Some Thoughts on Conservancy's GPL Enforcement
byon February 1, 2012
As most of those who know me are aware, I've been involved in GPL enforcement for more than 12 years, across three different organizations, the most recent one being here at the Software Freedom Conservancy. Since 2001, I've written dozens of articles, blog posts, and given at least fifty talks and CLE classes about how to do GPL compliance, and how enforcement actions tend to occur.
This weekend at SCALE, I gave a version of a talk I've given many times (also available as an oggcast), which I've usually entitled something like 12 Years of Copyleft Compliance: A Historical Perspective. I decided to retire this talk last weekend at SCALE (in part because it's now coming up on 13 years), but before I put that material aside, I thought I'd write a blog post summarizing the more salient points that I make in that talk.
Indeed, After all these years of speaking about, writing about, and doing GPL enforcement, I'm occasionally surprised at how much confusion still exists about how and why it's done. I've focused solely on doing GPL enforcement via 501(c)(3) not-for-profit entities, which means I do it only in the public good. I hope this blog post will give a sense of how it works and why I do it.
Copyleft Through Copyright
The primary goal of every GPL enforcement action is to gain compliance, which means getting to users complete and corresponding source code so they can copy, share, modify and install improved versions. The GPL itself is a copyright license that does a weird hack on copyright: it uses the copyright rules to turn them around, and require people to share software freely (as in freedom) in exchange for permission to copy, modify and distribute the software. A GPL violation occurs when someone fails to meet the license requirements and thereby infringes copyright. The copyright rules themselves then are the only remedy to enforce the license — requiring that the violator come into compliance with the license if they want permission to continue distribution.
Up until now, almost all the enforcement I've done has been purely under GPL version 2 (GPLv2). GPLv2§4 says that upon violation, the violator loses permission to engage in those activities governed by copyright: including copying, modifying and distributing the software. The only way to get those permissions back is for the copyright holder to grant them back.
Speaking For the Users
Copyleft's unique way of using copyright means the parties who may
enforce are copyright holders (and their designated agents). However,
the victims of the violation are typically thousands of users who have
bought a product that included the GPL'd program. The goal, therefore,
is to get source code that these users can actually use to compile and
install the software. In GPLv2-speak, the goal is to get the all
complete source code, which includes
used to control compilation and installation of the
Releases of complete and corresponding source have been instrumental in inspiring new user-driven software development communities like OpenWRT and SamyGo, both of which built upon source releases that came from prior BusyBox GPL enforcement efforts.
The Standard Requests
The goal of every enforcement action is to yield a license-compliant source release that works for the users. Every enforcement action opens as a conversation, asking the violator to meet a few simple requests so that their permission to engage in copyright-governed activity can be restored, and they can go about their new business as a fine, upstanding, compliant Free Software redistributor. The typical requests are:
- Compliance with all Open Source and Free Software licenses in
I started using this request regularly around 2002 because violators express a concern that, if they come into compliance due to my efforts, what stops others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say:
Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate.
Of course, the detailed license requirements are different for different licenses, so I've had to become an expert on the specific requirements of all FLOSS licenses over the years. For example, for permissive, BSD-like licenses, the only compliance required is typically that copyright notices be displayed appropriately on proprietarized versions. Meanwhile, the LGPL permits some types of proprietary combinations, but not others. GPLv2 and GPLv3, of course, have different requirements when it gets down to some details. The goal is to make sure that whatever each license requires is what's being done for the program under that license.
Meanwhile, particularly with embedded systems, requiring compliance on everything is basically a de-facto necessity anyway. Most embedded firmwares are built with a single build system (or, a set of steps that expect all relevant sources to be present), and as such, asking for the GPLv2-required
scripts used to control compilation and installation of the executablefor one program means asking for them for other programs too, since it's the same scripts.
- Appoint a Compliance Officer.
This is a requirement that actually predates my involvement in enforcement. I believe it was instituted at other organizations back in the 1990s. The goal is simple: have a single point of contact who can be reached regarding any future violations.
The goal, as always, is to help a violator become a productive member of the Free Software business community. Ideally, future violation matters should never be escalated very much: the company should have a person that has some expertise about GPL compliance who can work with anyone who might have concerns about any later product.
- Pay Our Cost of Bringing You Into Compliance.
This was the toughest requirement for me to institute, and I struggled for years about whether it was the right thing to do. I avoided it until someone pointed out to me:
If you're doing GPL enforcement for a non-profit, who should pay the cost of doing enforcement: the folks who send you charitable donations to support your other non-compliance work, or the violators who actually violated the license? Indeed, those who donate probably always comply with GPL themselves, so if violators aren't charged the cost of enforcement, compliant people end up subsidizing violations with their donations.
Ultimately, that was a compelling enough argument for me, but there's one other argument: there must be a deterrent. If the cost of violating the GPL is: “you must merely come into compliance when you're caught violating”, then very few companies would comply voluntarily. How many people would always violate the automobile speed limits if, when the driver is pulled over for speeding, all that ever happened was a stern warning?
A few sometimes ask:
well, where does the money go?. This question is why I think it's essential for GPL enforcement to be done by a 501(c)(3) not-for-profit entity like Conservancy. As I wrote in my previous Conservancy blog post, Conservancy's financial documents are publicly disclosed. So, you want to know the details of the enforcement money from FY 2010? Download Conservancy's FY 2010 Form 990, and take a look at Line 4(c) on page 2, Line 2(b) on page 9, and Line 11(b) on page 10. It's as simple as that.
Conservancy's Enforcement Plans
Of course, I encourage everyone to read the rest of the Form 990 too, and note in particular that GPL enforcement is only third on the list of major activities at Conservancy. I've no interest in making license enforcement the primary activity of Conservancy — indeed, it's but one item on Conservancy's extensive list of services, and Conservancy has 27 (and growing) projects to care for. Many of those projects are GPL'd and LGPL'd, and many of them want Conservancy to handle their enforcement, but that work is always balanced with all the other work going on at this thinly staffed organization.
I strongly expect that Free Software license compliance and enforcement
will always be a part of my work. I once heard Larry Wall, founder of
Perl, say (when I was still merely a
Computer Science graduate student):
You can never entirely stop being
what you once were. That's why it's important to be the right person
today, and not put it off till tomorrow. Ever since I heard him say
that, I've held it as a fundamental tenet of what I do in the Free
Software community. I believe GPL enforcement is right and necessary
for the advancement of software freedom. So, I'm glad for the
enforcement I've done, and I'm glad to continue doing GPL enforcement
for as long as projects come to me and ask me to take care of it for
them. Like everything else at Conservancy: I'm glad to do the boring
work so Free Software developers can focus on writing code. GPL
enforcement surely qualifies there.
I admit, though, that I do find litigation particularly annoying, time-consuming, and litigation also makes GPL compliance take longer than it should. That's why litigation has always been a last resort, and that 99.999% of GPL enforcement matters get resolved without a lawsuit. Lawsuits are only an option, in my view, when a violation is egregious, and multiple attempts to begin a friendly conversation with the violator are consistently ignored. Every lawsuit I've been involved with met these criteria. I hope no violation matters ever meet them again, but that depends on how well the violators respond when someone asks them for the complete and corresponding source code for the GPL'd and LGPL'd components in the product.
I hope that someday, everyone just complies voluntarily with the GPL, so I can go do other things — I used to be a software developer, once upon a time, and I'd love to do that again. But, in the meantime, I'm here to enforce the GPL, to defend software freedom.
It May Be Boring, But Worth Reading Anyway
byon January 16, 2012
For the last few months, I've had the same primary action item on my agenda every single day: finish Conservancy's FY 2010 audit and Form 990. Those who exchange email with me regularly have probably noticed a slowly increasing lag because of this. Fortunately, as for this past Saturday, this work is finally done. Conservancy has publicly posted our FY 2010 Form 990, FY 2010 Independent Auditor's report and our FY 2010 NYS CHAR-500. I know these documents might seem as boring as reading your own tax filings, but I hope in this blog post to convince you that Form 990s are worth reading, by drawing attention to the interesting parts of Conservancy's filings.
What's a Fiscal Year (FY)?
When I first started working in non-profit management years ago, it took me a while to get used to the idea of a fiscal year (often abbreviated FY). The concept, however, is relatively simple. Conservancy was founded in March 2006. As such, Conservancy's first year of operation ended on 28 February 2007, and every year thereafter, Conservancy completes another year of operation on the last day of February.
Therefore, when you take a look at Conservancy's 2010 Form 990, you'll find that the period described is 1 March 2010 until 28 February 2011. So, when you analyze the documents, you have to put your mindset into that period.
What's a Form 990, and Why Is It Public?
I often point out that 501(c)(3) non-profit charities are a form of a government grant. Think of it this way: 501(c)(3)'s not only pay no taxes on any of their income, but also, donors who give to a 501(c)(3) don't (usually) have to pay taxes on the money they give. The USA government (and by extension, the public), in essence, is subsidizing these organizations in two different ways: the government collects no tax money from these organizations, and the donors don't pay any taxes on their donations.
The government permits this because organizations like Conservancy must meet a high burden: they must advance the public good through pursuit of their mission. Conservancy does this by facilitating, fostering, promoting, developing, and defending Free, Libre and Open Source Software (FLOSS) for the general public.
To make sure organizations carry out their mission for the public good, and to allow the public itself to verify this occurs, the USA Internal Revenue Service (IRS) requires that, each year, every 501(c)(3) organization file the Form 990, which outlines all the funds received and spent by the organization, and how the organization used those funds to promote its mission. My hope is that if you read the rest of this blog post alongside Conservancy's Form 990 and Auditor's Report, you might be able to better use it as a tool to figure out what Conservancy was up to between the dates of 1 March 2010 and 28 February 2011.
Quick View of Mission, Revenue and Expenses
The first page of the Form 990 has a brief statement of the mission of the organization, and presents the fiscal overview. The most interesting lines related to income are lines 8 and 9, which contain the total contributions, and total service revenue. For a 501(c)(3), “contributions” are gifts and donations given to the organization by donors. That's the type of income with which those who give to non-profits are most familiar.
Program service revenue, which is also sometimes called “related business income”, refers to income that an organization receives while pursuing its mission. Conservancy's most common program service revenue is registration fees for conferences. Those who attend the conference get something in return (e.g., getting to see the talks live), but these conferences are still within Conservancy's mission (e.g., educating the public about Open Source and Free Software). Thus, the IRS considers the income related to Conservancy's mission.
The interesting lines on expenses are probably lines 15 and 17. Line 15 is salaries, which I'll talk about later, and line 17 is all the other expenses. The best places to get more information on what goes into this line is to jump to Part IX of the Form 990 (page 10), or to look at Page 5 (PDF page 6) of the Independent Auditor's Report.
Expenses By Mission Work
On Page 2 of the Form 990, you'll find Part III. This is perhaps the most interesting part. Specifically, it matches up specific expense totals with parts of Conservancy's mission. Included are texts describing the work that was done with those funds. I think this page is particular interesting, because it provides an easy overview of specific mission work and how much the organization spent on that specific work. In other words, it's a cross-section of the expenses totaled against specific mission work, rather than types of expenses (the latter of which is the default elsewhere on the Form 99).
The Public Support Test
In Schedule A, Part II of the Form 990 (PDF page 14), you'll find the public support test. Since this is Conservancy's fifth year of operation, for the first time, Conservancy must take a public support test. There are various ways of calculating the public support test. Conservancy used the 33⅓% test, which requires that at least 33⅓% of the organization's support come from the public. Conservancy's public support percentage is 45.3%.
Earmarked Funds Summary
I've focused here mostly on the Form 990. However, it's worth noting that FY 2010 was the first year in which Conservancy was required to have an independent audit. This is a New York State Requirement (you can see the detail of this requirements on page 4 of the CHAR-500), but even when it's not mandated, it's good for non-profits to have an independent audit anyway. Despite the amazing amount of work our first audit took (it'll get easier in future years, fortunately, now that Conservancy is used to it), I'm very glad that NYS required us to do it, as there's always the temptation to avoid something that's difficult and not mandatory.
Anyway, the most interesting page of the audit's report, in my view, is page 6 (PDF page 7), which shows the exact totals of all earmarked project funds in Conservancy. Individual Conservancy member projects will probably like to be able to see a third-party confirmation on the amount that was given, spent, and remains for their projects.
Yes, You Can See How Much I'm Paid
Part of public filings include the salaries paid to officers, directors, and key employees of the organization. Part VII of the Form 990 (Page 7) has these details. As you can see, I was the only person that Conservancy paid in FY 2010. When you look at the numbers in this section, note that my role changed over the course of the fiscal year: From 2010-03-01 through 2010-09-30, I was a nights/weekends part-time volunteer. From 2010-10-01 to 2010-12-31, I was a full-time volunteer. For the last two months of the fiscal year, from 2011-01-01 until 2011-02-28, I was a full-time employee.
Feel Free to Ask Me Questions
I've started a thread on identi.ca to discuss Conservancy's Form 990. Feel free to ask me any questions that you have there.
What's a Free Software Non-Profit For?
byon November 28, 2011
Much was written last week that speculated about the role of foundations and the always-changing ways that developers write Free Software. I must respectfully point out that I believe this discussion doesn't address the key purpose of doing Free Software work as part of a non-profit organization.
Conservancy always avoids making any technical recommendations. Indeed, Conservancy counts among its members Darcs, Git and Mercurial, all of whom likely disagree on the preferred distributed version control system. Conservancy, for its part, doesn't have a recommended version control system, nor a recommended hosting site, nor anything else like that. I even grit my teeth and just live with it when Conservancy's member projects choose Github over Gitorious (since the latter is Free Software itself and the former is not — an issue that concerns me deeply).
In short, Conservancy's job isn't to tell projects how to do what they do best: write and develop Free Software. Of course, our members must license their software under a license that's both FSF- and OSI-approved, and all official project activities (including development) must fit Conservancy's not-for-profit mission. But beyond oversight on that issue, Conservancy doesn't interfere with the development of our projects' software.
Instead, Conservancy handles all the aspects of running a non-profit software project that don't involve actually developing software. Conservancy's service plan includes many things, from handling donations, reimbursing developers for conference travel, to holding domain names, copyrights, and trademarks, to enforcing those copyrights and trademarks, to basic legal services. These items are the role for the non-profit organization in the life of a Free Software project. Conservancy's goal is to ensure that the software project continues to improve and benefit the public good, and to handle all the mundane aspects of non-profit activity.
Nevertheless, Conservancy's way of operating doesn't fit every project's culture. In the past, I've even recommended to Conservancy applicants that Apache Software Foundation, Free Software Foundation or Software in the Public Interest was a better home for their project, merely because the project seemed to have a culture that fit better with those organizations.
Upon finding the right cultural fit, a non-profit home can promote the
advancement of a Free Software project in ways the project can't do
merely as a band of part-time volunteer developers. By contrast to
those who are asking whether these non-profits
still make sense,
I argue that more than ever, developers need as much time as they
can spare to keep up with the rapid changes in technology and community
development methodologies. A non-profit home can take care of the
other, non-software-development tasks, leaving the projects' volunteers
to focus on what they do best.
As for adherence to the rules, while Conservancy is liberal on rules related to development methodologies, we remain somewhat conservative on the areas of the organization's expertise. Namely, Conservancy carefully oversees the financial spending and asset management of Conservancy's projects to ensure they continue to operate in a not-for-profit way to advance the public good. This is the most important standing agenda item on my daily schedule, and I believe that's the center of my job in providing services to our member projects. While I once was a software developer (and I sometimes can't resist giving my technical opinion to one of Conservancy's member projects), I constantly focus my role on the stuff that developers hate doing, so that they keep doing the work the love that helps the whole community.
Conservancy Activity Summary, October-December 2010
byon January 2, 2011
I had hoped to blog more regularly about my work at Conservancy, and hopefully I'll do better in the coming year. But now seems a good time to summarize what has happened with Conservancy since I started my full-time volunteer stint as Executive Director from 2010-10-01 until 2010-12-31.
We excitedly announced in the last few months two new Conservancy member projects, PyPy and Git. Thinking of PyPy connects me back to my roots in Computer Science: in graduate school, I focused on research about programming language infrastructure and, in particular, virtual machines and language runtimes. PyPy is a project that connects Conservancy to lots of exciting programming language research work of that nature, and I'm glad they've joined.
For its part, Git rounds out a group of three DVCS projects that are now Conservancy members; Conservancy is now the home of Darcs, Git, and Mercurial. Amusingly, when I reminded the Git developers when they applied that their “competition” were members, the Git developers told me that they were inspired to apply because these other DVCS' had been happy in Conservancy. That's a reminder that the software freedom community remains a place where projects — even that might seem on the surface as competitors — seek to get along and work together whenever possible. I'm glad Conservancy now hosts all these projects together.
Meanwhile, I remain in active discussions with five projects that have been offered membership in Conservancy. As I always tell new projects, joining Conservancy is a big step for a project, so it often takes time for communities to discuss the details of Conservancy's Fiscal Sponsorship Agreement. It may be some time before these five projects join, and perhaps they'll ultimately decide not to join. However, I'll continue to help them make the right decision for their project, even if joining a different fiscal sponsor (or not joining one at all) is the ultimately right choice.
Also, about once every two weeks, another inquiry about joining Conservancy comes in. We won't be able to accept all the projects that are interested, but hopefully many can become members of Conservancy.
In the late fall, I finished up Conservancy's 2010 filings. Annual filings for a non-profit can be an administrative rat-hole at times, but the level of transparency they create for an organization makes them worth it. Conservancy's FY 2009 Federal Form 990 and FY 2009 New York CHAR-500 are up on Conservancy's filing page. I always make the filings available on our own website; I wish other non-profits would do this. It's so annoying to have to go to a third-party source to grab these documents. (Although New York State, to its credit, makes all the NY NPO filings available on its website.)
Conservancy filed a Form 990-EZ in FY 2009. If you take a look, I'd encourage you to direct the most attention to Part III (which is on the top of page 2) to see most of Conservancy's program activities between 2008-03-01 to 2009-02-28.
In FY 2010, Conservancy will move from the New York State requirement of “limited financial review” to “full audit“ (see page 4 of the CHAR-500 for the level requirements). Conservancy had so little funds in FY 2007 that it wasn't required to file a Form 990 at all. Now, just three years later, there is enough revenue to warrant a full audit. However, I've already begun preparing myself for all the administrative work that will entail.
Project Growth and Funding
Those increases in revenue are related to growth in many of Conservancy's projects. 2010 marked the beginning of the first full-time funding of a developer by Conservancy. Specifically, since June, Matt Mackall has been funded through directed donations to Conservancy to work full-time on Mercurial. Matt blogs once a month (under topic of Mercurial Fellowship Update) about his work, but, more directly, the hundreds of changesets that Matt's committed really show the advantages of funding projects through Conservancy.
Conservancy is also collecting donations and managing funding for various part-time development initiatives by many developers. Developers of jQuery, Sugar Labs, and Twisted have all recently received regular development funding through Conservancy. An important part of my job is making sure these developers receive funding and report the work clearly and fully to the community of donors (and the general public) that fund this work.
But, as usual with Conservancy, it's handling of the “many little things” for projects that make a big difference and sometimes takes the most time. In late 2010, Conservancy handled funding for Code Sprints and conferences for the Mercurial, Darcs, and jQuery. In addition, jQuery held a conference in Boston in October, for which Conservancy handled all the financial details. I was fortunate to be able to attend the conference and meet many of the jQuery developers in person for the first time. Wine also held their annual conference in November 2010, and Conservancy handled the venue details and reimbursements to many of travelers to the conference.
Also, as always, Conservancy project contributors regularly attend other conferences related to their projects. At least a few times a month, Conservancy reimburses developers for travel to speak and attend important conferences related to their projects.
Google Summer of Code
Since its inception, Google's Summer of Code (SoC) program has been one of the most important philanthropy programs for Open Source and Free Software projects. In 2010, eight Conservancy projects (and 5% of the entire SoC program) participated in SoC. The SoC program funds college students for the summer to contribute to the projects, and an experienced contributor to project mentors each student. A $500 stipend is paid to the non-profit organization of the project for each project contributor who mentors a student.
Furthermore, there's an annual conference, in October, of all the mentors, with travel funded by Google. This is a really valuable conference, since it's one of the few places where very disparate Free Software projects that usually wouldn't interact can meet up in one place. I attended this year's Soc Mentor Summit and hope to attend again next year.
I'm really going to be urging all Conservancy's projects to take advantage of the SoC program in 2011. The level of funding given out by Google for this program is higher than any other open-application funding program for FLOSS. While Google's selfish motives are clear (the program presumably helps them recruit young programmers to hire), the benefit to Free Software community of the program can nevertheless not be ignored.
GPL Enforcement, primarily for our BusyBox member project, remains an active focus of Conservancy. Work regarding the lawsuit continues. It's been more than a year since Conservancy filed a lawsuit against fourteen defendants who manufacture embedded devices that included BusyBox without source nor an offer for source. Some of those have come into compliance with the GPL and settled, but a number remain and are out of compliance; our litigation efforts continue. Usually, our lawyers encourage us not to comment on ongoing litigation, but we did put up a news item in August when the Court granted Conservancy a default judgment against one of the defendants, Westinghouse.
Meanwhile, in the coming year, Conservancy hopes to expand efforts to enforce the GPL. New violation reports on BusyBox arrive almost daily that need attention.
More Frequent Blogging
As noted at the start of this post, my hope is to update Conservancy's blog more regularly with information about our activities.