators and court
even the GNU GPL --- can be blamed for this. Legislators and court
opinions must give us guidance to decide the border cases.
\section{GPL \S 1: Verbatim Copying}
@ -761,6 +772,7 @@ of a derivative work of software. However, the applicable provisions do
provide some, albeit quite cursory, guidance. Section 101 of the Copyright
Act sets forth the following definitions:
\begin{quotation}
A ``computer program'' is a set of statements or instructions to be used
directly or indirectly in a computer in order to bring about a certain
result.
@ -772,6 +784,7 @@ reproduction, abridgment, condensation, or any other form in which a work
may be recast, transformed, or adapted. A work consisting of editorial
revisions, annotations, elaborations, or other modifications which, as a
whole, represent an original work of authorship, is a ``derivative work''.
\end{quotation}
These are the only provisions in the Copyright Act relevant to the
determination of what constitutes a derivative work of a computer
@ -1041,6 +1054,7 @@ adopts norms avoiding such risk.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{Modified Source and Binary Distribution}
\label{source-and-binary}
In this chapter, we discuss the two core sections that define the rights
and obligations for those who modify, improve, and/or redistribute GPL'd
@ -1496,49 +1510,50 @@ with respect to the licensed software.
\newcommand{\compB}{$\mathcal{B}$}
\newcommand{\compA}{$\mathcal{A}$}
For example, if Company \compA has a patent on advanced web browsing, but
For example, if Company \compA{} has a patent on advanced web browsing, but
also licenses a web browsing software program under the GPL, then it
cannot assert the patent against any party that takes a license to its
program under the GPL. However, if a party uses that program without
complying with the GPL, then Company \compA can assert, not just copyright
complying with the GPL, then Company \compA{} can assert, not just copyright
infringement claims against the non-GPL-compliant party, but also
infringement of the patent, because the implied patent license only
extends to use of the software in accordance with the GPL. Further, if
Company \compB distributes a competitive advanced web browsing program,
Company \compA is free to assert its patent against any user or
Company \compB{} distributes a competitive advanced web browsing program,
Company \compA{} is free to assert its patent against any user or
distributor of that product. It is irrelevant whether Company \compB's
program is distributed under the GPL, as Company \compB can not grant
program is distributed under the GPL, as Company \compB{} can not grant
implied licenses to Company \compA's patent.
This result also reassures companies that they need not fear loosing their
proprietary value in patents to competitors through the GPL implied patent
license, as only those competitors who adopt and comply with the GPL's
terms can benefit from the implied patent license. To continue the
example above, Company \compB does not receive a free ride on Company
\compA's patent, as Company \compB has not licensed-in and then
example above, Company \compB{} does not receive a free ride on Company
\compA's patent, as Company \compB{} has not licensed-in and then
redistributed Company A's advanced web browser under the GPL. If Company
\compB does do that, however, Company \compA still has not lost
competitive advantage against Company \compB, as Company \compB must then,
\compB{} does do that, however, Company \compA{} still has not lost
competitive advantage against Company \compB{}, as Company \compB{} must then,
when it re-distributes Company \compA's program, grant an implied license
to any of its patents that cover the program. Further, if Company \compB
to any of its patents that cover the program. Further, if Company \compB{}
relicenses an improved version of Company A's program, it must do so under
the GPL, meaning that any patents it holds that cover the improved version
are impliedly licensed to any licensee. As such, the only way Company
\compB can benefit from Company \compA's implied patent license, is if it,
\compB{} can benefit from Company \compA's implied patent license, is if it,
itself, distributes Company \compA's software program and grants an
implied patent license to any of its patents that cover that program.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{Defending Freedom On Many Fronts}
The last chapter presented the core freedom-defending provisions of GPL\@,
which are in \S\S 0--3. \S\S 4--7 of the GPL are designed to ensure that
\S\S 0--3 are not infringed, are enforceable, are kept to the confines of
copyright law and are not trumped by other copyright agreements or
components of other entirely separate legal systems. In short, while \S\S
0--3 are the parts of the license that defend the freedoms of users and
programmers, \S\S 4--7 are the parts of the license that keep the playing
field clear so that \S\S 0--3 can do their jobs.
Chapters~\ref{run-and-verbatim} and ~\ref{source-and-binary} presented the
core freedom-defending provisions of GPL\@, which are in \S\S 0--3. \S\S
4--7 of the GPL are designed to ensure that \S\S 0--3 are not infringed,
are enforceable, are kept to the confines of copyright law and are not
trumped by other copyright agreements or components of other entirely
separate legal systems. In short, while \S\S 0--3 are the parts of the
license that defend the freedoms of users and programmers, \S\S 4--7 are
the parts of the license that keep the playing field clear so that \S\S
0--3 can do their jobs.
\section{GPL \S 4: Termination on Violation}
\label{GPLs4}
@ -1591,12 +1606,12 @@ That is FSF's steadfast position in a violation negotiation --- comply
with the license and respect freedom.
However, other entities who do not share the full ethos of software
freedom as institutionalized by FSF pursue GPL violations differently. MySQL
AB, a company that produces the GPL'd MySQL database, upon discovering
GPL violations typically negotiates a proprietary software license
separately for a fee. While this practice is not one that FSF would ever
consider undertaking or even endorsing, it is a legal way for copyright
holders to proceed.
freedom as institutionalized by FSF pursue GPL violations differently.
MySQL AB, a company that produces the GPL'd MySQL database, upon
discovering GPL violations typically negotiates a proprietary software
license separately for a fee. While this practice is not one that FSF
would ever consider undertaking or even endorsing, it is a legal way for
copyright holders to proceed.
\section{GPL \S 5: Acceptance, Copyright Style}
\label{GPLs5}
@ -1788,23 +1803,23 @@ as copyright law will allow is the most direct way to reach that goal.
However, while the strategic goal is to bring as much Free Software into
the world as possible, particular tactical situations of software freedom
dictate different means. Extending the copyleft effect as far as
copyright law allows is not always the most prudent course to the goal.
In particular situations, even those of us with the goal of building a
world where all published software is Free Software realize that full
copyleft does not best serve that goal. The GNU Lesser General Public
copyright law allows is not always the most prudent course in reaching the
goal. In particular situations, even those of us with the goal of
building a world where all published software is Free Software realize
that full copyleft does not best serve us. The GNU Lesser General Public
License (``GNU LGPL'') was designed as a solution for such situations.
\section{The First LGPL'd Program}
The first example that FSF encountered where such altered tactics were
needed was when work began on the GNU C Library. The GNU C Library would
be (and today, now is) a drop-in replacement for existing C Libraries. On
a Unix-like operating system, C is the lingua franca and the C library is
an essential component for all programs. It is extremely difficult to
become (and today, now is) a drop-in replacement for existing C Libraries.
On a Unix-like operating system, C is the lingua franca and the C library
is an essential component for all programs. It is extremely difficult to
construct a program that will run with ease on a Unix-like operating
system without making use of services provided by the GNU C Library --
even if the program is written in a language other than C\@. Effectively,
all user application programs that run on any modern Unix-like system must
system without making use of services provided by the C Library --- even
if the program is written in a language other than C\@. Effectively, all
user application programs that run on any modern Unix-like system must
make use of the C Library.
By the time work began on the GNU implementation of the C Library, there
@ -1812,15 +1827,15 @@ were already many C libraries in existence from a variety of vendors.
Every proprietary Unix vendor had one, and many third parties produced
smaller versions for special purpose use. However, our goal was to create
a C library that would provide equivalent functionality to these other C
Libraries on a Free Software operating system (which in fact happens today
in modern GNU/Linux systems, which all use the GNU C Library).
libraries on a Free Software operating system (which in fact happens today
on modern GNU/Linux systems, which all use the GNU C Library).
Unlike existing GNU application software, however, the licensing
implications of releasing the GNU C Library (``glibc'') under GPL were
somewhat different. Applications released under GPL would never
themselves become part of proprietary software. However, if glibc were
released under GPL, it would require that any application distributed for
the GNU/Linux platform be released under GPL.
the GNU/Linux platform be released under GPL\@.
Since all applications on a Unix-like system depend on the C library, it
means that they must link with that library to function on the system. In
@ -1837,18 +1852,18 @@ advocates, since it stops all proprietary software development on
GNU/Linux systems. However, the outcome is a bit more subtle. In a world
where many C Libraries already exist, many of which could easily be ported
to GNU/Linux, a GPL'd glibc would be unlikely to succeed. Proprietary
vendors would see the excellent opportunity to license their C libraries to
anyone who wished to write proprietary software for GNU/Linux systems.
The de-facto standard for C libraries on GNU/Linux would likely become not
vendors would see the excellent opportunity to license their C libraries
to anyone who wished to write proprietary software for GNU/Linux systems.
The de-facto standard for C libraries on GNU/Linux would likely be not
glibc, but the most popular proprietary one.
Meanwhile, the actual goal of releasing glibc under GPL --- to ensure no
proprietary applications on GNU/Linux --- would be unattainable in this
scenario. Furthermore, users of those proprietary applications would also
be users of a proprietary C library, not glibc.
be users of a proprietary C library, not the Free glibc.
The Lesser GPL was first conceived to handle this scenario. It was clear
that the existence of proprietary applications for GNU/Linux was
The Lesser GPL was initially conceived to handle this scenario. It was
clear that the existence of proprietary applications for GNU/Linux was
inevitable. Since there were so many C libraries already in existence, a
new one under GPL would not stop that tide. However, if the new C library
were released under a license that (a) permitted proprietary applications
@ -1860,25 +1875,23 @@ the C library.
There was no way the license of glibc could stop or even slow the creation
of proprietary applications on GNU/Linux. However, loosening the
restrictions on the licensing of glibc was able to ensure that nearly all
proprietary applications at least used a Free C library rather than a
proprietary one. This trade-off is central to the reasoning behind the
LGPL\@.
restrictions on the licensing of glibc ensured that nearly all proprietary
applications at least used a Free C library rather than a proprietary one.
This trade-off is central to the reasoning behind the LGPL\@.
Of course, many people who use the LGPL today are not thinking in these
terms. In fact, they are often choosing the GPL because they are looking
for a ``compromise'' between the GPL and the X11-style liberal licensing
that does not reserve any rights to ensure the future freedom of the
software. However, understanding FSF's reasoning behind the creation of
the LGPL is helpful when studying the license.
terms. In fact, they are often choosing the LGPL because they are looking
for a ``compromise'' between the GPL and the X11-style liberal licensing.
However, understanding FSF's reasoning behind the creation of the LGPL is
helpful when studying the license.
\section{What's the Same?}
Much of the text of the LGPL is identical to the GPL\@. As we begin our
discussion of the LGPL, we will first eliminate the sections that are
identical, or that have the minor change of changing the word ``Program''
to ``Library''.
identical, or that have the minor modifications of changing the word
``Program'' to ``Library''.
First, \S 1 of LGPL, the rules for verbatim copying of source, are
equivalent to those in GPL's \S 1.
@ -2025,14 +2038,14 @@ the library'', works as follows:
\end{itemize}
We will talk about the specific restrictions LGPL places on ``works that
use the library'' in detail in Section~\ref{FIXME}. For now, focus on the
logic related to how the LGPL places requirements on the license of
\lplusi{}. Note, first of all, the similarity between this explanation
and that in Section~\ref{separate-and-independent}, which discussed the
combining otherwise separate and independent works with GPL'd code.
Effectively, what LGPL is doing is saying that when a new work is
otherwise separate and independent, but has interface calls out to an
LGPL'd library, then it is considered a ``work that uses the library''.
use the library'' in detail in Section~\ref{lgpl-section-6}. For now,
focus on the logic related to how the LGPL places requirements on the
license of \lplusi{}. Note, first of all, the similarity between this
explanation and that in Section~\ref{separate-and-independent}, which
discussed the combination of otherwise separate and independent works with
GPL'd code. Effectively, what LGPL is doing is saying that when a new
work is otherwise separate and independent, but has interface calls out to
an LGPL'd library, then it is considered a ``work that uses the library''.
In addition, the only reason that LGPL has any control over the licensing
of a ``work that uses the library'' is for the same reason that GPL has
@ -2122,11 +2135,10 @@ the license only so that when such a border case is hit, the implications
of using LGPL continue in the expected way.
To understand this subtle point, we must recall the way that a compiler
operates, which we discussed in Section~\ref{FIXME}. The compiler first
generates object code, which are the binary representations of various
programming modules. Each of those modules is usually not useful by
itself; it becomes useful to a user a a full program when those modules
are {\em assembled\/} into a full binary executable.
operates. The compiler first generates object code, which are the binary
representations of various programming modules. Each of those modules is
usually not useful by itself; it becomes useful to a user a full program
when those modules are {\em assembled\/} into a full binary executable.
As we have discussed, the assembly of modules can happen at compile-time
or at runtime. Legally, there is no distinction between the two --- both
@ -2154,7 +2166,7 @@ based on the library''. However, since the compiler copies verbatim,
copyrighted portions of the library into the object code for the otherwise
separate and independent work, it would actually cause that object file a
``work based on the library''. It is not FSF's intent that a mere
compilation idiosyncrasy changes the requirements on the users of the
compilation idiosyncrasy would change the requirements on the users of the
LGPL'd software. This paragraph removes that restriction, allowing the
implications of the license to be the same regardless of the specific
mechanisms the compiler uses underneath to create the ``work that uses the
@ -2170,7 +2182,7 @@ them understand that the full implications of LGPL are the same regardless
of the details of the compilation progress.
\section{LGPL \S 6: Distributing Works that Use the Library}
\label{lgpl-section-6}
Now that we have a established a good working definition of works that
``use'' and works that ``are based on'' the library, we will consider the
rules for distributing these two different works.
@ -2184,10 +2196,10 @@ source form. However, there are also conditions in LGPL \S 6 to make sure
that a user who wishes to modify or update the library can do so.
LGPL \S 6 lists five choices with regard to supplying library source and
the freedom to modify that library source the users. We will first
consider the option given by \S 6(b), which describes the most common way
that is currently used for LGPL compliance on a ``work that uses the
library''.
granting the freedom to modify that library source to users. We will
first consider the option given by \S 6(b), which describes the most
common way that is currently used for LGPL compliance on a ``work that
uses the library''.
\S 6(b) allows the distributor of a ``work that uses the library'' to
simply use a dynamically linked, shared library mechanism to link with the
@ -2214,17 +2226,18 @@ based on the library'', so that the user can relink the application and
build a new binary.
The remaining options in \S 6 are very similar to the other choices
provided by GPL \S 3. There are some additions, and time does not permit
us in this course to go into those additional options. In almost all
cases of distribution under LGPL, either \S 6(a) or \S 6(b) are exercised.
provided by GPL \S 3. There are some additional options, and time does
not permit us in this course to go into those additional options. In
almost all cases of distribution under LGPL, either \S 6(a) or \S 6(b) are
exercised.
\section{Distribution of Works Based on the Library}
Essential, ``works based on the library'' must be distributed under the
same conditions as works under full GPL\@. In fact, we note that LGPL's \S
2 is nearly identical in its terms and requirements to GPL's \S 2. There
are again subtle differences and additions, which time does not permit us
to cover in this course.
Essentially, ``works based on the library'' must be distributed under the
same conditions as works under full GPL\@. In fact, we note that LGPL's
\S 2 is nearly identical in its terms and requirements to GPL's \S 2.
There are again subtle differences and additions, which time does not
permit us to cover in this course.
\section{And the Rest}
@ -3400,6 +3413,7 @@ That's all there is to it!
% LocalWords: proprietarize redistributors sublicense yyyy Gnomovision EULAs
% LocalWords: Yoyodyne FrontPage improvers Berne copyrightable Stallman's GPLs
% LocalWords: Lessig Lessig's UCITA pre PDAs CDs reshifts GPL's Gentoo glibc
% LocalWords: TrollTech administrivia LGPL's MontaVista OpenTV Mitek Arce
% LocalWords: unprotectable protectable Unfreedonia chipset CodeSourcery
% LocalWords: impermissibly
% LocalWords: TrollTech administrivia LGPL's MontaVista OpenTV Mitek Arce DVD
% LocalWords: unprotectable protectable Unfreedonia chipset CodeSourcery Iqtel
% LocalWords: impermissibly Bateman faire minimis Borland uncopyrightable Mgmt
% LocalWords: franca downloadable