On the boundaries of GPL enforcement
Ready to give LWN a try?With a subscription to LWN, you can stay current with what is happening in the Linux and free-software community and take advantage of subscriber-only site features. We are pleased to offer you a free trial subscription, no credit card required, so that you can see for yourself. Please, join us!
Last October, the Software Freedom Conservancy (SFC) and Free Software Foundation (FSF) jointly published "The Principles of Community-Oriented GPL Enforcement". That document described what those organizations believe the goal of enforcement efforts should be and how those efforts should be carried out. Several other organizations endorsed the principles, including the netfilter project earlier this month. It was, perhaps, a bit puzzling that the project would make that endorsement at that time, but a July 19 SFC blog post sheds some light on the matter.
There have been rumblings for some time about a kernel developer doing
enforcement in Germany that might not be particularly "community-oriented",
but public information was scarce. Based on the blog post by Bradley Kuhn
and Karen Sandler, though, it would seem that Patrick McHardy, who worked
on netfilter, is the kernel developer in question. McHardy has also recently been
suspended
from the netfilter core team pending his reply to "severe
allegations
" with regard to "the style of his license
enforcement activities
".
The SFC post is a bit more specific about what McHardy has been accused of:
There is, it seems, a subculture of GPL enforcement out there that is effectively doing enforcement for profit:
It is not clear whether McHardy is among the GPL monetizers or not, though there is seemingly no evidence that his efforts have led to any code being released. In addition, repeated attempts by both SFC and the netfilter team to discuss his enforcement efforts have not been answered—or even acknowledged. According to the blog post, the SFC invited McHardy to join in the drafting of the principles. That invitation went unanswered, as did another to endorse the principles after they were published. Amid the accusations from companies about his actions, some kind of response to SFC or the netfilter team would seem to make sense. The absence of that response speaks volumes, at least to some.
In fact, if McHardy disagrees with some parts of the principles,
the SFC has invited him (or others who are enforcing the GPL) to
"publicly propose updates or modifications to the
Principles
". There is a new mailing
list available to host those kinds of discussions.
But if, in fact, the enforcement actions taken by McHardy are being done as a for-profit exercise, it is hard to see what response he could make. He is under no real obligation to work with others who are also enforcing the license. If he disagrees with the principles, engaging with the community about his objections would certainly be welcome, but it is apparently not a priority for him.
It is a topic that should be discussed in our communities, however, and the release of the principles was partly meant to foster that discussion. What should the primary goal of enforcement be? Should companies be "punished" for violating the GPL and, if so, how? If compliance is the goal, how should enforcement activities be funded? And so on.
When the SFC began a fundraising campaign to support its GPL enforcement efforts late last year, some were incredulous that enforcement was not self-sustaining. But prioritizing sustainability has dangers of its own, from taking money to overlook compliance problems to holding up settlements even after the company has come into compliance over monetary issues. If the goal is to get the software released, as the philosophical underpinnings of the GPL imply, then compliance should clearly be the overarching consideration.
There are elements that would like to see the GPL not be enforced at all, of course. In effect, that turns the GPL into the BSD license, which has plenty of implications of its own. There is no real way to know how much the GPL has helped in the rise of Linux versus its non-copylefted alternatives, but it would be hard to argue that the license played no role whatsoever.
If enforcement were to stop, at least in the community-oriented sense, what would be the effect on the companies that work hard (and spend lots of money) to ensure their compliance with the license? They would largely be safe from any for-profit shakedown enforcement efforts, but those with deep pockets are generally already safe from those tactics.
As with many things in open-source communities, there are lots of different—sometimes conflicting—opinions about license enforcement, its benefits and drawbacks, and so forth. There is room for trying multiple approaches, but enforcement, at least under the principles that have been defined so far, is not an inexpensive proposition. That suggests that either some of the deep-pocketed organizations in our communities step up or that we continue muddling along on the current path.
The lack of any real consensus on license enforcement, especially within the commercial side of the community, does leave room for some to abuse the process. Some of that is already happening, but success in GPL shakedowns could lead to more participants. There is a risk of a huge wave of copyright trolls using the GPL to extract money from companies, which would not be a pleasant outcome.
In the end, license enforcement is up to the collective copyright holders; if most of those are happy with the current state of affairs, it is hard to see how things will change. The GPL is meant to level the playing field, so that all participants have the same rights—and responsibilities—to the code. But if that playing field is seen as "level enough", even while GPL violations abound, enforcement may well be seen by major players as more trouble than it is worth.
Posted Jul 21, 2016 3:44 UTC (Thu)
by bkuhn (subscriber, #58642)
[Link]
I think this article quite fairly explains the various sides of the issue. I obviously disagree with some parts of it, but I'm a known partisan on this issue, so that's no surprise. :) The only part I'm inclined to comment on in detail is that I don't think there is any ongoing risk of successful “GPL copyright trolls”. One of the reasons Karen and I wrote Conservancy's blog post is to create an easily net-findable article for newcomer violators, who perpetrated (easily resolvable) infractions of the GPL and have been approached by a “would-be GPL copyright troll”. In my experience, which I've verified by talking to a lot of company representatives, the trolling behavior only works when the violators targeted can't easily find accurate information about the GPL and how to repair violations quickly. Furthermore, so-called “GPL copyright trolling” only works against companies that fail to come into compliance. Even under GPLv2, German lawyers don't consider termination permanent. In the USA, where consensus is that termination is permanent, judges are unlikely to award huge damages for past violations that only exist due to termination (i.e., if compliance is almost achieved such that only GPLv2§4 remains violated due to past violations). GPL enforcement experts like myself generally believe that you can expect to get your costs back of enforcing the GPL, but huge monetary awards beyond that are really unlikely. (Conservancy's litigation experience has also confirmed that hypothesis.) Any early successes of troll-like behavior is thus short-lived and evaporates as soon as new Linux adopters learn to adapt quickly with compliant behaviors. Meanwhile, I think the big idea that Jake hints is absolutely correct: GPL as a strategy is at a complicated crossroads. We have a lot of work to do to adjudicate copyleft and verify that the strategy works. Linux has become GPL's ultimate test case. That's because — and even as an old-school GNU fan, I will admit this — Linux is the most important, useful and interesting GPL'd codebase ever created. Thus, it's no surprise that Linux became GPL's true testing ground. Finally, while discussions about GPL and its derivative/combined works requirements are basically “old hat” to our community, the discussion is completely new to the Courts. We'll have to bring the question to a lot of Courts in a lot of different ways to get clarity. But, once we do that, then we'll know, and everyone can proceed with more certainty.
Posted Jul 25, 2016 17:25 UTC (Mon)
by pauly (subscriber, #8132)
[Link] (3 responses)
In the mean time, SecureW2 BV had taken over the copyright of that software from Alfa & Ariss.
After our legal department had made clear that we would not easily give way, the whole thing fizzled out.
Cheers, Martin
Posted Jul 26, 2016 4:08 UTC (Tue)
by bkuhn (subscriber, #58642)
[Link]
Posted Jul 26, 2016 16:58 UTC (Tue)
by pauly (subscriber, #8132)
[Link] (1 responses)
At least the more recent case of the two will see an appeal trial.
Martin
Posted Jul 29, 2016 15:12 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
Can't you argue that, if you distribute the program AS RECEIVED FROM THE COPYRIGHT HOLDER, then this is pretty much automatic GPL compliance?
Either that, or it's entrapment. The copyright holder is distributing an allegedly GPL'd program that cannot be further distributed at all ...
Cheers,
Posted Jul 28, 2016 5:16 UTC (Thu)
by gwg (guest, #20811)
[Link] (7 responses)
[ And I think it is all a little weird anyway - there is no "community" you have to join to make your software available with a GPL - the license is between you and whoever agrees to it by making use of your software. There is no third party to answer to, or who's GPL enforcement rules you have agreed to. ]
Posted Jul 28, 2016 12:16 UTC (Thu)
by pizza (subscriber, #46)
[Link]
s/you/everyone who's contributed code/.
One can't unilaterally allow dual-licensing (after the fact) unless one also completely owns everything outright. That's pretty rare unless some sort of contribution agreement is utilized.
Posted Jul 28, 2016 19:27 UTC (Thu)
by bkuhn (subscriber, #58642)
[Link] (5 responses)
Even tough it is possible to generate revenue a particular way does not mean that method of revenue generation has a positive impact. Often, it has a negative impact. There are plenty of examples outside of software (fracking comes to mind). As long as proprietary software is legally permissible, which it admittedly is, there will be proprietary business models, and people who use them. The danger in proprietary relicensing is it is designed as a trick to convince people to rely on copylefted software, and actually hope that they fail to follow copyleft terms and gouge them. I deeply dislike Gitlab's business model, but it nevertheless honest and fair, and gives no special powers to Gitlab. Gitlab is not copylefted, and anyone who wants to can take their community edition and make the same business model Gitlab does. It's fair. Using copyleft for proprietary relicensing takes a tool designed to advance software freedom, and warps it in a nefarious way to turn it into a scare tactic and nearly a shareware-like system. The usage is by default unequal, because it has one of the same flaws that proprietary licensing: certain entities have more rights and powers that other entities do not. This is why I criticize proprietary relicensing almost as harshly as I criticize “mundane”proprietary licensing. As to your point about how much extra copylefted code is generated as part of the process, I'm not sure that's inherently good, if the tool of copyleft is actually being used to promote proprietary software adoption and creation instead. I don't believe copyleft is a moral good unto itself; it's a tool that can often be utilized to advance software freedom, but any tool can be used for a purpose not within its original intent. I believe the usage of copyleft for proprietary relicensing usually does just that. Finally, we're past the business model discussion: it's clear that one can earn a living doing only Free Software, but because proprietary software is still permitted, it's really difficult to do so — proprietary software has an unfair advantage over Free Software. Copyleft is a tool to help mitigate that problem, but it's not a perfect tool (as we're discussing). As such, making a living with only Free Software means you probably will be paid less for your work, but I know plenty of people who make a true living wage doing so. It's a question of commitment and values.
Posted Jul 28, 2016 21:19 UTC (Thu)
by josh (subscriber, #17465)
[Link] (4 responses)
I'd love to see some templated terms that effectively say "anyone who meets these conditions may ignore the copyleft terms of the license", with "these conditions" being anything from a one-time fee to a royalty model.
Posted Jul 29, 2016 15:16 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (3 responses)
Okay, if the source disappears then your recipients are up a gum tree, but so are you if you didn't download it ... :-)
Cheers,
Posted Jul 29, 2016 16:52 UTC (Fri)
by pizza (subscriber, #46)
[Link] (2 responses)
IIRC, the GPLv3 explicitly added this as an option.
Posted Jul 29, 2016 18:49 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (1 responses)
I can't find that option in the GPLv3 - there's section 4 referring to verbatim copies of source code, but section 6, which discusses non-source forms, does not appear to have an exception for "as-received".
Posted Jul 29, 2016 19:32 UTC (Fri)
by flussence (guest, #85566)
[Link]
On the efficacy of coyright trolls & testing copyleft in the Courts
Are there any "GPL enforcement trolls"?
A German lawfirm who has also been working for Harald Welte
had got themselves the Dutch company SecureW2 BV as a client.
Their claim was about SecureW2, an 802.1X supplicant for use with windows (and later, Android).
Originally started around 2000 as an open source project by the Dutch startup Alfa & Ariss,
it enabled the supplicant shipping with Windows XP to do EAP-TTLS-PAP instead of PEAP for 802.1X authentication.
The software was available for some year, as was the source code. To the best of my knowledge,
the last versions of this software (then called EAPsuite) were distributed binary only although they
were still _supposed_ to be GPL.
In 2007, we dropped it altogether and found a way to support PEAP directly, thus making life easier for
Windows users. But we continued to offer that software for download (binary, of course).
Little surprising, download numbers were tiny after that.
Their claim was that we distributed their GPL'd software without supplying the source code. Given
the historic lack of source availability on their own part, that claim was weak, of course.
What's more, educational use in Germany almost precludes any commercial use, a German
university is much more similar to a state-run authority than to any commercial entity.
It looks like the unclear state of that software had opened up a niche for dubious (or resourceful, as you like)
lawyers where they could at least try to "enforce" and monetize a Pseudo GPL copyright, contradicting
everything that GPL had been created for. To me, this is dangerous grounds.
If you're ever in that situation again, just ask them if they are willing to follow the Principles or not. If not, please do in touch with me, or my colleagues at Conservancy or the FSF, about it.
Are there any "GPL enforcement trolls"?
Are there any "GPL enforcement trolls"?
At least two cases went to court, and the universities both lost in first instance (before different local courts).
Currently, I only have this German article as a reference:
https://www.dfn.de/fileadmin/3Beratung/Recht/1infobriefea...
It basically states that SecureW2's claims were fully acknowledged by the first instance courts --
despite the fact that there is accepted evidence that SecureW2 themselves failed to provide the
source code along with the binary files for the last couple of sub-versions of their software.
I have no information on the payments that the rulings would enforce.
Are there any "GPL enforcement trolls"?
source code along with the binary files
Wol
On the boundaries of GPL enforcement
On the boundaries of GPL enforcement
proprietary relicensing & software freedom morality in revenue-generation
proprietary relicensing & software freedom morality in revenue-generation
proprietary relicensing & software freedom morality in revenue-generation
Wol
proprietary relicensing & software freedom morality in revenue-generation
proprietary relicensing & software freedom morality in revenue-generation
proprietary relicensing & software freedom morality in revenue-generation