The ongoing fight against GPL enforcement
Jan. 30th, 2012 06:10 pm
GPL enforcement is a surprisingly difficult task. It's not just a matter of identifying an infringement - you need to make sure you have a copyright holder on your side, spend some money sending letters asking people to come into compliance, spend more money initiating a suit, spend even more money encouraging people to settle, spend yet more money actually taking them to court and then maybe, at the end, you have some source code. One of the (tiny) number of groups involved in doing this is the Software Freedom Conservancy, a non-profit organisation that offers various services to free software projects. One of their notable activities is enforcing the license of Busybox, a GPLed multi-purpose application that's used in many embedded Linux environments. And this is where things get interesting.
GPLv2 (the license covering the relevant code) contains the following as part of section 4:
Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.
There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation
which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.
The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.
A couple of weeks ago, this page appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.
What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.
You?
Date: 2012-01-31 12:04 am (UTC)
Re: You?
Date: 2012-01-31 12:09 am (UTC)
no subject
Date: 2012-01-31 12:26 am (UTC)
While the underlying reasons are lame and undesirable from an OSS perspective, I'm having a hard time finding fault here. It's like the old joke about Doctor's advice that says, if it hurts when they do something, they should probably stop doing it. In this case, if using GPLed code is getting them sued, one possible solution is to comply with the license, the other solution is to simply stop using GPLed code. Both are equally valid choices, even if one is less desirable from an OSS advocacy perspective.
The onus is on the OSS community to clearly articulate the value provided by compliance that exceeds the value achieved by going back to a mix of proprietary and BSD licensed code.
Re: You?
Date: 2012-01-31 12:28 am (UTC)
no subject
Date: 2012-01-31 12:30 am (UTC)
Um...
Date: 2012-01-31 12:51 am (UTC)
Re: You?
Date: 2012-01-31 12:51 am (UTC)
The only benefit is that *if* you can get hold of their proprietary source code, the company can't do anything about it either.
Re: Um...
Date: 2012-01-31 12:53 am (UTC)
no subject
Date: 2012-01-31 03:00 am (UTC)
no subject
Date: 2012-01-31 03:10 am (UTC)
They're basically saying: "we know full well what the implications are of the GPL, but hey, that GPL code is so darn dandy. Let's just avoid this bit here, so it's less likely someone will force us to open up."
This tells me that companies have no intention to abide by the terms of the GPL in the first place. They only grudgingly do it if someone shows up and litigates.
Honestly, if I had embedded GPL code that was likely used (ie. kernel), I'd make it a point to a) proclaim on that wiki that anyone participating in such an endeavor would get extra close attention. And b) simply not reinstate their license, so they'd be stuck with a lot of bricks they can't sell.
Maybe I'm a bit petty. But really - abide by the license. There's a lot of BSD/MIT/ISC code out there, there's nothing wrong with it, and as a developer there are sometimes good reasons to prefer one of these over the GPL. But that's up to the developer!
no subject
Date: 2012-01-31 03:17 am (UTC)
Corporate Copyright Scofflaws
Date: 2012-01-31 03:27 am (UTC)
Wayne
no subject
Date: 2012-01-31 03:32 am (UTC)
Re: You?
Date: 2012-01-31 03:56 am (UTC)
Re: You?
Date: 2012-01-31 03:58 am (UTC)
Re: You?
Date: 2012-01-31 04:01 am (UTC)
Re: You?
Date: 2012-01-31 04:47 am (UTC)
Re: You?
Date: 2012-01-31 04:58 am (UTC)
No it doesn't. What you're calling licenses (what are often called "End User License Agreements") are not licenses – they are contracts. Licenses give rights that the law otherwise denies (e.g. the right to distribute copies of a copyrighted work or the right to drive on public roadways). The GNU GPL is a license – specifically, it is a copyright license that gives the licensee rights (reproduction of copies, preparation of derivative works, distribution of copies, etc.) that otherwise are exclusively owned by the copyright holder. Contracts on the other hand are agreements between parties in which one or both parties might give up some otherwise legally-granted rights (e.g. the right to pay an employee very small wages). "End User License Agreements" are contracts in which the user agrees to give up rights such as the right to reverse engineer a program or the right to use more than five Microsoft Windows XP systems on one's home network.
I know of no law that forbids the use of software without authorization. It is not an infringement of copyright law to run a program, period. No license is necessary to use any software, free or proprietary (which is why copyright licenses like the GNU GPL come into play only when modifying or distributing so-licensed programs, not when running them). "End User License Agreements" (or "End User Contracts" as I prefer to call them) have little to nothing to do with copyright law and give the agreeing party (the user) no rights to copyrighted software.
Even if copyright law were abolished, these contracts would still apply (unless contract law were also abolished, which would be a bad thing). Users would still be forbidden from studying, modifying, and sharing proprietary programs. Abolition of copyright law would have absolutely no effect on proprietary software, except that non-free programs could swallow up many previously free programs due to the absence of copyleft licenses. Without the advent of either "copyleft contracts" or a law that requires distribution of software in source form, abolition of copyright law would instead be a strong and dangerous blow to free software.
Re: You?
Date: 2012-01-31 05:07 am (UTC)
Red Hat, Inc. would therefore have to either bring enforcement action itself (which is probably not in Red Hat's best interests, as doing so is expensive and suing users doesn't always reflect well on a company) or transfer ownership of its copyrights to another person or entity (such as the Software Freedom Conservancy, Free Software Foundation, or Software Freedom Law Center).
no subject
Date: 2012-01-31 05:23 am (UTC)
Isn't the core issue here apathetic pursuit of copyright infringement from all the other copyright holders being infringed? If the Busybox code being constantly litigated prompts them to stop infringing against it... that is a win. It can't be anything but, assuming that their replacement is genuinely unencumbered and appropriate for use.
There is a bigger (and separate issue) that is getting confused however. I'm not trying to paint them as good guys... but targeting this action and calling it wrong... is wrong; factually, if not morally.
no subject
Date: 2012-01-31 05:30 am (UTC)
Sorry, replying to myself here. I didn't state the obvious, but perhaps I should have. There is the much larger issue of general infringement as well, but that's not what the OP was about, nor my comments.
no subject
Date: 2012-01-31 05:30 am (UTC)
This actually infuriates me.
These companies seem to not understand how copyright law works. By default, they aren't allowed to distribute BusyBox in their products. However, the authors of BusyBox have offered the fruits of their hard labor at no charge along with a license that grants companies the rights to distribute and modify BusyBox. The primary condition of the license is simply that anyone who modifies the software must also release the fruits of their (significantly less) hard labor. The end result of course is that companies are forced to return a favor and to treat their customers with respect. I find this more than fair for everyone, and any company that doesn't agree should instead spend at least twice the cost of hardware on copies of a proprietary program that they can't improve.
I'm reminded of Sony's XCP rootkit (an infringement of free software copyrights designed to fight infringement of Sony BMG copyrights) and the MPAA's infringing use of Ubuntu GNU/Linux to fight copyright infringement in universities.
Re: You?
Date: 2012-01-31 05:43 am (UTC)
Red Hat, similarly, does not directly make any money off of GPL infringement. They make money from Red Hat's Linux distributions, however they get used. Companies who use Red Hat's Linux distributions, and more to the point Red Hat's extensive contributions to numerous parts of the Linux stack, do violate the GPL. If Red Hat did anything about that, they'd potentially scare off users of Red Hat's Linux distributions and of Linux in general, which would not align with Red Hat's best interests, so they have no good reason to do it.
Have I missed something here? I don't mean to suggest that either Google or Red Hat has done anything wrong here; they've both acted in their own best interests. I just don't see a meaningful difference here.
Re: You?
Date: 2012-01-31 05:50 am (UTC)
Re: You?
Date: 2012-01-31 05:51 am (UTC)