GPL Compliance Is Easier Than You Think

Bradley M. Kuhn

Wednesday 9 May 2012

My History

• Worked my first GPL enforcement case in 1999 (as FSF volunteer).

• FSF Executive Director, 2000–2005. Now an FSF Director.

• President, Software Freedom Conservancy, 2006-present.

• Plurality of my time since 1999 has been spent on GPL enforcement.
  • I’m the key person “responsible” for nearly every major USA GPL enforcement action.

• Conservancy & FSF are responsible for nearly all GPL enforcement in USA.

They Say Compliance is Hard …

• FUD says: compliance is difficult.

• FUD says: you should fear enforcement.

The “Compliance” Industry

• I’m disturbed Harald Welte & I’ve inspired creation of the “compliance” industry.

• Ironically, this industry wants enforcement to seem worse than it is.

• FUD aids their mission.

FUD Becomes Marketing

• Salespeople sell things you don’t need.

• Most talking of “compliance” wanna sell you proprietary junk.

• Educate yourself:
  • Ask people who do enforcement, not sales people.

Coca-Cola’s by far the world’s number one soft drink, and they spend more money than anybody on advertising.

— Tracy Flick, character in the 1999 film, Election

On Requirement By License

• GPL == Constitution of Software Freedom Land.
  • a “written down” embodiment of core principles.
• GPL’s a detailed implementation of the four freedoms:
  • freedom to run and study.
  • freedom to improve.
  • freedom to share.
  • freedom to share improvements.
• Any strict rules in copyleft licenses are designed to uphold these freedoms.

Ever Ignored One of These?

How Badly?

• Routinely 10 over limit?

• Routinely 20 over limit?

• Routinely 30 over limit?

• Routinely 40 over limit?

What About Commercial Vehicles?

• Nearly all GPL violations are by for-profit companies.

• They absolutely increase their profits by failing to comply …
  • … just like truckers who deliver faster by speeding.

• Both undercut those who comply.

• But it’s still a matter of degree:
  • should speeding trucks get pulled over when they go 53 km/h in 50 zone?

Angels Dancing on Heads of Pins

And Schibler with others, maketh the difference of extension to be this, that Angels can contract their whole substance into one part of space, and therefore have not partes extra partes. Whereupon it is that the Schoolmen have questioned how many Angels may fit upon the point of a Needle?

Not All Violations Are Equal

• It’s fun to debate esoteric licensing situations & details …

• … but it doesn’t address the fundamental problem:

• hundreds of egregious violations are ongoing and mostly ignored …
  • … (except by me, Harald, and FSF).

Egregious Violations

• The primary point of any copyleft license:
  • … is to make sure source code is available.
  • … and make sure it is the right source code.
• Nearly all the violations I handle are:
  • no-source-nor-offer: complete disregard for GPLv2§3 / GPLv3§6
  • offer-fail: bogus offer for source under GPLv2§3(b) / GPLv3§6(b)
• I’ve been doing this 13 years & the “egregious” queue has never been near empty.

I Know They Won’t Be Perfect

• Believe it or not, I’m a pragmatist.

• But I’m oft-accused of wanting perfect compliance.
  • (Mainly by people who don’t like copyleft much.)
• Oddly, the compliance industry seek perfection:
  • Probably because perfection costs companies more …
  • … than one of my enforcement actions.

FUD Overheard on LWN

“It is possible for a mistake made by an ODM (like providing the wrong busybox source version) could result in the recall of millions of unrelated products.”

• Sure, this is possible in theory …

• … but who doing enforce asks for this in practice?

• I’ve accepted disgusting settlement terms just to avoid disrupting a violator’s business.

FUD Overheard on LWN

“[I’ve] heard … worries about … “copyright trolls” It’s not too hard to imagine that somebody with a trollish inclination might come into possession of … © on some kernel code … shak[e] down former violators with threats of lawsuits”

• You need to read the statutes.

• You can’t get rich suing for © infringement …
  • … particularly if broad license was available.
• even if NPO enforcement “inspired” © trolls
  • … it’s already too late on that.

A Radical Statement

• Copyleft compliance isn’t a legal problem …

• … or even a “knowledge” problem …

• … it’s an engineering problem.

• Everything else is trivially fixed!

The Easy Parts of Compliance

• Fixing copyright notices.

• Clarifying contradictory license texts.

• Other informational requirements.

The Only Hard Part of Compliance

• C&CS: complete and corresponding source code.

• Bulk of all enforcement time is spent on this.

• It’s hard b/c violators won’t let me talk to engineers …

• … or they don’t know who they are.

• … and the engineering problems aren’t even interesting!

On Asking for Complete Compliance

• All GPL enforcers ask for this (including Harald).

• Indeed, most violators ask for this.

• As an engineering question, this is easier!

• Build scripts are usually for the whole system, not just one program.

• Universal compliance means:
  • the enforcer becomes your expert witness …
  • … should those mythical “copyright trolls” show up.

Other Requests (They’re Easy)

• Notification to past recipients.

• Appoint GPL Compliance Officer.

• Periodic compliance reports.

• Yes, we do ask for some money.

Money

• No one in non-profits is getting rich from this.

• Who should pay for enforcement:
  • Those who comply or those who violate?
  • Individual donors?

• There must be a deterrent.

• Non-profit enforcement == accountability.

• Confidentiality is something violators ask for.

Why Keep Doing Enforcement?

Why Keep Doing Enforcement?

• It’s very simple:
  • an unenforced GPL is the ISC license.
  • If the world prefers ISC, they will switch to it.
  • It’s still Free Software, I’m not against it.
• When no software developers are left who want to enforce GPL …
  • I’ll of course stop.
  • Won’t be soon:
  • two more Samba developers signed Conservancy enforcement agreements over breakfast today.

Samba Enforcement Plans

• Samba has a long history of GPL enforcement.
  • More developer-run enforcement efforts than any project in history.
  • Jeremy & Tridge dealt with one of the earliest nefarious violators in history.
  • Simo has led compliance efforts for years.

Samba Enforcement Plans

• Sadly, enforcement isn’t an interesting technical problem:
  • Rarely are violators smart enough to write useful new code …
  • … they just punish their users by prohibiting upgrade of Samba.
  • … no interesting engineering problems.
• Use Conservancy to get the job done: it’s always here to to do Samba’s boring work.

Why Enforce on Samba w/ Conservancy?

• BusyBox stands by itself right now.
  • Criticism of BusyBox acting alone has some moral validity.

• Samba should stand with its co-projects in the embedded space.

• low-end embedded market needs attention.
  • undercutting those who do real innovation (in compliance).
  • a market opportunity for many GPL projects to stand together.

A Brief Reminder

• I talk about enforcement because (sadly) it’s the most interesting thing Conservancy does.

• Most of what Conservancy does for Samba is really boring:
  • flight reimbursements for developers.
  • invoicing donors for their finanical donations.
  • handling other random logistical bulls*.

• Enforcement is just a small part of Conservancy’s work.

More Info / Talk License

• URLs / Social Networking / Email:
  • Conservancy: sfconservancy.org & @conservancy
  • Me: faif.us, ebb.org/bkuhn & @bkuhn (identi.ca only)
  • FSF Licensing Site: fsf.org/licensing
  • Report GPL violations: <compliance@sfconservancy.org>
  • Slides at: ebb.org/bkuhn/talks & gitorious.org/bkuhn/talks (source)