Displaying posts tagged GPL
Why Your Project Doesn't Need a Contributor Licensing Agreement
byon June 9, 2014
For nearly a decade, a battle has raged between two distinct camps regarding something called Contributor Licensing Agreements (CLAs). In my personal capacity, I've written extensively on the issue. This article below is a summary on the basics of why CLA's aren't necessary, and on Conservancy's typical recommendations to its projects regarding the issue.
In the most general sense, a CLA is a formal legal contract between a contributor to a FLOSS project and the “project” itself0. Ostensibly, this agreement seeks to assure the project, and/or its governing legal entity, has the appropriate permissions to incorporate contributed patches, changes, and/or improvements to the software and then distribute the resulting larger work.
In practice, most CLAs in use today are (at best) overkill for that purpose. CLAs simply shift legal blame for any patent infringement, copyright infringement, or other bad acts from the project (or its legal entity) back onto its contributors. Meanwhile, since vetting every contribution for copyright and/or patent infringement is time-consuming and expensive, no existing organization actually does that work. Thus, no one knows (in the general case) if the contributors' assurances in the CLA are valid. Indeed, since it's so difficult to determine if a given work of software infringes a patent, it's highly likely that any contributor submitting a patent-infringing patch did so inadvertently and without any knowledge that the patent even existed — even regarding patents controlled by their own company1.
The undeniable benefit to CLAs relates to contributions from for-profit companies who likely do hold patents that read on the software. It's useful to receive from such companies (whenever possible) a patent license for any patents exercised in making, using or selling the FLOSS containing that company's contributions. I agree that such an assurance is nice to have, and I might consider supporting CLAs if there was no other cost associated with using them. However, maintenance of CLA-assent records requires massive administrative overhead.
More importantly, CLAs require the first interaction between a FLOSS project and a new contributor to involve a complex legal negotiation and a formal legal agreement. CLAs twist the empowering, community-oriented, enjoyable experience of FLOSS contribution into an annoying exercise in pointless bureaucracy, which (if handled properly) requires a business-like, grating haggle between necessarily adverse parties. And, that's the best possible outcome. Admittedly, few contributors actually bother to negotiate about the CLA. CLAs frankly rely on our “Don't Read & Click ‘Agree’” culture — thereby tricking contributors into bearing legal risk. FLOSS project leaders shouldn't rely on “gotcha” fine print like car salespeople.
Thus, I encourage those considering a CLA to look past the “nice assurances we'd like to have — all things being equal” and focus on the “what legal assurances our FLOSS project actually needs to assure its thrives”. We at Conservancy have spent years doing that analysis; we concluded quite simply: in this regard, all a project and its legal home actually need is a clear statement and/or assent from the contributor that they offer the contribution under the project's known FLOSS license. Long ago, the now famous Open Source lawyer Richard Fontana dubbed this legal policy with the name “inbound=outbound”. It's a powerful concept that shows clearly the redundancy of CLAs.
Most importantly, “inbound=outbound” makes a strong and correct statement about the FLOSS license the project chooses. FLOSS licenses must contain all the legal terms that are necessary for a project to thrive. If the project is unwilling to accept (inbound) contribution of code under the terms of the license it chose, that's a clear indication that the project's (outbound) license has serious deficiencies that require immediate remedy. This is precisely why Conservancy advises2 that our projects select a FLOSS license with a strong patent clause, such as the GPLv3 or the Apache License, Version 2.0. With a license like those, Conservancy believes that CLAs are unnecessary.
Meanwhile, the issue of requesting the contributors' assent to the projects' license is orthogonal to the issue of CLAs. Conservancy does encourage use of clear systems (either formal or informal) for that purpose. One popular option is called the Developer Certificate of Origin (DCO). Originally designed for the Linux project and published by the OSDL under the CC-By-SA license, the DCO is a mechanism to assure contributors have confirmed their right to license their contribution under the project's license. Typically, developers indicate their agreement to the DCO with a specially-formed tag in their DVCS commit log. Conservancy's Evergreen, phpMyAdmin, and Samba projects all use modified versions of the DCO.
Conservancy's Selenium project uses a license assent mechanism somewhat closer to a formal CLA. In this method, the contributors must complete a special online form wherein they formally assent to the license of the project. The project keeps careful records of all assents separately from the code repository itself. This mechanism is a bit heavy-weight, but ultimately simply formally implements the same inbound=outbound concept.
However, most Conservancy projects use the same time-honored and successful mechanism used throughout the 35 year history of the Free Software community. Simply, they publish clearly in their developer documentation and/or other key places (such as mailing list subscription notices) that submissions using the normal means to contribute to the project — such as patches to the mailing list or pull and merge requests — indicate the contributors' assent for inclusion of that software in the canonical version under the project's license.
Ultimately, CLAs are much ado about nothing. Lawyers are trained to zealously represent their clients, and as such they often seek to an outcome that maximizes leverage of clients' legal rights, but they typically ignore the other important benefits that are outside of their profession. The most ardent supporters of CLAs have yet to experience first-hand the arduous daily work required to manage a queue of incoming FLOSS contributions. Those of us who have done the latter easily see that avoiding additional barriers to entry is paramount. While a beautifully crafted CLA — jam-packed with legalese that artfully shifts all the blame off to the contributors — may make some corporate attorneys smile, but I've never seen such bring anything but a frown and a sigh from FLOSS developers.
0Only rarely does an unincorporated, unaffiliated project request CLAs. Typically, CLAs name a corporate entity — a non-profit charity (like Conservancy), a trade association (like OpenStack Foundation), or a for-profit company, as its ultimate beneficiary. On rare occasions, the beneficiary of a CLA is a single individual developer.
1I've yet to meet any FLOSS developer who has read their own employer's entire patent portfolio.
2Conservancy doesn't mandate any specific Open Source and Free Software license for our projects. That's just not our style. Any license that appears as both an Open Source license on the OSI-approved list and as a Free Software license on FSF's license list is good enough for Conservancy.
Conservancy's Coordinated Compliance Efforts
byon May 29, 2012
Conservancy announced today its new coordinated Free Software license compliance effort. As you might guess, in between getting things together for Conservancy conferences, making sure developers get reimbursed on time, and all the other primary work of Conservancy that I'm up to each day, I've been spending what hours that I can coordinating this new effort.
This new program is an outgrowth of the debate that happened over the last few months regarding Conservancy's GPL compliance efforts. Specifically, I noticed that, buried in the FUD over the last four months regarding GPL compliance, there was one key criticism that was valid and couldn't be ignored: Linux copyright holders should be involved in compliance actions on embedded systems. Linux is a central component of such work, and the BusyBox developers agreed wholeheartedly that having some Linux developers involved with compliance would be very helpful. Conservancy has addressed this issue by building a broad coalition of copyright holders in many different projects who seek to work on compliance with Conservancy, including not just Linux and BusyBox, but other projects as well.
I'm looking forward to working collaboratively with copyright holders of many different projects to uphold the rights guaranteed by GPL. I'm also elated at the broad showing of support by other Conservancy projects. In addition to the primary group in the announcement (i.e., copyright holders in BusyBox, Samba and Linux), a total of seven other GPL'd and/or LGPL'd projects have chosen Conservancy to handle compliance efforts. It's clear that Conservancy's compliance efforts are widely supported by many projects.
The funniest part about all this, though, is that while there has been
no end of discussion of Conservancy's and other's compliance efforts
this year, most Free Software users never actually have to deal with
the details of compliance. Requirements of most copyleft licenses like
GPL generally trigger on distribution of the software —
particularly distribution of binaries. Since most users simply receive
distribution of binaries, and run them locally on their own computer,
rarely do they face complex issues of compliance. As the GPLv2
The act of running the Program is not restricted.
Some Thoughts on Conservancy's GPL Enforcement
byon February 1, 2012
As most of those who know me are aware, I've been involved in GPL enforcement for more than 12 years, across three different organizations, the most recent one being here at the Software Freedom Conservancy. Since 2001, I've written dozens of articles, blog posts, and given at least fifty talks and CLE classes about how to do GPL compliance, and how enforcement actions tend to occur.
This weekend at SCALE, I gave a version of a talk I've given many times (also available as an oggcast), which I've usually entitled something like 12 Years of Copyleft Compliance: A Historical Perspective. I decided to retire this talk last weekend at SCALE (in part because it's now coming up on 13 years), but before I put that material aside, I thought I'd write a blog post summarizing the more salient points that I make in that talk.
Indeed, After all these years of speaking about, writing about, and doing GPL enforcement, I'm occasionally surprised at how much confusion still exists about how and why it's done. I've focused solely on doing GPL enforcement via 501(c)(3) not-for-profit entities, which means I do it only in the public good. I hope this blog post will give a sense of how it works and why I do it.
Copyleft Through Copyright
The primary goal of every GPL enforcement action is to gain compliance, which means getting to users complete and corresponding source code so they can copy, share, modify and install improved versions. The GPL itself is a copyright license that does a weird hack on copyright: it uses the copyright rules to turn them around, and require people to share software freely (as in freedom) in exchange for permission to copy, modify and distribute the software. A GPL violation occurs when someone fails to meet the license requirements and thereby infringes copyright. The copyright rules themselves then are the only remedy to enforce the license — requiring that the violator come into compliance with the license if they want permission to continue distribution.
Up until now, almost all the enforcement I've done has been purely under GPL version 2 (GPLv2). GPLv2§4 says that upon violation, the violator loses permission to engage in those activities governed by copyright: including copying, modifying and distributing the software. The only way to get those permissions back is for the copyright holder to grant them back.
Speaking For the Users
Copyleft's unique way of using copyright means the parties who may
enforce are copyright holders (and their designated agents). However,
the victims of the violation are typically thousands of users who have
bought a product that included the GPL'd program. The goal, therefore,
is to get source code that these users can actually use to compile and
install the software. In GPLv2-speak, the goal is to get the all
complete source code, which includes
used to control compilation and installation of the
Releases of complete and corresponding source have been instrumental in inspiring new user-driven software development communities like OpenWRT and SamyGo, both of which built upon source releases that came from prior BusyBox GPL enforcement efforts.
The Standard Requests
The goal of every enforcement action is to yield a license-compliant source release that works for the users. Every enforcement action opens as a conversation, asking the violator to meet a few simple requests so that their permission to engage in copyright-governed activity can be restored, and they can go about their new business as a fine, upstanding, compliant Free Software redistributor. The typical requests are:
- Compliance with all Open Source and Free Software licenses in
I started using this request regularly around 2002 because violators express a concern that, if they come into compliance due to my efforts, what stops others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say:
Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate.
Of course, the detailed license requirements are different for different licenses, so I've had to become an expert on the specific requirements of all FLOSS licenses over the years. For example, for permissive, BSD-like licenses, the only compliance required is typically that copyright notices be displayed appropriately on proprietarized versions. Meanwhile, the LGPL permits some types of proprietary combinations, but not others. GPLv2 and GPLv3, of course, have different requirements when it gets down to some details. The goal is to make sure that whatever each license requires is what's being done for the program under that license.
Meanwhile, particularly with embedded systems, requiring compliance on everything is basically a de-facto necessity anyway. Most embedded firmwares are built with a single build system (or, a set of steps that expect all relevant sources to be present), and as such, asking for the GPLv2-required
scripts used to control compilation and installation of the executablefor one program means asking for them for other programs too, since it's the same scripts.
- Appoint a Compliance Officer.
This is a requirement that actually predates my involvement in enforcement. I believe it was instituted at other organizations back in the 1990s. The goal is simple: have a single point of contact who can be reached regarding any future violations.
The goal, as always, is to help a violator become a productive member of the Free Software business community. Ideally, future violation matters should never be escalated very much: the company should have a person that has some expertise about GPL compliance who can work with anyone who might have concerns about any later product.
- Pay Our Cost of Bringing You Into Compliance.
This was the toughest requirement for me to institute, and I struggled for years about whether it was the right thing to do. I avoided it until someone pointed out to me:
If you're doing GPL enforcement for a non-profit, who should pay the cost of doing enforcement: the folks who send you charitable donations to support your other non-compliance work, or the violators who actually violated the license? Indeed, those who donate probably always comply with GPL themselves, so if violators aren't charged the cost of enforcement, compliant people end up subsidizing violations with their donations.
Ultimately, that was a compelling enough argument for me, but there's one other argument: there must be a deterrent. If the cost of violating the GPL is: “you must merely come into compliance when you're caught violating”, then very few companies would comply voluntarily. How many people would always violate the automobile speed limits if, when the driver is pulled over for speeding, all that ever happened was a stern warning?
A few sometimes ask:
well, where does the money go?. This question is why I think it's essential for GPL enforcement to be done by a 501(c)(3) not-for-profit entity like Conservancy. As I wrote in my previous Conservancy blog post, Conservancy's financial documents are publicly disclosed. So, you want to know the details of the enforcement money from FY 2010? Download Conservancy's FY 2010 Form 990, and take a look at Line 4(c) on page 2, Line 2(b) on page 9, and Line 11(b) on page 10. It's as simple as that.
Conservancy's Enforcement Plans
Of course, I encourage everyone to read the rest of the Form 990 too, and note in particular that GPL enforcement is only third on the list of major activities at Conservancy. I've no interest in making license enforcement the primary activity of Conservancy — indeed, it's but one item on Conservancy's extensive list of services, and Conservancy has 27 (and growing) projects to care for. Many of those projects are GPL'd and LGPL'd, and many of them want Conservancy to handle their enforcement, but that work is always balanced with all the other work going on at this thinly staffed organization.
I strongly expect that Free Software license compliance and enforcement
will always be a part of my work. I once heard Larry Wall, founder of
Perl, say (when I was still merely a
Computer Science graduate student):
You can never entirely stop being
what you once were. That's why it's important to be the right person
today, and not put it off till tomorrow. Ever since I heard him say
that, I've held it as a fundamental tenet of what I do in the Free
Software community. I believe GPL enforcement is right and necessary
for the advancement of software freedom. So, I'm glad for the
enforcement I've done, and I'm glad to continue doing GPL enforcement
for as long as projects come to me and ask me to take care of it for
them. Like everything else at Conservancy: I'm glad to do the boring
work so Free Software developers can focus on writing code. GPL
enforcement surely qualifies there.
I admit, though, that I do find litigation particularly annoying, time-consuming, and litigation also makes GPL compliance take longer than it should. That's why litigation has always been a last resort, and that 99.999% of GPL enforcement matters get resolved without a lawsuit. Lawsuits are only an option, in my view, when a violation is egregious, and multiple attempts to begin a friendly conversation with the violator are consistently ignored. Every lawsuit I've been involved with met these criteria. I hope no violation matters ever meet them again, but that depends on how well the violators respond when someone asks them for the complete and corresponding source code for the GPL'd and LGPL'd components in the product.
I hope that someday, everyone just complies voluntarily with the GPL, so I can go do other things — I used to be a software developer, once upon a time, and I'd love to do that again. But, in the meantime, I'm here to enforce the GPL, to defend software freedom.