Matthew Garrett ([personal profile] mjg59) wrote 2012-01-30 06:10 pm

The ongoing fight against GPL enforcement

GPL enforcement is a surprisingly difficult task. It's not just a matter of identifying an infringement - you need to make sure you have a copyright holder on your side, spend some money sending letters asking people to come into compliance, spend more money initiating a suit, spend even more money encouraging people to settle, spend yet more money actually taking them to court and then maybe, at the end, you have some source code. One of the (tiny) number of groups involved in doing this is the Software Freedom Conservancy, a non-profit organisation that offers various services to free software projects. One of their notable activities is enforcing the license of Busybox, a GPLed multi-purpose application that's used in many embedded Linux environments. And this is where things get interesting.

GPLv2 (the license covering the relevant code) contains the following as part of section 4:

Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.

There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation

which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.

The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.

A couple of weeks ago, this page appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.

What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.

please do your homework first

(Anonymous) 2012-01-31 11:31 am (UTC)
What SFC is doing (leveraging the busybox copyright to open up other software, you said so yourself) would be a criminal act in many parts of the world (well, at least in Italy). You CANNOT claim things outside of your own direct copyright or it is copyright abuse.

Please read the article first

(Anonymous) 2012-01-31 12:37 pm (UTC)
When a company breaks the GPL they lose the right to use it - they then have to renegotiate the rights from the owner leaving the owner able to specify whatever conditions they like. It doesn't even need to have anything to do with copyright, let alone who the copyright owner of the other pieces is.

Re: Please read the article first

(Anonymous) 2012-01-31 12:42 pm (UTC)
No, they can't. It is called "tying".

Re: Please read the article first

(Anonymous) 2012-01-31 01:20 pm (UTC)
(Disclaimer: speaking only for the legal jurisdictions with which I have familiarity, and acknowledging that any random jurisdiction can codify arbitrarily insane restrictions that I haven't accounted for.) "tying" doesn't apply here for numerous reasons. Most importantly, the GPL licenses of the third-party software in question *already* apply the same conditions regardless of the involvement of Busybox, and the companies already choose to use that software independently of their choice of Busybox, which means they need to satisfy the license on that software. That alone makes this in no way "tying". Apart from that: 1) this only applies to companies violating copyright on both Busybox and other GPLed programs, which puts those companies in the position of violating the law to begin with; 2) Busybox has no obligation to grant a new license at all, and could just say "stop using Busybox in all your products and take them off the market"; 3) this represents a legal settlement agreed to by the company violating the GPL, in lieu of risking the remedies applied by a court, which would not typically include the release of source code; and 4) this doesn't represent a "sale" of either Busybox or other GPLed programs, but a grant of permissions the company in question would not otherwise have, namely to redistribute (and potentially modify) the programs in question.

Re: Please read the article first

(Anonymous) 2012-02-01 01:06 am (UTC)
That's not how tying works, buddy.

Re: Please read the article first

[identity profile] landley.livejournal.com 2012-02-01 12:25 am (UTC)
This is kind of like saying "If one person in your company is found with a pirated copy of MS paint, your entire company loses all rights to use windows and word and excel on any machine forevermore, worldwide at every site your company has in every country, until and unless it does whatever unspecified thing Microsoft feels is necessary to rectify the violation, up to and including handing over ownership of the entire company."

Personally, I don't think the BSA is a _good_ model for us to follow.

Re: Please read the article first

(Anonymous) 2012-02-01 01:01 am (UTC)
Uh, no it isn't. It's like them saying "comply with these crazy demands OR remove all our material from your machines".

The violators are free at any time to choose to reengineer their devices and sell them without busybox, but as mjg said, they probably have a few tens of thousands of units already sitting in a warehouse with that firmware on them.

Re: please do your homework first

[identity profile] landley.livejournal.com 2012-01-31 04:49 pm (UTC)
And yet when an EX-BUSYBOX MAINTAINER proposes doing exactly that, you freak out.

Re: please do your homework first

[identity profile] landley.livejournal.com 2012-01-31 07:13 pm (UTC)
Is it that you don't believe I'm who I say I am, that you believe I'm lying, or that you're calling me an idiot?

I'm not seeing a fourth option there.

Re: please do your homework first

[identity profile] landley.livejournal.com 2012-01-31 08:44 pm (UTC)
Tim is writing code:

http://landley.net/hg/toybox/rev/12add511705e

You're complaining about what other people are doing. You didn't contribute code to busybox, you didn't contribute code to toybox, you weren't a party to the busybox lawsuits, you apparently haven't enforced the license on your own copyrights in court.

You're complaining that somebody who objects to the license on one project, and is personally contributing code to a replacement, and writing wiki pages to document and explain the project may have reasons for doing so.

You're not writing any code, you're criticizing people who do.

Re: please do your homework first

(Anonymous) 2012-02-01 01:05 am (UTC)
"You're not writing any code, you're criticizing people who do."

...in order to undermine the development model of (much more important) software surrounding it. Great high ground, there!

Re: please do your homework first

(Anonymous) 2012-01-31 08:50 pm (UTC)
Matthew - I'm really tired of you ascribing motive to me that I don't have. I've told you on this thread, and on LWN.net what my motives are. You have chosen to ignore me. Your characterization of the text on the wiki page in the article is just plain wrong. It does NOT say that the purpose of this project is to avoid license compliance for the kernel, yet you have repeated this assertion many times. I have not modified the wording on the wiki page, although I just added some FAQ entries to address issues raised by you and others in the LWN.net thread. You can re-read it if you need to. I encourage you to do so.

I have the same problem here that Rob has. Are you saying I'm lying about my motive? How could you possibly know my intent? On LWN.net you lay out the logic for your belief that I want to do this because of the kernel. It's a nice bit of logic, but that's not what went through my mind when I made the decision to pursue this. My reasons for pursuing this project are on the wiki page. I have ensured that Sony is compliant with its kernel source release obligations for the last 8 years, and frankly it's offensive for you to suggest that I'm trying to avoid my GPL obligations.

Also, I'm doing this, not as a Sony employee (although they pay for my time), and especially not with any kind of directive from Sony. No one else at Sony told me to do this, and only a scant few people know I'm involved.

I'm doing this because it pains me to see this legal issue disrupt the adoption of Linux in embedded systems. I believe the busybox litigation has had a net negative effect on the adoption of GPL software. Apparently you believe otherwise. Reasonable people seeing different examples of the effects on different companies, can disagree on this point.

You have your method of encouraging Linux adoption and GPL compliance, and I have mine. I see you don't agree with mine, but please don't question my motives.

I'm out....

(Anonymous) 2012-01-31 11:37 pm (UTC)
You're a smart guy, but you've been blinded by your own zealotry. Your categorization of compliance violations matters not one whit. The easiness of compliance matters not at all. The history or future intention of compliance or non-compliance matters not at all. You have no idea how large companies are run, and I don't have the time to educate you.

In particular, people who follow all licenses, Sony among them, are most definitely negatively affected by this litigation (or at least the people who want to work on Linux in them are, myself included).

It's not possible to have a rational discussion with you, if you won't take me at my word. You are too busy trying to make your points to listen. So I'm out...
-- Tim

Re: I'm out....

(Anonymous) 2012-02-01 01:14 am (UTC)
> You have no idea how large companies are run, and I don't have the time to educate you.

How about educating the rest of us, at least a bit? I will freely admit that I have no idea how any company, large or small, could possibly find it difficult to comply with GPL licenses, other than in the particular case of using a low-bid supplier and not checking the result. More generally, I don't understand how any company can think it wise to use a pile of FOSS-licensed software without educating people on how to handle FOSS code properly, just as large companies have people specifically responsible for licensing the proprietary software they use. It still mystifies me how companies continue to screw this up when it takes so little to get it right.

And quite frankly, I'd rather see slower adoption of Linux and more GPL compliance than rapid adoption of Linux and widespread GPL violations. While some companies might shy away from using Linux because they've figured out that they might actually have to comply with the licenses, I keep seeing more and more companies actually shipping Linux and getting the details right. I see little GPL notices and offers of source code in numerous products that I use, which never used to appear before, and I can't help but credit some of the organizations enforcing the GPL for that.

Re: please do your homework first

[identity profile] landley.livejournal.com 2012-02-01 12:21 am (UTC)
I know there's corporate interest in a bsd licensed single binary SUSv4 command line implementation. That's part of the appeal of doing it. I _want_ people to use my code. I want to write code that people find useful.

There's no point publishing it otherwise. (I write all sorts of stuff that never sees the light of day because nobody else cares, usually I lose track of it after I'm done and have to reimplement it later.)

None of the engineers at the company I currently work for is allowed to use busybox in the products we ship. Not because they're not compliant with the license, but because they don't want the _risk_ that a single mistake could shut down the entire production line and force a product recall.

Instead we have to use toolbox, which is crap. (And is intentionally crap because Google just made enough of a stub to launch Dalvik, and ignored the rest of userspace. It is _crying_out_ to be replaced.) I have to write tortured shell scripts that are limited to what toolbox can do, and implement things in C that should be grep/sed/sort but I haven't got 'em.

Writing busybox was scratching my own itch. I cannot use busybox to scratch my own itch anymore, and don't expect to be able to in future in any professional context, because the SFLC poisoned it.

To quote the second doctor, "That thing out there's become a killer. It's _my_ fault, and I'm _sorry_."

And like The Doctor, I gotta go fix it now...

Re: please do your homework first

[identity profile] landley.livejournal.com 2012-02-01 12:33 am (UTC)
> 1) People who follow all licenses. There's no reason for them to prefer a
> BSD-licensed Busybox over a GPL one.

http://mimiandeunice.com/2011/09/01/trigger/

Rob

Re: please do your homework first

[identity profile] landley.livejournal.com 2012-01-31 04:13 pm (UTC)
Since I'm not the only copyright holder of busybox, I can't STOP the SFLC suing people over it. I added affirmative defenses to the BusyBox license page:

http://busybox.net/license.html

But that didn't stop them from creating a self-funding legal machine where they NEVER found any actual useful code that should have gone upstream, but they still demanded $15k or so in legal fees each time so they could go sue the NEXT company.

My current employer is doing videoconferencing systems based on Android, and has specifically forbidden its engineers from shipping any GPL code in userspace, because it's just too legally dangerous. After the SFLC went _back_ after Cisco five years after the first settlement, no amount of "compliance" effort is considered sufficient. The GPL has been _poisoned_ by the actions of the FSF and the SFLC.

http://landley.net/notes-2011.html#16-12-2011

I'm sad this happened, but I'm not going to put on a "Han Shot First!" T-shirt and defend the glorious past. I'm going to distance myself from the crazy and rebuild.

Re: please do your homework first

(Anonymous) 2012-01-31 04:36 pm (UTC)
Why did you agree to license your contributions under the GPL? Seems like the BSD or MIT licenses would have been a better choice for you.

Re: please do your homework first

[identity profile] landley.livejournal.com 2012-01-31 07:15 pm (UTC)
Nobody ever reads my blog:

http://landley.net/notes-2011.html#16-12-2011

http://landley.net/notes-2011.html#13-11-2011

Re: please do your homework first

(Anonymous) 2012-02-01 01:09 am (UTC)
Your legal department must be pretty mentally defective if they can't figure out how to use GPL software without breaking the license for it.