8ee5f31779
I am relicensing these with verbal permission from John Sullivan, Executive Director of the FSF, which was given to me during a conference call on Wednesday 12 February 2014.
900 lines
44 KiB
TeX
900 lines
44 KiB
TeX
% case-study-ethics.tex -*- LaTeX -*-
|
|
|
|
% Tutorial Text for GPL Compliance Case Studies
|
|
% and Legal Ethics in Free Software Licensing
|
|
%
|
|
% Copyright (C) 2004 Free Software Foundation, Inc.
|
|
|
|
|
|
% License: CC-By-SA-4.0
|
|
|
|
% The copyright holders hereby grant the freedom to copy, modify, convey,
|
|
% Adapt, and/or redistribute this work under the terms of the Creative
|
|
% Commons Attribution Share Alike 4.0 International License.
|
|
|
|
% This text is distributed in the hope that it will be useful, but
|
|
% WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
% You should have received a copy of the license with this document in
|
|
% a file called 'CC-By-SA-4.0.txt'. If not, please visit
|
|
% https://creativecommons.org/licenses/by-sa/4.0/legalcode to receive
|
|
% the license text.
|
|
|
|
\documentclass[12pt]{report}
|
|
% FILTER_PS: \input{generate-ps-file}
|
|
% FILTER_PDF: \input{generate-pdf-file}
|
|
% FILTER_HTML: \input{generate-html-file}
|
|
\input{one-inch-margins}
|
|
|
|
%\setlength\parskip{0.7em}
|
|
%\setlength\parindent{0pt}
|
|
|
|
\newcommand{\defn}[1]{\emph{#1}}
|
|
|
|
%\pagestyle{empty}
|
|
|
|
\begin{document}
|
|
|
|
\begin{titlepage}
|
|
|
|
|
|
\begin{center}
|
|
|
|
\vspace{.5in}
|
|
|
|
{\Large {\sc GPL Compliance Case Studies} \\
|
|
|
|
\vspace{.7in}
|
|
|
|
Sponsored by the Free Software Foundation \\
|
|
|
|
|
|
\vspace{.3in}
|
|
|
|
Columbia Law School, New York, NY, USA \\
|
|
\vspace{.1in}
|
|
Wednesday 21 January 2004
|
|
}
|
|
|
|
\vspace{.7in}
|
|
|
|
{\large
|
|
Bradley M. Kuhn
|
|
|
|
Executive Director
|
|
|
|
Free Software Foundation
|
|
}
|
|
|
|
\vspace{.3in}
|
|
|
|
|
|
{\large
|
|
Daniel Ravicher
|
|
|
|
Senior Counsel
|
|
|
|
Free Software Foundation
|
|
}
|
|
|
|
\end{center}
|
|
|
|
\vfill
|
|
|
|
{\parindent 0in
|
|
Copyright \copyright{} 2004 \hspace{.2in} Free Software Foundation, Inc.
|
|
|
|
\vspace{.3in}
|
|
|
|
The copyright holders hereby grant the freedom to copy, modify, convey,
|
|
Adapt, and/or redistribute this work under the terms of the Creative Commons
|
|
Attribution Share Alike 4.0 International License. A copy of that license is
|
|
available at \verb=https://creativecommons.org/licenses/by-sa/4.0/legalcode=.
|
|
}
|
|
|
|
\end{titlepage}
|
|
|
|
\pagestyle{plain}
|
|
\pagenumbering{roman}
|
|
|
|
\begin{abstract}
|
|
|
|
This one-day course presents the details of five different GPL compliance
|
|
cases handled by FSF's GPL Compliance Laboratory. Each case offers unique
|
|
insights into problems that can arise when the terms of GPL are not
|
|
properly followed, and how diplomatic negotiation between the violator and
|
|
the copyright holder can yield positive results for both parties.
|
|
|
|
Attendees should have successfully completely the course, a ``Detailed
|
|
Study and Analysis of GPL and LGPL'', as the material from that course
|
|
forms the building blocks for this material.
|
|
|
|
The course is of most interest to lawyers who have clients or employers
|
|
that deal with Free Software on a regular basis. However, technical
|
|
managers and executives whose businesses use or distribute Free Software
|
|
will also find the course very helpful.
|
|
|
|
\bigskip
|
|
|
|
These course materials are merely a summary of the highlights of the
|
|
course presented. Readers of this material should assume that they have
|
|
missed the bulk of the material, as the detailed discussion of these case
|
|
studies is the most illuminating part about them. Merely reading this
|
|
material is akin to matriculating into a college course and read only the
|
|
textbook instead of going to class.
|
|
|
|
\end{abstract}
|
|
|
|
\tableofcontents
|
|
|
|
\pagebreak
|
|
|
|
\pagenumbering{arabic}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\chapter{Overview of FSF's GPL Compliance Lab}
|
|
|
|
The GPL is a Free Software license with legal teeth. Unlike licenses like
|
|
the X11-style or various BSD licenses, GPL (and by extension, the LGPL) is
|
|
designed to defend as well as grant freedom. We saw in the last course
|
|
that GPL uses copyright law as a mechanism to grant all the key freedoms
|
|
essential in Free Software, but also to ensure that those freedoms
|
|
propagate throughout the distribution chain of the software.
|
|
|
|
\section{Termination Begins Enforcement}
|
|
|
|
As we have learned, the assurance that Free Software under GPL remains
|
|
Free Software is accomplished through various terms of GPL: \S 3 ensures
|
|
that binaries are always accompanied with source; \S 2 ensures that the
|
|
sources are adequate, complete and usable; \S 6 and \S 7 ensure that the
|
|
license of the software is always GPL for everyone, and that no other
|
|
legal agreements or licenses trump GPL. It is \S 4, however, that ensures
|
|
that the GPL can be enforced.
|
|
|
|
Thus, \S 4 is where we begin our discussion of GPL enforcement. This
|
|
clause is where the legal teeth of the license are rooted. As a copyright
|
|
license, GPL governs only the activities governed by copyright law ---
|
|
copying, modifying and redistributing computer software. Unlike most
|
|
copyright licenses, GPL gives wide grants of permission for engaging with
|
|
these activities. Such permissions continue and all parties may exercise
|
|
them until such time as one party violates the terms of GPL\@. At the
|
|
moment of such a violation (i.e., the engaging of copying, modifying or
|
|
redistributing in ways not permitted by GPL) \S 4 is invoked. While other
|
|
parties may continue to operate under GPL, the violating party loses their
|
|
rights.
|
|
|
|
Specifically, \S 4 terminates the violators' rights to continue engaging
|
|
in the permissions that otherwise granted by GPL\@. Effectively, their
|
|
permissions go back to the copyright defaults --- no permission is granted
|
|
to copy, modify, nor redistribute the work. Meanwhile, \S 5 points out
|
|
that if if the violator has no rights under GPL --- as they will not once
|
|
they have violated it --- then they otherwise have no rights and are
|
|
prohibited by copyright law from engaging in the activities of copying,
|
|
modifying and distributing.
|
|
|
|
\section{Ongoing Violations}
|
|
|
|
In conjunction with \S 4's termination of violators' rights, there is one
|
|
final industry fact added to the mix: rarely, does one engage in a single,
|
|
solitary act of copying, distributing or modifying software. Almost
|
|
always, a violator will have legitimately acquired a copy a GPL'd program,
|
|
either making modifications or not, and then began a ongoing activity of
|
|
distributing that work. For example, the violator may have put the
|
|
software in boxes and sold them at stores. Or perhaps the software was
|
|
put up for download on the Internet. Regardless of the delivery
|
|
mechanism, violators almost always are engaged in {\em ongoing\/}
|
|
violation of GPL\@.
|
|
|
|
In fact, when we discover a GPL violation that occurred only once --- for
|
|
example, a user group who distributed copies of a GNU/Linux system without
|
|
source at one meeting --- we rarely pursue it with a high degree of
|
|
tenacity. In our minds, such a violation is an educational problem, and
|
|
unless the user group becomes a repeat offender (as it turns out, the
|
|
never do) we simply forward along an FAQ entry that best explains how user
|
|
groups can most easily comply with GPL, and send them on there merry way.
|
|
|
|
It is only the cases of {\em ongoing\/} GPL violation that warrant our
|
|
active attention. We vehemently pursue those cases where dozens, hundreds
|
|
or thousands of customers are receiving software that is out of
|
|
compliance, and where the company continually puts for sale (or
|
|
distributes gratis as a demo) software distributions that include GPL'd
|
|
components out of compliance. Our goal is to maximize the impact of
|
|
enforcement and educate industries who are making such a mistake on a
|
|
large scale.
|
|
|
|
In addition, such ongoing violation shows that a particular company is
|
|
committed to a GPL'd product line. We are thrilled to learn that someone
|
|
is benefiting from Free Software, and we understand that sometimes they
|
|
have become confused about the rules of the road. Rather than merely
|
|
giving us a post mortem to perform on a past mistake, an ongoing violation
|
|
gives us an active opportunity to educate a new contributor the GPL'd
|
|
commons about proper procedures to contribute to the community.
|
|
|
|
Our central goal is not, in fact, to merely clear up particular violation.
|
|
In fact, over time, we hope that our compliance lab will be out of
|
|
business. We seek to educate the businesses that engage in commerce
|
|
related to GPL'd software to obey the rules of the road and allow them to
|
|
operate freely under them. Just as a traffic officer would not revel in
|
|
reminding people which side of the road to drive on, so we do not revel in
|
|
violations. By contrast, we revel in the successes of educating an
|
|
ongoing violator about GPL so that GPL compliance becomes a second-nature
|
|
matter, allowing that company to join the GPL ecosystem as a contributor.
|
|
|
|
\section{How are Violations Discovered?}
|
|
|
|
Our enforcement of GPL is not a fund-raising effort; in fact, FSF's GPL
|
|
Compliance Lab runs at a loss (in other words, it is subsided by our
|
|
donors). Our violation reports come from volunteers, who have encountered
|
|
in their business or personal life, a device or software product that
|
|
appears to contain GPL'd software. These reports are almost always sent
|
|
via email to $<$license-violation@fsf.org$>$.
|
|
|
|
Our first order of business, upon receiving such a report, is to seek
|
|
independent confirmation. When possible, we get a copy of the software
|
|
product. For example, if it is an offering that is downloadable from a
|
|
website, we download it and investigate ourselves. When it is not
|
|
possible for us to actually get a copy of the software, we ask the
|
|
reporter to go through the same process we would use in examining the
|
|
software.
|
|
|
|
By rough estimation, about 95\% of violations at this stage can be
|
|
confirmed by simple commands. Almost all violators have merely made an
|
|
error and have no nefarious intentions. They have made no attempt to
|
|
remove our copyright notices from the software. Thus, given the
|
|
third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux
|
|
system) such as the following will find a Free Software copyright notice
|
|
and GPL reference:
|
|
\begin{quotation}
|
|
{\tt strings tpb | grep Copyright}
|
|
\end{quotation}
|
|
In other words, it is usually more than trivial to confirm that GPL'd
|
|
software is included.
|
|
|
|
Once we have confirmed that a violation has indeed occurred, we must then
|
|
determine whose copyright has been violated. Contrary to popular belief,
|
|
FSF does not have the power to enforce GPL in all cases. Since GPL
|
|
operates under copyright law, the powers of enforcement --- to seek
|
|
redress once \S 4 has been invoked --- lies with the copyright holder of
|
|
the software. FSF is one of the largest copyright holders in the world of
|
|
GPL'd software, but we are by no means the only one. Thus, we sometimes
|
|
discover that while GPL'd code is present in the software, there is no
|
|
software copyrighted by FSF present.
|
|
|
|
In cases where FSF does not hold copyright interest in the software, but
|
|
we have confirmed a violation, we contact the copyright holders of the
|
|
software, and encourage them to enforce GPL\@. We offer our good offices
|
|
to help negotiate compliance on their behalf, and many times we help as a
|
|
third party to settle such GPL violations. However, what we will describe
|
|
primarily in this course is FSF's first-hand experience enforcing its own
|
|
copyrights and GPL\@.
|
|
|
|
\section{First Contact}
|
|
|
|
The Free Software community is built on a structure of voluntary
|
|
cooperation and mutual help. Our community has learned that cooperation
|
|
works best when you assume the best of others, and only change policy,
|
|
procedures and attitudes when some specific event or occurrence indicates
|
|
that a change is necessary. We treat the process of GPL enforcement in
|
|
the same way. Our goal is to encourage violators to join the cooperative
|
|
community of software sharing, so we want to open our hand in friendship
|
|
to them.
|
|
|
|
Therefore, once we have confirmed a violation, our first assumption is
|
|
that the violation is an oversight or otherwise a mistake due to confusion
|
|
about the terms of the license. We reach out to the violator and ask them
|
|
to work with us in a collaborative way to bring the product into
|
|
compliance. We have received the gamut of possible reactions to such
|
|
requests, and in this course, we examine four specific examples of such
|
|
compliance work.
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\chapter{Davrik: Modified GCC SDK}
|
|
|
|
In our first case study, we will consider Davrik, a company that produces
|
|
software and hardware toolkits to assist OEM vendors who products consumer
|
|
electronic devices.
|
|
|
|
\section{Facts}
|
|
|
|
One of Davrik's key products is a Software Development Kit (``SDK'')
|
|
designed to assist developers building software for a specific class of
|
|
consumer electronics devices.
|
|
|
|
FSF received a report that the SDK may be based on the GNU Compiler
|
|
Collection (which is an FSF-copyrighted collection of tools for software
|
|
development in C, C++ and other popular languages). FSF investigated the
|
|
claim, but was unable to confirm the violation. The violation reporter
|
|
was unresponsive to follow-up requests for more information.
|
|
|
|
Since FSF was unable to confirm the violation, we did not pursue it any
|
|
further. Bogus reports do happen, and we do not want to burden companies
|
|
with specious GPL violation complaints. FSF shelved the matter until
|
|
more evidence was discovered.
|
|
|
|
FSF was later able to confirm the violation when two additional reports
|
|
surfaced from other violation reporters, both of whom had used the SDK
|
|
professional and noticed clear similarities to FSF's GNU GCC\@. FSF's
|
|
Compliance Engineer asked the reporters to run standard tests to confirm
|
|
the violation, and it was confirmed that Davrik's SDK was indeed a
|
|
derivative work of GCC\@. Davrik had ported to Windows and added a number
|
|
of features, including support for a specific consumer device chipset and
|
|
additional features to aid in the linking process (``LP'') for those
|
|
specific devices. FSF explained the rights that the GPL afforded these
|
|
customers and pointed out, for example, that Davrik only needed to provide
|
|
source to those in possession of the binaries, and that the users may need
|
|
to request that source (if \S 3(b) was exercised). The violators
|
|
confirmed that such requests were not answered.
|
|
|
|
FSF brought the matter to the attention of Davrik, who immediately
|
|
escalated the matter to their attorneys. After a long negotiation, Davrik
|
|
acknowledged that their SDK was indeed a derivative work of GCC\@. Davrik
|
|
released most of the source, but some disagreement occurred over whether
|
|
LP was a derivate work of GCC\@. After repeated FSF inquiries, Davrik
|
|
reaudited the source and discovered that FSF's analysis was correct and
|
|
determined that LP included a number of source files copied from the GCC
|
|
code-base.
|
|
|
|
\label{davrik-build-problems}
|
|
Once the full software release was made available, FSF asked the violation
|
|
reporters if it addressed the problem. Reports came back that the source
|
|
did not properly build. FSF asked Davrik to provide better build
|
|
instructions with the software, and such build instructions were
|
|
incorporated into the next software release.
|
|
|
|
At FSF's request as well, Davrik informed customers who had previously
|
|
purchased the product that the source was now available, by announcing
|
|
the available on its website and via a customer newsletter.
|
|
|
|
Davrik did have some concerns regarding patents. They wished to include a
|
|
statement with the software release that made sure they were not granting
|
|
any patent permission other than what was absolutely required by GPL\@.
|
|
They understood that their patent assertions could not trump any rights
|
|
granted by GPL\@. The following language was negotiated to be included
|
|
with the release:
|
|
|
|
\begin{quotation}
|
|
Subject to the qualifications stated below, Davrik, on behalf of itself
|
|
and its Subsidiaries, agrees not to assert the Claims against you for your
|
|
making, use, offer for sale, sale, or importation of the Davrik's GNU
|
|
Utilities or derivative works of the Davrik's GNU Utilities
|
|
("Derivatives"), but only to the extent that any such Derivatives are
|
|
licensed by you under the terms of the GNU General Public License. The
|
|
Claims are the claims of patents that Davrik or its Subsidiaries have
|
|
standing to enforce that are directly infringed by the making, use, or
|
|
sale of an Davrik Distributed GNU Utilities in the form it was distributed
|
|
by Davrik and that do not include any limitation that reads on hardware;
|
|
the Claims do not include any additional patent claims held by Davrik that
|
|
cover any modifications of, derivative works based on or combinations with
|
|
the Davrik's GNU Utilities, even if such a claim is disclosed in the same
|
|
patent as a Claim. Subsidiaries are entities that are wholly owned by
|
|
Davrik.
|
|
|
|
This statement does not negate, limit or restrict any rights you already
|
|
have under the GNU General Public License, Version 2.
|
|
\end{quotation}
|
|
|
|
This quelled Davrik's concerns about other patent licensing they sought to
|
|
do outside of the GPL'd software, and satisfied FSF's concerns that they
|
|
give proper permissions to exercise teachings of patents that were
|
|
exercised in their GPL'd software release.
|
|
|
|
Finally, a GPL Compliance Officer inside Davrik was appointed who is
|
|
responsible for all matters of GPL compliance inside the company. Darvik
|
|
is responsible for informing FSF if the position is given to someone else
|
|
inside the company, and making sure that FSF has direct contact
|
|
information with Darvik's Compliance Officer.
|
|
|
|
\section{Lessons}
|
|
|
|
This case introduces a number of concepts regarding GPL enforcement.
|
|
|
|
\begin{enumerate}
|
|
|
|
\item {\bf Enforcement should not begin until the evidence is confirmed.}
|
|
Most companies who distribute GPL'd software do so in compliance, and at
|
|
times, violation reports are mistaken. Even with extensive efforts in
|
|
GPL education, many users do not fully understand their rights and the
|
|
obligations that companies have. By working through the investigation
|
|
with reporters, the violation can be properly confirmed, and {\bf the
|
|
user of the software can be educated about what to expect with GPL'd
|
|
software}. When users and customers of GPL'd products know their
|
|
rights, what to expect, and how to properly exercise their rights
|
|
(particularly under \S 3(b)), it reduces the chances for user
|
|
frustration and inappropriate community outcry about an alleged GPL
|
|
violation.
|
|
|
|
\item {\bf GPL compliance requires friendly negotiation and cooperation.}
|
|
Often, attorneys and managers are legitimately surprised to find out
|
|
GPL'd software is included in their company's products. Engineers
|
|
sometimes include GPL'd software without understanding the requirements.
|
|
This does not excuse companies from their obligations under the license,
|
|
but it does mean that care and patience are essential for reaching GPL
|
|
compliance. We want companies to understand that participating and
|
|
benefiting from a collaborative Free Software community is not a burden,
|
|
so we strive to make the process of coming into compliance as smooth as
|
|
possible.
|
|
|
|
\item {\bf Confirming compliance is a community effort.} The whole point
|
|
of making sure that software distributors respect the terms of GPL is to
|
|
allow a thriving software sharing community to benefit and improve the
|
|
work. FSF are not the experts on how a compiler for consumer electronic
|
|
devices should work. We therefore inform the community who originally
|
|
brought the violation to our attention and ask them to assist in
|
|
evaluation and confirmation of the product's compliance. Of course, FSF
|
|
coordinates and oversees the process, but we do not want compliance for
|
|
compliance's sake; rather, we wish to foster a cooperating community of
|
|
development around the Free Software in question, and encourage the
|
|
once-violator to begin participating in that community.
|
|
|
|
\item {\bf Informing the harmed community is part of compliance.} FSF asks
|
|
violators to make some attempt --- such as via newsletters and the
|
|
company's website --- to inform those who already have the products as
|
|
to their rights under GPL\@. One of the key thrusts of GPL's \S 1 and
|
|
\S 3 is to {\em make sure the user knows she has these rights\/}. If a
|
|
product was received out of compliance by a customer, she may never
|
|
actually discover that she had such rights. Informing customers, in a
|
|
way that is not burdensome but has a high probability of successfully
|
|
reaching those who would seek to exercise their freedoms, is essential
|
|
to properly remedy the mistake.
|
|
|
|
\item {\bf Lines between various copyright, patent, and other legal
|
|
mechanisms must be precisely defined and considered.} The most
|
|
difficult negotiation point of the Davrik case was drafting language
|
|
that simultaneously protected the Davrik's patent rights outside of the
|
|
GPL'd source, but was consistent with the implicit patent grant in
|
|
GPL\@. As we discussed in the first course in this series, there is
|
|
indeed an implicit patent grant with GPL, thanks to \S 6 and \S 7.
|
|
However, many companies become nervous and wish to make the grant
|
|
explicit to assure themselves that the grant is sufficiently narrow for
|
|
their needs. We understand that there is no reasonable way to determine
|
|
what patent claims read on a company's GPL holdings and which do not, so
|
|
we do not object to general language that explicitly narrows the patent
|
|
grant to only those patents that were, in fact, exercised by the GPL'd
|
|
software as released by the company.
|
|
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\chapter{Bracken: a Minor Violation in a GNU/Linux Distribution}
|
|
|
|
In this case study, we consider a minor violation made by a company whose
|
|
knowledge of the Free Software community and it functions is deep.
|
|
|
|
\section{The Facts}
|
|
|
|
Bracken produces a GNU/Linux operating system product that is sold
|
|
primarily to OEM vendors to be placed in appliance devices that are used
|
|
for a single purpose, such as an Internet-browsing-only device. The
|
|
product is almost 100\% Free Software, mostly licensed under GPL and
|
|
related Free Software licenses.
|
|
|
|
FSF found out about this violation through a report first posted in a
|
|
comment on a Slashdot\footnote{Slashdot is a popular news and discussion
|
|
site for technical readers.} comment, and then was brought to attention
|
|
again by another Free Software copyright holder who had discovered the
|
|
same violation.
|
|
|
|
Bracken's GNU/Linux product is delivered directly from their website.
|
|
This allowed FSF engineers to directly download and confirm the violation
|
|
quickly. It was discovered that there were two primary problems with the
|
|
online distribution:
|
|
|
|
\begin{itemize}
|
|
|
|
\item No source code nor offer for source code was provided for a number
|
|
of components for the distributed GNU/Linux system; only binaries were
|
|
available.
|
|
|
|
\item An End User License Agreement (``EULA'') was included that
|
|
contradicted the permissions granted by GPL\@.
|
|
\end{itemize}
|
|
|
|
FSF contacted Bracken and gave them the details of the violation. Bracken
|
|
immediately ceased distribution of the product temporarily, and set forth
|
|
a plan to bring themselves back into compliance. This plan included the
|
|
following steps:
|
|
|
|
\begin{itemize}
|
|
|
|
\item Bracken attorneys would rewrite the EULA to comply with GPL, and
|
|
would vet the new EULA through FSF before use.
|
|
|
|
\item Bracken engineers would provide source side-by-side with the
|
|
binaries for the GNU/Linux distribution on the site (and on CD's, if
|
|
ever they distributed that way).
|
|
|
|
\item Bracken attorneys would run an internal seminar for its engineers
|
|
regarding proper GPL compliance, to help ensure that such oversights
|
|
regarding source releases would not occur in the future.
|
|
|
|
\item Bracken would resume distribution of the product only after FSF
|
|
formally restored Bracken's distribution rights.
|
|
\end{itemize}
|
|
|
|
This case was completed in the matter of about a month. FSF approved the
|
|
new EULA text. They key portion in the EULA relating to GPL read as
|
|
follows:
|
|
|
|
\begin{quotation}
|
|
Many of the Software Programs included in Bracken Software are distributed
|
|
under the terms of agreements with Third Parties (``Third Party
|
|
Agreements'') which may expand or limit the Licensee's rights to use
|
|
certain Software Programs as set forth in [this EULA]. Certain Software
|
|
Programs may be licensed (or sublicensed) to Licensee under the GNU
|
|
General Public License and other similar license agreements listed in part
|
|
in this section which, among other rights, permit the Licensee to copy,
|
|
modify and redistribute certain Software Programs, or portions thereof,
|
|
and have access to the source code of certain Software Programs, or
|
|
portions thereof. In addition, certain Software Programs, or portions
|
|
thereof, may be licensed (or sublicensed) to Licensee under terms stricter
|
|
than those set forth in [this EULA]. The Licensee must review the
|
|
electronic documentation that accompanies certain Software Programs, or
|
|
portions thereof, for the applicable Third Party Agreements. To the
|
|
extent any Third Party Agreements require that Bracken provide rights to
|
|
use, copy or modify a Software Program that are broader than the rights
|
|
granted to the Licensee in [this EULA], then such rights shall take
|
|
precedence over the rights and restrictions granted in this Agreement
|
|
solely for such Software Programs.
|
|
\end{quotation}
|
|
|
|
FSF restored Bracken's distribution rights shortly after the work was
|
|
completed as described.
|
|
|
|
\section{Lessons Learned}
|
|
|
|
This case was probably the most quickly and easily resolved of all GPL
|
|
violations in the history of FSF's Compliance Lab. The ease with which
|
|
the problem was resolved shows a number of cultural factors that play a
|
|
role in GPL compliance.
|
|
|
|
\begin{enumerate}
|
|
|
|
\item {\bf Companies that understand Free Software culture better have an
|
|
easier time with compliance.} Bracken's products were designed and
|
|
built around the GNU/Linux system and Free Software components. Their
|
|
engineers were deeply familiar with the Free Software ecosystem, and
|
|
their lawyers had seen and reviewed GPL before. The violation was
|
|
completely an honest mistake. Since the culture inside the company had
|
|
already adapted to the cooperative style of resolution in the Free
|
|
Software world, there was very little work for either party to bring the
|
|
product into compliance.
|
|
|
|
\item {\bf When people in key positions understand the Free Software
|
|
nature of their software products, compliance concerns are as mundane as
|
|
minor software bugs.} Even the most functional system or structure has
|
|
its problems, and successful business often depends on agile response to
|
|
the problems that do come up; avoiding problems altogether is a pipe
|
|
dream. Minor GPL violations can and do happen even with well-informed
|
|
redistributors. However, when the company --- and in particular, the
|
|
lawyers, managers, and engineers working on the Free Software product
|
|
lines --- have adapted to the cooperative Free Software culture,
|
|
resolving such problems is merely a mundane detail of typical operation
|
|
and resolution is reached quickly.
|
|
|
|
\item {\bf Legally, distribution must stop when a violation is
|
|
identified.} In our opinion, Bracken went above and beyond the call of
|
|
duty by ceasing distribution while the violation was being resolved.
|
|
Under GPL \S 4, the redistributor loses the right to distribute the
|
|
software, and thus they are in ongoing violation of copyright law if
|
|
they distribute before rights are restored. It is FSF's policy to
|
|
temporarily allow distribution while compliance negotiations are ongoing
|
|
and only in the most extreme cases (where the other party appears to be
|
|
negotiating in bad faith) does FSF even threaten an injunction on
|
|
copyright grounds. However, Bracken --- as a good Free Software citizen
|
|
--- chose to be on the safe side and do the legally correct thing while
|
|
the violation case was pending. Since from start to finish it took less
|
|
than am month to resolve, this lapse in distribution did not, to FSF's
|
|
knowledge, impact Bracken's business in any way.
|
|
|
|
\item {\bf EULAs are a common area for GPL problems.} Often, EULAs are
|
|
drafted from boilerplate text that a company uses for all its products.
|
|
Even the most diligent attorneys forget or simply do not know that a
|
|
product contains software licensed under GPL and other Free Software
|
|
licenses. Drafting a EULA that accounts for such licenses is
|
|
straightforward; the text quoted above works just fine. The EULA must
|
|
be designed so that it does not trump and rights and permissions already
|
|
granted by GPL\@, and it clearly state that if there is a conflict
|
|
between the EULA and GPL, with regard to GPL'd code, that the GPL is the
|
|
overriding license.
|
|
|
|
\item {\bf Compliance Officers are rarely necessary when companies are
|
|
educated about GPL compliance.} As we saw in the Davrik case, FSF asks
|
|
that a formal ``GPL Compliance Officer'' be appointed inside a
|
|
previously violating organization to shepherd the organization to a
|
|
cooperative approach with regard to GPL compliance. However, when FSF
|
|
sees that an organization already has such an approach, there is no
|
|
need to request that such an officer be appointed.
|
|
|
|
\end{enumerate}
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\chapter{Vigorien: Security, Export Controls, and GPL Compliance}
|
|
|
|
This case study introduces how concerns of ``security through obscurity''
|
|
and regulatory problems can impact GPL compliance matters.
|
|
|
|
\section{The Facts}
|
|
|
|
Vigorien distributes a backup solution product that allows system
|
|
administrators to create encrypted backups of file-systems on Unix-like
|
|
computers. The product is based on GNU tar, a backup utility that
|
|
replaces the standard Unix utility, ``tar'', but has additional features.
|
|
|
|
Vigorien's backup solution added cryptographic features to GNU tar, and
|
|
included a suite of utilities and graphical user interfaces surrounding
|
|
GNU tar to make backups convenient.
|
|
|
|
FSF discovered the violation from a user report, and determined that the
|
|
cryptographic features were the only part of the product that constituted
|
|
a derivative work of GNU tar; the extraneous utilities merely made
|
|
``shell'' calls out to GNU tar. FSF requested that Vigorien come into
|
|
compliance with GPL by releasing the source of GNU tar, with the
|
|
cryptographic modifications, to its customers.
|
|
|
|
Vigorien released the original GNU tar sources, but kept the cryptographic
|
|
modifications proprietary. They argued that the security of their system
|
|
depending on keeping the software proprietary and that regardless, USA
|
|
export restrictions on cryptographic software prohibited such a release.
|
|
FSF disputed the first claim, pointing out that Vigorien had only one
|
|
option if they did not want to release the source: they would have to
|
|
remove GNU tar from the software and not distribute it further. Vigorien
|
|
rejected this suggestion, since GNU tar was an integral part of the
|
|
product and the security changes were useless without GNU tar.
|
|
|
|
Regarding the export control claims, FSF proposed a number of options,
|
|
including release of the source from one of Vigorien's divisions overseas
|
|
where no such restrictions occurred, but Vigorien argued that the problem
|
|
was insoluble because they operated primarily in the USA\@.
|
|
|
|
The deadlock on the second issue was resolved when those cryptographic
|
|
export restrictions were lifted shortly thereafter, and FSF again raised
|
|
the matter with Vigorien. At that point, they dropped the first claim and
|
|
agreed to release the remaining source module to their customers. They
|
|
did so, and the violation was resolved.
|
|
|
|
|
|
\section{Lessons Learned}
|
|
|
|
\begin{enumerate}
|
|
|
|
\item {\bf Removing the GPL'd portion of the product is always an option.}
|
|
Many violators' first response is to simply refuse to release the source
|
|
code as GPL requires. FSF offers the option to simply remove the GPL'd
|
|
portions from the product and continue along without them indefinitely.
|
|
Every case where this has been suggested has led to the same conclusion.
|
|
Like Vigorien, the violator argues that the product cannot function
|
|
without the GPL'd components and they cannot effectively replace them.
|
|
|
|
Such an outcome is simply further evidence that the combined work in
|
|
question is indeed a derivative work of the original GPL'd component.
|
|
If the other components cannot stand on their own and be useful without
|
|
the GPL'd portions, then one cannot effectively argue that the work as a
|
|
whole is not a derivative of the GPL'd portions.
|
|
|
|
\item {\bf The whole product is not always covered.} In this case,
|
|
Vigorien had additional works aggregated. The backup system was a suite
|
|
of utilities, some of which were GPL and some of which were not. While
|
|
the cryptographic routines were tightly coupled with GNU tar and clearly
|
|
derivative works, the various GUI utilities were separate and
|
|
independent works merely aggregated with the distribution of the
|
|
GNU-tar-based product.
|
|
|
|
|
|
\item {\bf ``Security'' concerns do not exonerate a distributor from GPL
|
|
obligations, and ``security through obscurity'' does not work anyway.}
|
|
The argument that ``this is security software, so it cannot be released
|
|
in source form'' is not a valid defense for explaining why the terms of
|
|
the GPL are ignored. If companies do not want to release source code
|
|
for some reason, then they should not base the work on GPL'd software.
|
|
No external argument for non-compliance can hold weight if the work as
|
|
whole is indeed a derivative work of a GPL'd program.
|
|
|
|
The ``security concerns'' argument is often floated as a reason to keep
|
|
software proprietary, but the computer security community has on
|
|
numerous occasions confirmed that such arguments are entirely specious.
|
|
Security experts have found --- since the beginnings of the field of
|
|
cryptography in the ancient word --- that sharing results about systems
|
|
and having such systems withstand peer review and scrutiny builds the
|
|
most secure systems. While full disclosure may help some who wish to
|
|
compromise security, it helps those who want to fix problems even more
|
|
by identifying them early.
|
|
|
|
\item {\bf External regulatory problems can be difficult to resolve.}
|
|
GPL, though grounded in copyright law, does not have the power to trump
|
|
regulations like export controls. While Vigorien's ``security
|
|
concerns'' were specious, their export control concerns were not. It is
|
|
indeed a difficult problem that FSF acknowledges. We want compliance
|
|
with GPL and respect for users' freedoms, but we certainly do not expect
|
|
companies to commit criminal offenses for the sake of compliance. We
|
|
will see more about this issue in our next case study.
|
|
\end{enumerate}
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices}
|
|
|
|
This case study considers an ongoing (at the time of writing) violation
|
|
that has occurred. By the end of the investigation period, three
|
|
companies were involved and many complex issues arose.
|
|
|
|
\section{The Facts}
|
|
|
|
Haxil produced a consumer electronics device which included a mini
|
|
GNU/Linux distribution to control the device. The device was of interest
|
|
to many technically minded consumers, who purchased the device and very
|
|
quickly discovered that Free Software was included without source.
|
|
Mailing lists throughout the Free Software community erupted with
|
|
complaints about the problem, and FSF quickly investigated.
|
|
|
|
FSF confirmed that FSF-copyrighted GPL'd software was included. In
|
|
addition, the whole distribution included GPL'd works from hundreds of
|
|
individual copyright holders, many of whom were, at this point, up in
|
|
arms about the violation.
|
|
|
|
Meanwhile, Haxil was in the midst of being acquired by Polgara. Polgara
|
|
was as surprised as everyone else to discover the product was based on
|
|
GPL'd software; this fact had not been part of the disclosures made during
|
|
acquisition. FSF contacted both Haxil and Polgara, and product managers
|
|
who had transitioned into the ``Haxil division'' of the newly-merged
|
|
Polgara company and Polgara's General Counsel's office worked with FSF on
|
|
the matter.
|
|
|
|
FSF meanwhile formed a coalition with the other primary copyright holders
|
|
to pursue the enforcement effort on their behalf. FSF communicated
|
|
directly with Polgara's representatives to begin working through the
|
|
issues on behalf of FSF itself and the Free Software community at large.
|
|
|
|
Polgara pointed out that the software distribution they used was mostly
|
|
contributed by an upstream provider, Thesulac, and Haxil's changes to that
|
|
code base were minimal. Polgara negotiated with Thesulac to obtain the
|
|
source, although the issue was moving very slowly in the channels between
|
|
Polgara and Thesulac.
|
|
|
|
FSF encouraged a round-table meeting so that high bandwidth communication
|
|
could occur between FSF, Polgara and Thesulac. Polgara and Thesulac
|
|
agreed, and that discussion began. Thesulac provided nearly complete
|
|
sources to Polgara, and Polgara made a full software release on their
|
|
website. At the time of writing, that software still has some build
|
|
problems (similar those that occurred with Davrik, as described in
|
|
Section~\ref{davrik-build-problems}). FSF continues to negotiate with
|
|
Polgara and Thesulac to resolve these problems, which have a clear path to
|
|
solution and are expected to resolve.
|
|
|
|
Similar to the Vigorien case, Thesulac has regulatory concerns. In this
|
|
case, it is not export controls --- an issue that has since been resolved
|
|
--- but radio spectrum regulation. Since this consumer electronic device
|
|
contains a software-programmable radio transmitter, regulations in (at
|
|
least) the USA and Japan prohibit release of those portions of the code
|
|
that operate the device. Since this is a low-level programming issue, the
|
|
changes to operate the device are a derivative work of the kernel named
|
|
Linux. This situation remains unresolved at the time of writing, although
|
|
FSF continues to negotiation with Thesulac and the Linux community
|
|
regarding the problem.
|
|
|
|
\section{Lessons Learned}
|
|
|
|
\begin{enumerate}
|
|
|
|
\item {\bf Community outrage, while justified, can often make negotiation
|
|
more difficult.} FSF has a strong policy never to publicize names of
|
|
GPL violators if they are negotiating in a friendly way and operating in
|
|
good faith toward compliance. Most violations are honest mistakes, and
|
|
FSF sees no reason to publicly admonish violators who genuinely see to
|
|
come into compliance with GPL and to work hard staying in compliance.
|
|
|
|
This case was so public in the Free Software community that both Haxil's
|
|
and Polgara's representatives were nearly shell-shocked by the time FSF
|
|
began negotiations. There was much work required to diffuse the
|
|
situation. We empathize with our community and their outrage about GPL
|
|
violations, but we also want to follow a path that leads expediently
|
|
to compliance. In our experience, public outcry works best as a last
|
|
resort, not the first.
|
|
|
|
\item {\bf For software companies, GPL compliance belongs on a corporate
|
|
acquisition checklist. } Polgara was truly amazed that Haxil had used
|
|
GPL'd software in a major new product line but never informed Polgara
|
|
during the acquisition process. While GPL compliance is not a
|
|
particularly difficult matter, it is an additional obligation that comes
|
|
along with the product line. When planning mergers and joint ventures,
|
|
one should include lists of GPL'd components contained in the products
|
|
discussed.
|
|
|
|
\item {\bf Compliance problems of upstream providers do not excuse a
|
|
violation for the downstream distributor.} To paraphrase \S 6, upstream
|
|
providers are not responsible for enforcing compliance of their
|
|
downstream, nor are downstream distributors responsible for compliance
|
|
problems of upstream providers. However, engaging in distribution of
|
|
GPL'd works out of compliance is still just that: a compliance problem.
|
|
When FSF carries out enforcement, we are patient and sympathetic when
|
|
the problem appears to be upstream. In fact, we urge the violator to
|
|
point us to the upstream provider so we may talk to them directly. In
|
|
this case we were happy to begin negotiations with Thesulac. However,
|
|
Polgara still has an obligation to bring their product into compliance,
|
|
regardless of Thesulac's response.
|
|
|
|
\item {\bf It behooves upstream providers to advise downstream
|
|
distributors about compliance matters.} FSF has encouraged Thesulac to
|
|
distribute a ``good practices for GPL compliance'' document with their
|
|
product. Polgara added various software components to Thesulac's
|
|
product, and it is conceivable that such additions can introduce
|
|
compliance. In FSF's opinion, Thesulac is no way legally responsible
|
|
for such a violation introduced by their customer, but it behooves them
|
|
from a marketing standpoint to educate their customers about using the
|
|
product. We can argue whether or not it is your coffee vendor's fault
|
|
if you burn yourself with their product, but (likely) no one on either
|
|
side would dispute the prudence of placing a ``caution: hot'' label on
|
|
the cup.
|
|
|
|
\item {\bf FSF enforcement often avoids redundant enforcement cases from
|
|
many parties.} Most Free Software systems have hundreds of copyright
|
|
holders. Some have thousands. FSF is in a unique position as one of
|
|
the largest single copyright holders on GPL'd software and as a
|
|
respected umpire in the community neutrally enforcing the rules of the
|
|
GPL road. FSF works hard in the community to convince copyright
|
|
holders that consolidating GPL claims through FSF is better for them,
|
|
and more likely to yield positive compliance results.
|
|
|
|
A few copyright holders engage in the ``proprietary relicensing''
|
|
business, so they use GPL enforcement as a sales channel for that
|
|
business. FSF, as a community-oriented not-for-profit organization,
|
|
seeks only to preserve the freedom of Free Software in its enforcement
|
|
efforts. As it turns out, most of the community of copyright holders
|
|
of Free Software want the same thing. Share and share alike is a
|
|
simple rule to follow, and following that rule to FSF's satisfaction
|
|
usually means you are following it to the satisfaction of the entire
|
|
Free Software community.
|
|
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\chapter{Good Practices for Compliance}
|
|
|
|
Generally, from the experience of GPL enforcement, we glean the following
|
|
general practices that can help in GPL compliance for organizations that
|
|
distribute products based on GPL'd software:
|
|
|
|
\begin{enumerate}
|
|
|
|
\item Talk to your software engineers and ask them where they got the
|
|
components they use in the products they build. Find out if GPL'd
|
|
components are present.
|
|
|
|
\item Teach your engineering staff to pay attention to license documents.
|
|
Give them easy-to-follow policies to get approval for using a Free
|
|
Software component.
|
|
|
|
\item Build a ``Free Software Licensing'' committee that handles requests
|
|
and questions about GPL and other Free Software licenses.
|
|
|
|
\item Add ``What parts of your products are under GPL or other Free
|
|
Software licenses?'' to your checklist of questions to ask when you
|
|
consider mergers, acquisitions, or joint ventures.
|
|
|
|
\item Encourage your engineers to participate collaboratively with GPL'd
|
|
software development. The more knowledge about the Free Software world
|
|
your organization has, the better equipped it is to deal with this
|
|
rapidly changing field.
|
|
|
|
\item When someone points out a potential GPL violation in one of your
|
|
products, do not assume the product line is doomed. GPL is not a virus;
|
|
merely having GPL'd code in one part of a product does not necessarily
|
|
mean that every related product must also be GPL'd. And, even if some
|
|
software needs to be released that was not before, the product will
|
|
surely still survive. In FSF's enforcement efforts, we have not yet
|
|
seen a product line die because source was released to customers in
|
|
compliance with GPL.
|
|
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\end{document}
|
|
|
|
% LocalWords: proprietarize redistributors sublicense yyyy Gnomovision EULAs
|
|
% LocalWords: Yoyodyne FrontPage improvers Berne copyrightable Stallman's GPLs
|
|
% LocalWords: Lessig Lessig's UCITA pre PDAs CDs reshifts GPL's Gentoo glibc
|
|
% LocalWords: TrollTech administrivia LGPL's MontaVista Davrik Davrik's Darvik
|
|
% LocalWords: Darvik's Slashdot sublicensed Vigorien Vigorien's Haxil Polgara
|
|
% LocalWords: Thesulac Polgara's Haxil's Thesulac's SDK CD's
|