Displaying posts by Denver Gingerich
Copyleft compliance misconception #1: Companies check their source builds before publishing
byon February 15, 2018
We often hear from people that are confused about why companies fail to meet their copyleft compliance obligations - it seems fairly straight-forward to do, so why don't they all do it? In its many years of experience attempting to help companies comply with the GPL and other copyleft licenses, Conservancy has seen first-hand how many of the expectations software users have about how a company would release source tend to not be met the majority of the time. This post is Conservancy's first in a series on these common misconceptions about copyleft compliance, which will hopefully provide some insight for people wondering why these expectations are seemingly seldom met.
Misconception #1: Companies check their source builds before publishing
If you use or develop free and open source software, you probably find it natural for software projects to make building and installing their software as easy as posssible (or at least to provide contact points in case it is not). This is because getting people to use or contribute to such projects depends on these projects being straight-forward to build and install, otherwise people would just use something else (since normally they would have little invested in a project they can't build or install).
As a result, when companies publish source code as a result of their obligation to comply with the copyleft licenses in the software they distribute (usually this is their primary motivation - in rare cases (so far as we see it) companies are motivated primarily by engaging with the free software community, which we naturally try to encourage as much as possible), they do not have the same incentives as you would normally expect of a project distributing free and open source software. Consequently, companies tend to spend most of their time ensuring that whatever product they're selling to you (be it a router, Blu-ray player, smartphone, etc.) performs the functions it's intended to perform and meeting their bare obligations when it's shipped. They don't spend very much time working on the build and installation experience for those who would like to modify the software running on it after they receive it.
Furthermore, determining which parts of the device's overall build and installation process a company considers to be confidential is often not done, or is done under pressure so close to release time that the company does not wish to try untangling the portions they consider confidential from the portions that they are required to release in order to fulfill their obligations under the copyleft licenses for the software they chose to use.
What we normally see as the outcome of this (in the hundreds of source releases we've evaluated) is that the source code companies provide is nowhere close to meeting the requirements of GPLv2 (which is the copyleft license we most often see being violated), which state that companies must provide "the complete corresponding machine-readable source code" for all the GPLv2-licensed software on the devices they distribute and that "The source code for a work means the preferred form of the work for making modifications to it [which includes] the scripts used to control compilation and installation of the executable."
There are a variety of reasons that a company's source release might fail to meet the above requirements. In many cases we find that the versions of the source packages they provide are nowhere close to the versions of the binaries they distribute. Or their source release is missing entire source packages - i.e. they distribute a binary for Copylefted Project A, but do not provide any source code for Copylefted Project A, even though they might include source for Copylefted Project B.
Even if the above issues are not present, most often we find that there are no scripts at all for installing the software on the device (either in machine- or human-readable form), and any scripts we might find for controlling compilation of the executable are little more than what the original maintainers of the source package provided (which normally means people outside the company shipping the device). As a result, the compilation does not succeed because any changes the company made to the original source package are not considered in the build instructions (the company likely got it to build at least once, in order to ship it on the device, but decided not to document or share that process in their source release). This is particularly frustrating to the people who report the violations to us, as they often want access to the source code to do something particular with the devices they own.
After seeing this pattern in dozens of different source releases from dozens of different companies, it is clear to us that companies do not normally check to see if the source they release can actually be built and installed. Rather than being motivated primarily by meeting the perceived legal requirements of copyleft licenses and thus releasing markedly incomplete source code, our hope is that more companies will start to see the primary motivation for source releases as a way of engaging with the free software community, from which correct build and installation instructions (and indeed fully compliant source releases!) will naturally follow. We've already seen community development projects like SamyGo and OpenWRT form around Samsung TVs and Linksys routers and we hope other companies will see the benefits and help build such communities right from the start.