[RSS] Conservancy Blog

Copyleft compliance misconception #1: Companies check their source builds before publishing

by Denver Gingerich on February 15, 2018

We often hear from people that are confused about why companies fail to meet their copyleft compliance obligations - it seems fairly straight-forward to do, so why don't they all do it? In its many years of experience attempting to help companies comply with the GPL and other copyleft licenses, Conservancy has seen first-hand how many of the expectations software users have about how a company would release source tend to not be met the majority of the time. This post is Conservancy's first in a series on these common misconceptions about copyleft compliance, which will hopefully provide some insight for people wondering why these expectations are seemingly seldom met.

Misconception #1: Companies check their source builds before publishing

If you use or develop free and open source software, you probably find it natural for software projects to make building and installing their software as easy as posssible (or at least to provide contact points in case it is not). This is because getting people to use or contribute to such projects depends on these projects being straight-forward to build and install, otherwise people would just use something else (since normally they would have little invested in a project they can't build or install).

As a result, when companies publish source code as a result of their obligation to comply with the copyleft licenses in the software they distribute (usually this is their primary motivation - in rare cases (so far as we see it) companies are motivated primarily by engaging with the free software community, which we naturally try to encourage as much as possible), they do not have the same incentives as you would normally expect of a project distributing free and open source software. Consequently, companies tend to spend most of their time ensuring that whatever product they're selling to you (be it a router, Blu-ray player, smartphone, etc.) performs the functions it's intended to perform and meeting their bare obligations when it's shipped. They don't spend very much time working on the build and installation experience for those who would like to modify the software running on it after they receive it.

Furthermore, determining which parts of the device's overall build and installation process a company considers to be confidential is often not done, or is done under pressure so close to release time that the company does not wish to try untangling the portions they consider confidential from the portions that they are required to release in order to fulfill their obligations under the copyleft licenses for the software they chose to use.

What we normally see as the outcome of this (in the hundreds of source releases we've evaluated) is that the source code companies provide is nowhere close to meeting the requirements of GPLv2 (which is the copyleft license we most often see being violated), which state that companies must provide "the complete corresponding machine-readable source code" for all the GPLv2-licensed software on the devices they distribute and that "The source code for a work means the preferred form of the work for making modifications to it [which includes] the scripts used to control compilation and installation of the executable."

There are a variety of reasons that a company's source release might fail to meet the above requirements. In many cases we find that the versions of the source packages they provide are nowhere close to the versions of the binaries they distribute. Or their source release is missing entire source packages - i.e. they distribute a binary for Copylefted Project A, but do not provide any source code for Copylefted Project A, even though they might include source for Copylefted Project B.

Even if the above issues are not present, most often we find that there are no scripts at all for installing the software on the device (either in machine- or human-readable form), and any scripts we might find for controlling compilation of the executable are little more than what the original maintainers of the source package provided (which normally means people outside the company shipping the device). As a result, the compilation does not succeed because any changes the company made to the original source package are not considered in the build instructions (the company likely got it to build at least once, in order to ship it on the device, but decided not to document or share that process in their source release). This is particularly frustrating to the people who report the violations to us, as they often want access to the source code to do something particular with the devices they own.

After seeing this pattern in dozens of different source releases from dozens of different companies, it is clear to us that companies do not normally check to see if the source they release can actually be built and installed. Rather than being motivated primarily by meeting the perceived legal requirements of copyleft licenses and thus releasing markedly incomplete source code, our hope is that more companies will start to see the primary motivation for source releases as a way of engaging with the free software community, from which correct build and installation instructions (and indeed fully compliant source releases!) will naturally follow. We've already seen community development projects like SamyGo and OpenWRT form around Samsung TVs and Linksys routers and we hope other companies will see the benefits and help build such communities right from the start.

Tags: conservancy, GPL

Remembering Shawn Pearce

by Jeff King on January 30, 2018

The Git project and Conservancy mourn the passing of Shawn Pearce, a long-time developer and member of the Git community.

Shawn joined the Git project in 20061, and over the past 12 years wore many hats.

He is the third most prolific contributor to Git by commit count, with over 1200 patches. His credits include many fundamental systems, such as the Git-over-HTTP protocol, the fast-import system (a format which has been adopted by many other version control systems!), and the concept of reflogs (including the beautiful hack of their @{} syntax).

Beyond individual technical contributions, Shawn had a knack for seeing what the greater ecosystem needed and wasn’t afraid to jump head-first into a new project. He wrote git-gui, the first graphical Git client. In order to provide Git support in the Eclipse IDE, he wrote JGit, a from-scratch Java re-implementation of Git. He also started the Gerrit Code Review project, which is used for all Android development.

But most of all, we will remember Shawn for his leadership in the project. He organized the first “GitTogether” of project developers in 2008. He served multiple tours as interim maintainer over the years. He was instrumental in getting the project involved in Google’s Summer of Code program. And since Git joined Software Freedom Conservancy in 2010, he has served on Git’s project leadership committee.

Shawn exemplified the kindness, patience, and technical excellence required of an open source contributor. And also the stubbornness and determination it takes to reimplement the entire project in Java, when that’s what’s called for. We’re grateful for his many years of service to the project, to the open source community, and to the field of programming.

We also know that his work on Git was just a small slice of who he was as a person, and our hearts goes out to his family. There’s a memorial fund, and his family has encouraged people to donate to cancer research in lieu of flowers.

Mostly, I really want people to understand the profound impact of the work Shawn did. There are many “unsung” heroes of open source, people who work behind the scenes that users never know about. A vast number of people use Git and without Shawn, Git would be really different. We will miss him.

1Shawn’s very first email to the list was the announcement of an alternate user interface for Git. The project ended up folding, but I’ll give him credit for ambition.

Thank you to all our donors and Supporters - we did it!

by Karen Sandler on January 17, 2018

On behalf of Conservancy's staff and all of our member projects, I am excited to thank all of the people who contributed to this year's match challenge. Thanks to your generosity, we exceeded the amounts offered by Private Internet Access and an anonymous donor set for this year's annual fundraising drive.

What inspires me the most about this success is that we could not have done it without a high level of engagement from our volunteers. You not only donated your money to help sustain Conservancy, but you also took time to become a promotion machine for us. You blogged about it, you tweeted and tooted about it, you wrote about it on chat forums and you put up banners on websites. One volunteer even forwent payment on a small consulting gig and asked instead that the amount be donated to us.

Two years ago, we decided to become an individual supported charity to ensure independence from large corporate donors.Your support demonstrates that we can succeed and be vibrantly independent. We are humbled by your commitment to our mission and your trust in us and our work. We will use the money as best as we can to advance software freedom. We're so excited for the work we can all do together in 2018!

Tags: conservancy, supporter

Why Scènes À Faire Should Apply to Command-Line Interfaces

by Bradley M. Kuhn on January 3, 2018

Today, Conservancy joined other amici in the Cisco v. Arista case. Specifically, the amicus brief discusses why the scènes à faire affirmative defense for copyright infringement is appropriate and actually necessary regarding imitation of command-line interfaces. I hope this blog post will convince you that software freedom contributors should care about the issue.

The easiest example to understand these issues is Unix. Most of us know the basics of Unix's user interface, which primarily consists of commands that live in /bin and /usr/bin, that each include various command-line options that we've memorized. When the GNU project started, as RMS has described in his talks, he chose to imitate this user interface. Many reasons were obvious, but the most important one was that Unix was already an industry standard and users already knew its interface.

At the time, no one would have considered that you'd be liable for copyright infringement merely writing some new programs — 100% from scratch — that happened to have the same names and the same command-line options that were found in Unix. That interface, in fact, has been reimplemented at least a hundred times — by many Unix vendors and by various software freedom projects (GNU of course, but also by Conservancy's BusyBox project and others). As developers, we'd be incredulous if told that GNU infringed Unix's original copyrights. But that's exactly the argument that Cisco made about Arista's imitation of Cisco's command-line interface.

I'm not a fan of either Cisco nor Arista; all the software in question is proprietary software. Indeed, GitHub, which is one of our joined amici here, produces much proprietary software around Git, and that's bothers me too. I don't like it when any company writes proprietary software to work along with FLOSS. However, I agree with GitHub and Arista that copyright restrictions should not extend too far; copyright should not stifle simple command-line interoperatiblity. Merely imitating a command-line interface of one program in another should not cause (by itself) a copyright infringement.

Now, the last part to discuss are the questions: What is an affirmative defense, and what is scènes à faire? So, to explain it roughly with as little legalese (IANAL) as possible, an affirmative defense is one that you must prove after you're accused, usually through a trial (which is what occurred here). The burden is on the Defendant to prove that affirmative defense. (By contrast, if Arista had shown that, in fact, their command-line interface bore no similarity to Cisco's, that would have been a “negating defense”. Such defenses are much more assured to win, as they don't place such a burden on the defense.)

So, what, specifically, is the affirmative defense of scènes à faire? It's a concept originally from fictional works that generally expresses this idea: “if you're going to tell this story at all, you need at least these elements”. In this example, the analogy works like this: if your users will give a router textual commands via the command-line, that user will expect certain commands to work. Cisco's commands are industry standard and expected by users, similar to those in Unix. The amicus brief argues that this is a reasonable application of scènes à faire, because there is great benefit to the public and users if such imitation is permitted on command-lines without copyright restriction. Remember, under the USA Constitution, copyright exists as an “exclusive Right to … Writings” only because such exclusive controls “promote the Progress of Science and useful Arts”. Copyright is not an absolute right of control over written works by the authors, and its tentacles must be shortened by the public interest.

Finally, I call on the Linux Foundation to publicly ask their platinum member, Cisco, to stop this aggressive litigation on an edge case of copyright. Such a request would be consistent with the Linux Foundation's public criticism of others for copyright enforcement. This case is one where we all should stand together in the interests of free innovation.

Tags: conservancy, law

Next page (older) » « Previous page (newer)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 [37] 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

Connect with Conservancy on Fediverse, X, Facebook, and YouTube.

Main Page | Contact | Sponsors | Privacy Policy | RSS Feed

Our privacy policy was last updated 22 December 2020.