![[RSS]](/static/img/feed-icon-14x14.2168a573d0d4.png){kind=icon}
Conservancy BlogDisplaying posts
tagged licensing
by on May 17, 2026
Years ago, copyleft violations were often a mere misunderstanding; vendors intended to comply but made mistakes. In those “before times”, a simple request and short discussion often led to the complete, Corresponding Source (“CCS”) for the the distributed binary works (or, in the case of network-service copyleft, the deployed systems).
Today, nearly all copyleft violations are done with forethought (and frequently nefarious) intent. As such, the most common form of violation is not what we call “no-source-or-offer” or even “offer-fail”, but rather “incomplete-ccs”. That last form of violation is unforunately most complicated to resolve.
An “incomplete-ccs” violation means that the vendor has released some subset of required copylefted materials, but has purposely held back some necessary parts. For example, vendors sometimes provide byte-for-byte upstream source versions (absent their own changes entirely). Upstream sources obviously lack the vendors' “scripts used to control compilation and installation of the executable”. Even when some scripts are included, they are often not the actual scripts used to compile and install, but instead they're an alternative, incomplete version — often created specifically to thrwart efforts to recompile and install. Occasionally, vendors also withhold source code for some key modules, libraries, or other components governed by the copyleft license. Unsurprisingly — in general — vendors withhold the most interesting and most difficult to reimplement parts of the complete, Corresponding Source. Users are left with mere pieces of what the license agreement promises; users have immense difficulty reproducing the build and installing it. In network-service copyleft licenses (like the AGPLv3), users further struggle to properly deploy the service for self-hosting — a right that AGPLv3 guarantees.
These incomplete CCS “candidates” often exhibit “truthiness”. (Stephen Colbert wittily dubbed “truthiness” to refer to false or misleading material that appears to have the quality of truth at first glance — just enough that most won't bother to “trust but verify”.) When we enforce copyleft licenses in “incomplete-ccs” scenarios, we face a protracted argument with most vendors who insist — usually for some seemingly plausible but actually altogether specious reason — that the previous CCS candidate that they provided truly is complete and Corresponding Source. The average number of “rounds” of incompleteness reports that we send until reaching actual, valid CCS is approximately fifteen (on average).
We have spent many years pondering and refining advice for the users and consumers of these products. The users face the worst conundrum here: they sit confused with a copylefted binary and/or object code — yet they cannot effectively exercise their own rights under copyleft nor can they redistribute any object code to anyone else until they have proper CCS.
Fortunately, all is not lost. Here are a few simple facts (which apply to all known copyleft licenses — including the AGPL, LGPL, GPL, and copyleft-next):
For example,
AGPLv3§1
states You may make, run and propagate covered works that you do not
convey, without conditions … a "covered work" [is defined as]
either the unmodified Program or a work based on the Program
.
AGPLv3§4 goes on to state: [y]ou may convey verbatim copies of the
Program's source code as you receive it, in any medium
.
AGPLv3§5 grants that you may convey a work based on the Program, or
the modifications to produce it from the Program, in the form of source
code under the terms of section 4
. The list of requirements you must
meet when doing so under AGPLv3§5 are easy. (Summarizing AGPLv3§5(a-d): they
require that you add/maintain certain required textual notices,
and outbound-license the whole Covered Work under AGPLv3 itself.)
In short, there's no need to think twice if all you're doing is redistributing a copylefted work in pure Source Code form.
This License explicitly affirms your unlimited permission to run
the unmodified Program … You may make, run and propagate covered
works that you do not convey, without conditions
(AGPLv3§2). Other copyleft licenses have similar language.
Do take care not to give someone else direct access to the machine where you do this, and firewall the system so only you can access it via a network. If you distribute and/or convey the software to third parties (or deploy to others a network-service-copylefted system), there may be other parts of the copyleft license that will create obligations for you.
This concept can be counter-intuitive at first, but is extremely important when a vendor continues to provide incomplete/non-corresponding source code for a long time. If the vendor shipped portions of the work in non-source form only (for example, Linux modules in Object Code (i.e., .ko file) format), those files must be distributed under the copyleft license pursuant to its terms. While you face difficulty1 if you personally want to redistribute the non-source form of the software, your rights to analyze, modify, examine, reverse-engineer, or “figure out” those non-source components remain unimpeded due to your rights under the copyleft license.
Similarly, if the violator is withholding (all or some of) “the scripts used to control compilation and installation” — and you have the patience to painstakingly reproduce the build and install the software — you are fully permitted to try.
If you are lucky enough to succeed in your reverse-engineering effort and yield a non-source form that has clear and correct CCS that you can provide yourself, then you can make your own binary/Object Code distribution and redistribute2 all of it together (i.e., pursuant to AGPLv3§6).
These are three of the ways you can still exercise a few of your software freedoms and rights even when vendors have curtailed them by a copyleft violation. This isn't an exhaustive list; rather, it represents the most common “real world” scenarios that users and consumers face against badly behaved vendors.
Keep in mind that vendors will regularly bully users and inaccurately claim these rights don't exist. And it can get nasty!: we've seen violating vendors send DMCA takedown notices, get lawyers to send cease and desist letters, and even publicly shame the brave users who engage in the activities above. If this happens to you, keep your nerve, and remember that all copyleft licenses are irrevocable — vendors don't get to change their mind about your rights after the fact.
Finally, please never hesitate to reach out to us at SFC if you have other scenarios that you face and wonder what your rights are under copyleft, or if you face bullying, harassment, or other further bad behavior from vendors who refuse to grant users the rights they deserve under copyleft. ∎
As always, the usual disclaimers apply: Software Freedom Conservancy is not a law firm, I am not a lawyer, and the advice in this post is not legal advice. You may indeed face legal action by violators even if the rights and permissions that you exercise are obvious. You may wish to consult legal counsel in these situations, and we particularly recommend that you do so if you engage in any distribution and/or software deployment commercially.
1 Note that most copyleft licenses give extra rights to users who wish to non-commerically redistribute object code forms received from their upstream. With most copyleft licenses (and certainly with the GPL Agreements), if you want to redistribute Object Code components just as a vendor gave them to you, you are permitted to simply pass along the offer for CCS from the upstream commercial entity (e.g., see AGPLv3§6(c)). As such, we at SFC usually feel comfortable freely redistributing non-source forms of software that we know are violating; and, we simply point to the upstream violator. When we do so, we encourage users to demand source from the vendor. However, we at SFC do this kind of work every day. We urge anyone who wants to imitate our behavior in this regard to discuss privately with us first, and also consult legal counsel. (NB: Since we're not a law firm, we can't be your legal counsel).
2 The
OpenWrt origin story provides an
excellent historical example of a burgeoning
FOSS project following
these three guidelines. In early 2004, Cisco's Linksys
released incomplete and non-corresponding source code for its
WRT54G router (— following a six-month copyleft enforcement action that I led).
While that release was not CCS, it was juuust enough to allow the newly
formed OpenWrt project to reverse-engineer the build and installation
systems (by making their own with buildroot). Furthermore,
OpenWrt redistributed a binary Linux module (.ko file) for which Broadcom
(Linksys' vendor) refused to release CCS. To my knowledge,
Broadcom never took any action against OpenWrt on this matter —
likely because Broadcom itself violated GPLv2, and they did not want to draw attention
to their own nefarious behavior. Furthermore, OpenWrt's distribution was
non-commercial and therefore Broadcom had no “profits” to go
after. (By contrast, for SFC's OpenWrt One router, we made sure that no third-party
upstream non-compliant binaries were included — not only because we'd never
sell (or even encourage use) of a product that violated, but also because it's
very
risky to sell software that violates copyleft.)
by on April 2, 2026
Last week, the Federal Communications Commission in the United States (the FCC) banned the sale of all new models of home routers not made in the U.S., which is ... all of them. The stated reason for this is that routers "pose an unacceptable risk to the national security of the U.S. or the safety and security of U.S. persons." A router manufacturer can apply for a "Conditional Approval" exemption to try and convince U.S. government bodies that their router should be allowed into the U.S., but this requires "A detailed, time-bound plan to establish or expand manufacturing in the United States" and "A description of committed and planned capital expenditures, financing, or other investments dedicated to U.S.-based manufacturing and assembly", and "an update on the status of their onshoring plan once a quarter" among other impractical asks. Devices built in the U.S. generally cost at least twice as much as devices built in Asia (see the Librem 5 (USA) for example) because U.S. manufacturing facilities are not ready with the scale and efficiency required to enable competitive pricing. The reason we chose to build the OpenWrt One in Asia is that it makes sure the device is as feasible as possible for people around the world to purchase. We expect it will take decades before the U.S. is ready to produce competitively-priced devices - user freedom can't wait that long.
And, in case you were hoping to buy an OpenWrt One, don't worry: the One has already received FCC approval so there is no change to its availability in the U.S. Naturally, we are concerned about the effect this has on any new hardware that SFC might develop, but this decision by the FCC does not create any near-term problems for us, or for FOSS generally.
We do applaud the FCC for recognizing how important home routers are to people's security. While the rulemaking is misguided, it's absolutely correct that the proprietary router manufacturers be accountable in relation to the hardware and software that individuals bring into their homes and their lives. We believe that manufacturers of routers that are primarily FOSS are in a much better position to evaluate the security of their devices, and so we analyzed the rulemaking taking into specific account its software aspects.
While the FCC decision focuses mainly on hardware, there are also some requirements for software. In particular, the FCC has hinted that it may restrict updates to existing hardware, in particular that existing routers "may continue to receive software and firmware updates that mitigate harm to U.S. consumers at least until March 1, 2027".
Since software updates to already-FCC-approved devices do not require a new FCC approval, it appears the FCC is trying to move beyond its usual authorization procedures to restrict what manufacturers are allowed to push to existing routers. However, the FCC notably does not restrict software changes made by owners of routers in the U.S. In particular, there is no indication that updates people make to their own routers, using software they have sourced themselves, would run afoul of any past or present FCC rule.
As a result, we do not believe that this new FCC decision affects whether and how people can run OpenWrt or other user-selected firmware updates on routers they have already purchased. Not only is this an important right in relation to our ownership and control of our own devices, it also ensures that people can keep their routers secure for far longer than the manufacturer may choose to provide security updates, by allowing them to install up-to-date community software that supports routers for 10, 15, or even more years after their initial release date, as OpenWrt does for many devices.
This leads us back to the stated goal of the FCC in making these changes: to ensure that routers do not "pose an unacceptable risk to ... the safety and security of U.S. persons." We certainly agree that all persons (including U.S. persons) should use technology that is safe and secure. And there are standards that exist to ensure this is the case, such as NIST IR 8425A, which the U.S. government already paid to research and produce and, alongside NIST, is recommended by Consumer Reports and other right-to-repair groups already. We have been assessing our existing processes (for OpenWrt, and especially the OpenWrt One) against NIST IR 8425A, and are now accelerating those efforts to ensure we can show that routers using OpenWrt are indeed safe and secure, as determined by independent bodies. This not only helps U.S. persons, but everyone around the world, as OpenWrt is available to anyone regardless of whether they are in the U.S. or not. We strongly encourage any regulation targeting safety and security to take a holistic view, recognizing that safety and security in our technology does not depend on what country we are in, but rather on common properties of the hardware and software we use, and a shared understanding of what technological safety and security means for all humans.
We have reached out to the FCC for clarity on this topic, and look forward to updating this post with their reply.
by on October 31, 2024
This week, the Open Source Initiative (OSI) made their new Open Source Artificial Intelligence Definition (OSAID) official with its 1.0 release. With this announcement, we have reached the moment that software freedom advocates have feared for decades: the definition of “open source” — with which OSI was entrusted — now differs in significant ways from the views of most software freedom advocates.
There has been substantial acrimony during the drafting process of OSAID, and this blog post does not summarize all the community complaints about the OSAID and its drafting process. Other bloggers and the press have covered those. The TLDR here, IMO is simply stated: the OSAID fails to require reproducibility by the public of the scientific process of building these systems, because the OSAID fails to place sufficient requirements on the licensing and public disclosure of training sets for so-called “Open Source” systems. The OSI refused to add this requirement because of a fundamental flaw in their process; they decided that “there was no point in publishing a definition that no existing AI system could currently meet”. This fundamental compromise undermined the community process, and amplified the role of stakeholders who would financially benefit from OSI's retroactive declaration that their systems are “open source”. The OSI should have refrained from publishing a definition yet, and instead labeled this document as ”recommendations” for now.
As the publication date of the OSAID approached, I could not help but
remember a fascinating statement that Donald E. Knuth, one of the founders
of the field of computer
science, once
said: [M]y role is to be on the bottom of things. … I try to
digest … knowledge into a form that is accessible to people who don't
have time for such study
. If we wish to engage in the
highly philosophical (and easily politically corruptible) task
of defining what terms like “software freedom” and
“open source” mean, we must learn to be on the “bottom of
things”. OSI made an unforced error in this regard. While they could
have humbly announced this as “recommendations” or “guidelines”,
they instead formalized it as a “definition” — with equivalent authority to their
OSD.
Yet, OSI itself only turned its attention to AI only recently, when they announced their “deep dive” — for which Microsoft's GitHub was OSI's “Thought Leader”. OSI has responded too rapidly to this industry ballyhoo. Their celerity of response made OSI an easy target for regulatory capture.
By comparison, the original OSD was first published in February 1999. That was at least twelve years after the widespread industry adoption of various FOSS programs (such as the GNU C Compiler and BSD). The concept was explored and discussed publicly (under the moniker “Free Software”) for decades before it was officially “defined”. The OSI announced itself as the “marketing department for Free Software” and based the OSD in large part on the independently developed Debian Free Software Guidelines (DFSG). The OSD was thus the culmination of decades of thought and consideration, and primarily developed by a third-party (Debian) — which provided a balance on OSI's authority. (Interestingly, some folks from Debian are attempting to check OSI's authority again due to the premature publication of the OSAID.)
OSI claims that they must move quickly so that they can counter the software companies from coopting the term “open source” for their own aims. But OSI failed to pursue trademark protection for “open source” in the early days, so the OSI can't stop Mark Zuckerberg and his cronies in any event from using the “open source” moniker for his Facebook and Instagram products — let alone his new Llama product. Furthermore, OSI's insistence that the definition was urgently needed and that the definition be engineered as a retrofit to apply to an existing, available system has yielded troublesome results. Simply put, OSI has a tiny sample set to examine, in 2024, of what LLM-backed generative AI systems look like. To make a final decision about the software freedom and rights implications of such a nascent field led to an automatic bias to accept the actions of first movers as legitimate. By making this definition official too soon, OSI has endorsed demonstrably bad LLM-backed generative AI systems as “open source” by definition!
OSI also disenfranchised the users and content creators in this process. FOSS activists should be engaging with the larger discussions with impacted communities of content creators about what “open source” means to them, and how they feel about incorporation of their data in the training sets into these third-party systems. The line between data and code is so easily crossed with these systems that we cannot rely on old, rote conclusions that the “data is separate and can be proprietary (or even unavailable), and yet the system remains ‘open source’”. That adage fails us when analyzing this technology, and we must take careful steps — free from the for-profit corporate interest of AI fervor — as we decide how our well-established philosophies apply to these changes.
FOSS activists err when we unilaterally dictate and define what is ethical, moral, open and Free in areas outside of software. Software rights theorists can (and should) make meaningful contributions in these other areas, but not without substantial collaboration with those creative individuals who produce the source material. Where were the painters, the novelists, the actors, the playwrights, the musicians, and the poets in the OSAID drafting process? The OSD was (of course) easier because our community is mostly programmers and developers (or folks adjacent to those fields); software creators knew best how to consider philosophical implications of pure software products. The OSI, and the folks in its leadership, definitely know software well, but I wouldn't name any of them (or myself) as great thinkers in these many areas outside software that are noticeably impacted by the promulgation of LLMs that are trained on those creative works. The Open Source community remains consistently in danger of excessive insularity, and the OSAID is an unfortunate example of how insular we can be.
Meanwhile, I have spent literally months of time over the last 30 years trying to make sure the coalition of software freedom & rights activists remained in basic congruence (at least publicly) with those (like OSI) who are oriented towards a more for-profit and corporate open source approach. Until today, I was always able to say: “I believe that anything the OSI calls ‘open source’ gives you all the rights and freedoms that you deserve”. I now cannot say that again unless/until the OSI revokes the OSAID. Unfortunately, that Rubicon may have now been permanently crossed! OSI has purposely made it politically unviable for them to revoke the OSAID. Instead, they plan only incremental updates to the OSAID. Once entities begin to rely on this definition as written, OSI will find it nearly impossible to later declare systems that were “open source” under 1.0 as no longer so (under later versions). So, we are likely stuck with OSAID's key problems forever. OSI undermines its position as a philosophical leader in Open Source as long as OSAID 1.0 stands as a formal defintion.
I truly don't know for sure (yet) if the only way to respect user rights in an LLM-backed generative AI system is to only use training sets that are publicly available and licensed under Free Software licenses. I do believe that's the ideal and preferred form for modification of those systems. Nevertheless, a generally useful technical system that is built by collapsing data (in essence, via highly lossy compression) into a table of floating point numbers is philosophically much more complicated than binary software and its Corresponding Source. So, having studied the issue myself, I believe the Socratic Epiphany currently applies. Perhaps there is an acceptable spot for compromise regarding the issues of training set licensing, availability and similar reproducibility issues. My instincts, after 25 years as a software rights philosopher, lead me to believe that it will take at least a decade for our best minds to find a reasonable answer on where the bright line is of acceptable behavior with regard to these AI systems. While OSI claims their OSAID is humble, I beg to differ. The humble act now is to admit that it was just too soon to publish a “definition” and rebrand these the OSAID 1.0 as “current recommendations”. That might not grab as many headlines or raise as much money as the OSAID did, but it's the moral and ethical way out of this bad situation.
Finally, rather than merely be a pundit on this matter, I am instead today putting myself forward to try to be part of the solution. I plan to run for the OSI Board of Directors at the next elections on a single-issue platform: I will work arduously for my entire term to see the OSAID repealed, and republished not as a definition, but merely recommendations, and to also issue a statement that OSI published the definition sooner than was appropriate. I'll write further about the matter as the next OSI Board election approaches. I also call on other software rights activists to run with me on a similar platform; the OSI has myriad seats that are elected by different constituents, so there is opportunity to run as a ticket on this issue. (Please contact me privately if you'd like to be involved with this ticket at the next OSI Board election. Note, though, that election results are not actually binding, as OSI's by-laws allow the current Board to reject results of the elections.)
by on October 3, 2024
We were excited and very happy to participate in Linux Plumbers Conference this year, which happened last month (Sep 18-20) in Vienna. As one of the premiere programs using a software right to repair license (GPLv2), Linux is crucial for the future of software freedom in our devices, from those we use to develop and write new code, to the phones many of us carry with us, to the many appliances and even cars that bring conveniences to our lives. And so we were delighted to discuss Linux and its role in our connected future with Linux kernel developers and other enthusiasts who attended this technical conference.
We hosted a BoF, Let's talk about GPL and LGPL enforcement!, which brought dozens of developers together to discuss the hard questions of how we can ensure that Linux's license is enforced so people can get the code they're entitled to, and the current state of GPL and LGPL enforcement across the board. After some discussion of how often companies use software under the GPL and LGPL without honoring the license terms (it's unfortunately very very common), we fielded some questions about source candidates that people had received. The first example that a participant provided as a positive example of a company meeting its obligations turned out to actually be from a company that SFC had sued in the past, showing that SFC's prior enforcement efforts were helping to change behavior, causing companies to provide GPL/LGPL source code when they hadn't before.
The discussion moved on to how we can bring the next generation of developers into the Linux community, so they can keep improving the Linux kernel in the coming decades. It was noted that a lot of new computer users aren't getting the same computing environment that most Linux developers grew up with. In particular, most Linux developers today started computing with desktop or laptop computers that gave them a wide range of software options, and easy ways to switch operating systems and other key software. However, today most new computer users are getting less capable devices, not because they are less powerful, but because the devices don't have the same malleability and accessibility as they did two decades ago, which is due in part to GPL violations where the user is prevented from reinstalling modified Linux or other software onto their device.
This really struck me, as I had many conversations in the "hallway track" where I asked people how they got into FOSS, and the responses were invariably a version of "to do more interesting things with my computer". It was clear that the computing devices of the 90s and early 2000s really promoted this developer mindset, and that we would have to keep the momentum going to ensure that new developers would have the same opportunities. This leaves us with a mission to make sure that as computing platforms change, we retain the freedoms that enabled the current generation of technology to flourish.
While GPL enforcement isn't the only factor in ensuring people can access developer tools and make meaningful changes to their devices, it is certainly an important piece of the puzzle, given everything we heard at Plumbers this year. With large percentages of Linux devices still distributed without giving users the freedoms that Linux's license is designed to give them, GPL enforcement is immensely important, as our discussions at Plumbers and elsewhere remind us.
The feedback from the BoF was overwhelmingly positive, and we were so happy to be able to take questions, share information, connect with longtime contributors and meet newcomers with such a keen interest in copyleft and enforcement. As always, we invite feedback about this work. You can email us anytime at compliance@sfconservancy.org, and we'll be scheduling some synchronous sessions later in the year.
In the meantime, we are proud to continue the work to ensure that everyone can repair and modify the software on their Linux devices, and everything else using software right-to-repair licenses, for current and future generations of software users and developers.