Android and the GPLv2 death penalty
Edward Naughton is at it again: he is now claiming that most or all Android vendors have lost their right to distribute the kernel as the result of GPL violations. Naturally Florian Mueller picked it up and amplified it; he is amusingly surprised to learn that there are GPL compliance problems in the Android world. As it happens, there is no immediate prospect of Android vendors being unable to ship their products - at least, not as a result of GPL issues - but there is a point here which is worth keeping in mind.
First: please bear in mind while reading the following that your editor is not a lawyer and couldn't even plausibly play one on television.
Earlier this year, Jeremy Allison gave a talk on why the Samba project moved to version 3 of the GNU General Public License. There were a number of reasons for the change, but near the top of his list was the "GPLv2 death penalty." Version 2 is an unforgiving license: any violation leads to an automatic termination of all rights to the software. A literal reading of this language leads to the conclusion that anybody who has violated the license must explicitly obtain a new license from the copyright holder(s) before they can exercise any of the rights given by the GPL. For a project that does not require copyright assignment, there could be a large number of copyright owners to placate before recovery from a violation would be possible.
The Samba developers have dealt with their share of GPL violations over the years. As has almost universally been the case in our community, the Samba folks have never been interested in vengeance or "punitive damages" from violators; they simply want the offending parties to respect the license and come back into compliance. When the GPL was written to become GPLv3, that approach was encoded into the license; violators who fix their problems in a timely manner automatically have their rights reinstated. There is no "death penalty" which could possibly shut violators down forever; leaving this provision behind was something that the Samba team was happy to do.
Android phones are capable devices, but they still tend not to be shipped with Samba servers installed. They do, however, contain the Linux kernel, which happens to be a GPLv2-licensed body of code with thousands of owners. Those who find it in their interest to create fear, uncertainty, and doubt around Android have been happy to seize on the idea that a GPL violation will force a vendor to locate and kowtow before all of those owners before they can ship the kernel again. There can be no doubt that this is a scary prospect.
One should look, though, at the history of how GPL violations have been resolved in the past. There is a fair amount of case history - and a much larger volume of "quietly resolved" cases - where coming into compliance has been enough. Those who have pursued GPL violations in the courts have asked for organizational changes (the appointment of a GPL compliance officer, perhaps), payment of immediate expenses, and, perhaps, a small donation to a worthy project. But the point has been license compliance, not personal gain or disruption of anybody's business; that is especially true of the kernel in particular.
Harald Welte and company won their first GPL court case in 2004; the practice of quietly bringing violators into compliance had been going on for quite some time previously. Never, in any of these cases, has a copyright-holding third party come forward and claimed that a former infringer lacks a license and is, thus, still in violation. The community as a whole has not promised that licenses for violators will be automatically restored when the guilty parties come back into compliance, but it has acted that way with great consistency for many years. Whether a former violator could use that fact to build a defense based on estoppel is a matter for lawyers and judges, but the possibility cannot be dismissed out of hand. Automatic reinstatement is not written into the license, but it's how things have really worked.
There is an interesting related question: how extensive is the termination of rights? Each kernel release is a different work; the chances that any given piece of code has been modified in a new release are pretty high. One could argue that each kernel release comes with its own license; the termination of one does not necessarily affect rights to other releases. Switching to a different release would obviously not affect any ongoing violations, but it might suffice to leave holdovers from previous violations behind. Should this naive, non-lawyerly speculation actually hold water, the death penalty becomes a minor issue at worst.
So Android vendors probably have bigger worries than post-compliance hassles from kernel copyright owners. Until they get around to that little detail of becoming a former violator, the question isn't even relevant, of course. Afterward, software patents still look like a much bigger threat.
That said, your editor has, in the past, heard occasional worries about the prospect of "copyright trolls." It's not too hard to imagine that somebody with a trollish inclination might come into possession of the copyright on some kernel code; that somebody could then go shaking down former violators with threats of lawsuits for ongoing infringement. This is not an outcome which would be beneficial to our community, to say the least.
One would guess that a copyright troll with a small ownership would succeed mostly in getting his or her code removed from the kernel in record time. Big holders could pose a bigger threat. Imagine a company like IBM, for example; IBM owns the copyright on a great deal of kernel code. IBM also has the look of one of those short-lived companies that doesn't hang around for long. As this flash-in-the-pan fades, its copyright portfolio could be picked up by a troll which would then proceed to attack prior infringers. Writing IBM's code out of the kernel would not be an easy task, so some other sort of solution would have to be found. It is not a pretty scenario.
It is also a relatively unlikely scenario. Companies that have built up ownership of large parts of the kernel have done so because they are committed to its success. It is hard to imagine them turning evil in such a legally uncertain way. But it's not a possibility which can be ignored entirely. The "death penalty" is written into the license; someday, somebody may well try to take advantage of that to our detriment.
What would happen then? Assuming that the malefactor is not simply
lawyered out of existence, other things would have to come into play.
Remember that the development community is currently adding more than one
million lines of code to the kernel every year. Even a massive rewrite job
could be done relatively quickly if the need were to arise. If things got
really bad, the kernel could conceivably follow Samba's example and move to
GPLv3 - though that move, clearly, would not affect the need to remove
problematic code. One way or another, the problem would be dealt with.
Copyright trolls probably do not belong at the top of the list of things we
lose sleep over at the moment.
Posted Aug 15, 2011 18:59 UTC (Mon)
by bkuhn (subscriber, #58642)
[Link] (15 responses)
The part that's missing in all this is the original violation by Google. I have never seen a report with facts that support that Google violated the GPL with regard to its distribution of Linux as part of Android/Linux. Sure, there are many downstream GPL violators, Matthew Garrett has identified plenty, but I don't see Google on that list. It's absolutely correct that under GPLv2§4 a violator loses their right to copy, modify and distribute the copyrighted work, but that presupposes some violation has occurred. As I said in the blog post I made the last time Naughton went off on this stuff, I am still waiting to see the actual GPL violation report.
Posted Aug 15, 2011 19:58 UTC (Mon)
by felipec (guest, #75494)
[Link] (12 responses)
I see more likely the kernel project coming up with its own licence, probably based on GPLv2, or maybe the opportunity would be seized to create an entirely new beast that would be completely independent from GNU.
Posted Aug 16, 2011 2:13 UTC (Tue)
by rusty (guest, #26)
[Link] (9 responses)
Now, that seems unlikely. Mainly because coders don't have the skills to read, let alone write, a license. But also much of the "sky is falling" anti-GPLv3 stuff hasn't panned out; personally I'm happy that all my kernel stuff is v2 or later.
Posted Aug 16, 2011 4:27 UTC (Tue)
by dlang (guest, #313)
[Link] (3 responses)
Posted Aug 16, 2011 6:30 UTC (Tue)
by rusty (guest, #26)
[Link]
Agreed. And it *is* annoying that lawyers (on any side) won't publicly discuss details of how to circumvent the GPL, but I understand their reasons. I also don't know how many of these exploits were practical, rather than theoretical.
But those I know involved in the drafting, such as Harald Welte and Andrew Tridgell and various lawyers were reasonably happy with the overall result. Eventually, as a user, it's time to upgrade, and for me that time has come.
Cheers,
Posted Aug 16, 2011 13:55 UTC (Tue)
by bkuhn (subscriber, #58642)
[Link]
Can you please give backup for the claim that those promoting GPLv3 used I still think GPLv2 is a good license. GPLv3 is a better one.
Posted Aug 16, 2011 14:29 UTC (Tue)
by rahulsundaram (subscriber, #21946)
[Link]
Posted Aug 16, 2011 5:08 UTC (Tue)
by cmccabe (guest, #60281)
[Link] (3 responses)
> Also note that the only valid version of the GPL as far as the kernel
As far as I can see, the kernel can't be relicensed from GPLv2 without the consent of all the copyright holders.
Posted Aug 16, 2011 6:17 UTC (Tue)
by rusty (guest, #26)
[Link]
Indeed, but there *are* places where "or later" is explicitly stated. It would be a major PITA to relicense to anything, but GPLv3 would be slightly easier for that reason.
Cheers,
Posted Aug 16, 2011 20:29 UTC (Tue)
by dbruce (guest, #57948)
[Link] (1 responses)
IMHO, the reason the kernel is still GPLv2 is that Linus wants it that way. If he and the core kernel devs reached a consensus that they wanted to go to e.g. GPLv3 or later, any code belonging to those who refused to go along could be ripped out and replaced. Not so sure about the authors who don't reply or can't be reached, but if need be their code could be replaced as well. I just don't think there is any desire on Linus' part to switch, to put it mildly.
Posted Aug 20, 2011 16:21 UTC (Sat)
by BenHutchings (subscriber, #37955)
[Link]
Posted Aug 17, 2011 15:36 UTC (Wed)
by felipec (guest, #75494)
[Link]
Who says coders have to write a license? There are many organizations involved in Linux, some certainly must have the resources to undertake this endeavor. Who says GNU is the only organization capable of writing licenses?
Posted Aug 16, 2011 4:56 UTC (Tue)
by clacke (guest, #69542)
[Link] (1 responses)
Posted Aug 17, 2011 8:15 UTC (Wed)
by rahulsundaram (subscriber, #21946)
[Link]
http://web.archive.org/web/20060112162424/http://people.r...
Posted Aug 16, 2011 20:50 UTC (Tue)
by etrusco (guest, #4227)
[Link]
Posted Aug 18, 2011 21:36 UTC (Thu)
by mattl (guest, #56508)
[Link]
GPLv2 section 4 is as strict as they're saying, but nobody's enforcing it that strictly against cooperative violators. That wouldn't be good for free software, which is why GPLv3 has better termination provisions. http://www.fsf.org/news/android-termination-upgrade-gplv3
Posted Aug 15, 2011 19:05 UTC (Mon)
by martinfick (guest, #4455)
[Link] (3 responses)
Posted Aug 15, 2011 19:31 UTC (Mon)
by danieldk (subscriber, #27876)
[Link] (2 responses)
I guess it is a very difficult legal 'attack vector'. But we have been surprised by the creativity of legal departments/lawyers before ;).
Posted Aug 15, 2011 21:23 UTC (Mon)
by jengelh (subscriber, #33263)
[Link] (1 responses)
/me thinks of a CVE-like database of legal vulnerabilities, complete with AV score and all that
Posted Aug 15, 2011 21:36 UTC (Mon)
by martinfick (guest, #4455)
[Link]
Although, I am suggesting to view these not as vulnerabilities, but rather as defenses. Once a company violates the GPL2, they get stuck in a DB. Authors could search the db to correlate users/violators of their code with people suing them, or otherwise being malicious.
While I could see some bad uses of such a DB, it seems like mostly it could be used to attempt to police bad FLOSS citizens by FLOSS authors.
Posted Aug 15, 2011 19:14 UTC (Mon)
by bkuhn (subscriber, #58642)
[Link]
BTW, if folks want to hear Jeremy Allison's talk that Jon makes reference to in the article above, it's available as a Free as in Freedom oggcast.
Posted Aug 15, 2011 20:49 UTC (Mon)
by allan1015 (guest, #78373)
[Link]
Agree but didn't the SFLC signal a change to past performance?
"Simply coming into compliance now is not sufficient to settle the matter, because that would mean anyone can violate the license until caught, because the only punishment would be to come into compliance," Ravicher said, though he declined to say what other actions the SFLC is seeking.
And the SFLC doesn't want to be a pushover. "If you start getting a reputation for being a pansy, then people are going to conclude they don't have to do anything," Ravicher said."
I am not in disagreement with your point of the FUD being raised and the weirdness of copyright trolls - but as an open source compliancy person I can't just pooh-pooh this stuff away either.
I do appreciate this place and the more levelheaded view it presents but it is a battle to stave off the headline grabbers and try to walk a balanced middle ground.
Posted Aug 15, 2011 23:20 UTC (Mon)
by kmself (guest, #11565)
[Link] (3 responses)
Since it's been mentioned previously, and Naughton's present professional bio doesn't include this information, it's at the very least interesting to note that he has worked extensively with Microsoft in the past. Criticisms of Naughton's work by Bradley Kuhn of the FSF and others would suggest his legal analysis isn't taken as credible by persons with significant interest and experience in Free Software and GPL matters.
Edward J. Naughton, Professional Biography, Internet Archive as of June 22, 2008.
...
Represented Microsoft in several dozen lawsuits against resellers and corporate end-users of counterfeit, infringing, and unlicensed software.
Posted Aug 16, 2011 10:19 UTC (Tue)
by jospoortvliet (guest, #33164)
[Link] (2 responses)
Ok, I don't know, but it's not really needed to explain his behavior and as such I simply go for the simplest explanation: he just wants attention. Which works exceptionally well. Realize that this is typical FUD: only those who know what they are talking about (the average LWN reader, for example) know it's bullshit but 90% of the readers of his blog will probably take it as an insightful article by a good and clearly smart lawyer ("let's hire him to defend us/check our legal situation/etc").
Frankly those who think MS is behind this (same as with SCO) imho greatly over-estimate the intelligence of large corporations. This is too cunning a plan to come out of a bureaucratic entity as big as MS.
Posted Aug 16, 2011 11:32 UTC (Tue)
by danieldk (subscriber, #27876)
[Link]
For instance, in 2006, Wasabi Systems argues that GPL Violations are Sarbanes-Oxley violations to discredit GPL-ed competition of their storage systems:
http://www.wasabisystems.com/pdf/GPLSarbanesOxley_Wasabi.pdf
I am not saying that Microsoft instructed him to spread fear, but it is possible that he picked this up in Microsoft channels.
Since this FUD is probably used a lot, it is important that it is shown to be theoretical or false. If it is true, the situation is best remedied.
Posted Aug 16, 2011 18:50 UTC (Tue)
by kmself (guest, #11565)
[Link]
Microsoft have certainly spread anti-GPL FUD for years, and this would be highly consistent with their previous behavior.
They've also worked at arm's length through astroturf campaigns, lobbying groups, and various companies (the Alexis de Tocqueville Institute and Wang v. Netscape come to mind). Multiple times.
And the key personnel at Microsoft then and now remain.
I see it as an institutional disease, and view them with extreme skepticism and prejudice.
Of course, he could just be an attention-whoring, not-too-bright attorney.
But I repeat myself.
Posted Aug 16, 2011 6:24 UTC (Tue)
by spaetz (guest, #32870)
[Link] (4 responses)
1) Even if my license right is revoked, the "no-one may be excluded" GPL will always allow me to re-get the kernel code from anyone who offers it, and I'll have a new license.
2) As Corbet wrote, a new version might also be sufficient.
3) If Sony violates the GPL for its ebook readers and gets a gpl life time penalty, they just re-found themselves as a new legal entity to work around that ;).
Seriously, even for copyright trolls, I really don't see how this would play out in court. Contrary to the reports, the GPL does not say that you need explicit consent to heal your license violation, it is simply quiet about how the healing process would work. The most interesting part of the story is how all media outlets were eager to post this with an eye-catching headline, citing Florian Mueller. (First they had called him patent lawyer, then they called him patent expert, now at least they call him a patent-blogger).
Posted Aug 16, 2011 6:26 UTC (Tue)
by spaetz (guest, #32870)
[Link] (1 responses)
Sorry
Posted Aug 18, 2011 7:33 UTC (Thu)
by etrusco (guest, #4227)
[Link]
Posted Aug 17, 2011 14:08 UTC (Wed)
by mikov (guest, #33179)
[Link] (1 responses)
He is a very dangerous man because his posts and comments appear factual at first sight and apparently he is regarded as an "expert" by many tech journalists.
Posted Aug 17, 2011 20:31 UTC (Wed)
by rahvin (guest, #16953)
[Link]
IMO it's similar to corporations using established advocacy groups to petition for causes completely unrelated to their advocacy (for money). For example, several major national advocacy groups like the GLAAD (Gay Lesbian alliance) were paid advocates in support of ATT's purchase of T-Mobile. (in the case of GLAAD the membership revolted and fired the director for doing this).
Mueller is a plant who's being paid to create a campaign of FUD. He's been questioned numerous times about who is behind the campaign and if you read his responses carefully you will note that he never responds to the question. I'll at least give him credit for not lying about it, he just refuses to answer the question. But make no mistake, there is an organized campaign of FUD going on here and Mueller is at the front of it.
Personally I expect that his backers will walk away once the Google purchase of Motorola Mobility goes forward, with 17,500 patents and another 7,500 in process that are almost entirely mobile phone based Google will be the new heavyweight patent holder in the mobile sphere. Mueller will have to look for someone else to pay for his FUD.
Posted Aug 17, 2011 18:36 UTC (Wed)
by misiu_mp (guest, #41936)
[Link] (3 responses)
Posted Aug 18, 2011 7:29 UTC (Thu)
by etrusco (guest, #4227)
[Link] (1 responses)
Posted Aug 18, 2011 16:10 UTC (Thu)
by misiu_mp (guest, #41936)
[Link]
Posted Aug 22, 2011 19:24 UTC (Mon)
by jdv (guest, #712)
[Link]
But individual manufacturers may very well violate the GPL -- the fact that Google has source code available somewhere does not absolve them of offering the code as well (either on the CD you get with your phone, or with a 'written offer' to provide the source to you). It appears that many phone manufacturers do this rather well, but others don't. In the worst case, this might lead to those manufacturers having their license to distribute Android be revoked, and thus would not be able to sell Android phones anymore.
Posted Aug 19, 2011 21:30 UTC (Fri)
by malor (guest, #2973)
[Link]
I'm not sure this is really an issue. My take on it has always been that every time you make a new copy of GPL-licensed code, you automatically take out a new license. Even if you lost your right to distribute for a violation, as soon as you brought yourself back into compliance, you could simply download a new copy, and be back in business.
Everyone who has a copy of the GPL has the same rights, and those rights are inherently transitive, so they would, in my view, retransmit with a new copy. The rights must transfer with every copy, and I see no language that they only transfer once, ever.
As long as you remained in compliance with the license thereafter, I don't think you could be successfully sued.
Posted Aug 22, 2011 17:35 UTC (Mon)
by cdibona (guest, #13739)
[Link] (1 responses)
Chris DiBona with Google here. If anyone actually finds Google out of compliance with an open source license, I and my team really really would like to know this! Please feel free to email me at [email protected] or [email protected] if you have any questions.
Now, obviously I don't really care about concern trolls that try to gin up false issues around android, but I and Google actually do care about what open source developers whose code we use think about us. We want to know if we make a mistake so we can fix it and more importantly we want to know how we can help.
So again, if you think a google product is out of compliance, contact me any time. That's the last thing we want!
Posted Aug 22, 2011 18:55 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link]
Posted Sep 3, 2011 4:28 UTC (Sat)
by jcm (subscriber, #18262)
[Link]
Where was the original violation that kicked in GPLv2 Section 4?
>
> I see more likely the kernel project coming up with its own licence,
> probably based on GPLv2, or maybe the opportunity would be seized to
> create an entirely new beast that would be completely independent from GNU.
> was used to justify creating GPLv3
Rusty.
Please back up this claim.
sky is falling
anti-GPLv2 rhetoric? I don't think that FSF did, and I know I certainly didn't. There were some in the GPLv3 process who may have done so, I suppose, but I don't think you'll find that the majority of GPLv3 supporters agree with such people.
> is concerned is _this_ particular version of the license (ie v2, not
> v2.2 or v3.x or whatever), unless explicitly otherwise stated.
>
> Linus Torvalds
> is concerned is _this_ particular version of the license (ie v2, not
> v2.2 or v3.x or whatever), unless explicitly otherwise stated.
Rusty.
Jeremy's Samba/GPL talk
from: http://m.zdnet.com.au/open-source-legal-body-sues-over-gp...
Naughton's Microsoft bona fides
Co-counsel defending Microsoft against a putative consumer class action alleging that it had violated wiretapping statutes and common law privacy rights by designing Windows to permit third parties to place cookies on computers. Obtained dismissal of complaint.
(This would appear to be the "Fortune 50 software company" referenced in his current bio).
http://www.softwarefreedom.org/resources/2006/Sarbanes-Ox...
Sorry, I know this is not slashdot but I couldn't resist :-$
If they would violate the GPL and were stupid enough to insist on doing so, I would feel no compassion for them.
This Mueller type &co are obviously waging a dirty war against Android, but on behalf of whom exactly?
Automatic reinstatement is not written into the license, but it's how things have really worked.
Just for the record...