[personal profile] mjg59
GPL enforcement is a surprisingly difficult task. It's not just a matter of identifying an infringement - you need to make sure you have a copyright holder on your side, spend some money sending letters asking people to come into compliance, spend more money initiating a suit, spend even more money encouraging people to settle, spend yet more money actually taking them to court and then maybe, at the end, you have some source code. One of the (tiny) number of groups involved in doing this is the Software Freedom Conservancy, a non-profit organisation that offers various services to free software projects. One of their notable activities is enforcing the license of Busybox, a GPLed multi-purpose application that's used in many embedded Linux environments. And this is where things get interesting

GPLv2 (the license covering the relevant code) contains the following as part of section 4:

Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.

There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation

which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.

The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.

A couple of weeks ago, this page appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.

What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.

Re: You?

Date: 2012-01-31 03:58 am (UTC)
From: (Anonymous)
And why doesn't your employer allow the use of their copyrights in GPL enforcement? If they think doing so would not align with their best interests, that sounds a lot like what you decried Google for doing.

Re: You?

Date: 2012-01-31 05:43 am (UTC)
From: (Anonymous)
Google does not directly make any money off of GPL infringement. They make money from Android, however it gets used. Some companies who use Android violate the GPL. If Google did anything about that, they'd potentially scare off users of Android, and add to the general irrational fear of "you can't use Linux without getting sued" (which mostly comes from the various litigious patent holders, such as the current patent extortion against Android vendors). That doesn't align with Google's best interests, so they have no good reason to do it.

Red Hat, similarly, does not directly make any money off of GPL infringement. They make money from Red Hat's Linux distributions, however they get used. Companies who use Red Hat's Linux distributions, and more to the point Red Hat's extensive contributions to numerous parts of the Linux stack, do violate the GPL. If Red Hat did anything about that, they'd potentially scare off users of Red Hat's Linux distributions and of Linux in general, which would not align with Red Hat's best interests, so they have no good reason to do it.

Have I missed something here? I don't mean to suggest that either Google or Red Hat has done anything wrong here; they've both acted in their own best interests. I just don't see a meaningful difference here.

Date: 2012-01-31 11:46 am (UTC)
From: [identity profile] ajaxxx.livejournal.com
(not speaking for my employer, etc)

When you buy a RHEL machine, you actually buy an RHN subscription that includes a full copy of the source corresponding to the binaries you installed. Okay technically there's copies up on ftp too, which is why there's a CentOS.

When you buy an Android machine, you don't buy a promise from Google to give you the source. In fact if you're Google you go out of your way to delay public source releases of Android. Your recourse is to the vendor who sold you the device, because the odds are good that stock Android isn't going to run on your phone. And we see how that's gone.

I'm not saying your argument is invalid. In both cases, you don't want to sue your customers. But one of these companies has made a good-faith effort to make GPL compliance trivial, and one has actively shirked that duty. Red Hat probably would pursue GPL infringement if it were losing them RHEL sales (you'll note CentOS and Scientific are squeaky clean here). Google probably would not pursue GPL infringement because the per-seat cost of Android is not where they make money.

Now if you're saying Red Hat should allow the use of its copyright on the kernel as leverage in all GPL enforcement cases, well, yes, probably it should, morally speaking. It's a little difficult to justify that to the shareholders, I expect, since that's a lot of lawyer time for no increase in revenue. But if you can come up with a way to do it I bet there's some counsel that would love to talk to you.

Date: 2012-01-31 12:15 pm (UTC)
From: (Anonymous)
I've worked with a giant pile of random embedded boards. Those boards often come with a CD of random Linux bits designated as a "board support package", and more often than not those random Linux bits represent a random snapshot of some subset of RHEL. It seems highly likely that at least some device vendors make the mistake of actually *using* those random Linux bits, and highly likely that at least one of them didn't bother satisfying their GPL obligations. Red Hat Network never comes into play.

Date: 2012-01-31 01:06 pm (UTC)
From: [identity profile] ajaxxx.livejournal.com
Red Hat's legal affairs department is -> that way. Assuming Raleigh is to your right, I guess.

Date: 2012-01-31 12:17 pm (UTC)
From: (Anonymous)
> Now if you're saying Red Hat should allow the use of its copyright on the kernel as leverage in all GPL enforcement cases, well, yes, probably it should, morally speaking. It's a little difficult to justify that to the shareholders, I expect, since that's a lot of lawyer time for no increase in revenue. But if you can come up with a way to do it I bet there's some counsel that would love to talk to you.

No need for Red Hat to spend any of its own lawyers' time. More than one organization exists which would happily spend its own lawyers' time on GPL enforcement on Red Hat's behalf. Any reason not to do that?

Date: 2012-01-31 12:59 pm (UTC)
From: [identity profile] ajaxxx.livejournal.com
That's not my call to make, but sure, I'm all for it.

Re: You?

Date: 2012-01-31 04:35 pm (UTC)
From: [identity profile] landley.livejournal.com
And iPhone is cleaning their clock anyway.

Nobody ever read the 64-bit transition paper Eric and I wrote:


The thesis was that network effects create a positive feedback loop around a de-facto standard, and the only time these standards get replaced is when hardware obsolescence forces a new standard. The switch between 8 bit, 16 bit, 32 bit, and 64 bit PCs went like clockwork according to Moore's Law, and we pointed out "hey, switch coming" just before the 64 bit PC software standard got locked down.

Here's the follow-up I wrote:


where I pointed out that the 32->64 bit PC transition gets trumped by the next step in "mainframe -> minicomputer -> microcomputer -> smartphone", and that smart phones are going to render PCs obsolete as soon as they become self-hosting.

I.E. Linux on the desktop _does_not_matter_ because the PC is going the way of the minicomputer. Windows is finally going away, and at the moment it looks like it'll be replaced with the iPhone. (Note: tablets that are small PCs fail, tablets that are big phones sell faster than Apple can make them.)

It _might_ still be android, but if we're paralyzed by infighting like last time we'll lock ourselves out of this transition the same way we got locked out of the last couple, EVEN IF ANDROID SUCCEEDS. (Right now android's userspace is a minimal stub to run Java, so the no gpl in userspace thing is still kinda secondary to that. Keep in mind they could have run busybox or the gnu tools 5 years ago: they chose not to, they still choose not to, and you're going to die of old age waiting for them to change their minds on this.)

But at this point, failing due to infighting is a hallowed Unix tradition...


Re: You?

Date: 2012-02-02 02:37 pm (UTC)
From: (Anonymous)
And iPhone is cleaning their clock anyway.

Do you mean iOS?

If you're talking about tablets, that's not even slightly true.

Apple marketshare is down 10% over the last year to 58%. Android is up 10% to 39% over the same period. Doesn't look like anyone's clocks are getting cleaned; looks like Apple just had a head start and an initial marketing bump.

(from the BBC (http://www.bbc.co.uk/news/business-16736609))

If you're talking about smartphones, it's an even more untrue claim. Android marketshare is at 53% for new sales, and iOS is down to 29% as of December 2011.

(from engadget (http://www.engadget.com/2011/12/14/shocker-android-grew-us-market-share-after-q2-ios-was-static/))

Re: You?

Date: 2012-01-31 05:07 am (UTC)
From: [personal profile] pehjota
Pursuant to 17 U.S.C. § 501(b), only the owner of a copyright may institute action for infringement of the copyright.

Red Hat, Inc. would therefore have to either bring enforcement action itself (which is probably not in Red Hat's best interests, as doing so is expensive and suing users doesn't always reflect well on a company) or transfer ownership of its copyrights to another person or entity (such as the Software Freedom Conservancy, Free Software Foundation, or Software Freedom Law Center).

Re: You?

Date: 2012-01-31 05:50 am (UTC)
From: (Anonymous)
You can delegate enforcement to someone else on your behalf. Nothing stops the Software Freedom Conservancy from acting as legal representation pro-bono, and enforcing the GPL with the copyright holders' permission.

Re: You?

Date: 2012-01-31 06:40 am (UTC)
From: (Anonymous)
No, you really can't "delegate" copyright enforcement. Look at Righthaven:


Some Righthaven suits have been dismissed due to "lack of standing". They don't *own* the copyrights, they just have the right to sue. And you can't transfer the right to sue to someone else while retaining ownership of the copyright.

Re: You?

Date: 2012-01-31 09:19 am (UTC)
From: (Anonymous)
I didn't say that you could fully delegate the right to sue. I said you could let someone else handle enforcement. The copyright holder's name still goes under "Plaintiff".

Re: You?

Date: 2012-01-31 07:28 am (UTC)
From: [personal profile] pehjota
No, only the owner of rights can institute legal action for infringement of those rights (see 17 U.S.C. § 501(b)). Other parties may be involved in the action, but only the owner of infringed rights is allowed to file the complaint.

The DMCA, however, does allow authorized agents (and under penalty of law they must indeed be authorized) to issue takedown notices for specific cases of infringement on a network service. Beyond that though, such agents are just about powerless.

Re: You?

Date: 2012-01-31 07:39 am (UTC)
From: [personal profile] pehjota
By the way, I think you're confusing the Software Freedom Conservancy (an umbrella organization for projects, similar to Software in the Public Interest, the Free Software Foundation, and the Apache Software Foundation) with the Software Freedom Law Center (an organization that provides legal services to developers and projects).

In some court cases (e.g. those involving BusyBox and some GNU software), the Software Freedom Law Center led the litigation without having ownership of relevant copyrights. However, that was only possible because the owners of those rights filed the complaints and sought the SFLC's legal representation.

Re: You?

Date: 2012-01-31 09:23 am (UTC)
From: (Anonymous)
No, I pointedly didn't confuse those two. The Software Freedom Conservancy owns the copyright on Busybox, and vigorously enforces it. They'll also happily enforce the copyrights of anyone else willing to work with them, which sadly includes relatively few people and projects.

The Software Freedom Law Center provides legal services, which could include GPL enforcement if desired, but they don't actively seek to do GPL enforcement on behalf of any particular project unless that project asks them to do so.

Re: You?

Date: 2012-01-31 06:54 pm (UTC)
From: [identity profile] landley.livejournal.com
The software freedom conservancy does NOT own the copyright on busybox, the copyrights are retained by the original contributors. The SFLC signed on to represent individual copyright holders (originally Erik and myself, later Erik and Denys). The conservancy then split off from the SFLC in some kind of falling out I never got the details of, and the gpl at busybox address goes to the conservancy now. The SFLC is essentially mothballed as far as I know (I think Eben Moglen went back to teaching) and the conservancy is... Bradley Kuhn, I think?

The lawsuits turned into a big self-financing thing where each settlement netted them somewhere around $20k and they used that to fund the next suit, and our involvement consisted of signing papers and mailing them back. (They decided to make an example of somebody once, and then we actually received a nice check. Most of the time, they just got expenses and we didn't get anything, but we weren't in it for the money. But as I said, I stopped being involved years ago, maybe the conservancy does things differently than SFLC did...)

There's nothing to stop other random contributors over the years (Manuel Nova, Glenn McGrath, etc) from getting their own legal representation and launching their own lawsuits, if they wanted to. Just like with the Linux kernel. (Although as project maintainers we had an easier time proving standing.) The fact is I withdrew my support from the lawsuits at the end of 2008 (when they attacked Cisco while I was _working_ with Cisco; my approach was effective, theirs threw a wrench in the works), but they continued with Erik and Denys as plaintiffs.

Re: You?

Date: 2012-02-01 01:42 am (UTC)
From: [identity profile] landley.livejournal.com
*shrug* After my time.

Re: You?

Date: 2012-02-01 06:43 am (UTC)
From: (Anonymous)
Software Freedom Law Center isn't mothballed at all. That is not correct info. They just submitted comments to the Copyright Office, for example. See: http://www.softwarefreedom.org/

Dan Ravicher is taking time off to write a book, and he took the lead
on the Busybox stuff, but the Center continues.

Getting upset because litigation continued despite Rob's personal
interest in Cisco isn't a reason to put them down. Maybe Rob.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags