[personal profile] mjg59
My post yesterday on how Google gains financial benefit from vendor GPL violations contained an assertion that some people have questioned - namely, "unscrupulous hardware vendors save money by ignoring their GPL obligations". And, to be fair, as written it's true but not entirely convincing. So instead, let's consider "unscrupulous hardware vendors have economic incentives to ignore their GPL obligations".

The direct act of compliance costs money

Complying with the GPL means having the source code that built the binaries you ship. This is easy if your workflow involves putting source in at one end and getting binaries out at the other, but getting to that workflow means having a certain degree of engineering rigour. If your current build process involves mixing a bunch of known good binaries you got from somewhere but you can't remember where with a hacked up source tree that exists on someone's hard drive and then pushing all of these into a tool that only runs on Windows ME, before taking the resulting image and replacing chunks of it by hand, compliance is effectively impossible.

We all know that this is against all kinds of best practices and probably causes so many problems that it's more expensive in the long term, but retooling and hiring someone to oversee all of this takes time and money, and given the margins on many of these devices that's probably enough to make you uncompetitive for a couple of product cycles. Maybe you'll be in a better position afterwards, but you don't know that there'll be an afterwards.

Suppliers who don't provide you with the source code may be cheaper than those who do

You can't be in compliance if you don't have the source code in the first place. The same arguments that apply to the hardware vendors also apply to the people selling you your chips, so there's also an economic incentive for them to avoid complying. And there's an obvious incentive for you to choose the cheaper chipset, even if they don't comply.

Getting the source may cost money

Buying a chipset doesn't necessarily get you the software that makes it work - several silicon vendors will charge you for the SDK. But many of these devices are effectively reference platforms, so are basically identical from a hardware perspective. So if one of your competitors paid for the SDK, you can just dump the binaries off their machine, flash them onto your own boards and save yourself a decent amount of money. You obviously don't get the source, and nor do you have the standing to insist that the vendor whose binaries you misappropriated give you the source.

In the absence of enforcement, GPL compliance only works if it's the norm

Let's imagine two companies, A and B. Both build a tablet device, and buy the full SDK including source code. Both find a bunch of bugs in the vendor SDK and fix a different subset of them. They ship. A provides source code. B doesn't. B can now take A's bugfixes and incorporate them, resulting in a more compelling product without any significant extra cost. You now have two products that can sell for the same price, but B's is better. A would need to prove that B copied their bugfixes rather than simply fixing them themselves, which probably isn't going to happen.

In a larger market, if B is the only vendor who does this then their advantage isn't large - some of A's work is misappropriated by B, but A does benefit from the engineering work contributed by C, D, E, F and G. A combination of social pressure and legal threats may bring B into compliance. But if infringement is the norm, A has no incentive at all to release the source - by doing so they'll be helping not only B, but also C, D, E, F and G. Everyone undercuts A and they go out of business quite quickly.

Moral: In the absence of enforcement, if everyone else is infringing, a single company who complies is at a disadvantage.

If compliance cost nothing then everyone would do it

You can argue that cheap tablets from China are infringing simply because nobody knows better. But what's HTC's excuse? They've clearly decided that there's a benefit in holding back their source code releases[1], balancing this against the risk of being sued. They know full well what they're doing. If compliance was free they'd ship the source at the same time as they shipped the binaries. Other significant vendors are also fully aware of their obligations but choose to ignore them anyway.


There are economic incentives to infringe the GPL, and therefore (all else being equal) an infringing device can be sold for less money. All else being equal, a cheaper device will sell more units. More sales means more devices selling adverts for Google. Google makes more money because Android vendors infringe the GPL.

Edited to add:

But don't just take my word for it - Jean-Baptiste Queru says the same here (search for "scrubbing" - is there any way to link directly to a Google plus comment?)

[1] The usual argument is "We will release the source code within 120 days", implying that it's a process that takes time and we should just be patient. Every single time I've started making threatening noises, the source has appeared within a week.

It is a "Prisoner's Dilemma" scenario

Date: 2012-01-04 08:52 pm (UTC)
From: (Anonymous)
This sounds like a classic Prisoner's Dilemma.

If one company "defects" by being the only one that doesn't follow the GPL rules, they benefit big and the rest get screwed a little bit.

The more companies defect, the less benefit each defector gets and eventually the net is a loss. If everyone defects and keeps their source guarded, everyone gets screwed big by not benefiting from sharing the effort of development.

If everyone stayed GPL compliant, then everyone benefits a little bit and that benefit increases with the more companies that are being compliant.

Just like the criminals in the original dilemma, short term thinking and lack of trust/communication between companies lead to the defection and the net result being a loss rather than a gain for all.
From: (Anonymous)
not really. you can link to #[id of the containing div] so the browser jumps down - but then the top searchbar will be above the comment and presumably the user does not know which comment was linked...

Can't be arsed to re-set my OpenID passwd

Date: 2012-01-05 02:03 am (UTC)
From: (Anonymous)
This is utterly ludicrous, idiotic sophistry.
Point one can be summarised thus: "If you're a total idiot, you can fuck things up"
If getting the source costs money, then the other side is in violation of the gpl. You can't use violation as an argument for violation.
"In the absence of enforcement..." Moot. It is enforced, and has been tested in court.
Many (most?) companies that use gpl-licensed software are compliant. The ones that aren't are tiny, often make poor-quality products, and aren't targeted because they don't matter much in the grand scheme of things.

Seriously, this is such horse dung that I had to comment.

Re: Can't be arsed to re-set my OpenID passwd

Date: 2012-02-03 10:11 am (UTC)
From: (Anonymous)
Where do you get the idea that only tiny companies aren't complying with the GPL?

Barnes and Noble, Lenovo, Sony, Bosch, Western Digital, Zyxel have at some point or are currently in violation and that's just from the top of my head.

Also why does the quality of the final product have any bearing on whether the GPL should be enforced or not? Surely enforcement shouldn't be selective...well beyond perhaps ordering the backlog in terms of number of units distributed but in that case since when does the quality of the final product have any bearing on number of units sold?

Still Google loses at next release...

Date: 2012-01-05 09:58 am (UTC)
From: (Anonymous)
If company A, B, C, D, E, F and G do not release their fixes, a lot of things are not fixed in the following Android release from Google.
The simple fact that people have fixed stuff not working on Linux and given those fixes to the main branch is what has made Linux.
Obviously if you just have short term targets...
From: (Anonymous)
You said: "If compliance cost nothing then everyone would do it".

That's really an extraordinary statement. Assuming that everyone is a rational actor is a major fallacy.

Most things involving human behavior are either partially or entirely irrational, in my lengthy experience. Individual humans are irrational within fairly strictured and predictable domains, but groups of humans are unpredictably irrational.

I enjoy your blogging very much, Matthew. Thanks for sharing your technical adventures!

Date: 2012-01-13 10:16 pm (UTC)
From: [personal profile] reddragdiva
"We all know that this is against all kinds of best practices and probably causes so many problems that it's more expensive in the long term, but retooling and hiring someone to oversee all of this takes time and money"

This is key, I think: commercial software is fucked up shit. I work in an office with really very smart geeks who know what the Right Thing is, but the pressures to cut corners are ever-present. Shit's gotta be done now. So to build half our stuff needs you to know a couple of years' magical incantations. (One of my big projects at this moment is to actually clean this up.)

It's really true: the reason commercial source code isn't released is shame.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.
