July 19, 2016 by Bradley M. Kuhn and Karen M. Sandler
The GNU General Public License (GPL) was designed to grant clear permissions for sharing software and to defend that freedom for users. GPL'd code now appears in so many devices that it is fundamental to modern technology. While we believe that following the GPL's requirements is neither burdensome nor unreasonable, many fail to do so. GPL enforcement — the process to encourage those who fail to correct problems and join our open software development community — is difficult diplomacy.
Our community learned together over the last 20 years how to do this work well. Last year, Conservancy published the concise but comprehensive Principles of Communited-Oriented GPL Enforcement. The Principles were immediately endorsed by Conservancy, FSF and gpl-violations.org — the three historic community-oriented GPL enforcement organizations, as well as other non-enforcing organizations such as OSI. Recently, these principles were also endorsed by the Netfilter team, a core and essential group of Linux developers. However, despite our best efforts, we have been unable to convince all enforcers to endorse these Principles. Here, we express our concern and desire to ameliorate that situation as best we can. Furthermore, we also bring some transparency and context where enforcers seem unlikely to ever endorse the Principles.
One impetus in drafting the Principles was our discovery of ongoing enforcement efforts that did not fit with the GPL enforcement community traditions and norms established for the last two decades. Publishing the previously unwritten guidelines has quickly separated the wheat from the chaff. Specifically, we remain aware of multiple non-community-oriented GPL enforcement efforts, where none of those engaged in these efforts have endorsed our principles nor pledged to abide by them. These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years.
Most notably, a Linux developer named Patrick McHardy continues ongoing GPL enforcement actions but has not endorsed the community Principles. When Patrick began his efforts, Conservancy immediately reached out to him. After a promising initial discussion (even contemplating partnership and Patrick joining our coalition) in mid-2014, Patrick ceased answering our emails and text messages, and never cooperated with us. Conservancy has had no contact with Patrick nor his attorney since, other than a somewhat cryptic and off-topic response we received over a year ago. In the last two years, we've heard repeated rumors about Patrick's enforcement activity, as well as some reliable claims by GPL violators that Patrick failed to follow the Principles.
In one of the many attempts we made to contact Patrick, we urged him to join us in co-drafting the Principles, and then invited him to endorse them after their publication. Neither communication received a response. We informed him that we felt the need to make this public statement, and gave him almost three months to respond. He still has not responded.
Patrick's enforcement occurs primarily in Germany. We know well the difficulties of working transparently in that particular legal system, but both gpl-violations.org and Conservancy have done transparent enforcement in that jurisdiction and others. Yet, Patrick's actions are not transparent.
In private and semi-private communications, many have criticized Patrick for his enforcement actions. Patrick McHardy has also been suspended from work on the Netfilter core team. While the Netfilter team itself publicly endorsed Conservancy's principles of enforcement, Patrick has not. Conservancy agrees that Patrick's apparent refusal to endorse the Principles leaves suspicion and concern, since the Principles have been endorsed by so many other Linux copyright holders, including Conservancy.
Conservancy built a coalition of many copyright holders for Linux enforcement so that we as copyright holders in Linux could share with each other our analysis, strategy, plans and diplomacy. Much like Linux development itself, enforcement functions best when copyright holders collaborate as equals to achieve the desired result. In coding, Linux copyright holders seek to create together the best operating system kernel in history, and in an enforcement coalition like ours, we seek to achieve proper compliance in the best possible way for the community. (More collaboration is always better for various reasons, and we always urge copyright holders in Linux, Debian, Samba, and BusyBox to join our coalitions.)
Nevertheless, Conservancy does not object to individual copyright holders who wish to enforce alone; this is their legal prerogative, and with such limited resources for (and political opposition against) GPL enforcement on Linux, everyone who wants to help is welcome. However, Conservancy must denounce anyone who refuses to either endorse the Principles, or (at least) publicly explain why the Principles are not consistent with their efforts to advance software freedom.
There are few public facts on Patrick's enforcement actions, though there are many rumors. That his enforcement work exists is indisputable, but its true nature, intent, and practice remains somewhat veiled. The most common criticism that we hear from those who have been approached by Patrick is an accusation that he violates one specific Principle: prioritizing financial gain over compliance. Meanwhile, some who criticize Conservancy's enforcement efforts ironically believe we are “too nice” — because we don't seek to maximize financial gain, and therefore we ultimately fund some license compliance work with donations from the general public. Despite that criticism, and the simple fact that Conservancy's settlement funds from GPL enforcement usually fail to cover even the staffing costs associated with our enforcement efforts, we continue to abide by the Principle that compliance is paramount over monetary damages. While we sympathize with those who wish GPL enforcement would fund itself, we also see clear problems if an enforcer prioritizes financial gain over compliance — even if the overarching goal is more comprehensive enforcement in other areas.
Conservancy does all our enforcement specifically through a USA 501(c)(3) charity, precisely because that makes us transparently financially accountable. The IRS requires that our work benefit the general public and never bestow private inurement to anyone. Success in enforcement should never personally benefit one individual financially, and a charity structure for GPL enforcement ensures that never happens. Furthermore, the annual Form 990 filings of charities allows for public scrutiny of both enforcement revenue and expenditure1.
Conservancy, as a charity in the center of GPL enforcement, seeks to make enforcement transparent. We devised the Principles in part to clarify long-standing, community-accepted enforcement procedures in a formalized way, so that violators and GPL-compliant adopters alike can discern whether enforcement behavior is acceptable under community norms. We welcome public debate about any enforcement action's compliance with the Principles (i.e., its meta-compliance with the Principles). We encourage all those who enforce GPL to come forward to either endorse the Principles, or publicly propose updates or modifications to the Principles. (We've created the mailing list, principles-discuss, as a public place for that discussion.) We urge developers to state that they support enforcement undertaken in a principled manner, including litigating only as a necessary last resort and to never prioritize financial gain.
We chose the phrase “meta-compliance with the Principles” carefully. Applying the Principles themselves to compliance with those Principles seems apt to us. For example, we publicized the concerns about Patrick's enforcement only after two years of good-faith attempts to discuss the problems with him, and we waited for more than a year before publicizing the problem, and only after both ample warning to Patrick, and discussion and coordination with the Netfilter team. Just as we would with a GPL violator, we exhausted every path we could find before making this statement publicly.
Thus, we now call on Patrick to endorse the Principles or publicly engage in good faith with the community to discuss proper methods of enforcement. We further welcome anyone who does not currently abide by these Principles to join us anew in our coordinated community-oriented GPL enforcement work.
In conclusion, to contrast GPL enforcement with the much more common proprietary software litigation, violators should always have a simple and solid method to quickly resolve the rare legal action around the GPL: compliance. GPL enforcers should always seek compliance as the primary and paramount resolution to any enforcement matter. In this manner, where community-oriented enforcement exists and thrives, the risk for danger from lawsuits diminishes. Today's violators can then become tomorrow's contributors.
Finally, if you are in a situation where you are unsure what your obligations are under GPL, we urge you to read and study the Copyleft Guide to learn more about how to properly comply with GPL and other copyleft licenses.
1 Looking at Conservancy's Form 990s, you can see by examining Page 2 (Part III) (in FY 2011, see Page 25, Schedule O, for continuation) each year how much revenue Conservancy received from enforcement settlements, and how much Conservancy spends on license compliance activity. Most notably, Conservancy has not received a single dollar in GPL enforcement revenue since FY 2012.
Posted by Bradley M. Kuhn and Karen M. Sandler on July 19, 2016
June 6, 2016 by Karen Sandler
Today I submitted comments to the OpenChain specification. OpenChain is a working group formed under the Linux Foundation by companies to collaboratively come up with standards and shared materials around compliance. As community-oriented GPL enforcers, we applaud efforts to improve compliance and have been following the effort with interest to the extent we can with our limited resources. The working group recently put out a public call for comment on the OpenChain specification, which is open until June 17. We encourage people to take a look, perhaps echo our comments if they agree, and even join the calls if they are interested (there's a call today).
Here are the comments I submitted:
- I think text should be added in the introductory section about the value of compliance, generally. Perhaps something like:
Complying with the terms of the free and open source licenses used in industry is not only important for minimizing risk to individual companies, but is also a necessary step towards the preservation, collaboration and improvement of the software infrastructure we all rely on.
- Text should also be added to clarify that completely following the spec does not guarantee full compliance and that the (obvious) intention is that companies need to tailor the guidelines to their own procedures. I think this would fit well in the second to last paragraph on page 3 and perhaps should also be added to G6.1.
- In the definitions, I think the term
OpenChain Compliantis confusing, and can be fixed by using a term other than
compliant. We don't want people to think that following these recommendations is any attestation as to actual compliance (though of course I agree that they will help if followed fully). Calling it
OpenChain Accordantwould work, for example.
- G4.1 should refer to
complete and corresponding source codeinstead of just
- Also in G4.1, a bullet point should be added saying
scripts used to control compilation and installation, as per GPLv2 Section 3 and GPLv3 Section 1 (we may also want to include some reference to this in G3.2, along with a reference to complete and corresponding source code as well). Even though scripts are included in CCS under GPL I think it makes sense to give this its own bullet point to highlight the requirement which is sometimes overlooked. GPLv2 and GPLv3 ensure not only that users receive software freedom in the abstract, but have the technically necessary information to make practical use of those freedoms. Ability to rebuild the binaries from source code, and knowing that everything necessary to produce the binary are present is what matters most in copyleft compliance (this is why, for example, copyleft and security go hand in hand).
- In G5.2, it may be appropriate to recommend considering a Code of Conduct for a company's participation in any community (right now the language is weak anyway and says
might include). This is becoming increasingly common in companies, as I understand it, as a way to limit liability for inappropriate communications by employees in the public and is something they should actively consider.
These comments, like all contributions to OpenChain, are under Creative Commons CC0 1.0 Universal license.
Posted by Karen Sandler on June 6, 2016
May 28, 2016 by Karen Sandler
Last week was OSCON 2016, and the first year that the conference was held in Austin, Texas. OSCON has always been an important conference for Conservancy and for me personally. In 2011, it was the first conference I ever keynoted (I was also on a keynote panel in 2008, which was the closest I'd gotten before then), and where I really started talking about my heart condition and medical devices. OSCON was also the conference where we had the first Conservancy booth and debuted Conservancy t-shirts and stickers.
Austin seems to really suit OSCON. The feel of the conference was comparable to Portland, but there seemed to be a lot of new local participation resulting in a much more diverse conference. I met a lot of great people for whom it was their first time at the conference and made a lot of good connections. Conferences, and OSCON in particular, are always short on time and often I was in a dead run from one thing to the next.
I participated in two sessions on Thursday. One was a talk I gave on employment agreements. I outlined basic issues to look for in signing an employment agreement but my main point was that employment agreements can often be negotiated. Companies have standard contracts that they use for all employees, but in many areas they may be prepared to edit the agreement as part of an onboarding negotiation. After you receive your offer, but before you sign the employment agreement, you are likely to have more power in the relationship than you will again. The company has expended resources in recruiting and interviewing you, and has come to the decision that you're the best person for the job. Just as you negotiate your salary and other important terms of employment, some of the contractual provisions are also likely to be flexible. I've seen a lot of agreements over the years, and every time I've talked to someone about this issue they've been able to get *some* change.
Because of this, and because it's so hard to know what to ask for if you're not a lawyer like me, Conservancy is working on a project of standard employment agreement provisions that could be worth asking for. If many prospective employees ask for this, some companies may start to give this as a perk to attract top talent.
The second session was a panel about free and open software foundations. Moderated by Deb Bryant, the panel discussed issues around foundation formation, fiscal sponsorship and revenue models. I was really excited that multiple people in the session recommended Conservancy as a nonprofit home, and also encouraged audience members to become Supporters of Conservancy! There are a lot of great organizations in free and open source software and it was so interesting to see how many roles the panelists serve in them.
Conservancy had a booth, so I spent most of the rest of the time there. It was great to be in one of the nonprofit areas with so many other awesome nonprofits in our field. It was also the first time we had multiple stickers, including the very first Outreachy stickers.
I was also able to catch a panel on patents that Bradley was a part of, eloquently reminding everyone how deeply problematic software patents are.
Lastly, it was great to meet with other Outreachy organizers! We don't have a chance to meet in person very often and we always have so much to discuss.
After the conference ended on Thursday, we had a chance to relax and talk about the conference with Conservancy Supporters at our pool party. I'm always struck by how impressive our Supporters are. While walking around the party, I caught conversations about the future of free software, copyleft, enforcement, patents, conferences and even one where we recruited someone great to apply for the GNOME Executive Director job! I was so excited by the enthusiasm of our Supporters. Aside from the financial aspect, which is critical for us, with such a small staff it would otherwise be impossible to do all of our work and tell people about it without their help. While it's taken me all week to recover from the conference and try to catch up on the backlog of work that piled up, I feel reinvigorated and recharged!
Posted by Karen Sandler on May 28, 2016
April 11, 2016 by Bradley M. Kuhn and Karen M. Sandler
FSF Confirms Conservancy's Analysis & Urges ZFS Copyright Holders to License Under GPL
In a statement today, the Free Software Foundation (FSF), the charity that publishes all versions of the GNU General Public License (GPL), issued a statement regarding GPL-incompatible licenses and their interactions with strong copyleft licenses. The statement, written by Richard M. Stallman, President of the FSF and author of all versions of the GPL, confirms various points that we made previously in our blog post on the matter in late February.
The FSF's statement covers various topics, but most importantly, it confirms that distribution of software created by combining GPL-incompatibly licensed copyrighted works with GPL'd works violates GPL, stating:
The only permissible way to make available a binary (non-source) work that includes GPL'd material is under the GPL. … Code under GPL-incompatible licenses cannot be added, neither in source nor binary form, without violating the GPL.
The FSF's statement also reiterates many important points that are central to Conservancy's work on GPL compliance, particularly as it relates to combined works, such as Linux modules, which are “dynamically linked”:
[I]f you distribute modules meant to be linked together by the user, you have made them into a combined work, and you must release the entire combined work under the GNU GPL.
Specifically regarding the ZFS matter, the FSF has joined Conservancy in calling on Oracle to also license their ZFS copyrights under GPL, so that combinations with Linux are permitted:
[T]he copyright holders of ZFS … can give permission to use it under the GNU GPL, version 2 or later, in addition to any other license. This would make it possible to combine that version with Linux without violating the license of Linux. This would be the ideal resolution and we urge the copyright holders of ZFS to do so.
The FSF does point out that as stewards of the GNU project, they look to organizations like Conservancy, with a direct relationship with substantial Linux copyright holders, to assure compliance with the GPL for Linux. The FSF lauded our efforts to enforce the GPL, concluding with:
[W]e enthusiastically encourage enforcement of the GPL on Linux in accord with the Principles of Community-Oriented GPL Enforcement, and we wish the enforcers success in bringing violators into compliance, thus maintaining the GPL's integrity so it can defend users' freedom.
Both of us, in addition to our work in our day jobs with Conservancy, also volunteer our time to help the FSF — Bradley has been an FSF volunteer (focused primarily on licensing issues) since 1997 and Karen since 2006. We have been grateful to have a fruitful collaborative relationship with the FSF, and we appreciate that both John Sullivan and Richard Stallman actively sought our direct feedback and input on the FSF's statement over the last month.
Conservancy has also engaged in many more formal collaborations with the FSF in the past two years. Most notably, Conservancy and FSF co-published the aforementioned Principles of Community-Oriented GPL Enforcement. Conservancy and the FSF also jointly manage the copyleft.org effort, which publishes the most comprehensive guide ever created on the use of and compliance with GPL and copyleft.
In the six weeks since publication of our blog post about the license compliance problems with Canonical, Ltd.'s inclusion of ZFS in Ubuntu, some have opined with statements that do not fit with the interpretations and analysis that the FSF has carefully created over the last 30 years regarding how copyleft works. We believe the FSF's statement definitively settles this issue, showing that the FSF position remains consistent. We're glad the FSF has clarified the confusion created by the many pundits who have published inaccurate licensing advice.
Conservancy, now joined by the FSF, continue to call on copyright holders of ZFS to end the licensing problems and simply grant permission under GPL for ZFS' inclusion in Linux. Without such permission, users who seek to combine Linux and ZFS live in a precarious situation without the necessary copyright permissions to exercise their software freedom. The easiest path to resolution is a responsible and community-friendly licensing action by ZFS's copyright holders. Oracle should lead the way, as the largest single copyright holder in the ZFS codebase, to either relicense ZFS, or, if they prefer, publish an updated CDDL that is compatible with the GPLv2 and GPLv3 (which would be another viable route to solve the same problem).
Posted by Bradley M. Kuhn and Karen M. Sandler on April 11, 2016