My History

• Worked my first GPL enforcement case in 1999 (as FSF volunteer).

• Started working for FSF in 2000 (was there until 2005).

• Now: President & Distinguished Technologist of Software Freedom Conservancy & on Board of Directors of the FSF.

• Both FSF and Conservancy have extensive GPL enforcement programs:
  • so, the plurality of my time since 1999 has been spent on GPL enforcement.

How GPL Works (Theoretically)

• Copyright: the internationalized standard for authors’ controls over works.

• Use copyright license to grant permission.

• Make permission conditional on giving your downstream the four freedoms.

• This is the copyright law hack of copyleft.

• Copyright rules require compliance with the license.

How GPL Works (In Reality)

• What do you do when someone violates?
  • (and social pressure for compliance fails)?
• Violation of the license means lost rights for distribution.
  • See GPLv2§4 & GPLv3§8
  • Further distribution thereafter (even in compliance) is copyright infringement.
• Copyright holders must use copyright enforcement:
  • … but for a good cause: the four freedoms.

Complexity of Modern Enforcement

• Not all GPL enforcement is software-freedom-motivated.

• Oracle, after all, holds MySQL’s copyrights now & enforces.
  • I call this the corrupt version of what I do.
• Compliance must be paramount …
  • … over all other interests.
  • Some call this “community enforcement”.
  • What’s that mean?

Who Reports Violations?

• Who reports violations to community enforcers?
  • Individual users.
• The user buys buy embedded products …
  • … (such as a TV, DVD Player, wireless router, mobile phone) …
  • … user tries to get the GPL’d sources and build them …
  • … and it doesn’t work.
• Conservancy gets a new report like this weekly.

Community Enforcement

• All community enforcement follows this rote procedure:
  • Receive a violation report from an end-user.
  • Verify it’s really a violation.
  • Send a letter to the violator.
  • CCS-Ask: Ask the violator to submit CCS candidates
  • Review and provide feedback on CCS.
  • If we know why CCS doesn’t work, give patches to violator.
  • If CCS still has issues, goto CCS-Ask.
  • Ask violator to inform past customers.
  • Ask violator to cover reasonable hourly cost of this work.
  • Restore copyright permissions.
• Let’s talk about the money issue first.

Money

• No community enforcer is getting rich.
  • 501(c)(3) non-profit charity enforcement == accountability.
  • On a Form 990, you can look up: …
  • … how much Conservancy spends on / receives from enforcement.
  • … my annual salary & compensation.
  • https://sfconservancy.org/about/filings/
• Anyway, who should pay for enforcement:
  • Those who comply or those who violate?
  • Individual donors to non-profits?

• There must be a deterrent.

• Confidentiality is something violators ask for.

What Conservancy Strives to Avoid

• Junking products:
  • That’s bad for the environment.
• Injunctions:
  • We’ve gotten them, but only after:
    • 1+ years of ongoing violation,
    • many warnings to the violator, &
    • explicitly warning the violator that’s our plan.
• Companies switching away from GPL’d software.
  • We all want them to use: just in compliance
• Lawsuits of any kind:
  • suing someone is always a last resort …
  • … usually after years & hundreds of hours of begging them to comply.

What’s CCS?

• The point of GPL is not merely to examine the source.

• GPLv2 requires what it calls “complete, corresponding source”: CCS

• The freedom to modify requires, as GPLv2 says:
  • “the scripts used to control compilation and installation of the executable”

• CCS check: verify these scripts actually do compile and install the executable.

• For embedded systems, this is not always easy.

• But, why is it important?

Coalition of the Willing

• Spring 2003: dozens of reports on WRT54G.

• Discussions begin with Cisco (who’d bought Linksys just weeks before)

• Story hits slashdot on 2003-06-08.

• FSF puts together group to do enforcement.
  • key members: Erik Andersen (BusyBox) & Harald Welte (Linux)

WRT54G Begat OpenWRT

• After years of complex negotiation, and many CCS “rounds”:
  • All CCS works (only two proprietary Linux modules held back).
  • First check-in of OpenWRT is that CCS release.
• OpenWRT project leaders to this day credit this as their start.
  • Source: Gregers Petersen on FLOSS Weekly Episode 265
• OpenWRT blossomed into the key replacement firmware for most wireless routers.

GPL-violations.org

• FSF was initially shy about lawsuits.

• Harald participated with FSF in WRT54G matter.
  • But Harald disagreed with FSF’s early 2000s “no litigation” strategy.
  • (in hindsight, Harald was right).

• Launches multiple lawsuits in Germany (about 8 between 2005-2008).

• Quite successful, but gpl-violations.org is now mostly defunct.
  • except for running the mailing lists.

Embedded Violations Prevalent

• Erik Andersen becomes exasperated by mid-2006.
  • post-WRT54G: router & NAS market is a violation haven.

• Erik asks for help.

• Conservancy becomes his enforcement agent (& receives some others’ © assignment)

• Conservancy has had > 100 GPL violations queued for action since 2007.
  • Conservancy’s list is now > 300
• Conservancy’s work in BusyBox enforcement has made a real difference.
  • both to BusyBox and Linux compliance.

Samsung: A Success Story

• Samsung has violated the GPL before.
  • Conservancy even had to sue them over TV products.
• Conservancy settled & the final CCS was really good!
  • That CCS launched SamyGo project
• More recently, Conservancy helped Samsung fix their exFAT module violation.

Why Do Violations Happen?

• As Samsung now knows:

• Compliance actually isn’t difficult.
  • & compliance problems are easily remedied.

• So, why are there so many violations?

The Upstream Problem

When I said that I was king of forwards, you got to understand that I don’t come up with this stuff. I just forward it along. You wouldn’t arrest a guy who was just passing drugs from one guy to another.

— Michael Scott, The Office (USA Version)

Suppliers Bully OEMs, AFAICT

• I’d be the worst police officer in the world.

• No one ever turns “states’ evidence”
  • … at least they don’t for me, anyway.

• Me: “Please, just tell me on the record your supplier violated when distributing to you.”

• Them: “We’ll work with our upstream to get into compliance.”

What Can You Do About This?

What Can You Do About This? (0)

• Make sure the suppliers’ base system builds/installs from sources.
  • Consider using Yocto (automated tools to help w/ compliance)
  • It’s better engineering to have reproducible builds anyway.
  • Convince your bosses the build/install process isn’t their value add.

What Can You Do About This? (1)

• Just put that CCS online & put URL in the manual.
  • No, GPLv2 doesn’t require this!
  • But, I don’t want to test your offers for source.
  • Your fulfillment department will screw this up.

What Can You Do About This? (2)

• If possible, help select the supplier.
  • Ask the supplier up front about CCS.
  • Demand legal indemnity from your upstream!

What Can You Do About This? (3)

• But, most importantly:

• Please join Conservancy’s Coalition.

• For context, a bit of the coalition’s history:

Historical BusyBox Enforcement

• Erik Andersen rewrote BusyBox from scratch (starting 2001).

• BusyBox slowly but surely became standard userspace for embedded systems.

• Linux plus BusyBox:
  • Standard for embedded systems.
  • Usually out of compliance.

Just Look Busy!

• BusyBox enforcement was de-facto for Linux.
  • The Tempest in a Toybox
  • BusyBox copyright holders request comprehensive GPL compliance.
  • Some Linux developers felt this was unfair…
  • …but other Linux developers supported it.
  • (i.e., community was already split on this question.)
• BusyBox copyright holders don’t stand alone.

Busybox is arguably the most litigated piece of GPL software in the world. … Litigants have sometimes requested remedies outside the scope of busybox itself…

— Tim Bird of Sony Corporation, in January 2012

Denys, The Voice of Reason

• Current BusyBox maintainer has that special skill of Free Software developers …
  • … to find the sane arguments hidden among troll-ish attacks.
• I walk through Brussels on the phone with Denys …
  • … the day before FOSDEM 2012 …
  • … and he convinces me:
• To continue with enforcement, Linux developers must be involved.

Garrett, Linux’s Freedom Fighter

• For years, Matthew Garrett had asked me to help him enforce the GPL on Linux.

• I’d told him that as it stood, it was easier to just work based on BusyBox.

• After so much had changed, it made sense to simply engage directly on behalf of Linux developers.
  • & there were many others who felt the same as Matthew did.

• GPL Compliance Project for Linux Developers gives structure to Linux compliance activity.

Expanding the Coalition

• On 2012-05-29, Conservancy announced expanded GPL enforcement efforts.

• Conservancy now actively enforces GPL for:
  • BusyBox, Linux, Samba, Mercurial
• Linux is not a full Conservancy member project:
  • Conservancy enforces for a coalition of about a dozen prominent copyright holders.
  • Matthew Garrett & David Woodhouse are the most public.
  • We expect to offer this service to more projects.

The Great Queue

• We’re aware of hundreds of embedded Linux GPL violations.
  • Each one takes 40-100 hours of work to resolve.
  • Over a period of usually 3-6 months.
• The CCS issue is the most difficult:
  • CCS candidates just don’t build.
• But, we’re facing a worse problem everywhere.

Linux’s GPL Elephant

• I used to avoid the elephant, but now it’s the central issue of compliance.

Linux’s GPL Elephant

• Are Linux modules derivative/combined works of/with Linux?
  • I & our lawyers believe they almost always are.
  • Many corporate lawyers disagree.
• Case law is limited:
  • Both sides believe they’re correct.
  • No general rule: the actual facts of a specific situation always matter.
  • This is the exact type of issue that becomes a big court case.
• My political opponents call this: “the ground war of GPL”
  • Maybe it’s time for that ground war.

Biggest Way You Can Help

• You’re all embedded Linux developers.
  • That means it’s likely your copyrighted work that violators infringe.
  • Only you can help your users.
• OTOH, maybe you don’t care about the GPL or the freedoms it protects.
  • I don’t blame you if you don’t …
  • … the GPL doesn’t require you to like the license.
• But, if you do care, you can join our coalition:
  • To join the GPL Compliance Project for Linux Developers …
  • … see me after the talk; I have blank forms with me. :)

More Info / Talk License

• URLs / Social Networking / Email:
  • Sign Up Today as part of the GPL Compliance Project for Linux Developers.
  • A Book I helped write: Copyleft and the GNU General Public License: A Comprehensive Tutorial is available.
  • Conservancy: sfconservancy.org & @conservancy
  • Me: faif.us & ebb.org/bkuhn
  • Slides: ebb.org/bkuhn/talks & gitorious.org/bkuhn/talks (source)
  • DONATE: https://sfconservancy.org/donate/