How Additional Permissions (aka Exceptions) Impact a Project's License
byon October 20, 2017
When first learning about FLOSS (Free, Libre and Open Source) licenses,
most of us learned them by their specific names, and generally when someone
What license is your project under?, the answer is a short
GPLv3-or-later. However, since the
earliest advent of FLOSS licenses, the concept of “additional
permissions ” — or, the older term for it:
“exceptions” — have been an essential part of the
licensing infrastructure of our community.
The first additional permission for a copyleft license dates back to the Bison license. Since the 1980s, the GNU project gave an exception to the GPL for Bison to assure that typical uses of Bison — which copy some of Bison's own source code into the program's output — did not cause the GPL to apply to that output. This exception was simple, straightforward, and necessary. Users of parser generators would be surprised to learn that using Bison to generate their parser would cause their work to be governed by copyleft. Additional permissions are a scalpel-like tool for authors of copylefted software that carefully craft project policy to best fit their community. Indeed, these exceptions became such an important component of GPLv2 licensing that GPLv3 formalized the concept in the actual license text, defining the term “additional permission ” in GPLv3 itself.
This name better described the purpose of these clauses. Historically, the FSF called them “exceptions”. Throughout the 1990s and early 2000s, software authors deployed these solutions in creative ways, and it became clear that the phrase “license exception” was a poor descriptor (particularly given that “taking exception” is often considered a bad thing)! Slowly, the term “additional permission” became preferred.
Additional permissions are now quite prevalent. Some pursue esoteric policy goals, but most are simply stated and achieve a narrow goal. While additional permissions often make it impossible to name a project's license as simply “GPLv2-only”, the intended policy is usually clear by quickly reading the additional permission(s).
By way of example, despite our common shorthand of saying that Linux's
license is GPLv2-only, the details are more complicated. Linux's license has a
additional permission regarding syscalls. Specifically, this
additional permission states that the copyleft terms
do not cover user
programs that use kernel services by normal system calls. This means
that even though GPLv2 is a strong copyleft and seeks to apply to any
derivative and/or combined work with Linux under copyright, downstream may
license parts of combined works that
use kernel services by normal
system calls under terms other than GPLv2. While some contributors'
code in Linux is licenses without this additional permission (such as plain
GPLv2-only), most Linux contributors license their copyrights under
“GPLv2 with the syscall exception”.
This week, the Linux community began a process to add another additional permission to Linux's license. As with the syscall exception (and any other additional permission), copyright holders must opt-in to grant this additional permission (and a long list of copyright holders have already done so for the new Statement). Conservancy has lauded this effort, since this additional permission allows violators (in some cases) to officially receive permission from those copyright holders to operate under the GPLv3 termination provisions. Copyright holders who participate in Conservancy's GPL Compliance Project for Linux Developers have long followed this, anyway (first informally, and then more formally in adherence to our Principles of Community-Oriented GPL Enforcement). The Linux Kernel Enforcement Statement formalizes this practice as an opt-in additional permission for Linux's license.
Fortunately, copyleft-based additional permissions (aka license
exceptions) aggregate reasonably well. Specifically, additional
permissions are fully compatible with the main copyleft license. At their
option, downstream can usually remove the additional permission and
distribute under the main license. Sometimes, licensing experts will talk
effective license of a work. In practice this means:
given a codebase that combines copyrighted material under many different
licenses, and possibly many different additional permissions and
exceptions, what's the lowest common denominator licensing requirement
that, if met, will satisfy all the licensing requirements of all of the
relevant licenses? With most copylefted works, this often does simplify to those easier
This begs the question: what's the effective license of Linux? Well, more than likely, it's simply GPLv2-only. The reason is this: all the copyrighted code that comprises Linux is (at least) licensed under GPLv2-only. A overwhelming majority is under “GPLv2 with the syscall exception”, and (with this week's announcement) an ever-growing swath will be licensed under “GPLv2 with the syscall exception and with the Linux Kernel Statement additional permission”. Not every copyright holder whose code is in Linux will grant either exception. Thus, the abbreviation to GPLv2-only, as a moniker for Linux's effective license, remains accurate.
Additional permissions are handy tools when building a community around a codebase, particularly when some community members have reservations about some aspect of the standard copyleft license. Copyright holders can grant an additional permission — even one that isn't strictly necessary — to quell concerns and clarify the licensing infrastructure.
Finally, all this begs one more question: Why aren't additional
permissions to copyleft licensing (particularly after they were formalized
in detail as part of GPLv3 itself) more widely utilized? My anecdotal
theory is that licensing remains a difficult area of comprehension for
FLOSS contributors and adopters. Like everyone whose primary expertise
lies elsewhere, licensing novices prefer simple buckets that are easily
understood; difficult concepts often dive deeper than necessary for typical
daily work. While licensing geeks like me enjoy pondering and exploring
the flexibility provided by additional permissions, many developers prefer
a simple moniker to describe a project's license. As such, you'll even
hear licensing experts oversimplify to describe a project's license. As
one of my undergraduate Computer Science professors said to me,
professors will oversimplify until you're graduate students, because we've
yet to figure out the topological sort necessary to tell you the whole
story in proper order such that we avoid these oversimplications that make
Donor Spotlight: Mark Wielaard
byon October 2, 2017
Conservancy depends on our Supporters and Donors. We rely on their financial support, of course, but they are also valued ambassadors who spread the word about Conservancy and the work we do. We continue our series featuring the companies and individuals who support Conservancy. If you're a Supporter of Conservancy and would like to be featured here please let us know!
This time, we're interviewing Mark Wielaard. Mark is a long-time free software developer. He was very involved in the libre java community in the early 2000's, spending many years as the maintainer of GNU Classpath , GNU's implementation the standard library for the java programming language. It took a long time, but he is happy that these days the Java Trap has been mostly dismantled. He still helps with the infrastructure for the IcedTea project, a free software community and collection of tools around core libre java compilers, runtimes and libraries. But his current work is mainly focused on analyzing and debugging natively compiled code. He contributes to Valgrind and elfutils to help make that possible.
Why do you support Conservancy?
Software Freedom Conservancy provides free software projects with a home. I like that, and I think it's important. GNU Classpath had a home in GNU, and a community, and as the maintainer that made me really happy. It meant that we could concentrate on what we loved to do, hacking code together. But with the knowledge that we had a fallback if we needed to deal with anything that couldn't be solved by just adding a bit more code. A place for all the administration that doesn't just fit in the code repository. I hope it makes other free software developers happy too, to have a place for their projects they can call home.
What makes Conservancy a good home for free software projects?
I trust Conservancy to support communities in a way that respects both the developers and software freedom. Free software is a good basis for people to collaborate. The services that Conservancy provides allow communities to concentrate on improving software together. Freeing project leaders from the stress that is involved when being personally responsible for all the non-coding activities. Individuals (and companies) can then join on equal terms, making sure the project and community will work together for the public benefit (and just having fun together hacking on code).
Why do you trust Conservancy to do that work?
Conservancy consists of people with experience, who care. I know Bradley Kuhn because he was the Executive Director of the Free Software Foundation when I worked on GNU Classpath. Having someone who takes care of all the administrative paperwork, someone you could forward tricky legal questions to, had a big impact. It meant we could all just concentrate on coding together. And everyone involved with Conservancy, staff and directors have years of experience with various Free Software projects and foundations. They really know what communities need to keep focussed on doing the thing developers love most, hacking on code.
Conservancy is unique in that it allows projects to define their own terms and conditions for how the community works together. Projects aren't forced to adopt a particular license, governance structure or tools and they aren't controlled by corporate sponsors. And another unique feature of the Conservancy is that they prepare from the start for projects to leave again. If a projects outgrows its home at the Conservancy it has the freedom to leave and setup their home somewhere else.
Anything else?The Software Freedom Conservancy is now the home of a long list of diverse projects. I hope that more people will consider becoming a Conservancy Supporter so that more projects can call the Conservancy their home. With software controlling more and more of our daily lives it is important to provide a welcome home to communities that can provide us with more Software Freedom.
Late Summer Conference Report
byon September 29, 2017
I’ve been traveling quite a lot recently and have had the good fortune of participating in some dynamite conferences. Often we’re so busy with our work and travel that we aren’t able to make the time to report on it properly, which results in a lot of our acomplishments and activities happening silently1. August’s travel was intense, and while my inbox backlog continues to be a bit unnerving, I’ve got to tell you about where I’ve been before September is completely over too!
GUADEC: GNOME’s 20th Birthday!
As many readers probably know, I’m an enthusiastic user and fan of GNOME. And, as the former Executive Director of the GNOME Foundation, I was so thrilled when I was invited to give a keynote speech at the annual main GNOME conference, GUADEC. Given that this year is GNOME’s 20th birthday, it was a special year to be able to participate in the conference.
GUADEC was invigorating. With Ubuntu returning to GNOME and the success of Endless and other commercial initiatives around GNOME, the GNOME community is optimistic and focused on the future. There were many new contributors but also a great showing amongst folks who have been around the community for a long time.
My talk focused on the personal ethical responsibilities of free software contributors and how GNOME contributors can engage in the process of steering our technology in the direction of transparency and security. While I wasn’t intending to talk about medical devices very much in my talk, for a majority of the audience this was their first GUADEC or free software conference and the topic came up to illustrate some of my main points. As a society we’re building our critical infrastructure on proprietary software, entrusting single companies with some of our most important information and interactions. I strongly believe that we need technologists to stand up for ethical technology now, especially within the companies that are producing it. I recommended that contributors engage with management to discuss the long term business advantages of doing the right thing. As it turned out, there were also several young attendees in the audience who have implanted medical devices so it was a great opportunity to connect. Over time, these issues will impact more and more people.
I was excited to see Neil McGovern, the GNOME Foundation’s new Executive Director, in action. After I moved to Conservancy, I served on a Hiring Committee to help the Foundation find the right person for this role. There were many very impressive candidates, but Neil was the stand out. Neil gave an inspiring freedom-focused talk, revealing the great job he’s already doing.
There was also a big party for GNOME’s 20th birthday which was a lot of fun. I moderated a panel on the history of GNOME, and learned a lot of fun tidbits about GNOME’s past! I was also excited to see the “Pants Award” go to Bastian Ilso, who puts together awesome videos for GNOME releases (and ropes me into doing the voiceovers too).
Soon after I got back from GUADEC it was time to head to DebConf. I could only make it for part of DebConf, which definitely left me wishing I could have been there for the whole time.
This time the conference was in Montreal, and I had the privilege of giving a presentation about Outreachy. The talk was very well attended and I left plenty of time for questions. The best part was getting to meet a number of Outreachy alums, mentors and coordinators.
I also had the opportunity to talk to Debian folks about the copyright aggregation project and to participate as a Debian Developer. This was my first Debian event since I became an official non-uploading Debian Developer. While I felt more of a responsibility to work proactively on things that Debian needed to have done, I also felt a strong sense of belonging in the community. When DebConf was held in New York seven years ago, I went briefly for a screening of Patent Absurdity, which I was interviewed in, but was so intimidated by the conference that I basically ran away immediately after! (Somewhat relatedly, I recently recorded a brief video about Imposter Syndrome.) Being recognized as an official contributor to the project helps not only to feel like your contributions are appreciated (even if they aren’t code) but also that you are more than welcome in a community - that you are a part of it.
The last conference I got to this summer was FrOSCon. I hadn’t heard of this conference until recently and was surprised to learn how big it is. Primarily a local German conference, FrOSCon attracts almost 2000 people. Like FOSDEM, the event runs only over the weekend. Also like FOSDEM, the conference organization is extremely impressive. When I arrived the night before the conference, I went over to see if I could help get things set up but there were so many people there to help they actually had nothing for another person to do!
I was asked to do my standard medical devices talk as the first keynote of the conference, and I was glad I gave that particular talk - the room was full of people who hadn’t heard it. The questions I got were insightful and the enthusiasm in the discussions after I spoke was exciting. I also did a couple of interviews with local tech press reporters and met some fabulous people which led to great discussions. A few of us spontaneously gathered a working group on ethics for IoT and informed consent. Since then Emma Lilliestam, who also spoke at FrOSCon about issues related to software and cyborgs, has been writing up these issues and further developing thought on the topic.
I fully appreciated the organization of the event when I stuck around to help with takedown.
It was amazing to see everything get taken down, cataloged and organized for next year. FrOSCon is definitely a conference I would recommend to others in the future.
While the summer is over, it seems like it’s always conference season. This evening I’m delivering a keynote presentation at Ohio Linux Fest, a conference I’ve always wanted to attend. While it’s a lot of travel, I’m grateful to get the opportunity to meet with so many people interested in free an open source software and to have the chance to encourage folks to think about the important issues of our day. If you attend any conference that I’m at, please be sure to say hello!
1 Conservancy has a staff of four full time people, which includes no marketers, campaigns people or anyone focused on PR.
Karen Sandler Interviewed about Sexism and Imposter Syndrome
byon September 19, 2017
During an interview with mic.com, our executive Director Karen Sandler spoke about sexism in tech and imposter syndrome.