Displaying posts by Bradley M. Kuhn
Conservancy's Coordinated Compliance Efforts
byon May 29, 2012
Conservancy announced today its new coordinated Free Software license compliance effort. As you might guess, in between getting things together for Conservancy conferences, making sure developers get reimbursed on time, and all the other primary work of Conservancy that I'm up to each day, I've been spending what hours that I can coordinating this new effort.
This new program is an outgrowth of the debate that happened over the last few months regarding Conservancy's GPL compliance efforts. Specifically, I noticed that, buried in the FUD over the last four months regarding GPL compliance, there was one key criticism that was valid and couldn't be ignored: Linux copyright holders should be involved in compliance actions on embedded systems. Linux is a central component of such work, and the BusyBox developers agreed wholeheartedly that having some Linux developers involved with compliance would be very helpful. Conservancy has addressed this issue by building a broad coalition of copyright holders in many different projects who seek to work on compliance with Conservancy, including not just Linux and BusyBox, but other projects as well.
I'm looking forward to working collaboratively with copyright holders of many different projects to uphold the rights guaranteed by GPL. I'm also elated at the broad showing of support by other Conservancy projects. In addition to the primary group in the announcement (i.e., copyright holders in BusyBox, Samba and Linux), a total of seven other GPL'd and/or LGPL'd projects have chosen Conservancy to handle compliance efforts. It's clear that Conservancy's compliance efforts are widely supported by many projects.
The funniest part about all this, though, is that while there has been
no end of discussion of Conservancy's and other's compliance efforts
this year, most Free Software users never actually have to deal with
the details of compliance. Requirements of most copyleft licenses like
GPL generally trigger on distribution of the software —
particularly distribution of binaries. Since most users simply receive
distribution of binaries, and run them locally on their own computer,
rarely do they face complex issues of compliance. As the GPLv2
The act of running the Program is not restricted.
Some Thoughts on Conservancy's GPL Enforcement
byon February 1, 2012
As most of those who know me are aware, I've been involved in GPL enforcement for more than 12 years, across three different organizations, the most recent one being here at the Software Freedom Conservancy. Since 2001, I've written dozens of articles, blog posts, and given at least fifty talks and CLE classes about how to do GPL compliance, and how enforcement actions tend to occur.
This weekend at SCALE, I gave a version of a talk I've given many times (also available as an oggcast), which I've usually entitled something like 12 Years of Copyleft Compliance: A Historical Perspective. I decided to retire this talk last weekend at SCALE (in part because it's now coming up on 13 years), but before I put that material aside, I thought I'd write a blog post summarizing the more salient points that I make in that talk.
Indeed, After all these years of speaking about, writing about, and doing GPL enforcement, I'm occasionally surprised at how much confusion still exists about how and why it's done. I've focused solely on doing GPL enforcement via 501(c)(3) not-for-profit entities, which means I do it only in the public good. I hope this blog post will give a sense of how it works and why I do it.
Copyleft Through Copyright
The primary goal of every GPL enforcement action is to gain compliance, which means getting to users complete and corresponding source code so they can copy, share, modify and install improved versions. The GPL itself is a copyright license that does a weird hack on copyright: it uses the copyright rules to turn them around, and require people to share software freely (as in freedom) in exchange for permission to copy, modify and distribute the software. A GPL violation occurs when someone fails to meet the license requirements and thereby infringes copyright. The copyright rules themselves then are the only remedy to enforce the license — requiring that the violator come into compliance with the license if they want permission to continue distribution.
Up until now, almost all the enforcement I've done has been purely under GPL version 2 (GPLv2). GPLv2§4 says that upon violation, the violator loses permission to engage in those activities governed by copyright: including copying, modifying and distributing the software. The only way to get those permissions back is for the copyright holder to grant them back.
Speaking For the Users
Copyleft's unique way of using copyright means the parties who may
enforce are copyright holders (and their designated agents). However,
the victims of the violation are typically thousands of users who have
bought a product that included the GPL'd program. The goal, therefore,
is to get source code that these users can actually use to compile and
install the software. In GPLv2-speak, the goal is to get the all
complete source code, which includes
used to control compilation and installation of the
Releases of complete and corresponding source have been instrumental in inspiring new user-driven software development communities like OpenWRT and SamyGo, both of which built upon source releases that came from prior BusyBox GPL enforcement efforts.
The Standard Requests
The goal of every enforcement action is to yield a license-compliant source release that works for the users. Every enforcement action opens as a conversation, asking the violator to meet a few simple requests so that their permission to engage in copyright-governed activity can be restored, and they can go about their new business as a fine, upstanding, compliant Free Software redistributor. The typical requests are:
- Compliance with all Open Source and Free Software licenses in
I started using this request regularly around 2002 because violators express a concern that, if they come into compliance due to my efforts, what stops others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say:
Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate.
Of course, the detailed license requirements are different for different licenses, so I've had to become an expert on the specific requirements of all FLOSS licenses over the years. For example, for permissive, BSD-like licenses, the only compliance required is typically that copyright notices be displayed appropriately on proprietarized versions. Meanwhile, the LGPL permits some types of proprietary combinations, but not others. GPLv2 and GPLv3, of course, have different requirements when it gets down to some details. The goal is to make sure that whatever each license requires is what's being done for the program under that license.
Meanwhile, particularly with embedded systems, requiring compliance on everything is basically a de-facto necessity anyway. Most embedded firmwares are built with a single build system (or, a set of steps that expect all relevant sources to be present), and as such, asking for the GPLv2-required
scripts used to control compilation and installation of the executablefor one program means asking for them for other programs too, since it's the same scripts.
- Appoint a Compliance Officer.
This is a requirement that actually predates my involvement in enforcement. I believe it was instituted at other organizations back in the 1990s. The goal is simple: have a single point of contact who can be reached regarding any future violations.
The goal, as always, is to help a violator become a productive member of the Free Software business community. Ideally, future violation matters should never be escalated very much: the company should have a person that has some expertise about GPL compliance who can work with anyone who might have concerns about any later product.
- Pay Our Cost of Bringing You Into Compliance.
This was the toughest requirement for me to institute, and I struggled for years about whether it was the right thing to do. I avoided it until someone pointed out to me:
If you're doing GPL enforcement for a non-profit, who should pay the cost of doing enforcement: the folks who send you charitable donations to support your other non-compliance work, or the violators who actually violated the license? Indeed, those who donate probably always comply with GPL themselves, so if violators aren't charged the cost of enforcement, compliant people end up subsidizing violations with their donations.
Ultimately, that was a compelling enough argument for me, but there's one other argument: there must be a deterrent. If the cost of violating the GPL is: “you must merely come into compliance when you're caught violating”, then very few companies would comply voluntarily. How many people would always violate the automobile speed limits if, when the driver is pulled over for speeding, all that ever happened was a stern warning?
A few sometimes ask:
well, where does the money go?. This question is why I think it's essential for GPL enforcement to be done by a 501(c)(3) not-for-profit entity like Conservancy. As I wrote in my previous Conservancy blog post, Conservancy's financial documents are publicly disclosed. So, you want to know the details of the enforcement money from FY 2010? Download Conservancy's FY 2010 Form 990, and take a look at Line 4(c) on page 2, Line 2(b) on page 9, and Line 11(b) on page 10. It's as simple as that.
Conservancy's Enforcement Plans
Of course, I encourage everyone to read the rest of the Form 990 too, and note in particular that GPL enforcement is only third on the list of major activities at Conservancy. I've no interest in making license enforcement the primary activity of Conservancy — indeed, it's but one item on Conservancy's extensive list of services, and Conservancy has 27 (and growing) projects to care for. Many of those projects are GPL'd and LGPL'd, and many of them want Conservancy to handle their enforcement, but that work is always balanced with all the other work going on at this thinly staffed organization.
I strongly expect that Free Software license compliance and enforcement
will always be a part of my work. I once heard Larry Wall, founder of
Perl, say (when I was still merely a
Computer Science graduate student):
You can never entirely stop being
what you once were. That's why it's important to be the right person
today, and not put it off till tomorrow. Ever since I heard him say
that, I've held it as a fundamental tenet of what I do in the Free
Software community. I believe GPL enforcement is right and necessary
for the advancement of software freedom. So, I'm glad for the
enforcement I've done, and I'm glad to continue doing GPL enforcement
for as long as projects come to me and ask me to take care of it for
them. Like everything else at Conservancy: I'm glad to do the boring
work so Free Software developers can focus on writing code. GPL
enforcement surely qualifies there.
I admit, though, that I do find litigation particularly annoying, time-consuming, and litigation also makes GPL compliance take longer than it should. That's why litigation has always been a last resort, and that 99.999% of GPL enforcement matters get resolved without a lawsuit. Lawsuits are only an option, in my view, when a violation is egregious, and multiple attempts to begin a friendly conversation with the violator are consistently ignored. Every lawsuit I've been involved with met these criteria. I hope no violation matters ever meet them again, but that depends on how well the violators respond when someone asks them for the complete and corresponding source code for the GPL'd and LGPL'd components in the product.
I hope that someday, everyone just complies voluntarily with the GPL, so I can go do other things — I used to be a software developer, once upon a time, and I'd love to do that again. But, in the meantime, I'm here to enforce the GPL, to defend software freedom.
It May Be Boring, But Worth Reading Anyway
byon January 16, 2012
For the last few months, I've had the same primary action item on my agenda every single day: finish Conservancy's FY 2010 audit and Form 990. Those who exchange email with me regularly have probably noticed a slowly increasing lag because of this. Fortunately, as for this past Saturday, this work is finally done. Conservancy has publicly posted our FY 2010 Form 990, FY 2010 Independent Auditor's report and our FY 2010 NYS CHAR-500. I know these documents might seem as boring as reading your own tax filings, but I hope in this blog post to convince you that Form 990s are worth reading, by drawing attention to the interesting parts of Conservancy's filings.
What's a Fiscal Year (FY)?
When I first started working in non-profit management years ago, it took me a while to get used to the idea of a fiscal year (often abbreviated FY). The concept, however, is relatively simple. Conservancy was founded in March 2006. As such, Conservancy's first year of operation ended on 28 February 2007, and every year thereafter, Conservancy completes another year of operation on the last day of February.
Therefore, when you take a look at Conservancy's 2010 Form 990, you'll find that the period described is 1 March 2010 until 28 February 2011. So, when you analyze the documents, you have to put your mindset into that period.
What's a Form 990, and Why Is It Public?
I often point out that 501(c)(3) non-profit charities are a form of a government grant. Think of it this way: 501(c)(3)'s not only pay no taxes on any of their income, but also, donors who give to a 501(c)(3) don't (usually) have to pay taxes on the money they give. The USA government (and by extension, the public), in essence, is subsidizing these organizations in two different ways: the government collects no tax money from these organizations, and the donors don't pay any taxes on their donations.
The government permits this because organizations like Conservancy must meet a high burden: they must advance the public good through pursuit of their mission. Conservancy does this by facilitating, fostering, promoting, developing, and defending Free, Libre and Open Source Software (FLOSS) for the general public.
To make sure organizations carry out their mission for the public good, and to allow the public itself to verify this occurs, the USA Internal Revenue Service (IRS) requires that, each year, every 501(c)(3) organization file the Form 990, which outlines all the funds received and spent by the organization, and how the organization used those funds to promote its mission. My hope is that if you read the rest of this blog post alongside Conservancy's Form 990 and Auditor's Report, you might be able to better use it as a tool to figure out what Conservancy was up to between the dates of 1 March 2010 and 28 February 2011.
Quick View of Mission, Revenue and Expenses
The first page of the Form 990 has a brief statement of the mission of the organization, and presents the fiscal overview. The most interesting lines related to income are lines 8 and 9, which contain the total contributions, and total service revenue. For a 501(c)(3), “contributions” are gifts and donations given to the organization by donors. That's the type of income with which those who give to non-profits are most familiar.
Program service revenue, which is also sometimes called “related business income”, refers to income that an organization receives while pursuing its mission. Conservancy's most common program service revenue is registration fees for conferences. Those who attend the conference get something in return (e.g., getting to see the talks live), but these conferences are still within Conservancy's mission (e.g., educating the public about Open Source and Free Software). Thus, the IRS considers the income related to Conservancy's mission.
The interesting lines on expenses are probably lines 15 and 17. Line 15 is salaries, which I'll talk about later, and line 17 is all the other expenses. The best places to get more information on what goes into this line is to jump to Part IX of the Form 990 (page 10), or to look at Page 5 (PDF page 6) of the Independent Auditor's Report.
Expenses By Mission Work
On Page 2 of the Form 990, you'll find Part III. This is perhaps the most interesting part. Specifically, it matches up specific expense totals with parts of Conservancy's mission. Included are texts describing the work that was done with those funds. I think this page is particular interesting, because it provides an easy overview of specific mission work and how much the organization spent on that specific work. In other words, it's a cross-section of the expenses totaled against specific mission work, rather than types of expenses (the latter of which is the default elsewhere on the Form 99).
The Public Support Test
In Schedule A, Part II of the Form 990 (PDF page 14), you'll find the public support test. Since this is Conservancy's fifth year of operation, for the first time, Conservancy must take a public support test. There are various ways of calculating the public support test. Conservancy used the 33⅓% test, which requires that at least 33⅓% of the organization's support come from the public. Conservancy's public support percentage is 45.3%.
Earmarked Funds Summary
I've focused here mostly on the Form 990. However, it's worth noting that FY 2010 was the first year in which Conservancy was required to have an independent audit. This is a New York State Requirement (you can see the detail of this requirements on page 4 of the CHAR-500), but even when it's not mandated, it's good for non-profits to have an independent audit anyway. Despite the amazing amount of work our first audit took (it'll get easier in future years, fortunately, now that Conservancy is used to it), I'm very glad that NYS required us to do it, as there's always the temptation to avoid something that's difficult and not mandatory.
Anyway, the most interesting page of the audit's report, in my view, is page 6 (PDF page 7), which shows the exact totals of all earmarked project funds in Conservancy. Individual Conservancy member projects will probably like to be able to see a third-party confirmation on the amount that was given, spent, and remains for their projects.
Yes, You Can See How Much I'm Paid
Part of public filings include the salaries paid to officers, directors, and key employees of the organization. Part VII of the Form 990 (Page 7) has these details. As you can see, I was the only person that Conservancy paid in FY 2010. When you look at the numbers in this section, note that my role changed over the course of the fiscal year: From 2010-03-01 through 2010-09-30, I was a nights/weekends part-time volunteer. From 2010-10-01 to 2010-12-31, I was a full-time volunteer. For the last two months of the fiscal year, from 2011-01-01 until 2011-02-28, I was a full-time employee.
Feel Free to Ask Me Questions
I've started a thread on identi.ca to discuss Conservancy's Form 990. Feel free to ask me any questions that you have there.
What's a Free Software Non-Profit For?
byon November 28, 2011
Much was written last week that speculated about the role of foundations and the always-changing ways that developers write Free Software. I must respectfully point out that I believe this discussion doesn't address the key purpose of doing Free Software work as part of a non-profit organization.
Conservancy always avoids making any technical recommendations. Indeed, Conservancy counts among its members Darcs, Git and Mercurial, all of whom likely disagree on the preferred distributed version control system. Conservancy, for its part, doesn't have a recommended version control system, nor a recommended hosting site, nor anything else like that. I even grit my teeth and just live with it when Conservancy's member projects choose Github over Gitorious (since the latter is Free Software itself and the former is not — an issue that concerns me deeply).
In short, Conservancy's job isn't to tell projects how to do what they do best: write and develop Free Software. Of course, our members must license their software under a license that's both FSF- and OSI-approved, and all official project activities (including development) must fit Conservancy's not-for-profit mission. But beyond oversight on that issue, Conservancy doesn't interfere with the development of our projects' software.
Instead, Conservancy handles all the aspects of running a non-profit software project that don't involve actually developing software. Conservancy's service plan includes many things, from handling donations, reimbursing developers for conference travel, to holding domain names, copyrights, and trademarks, to enforcing those copyrights and trademarks, to basic legal services. These items are the role for the non-profit organization in the life of a Free Software project. Conservancy's goal is to ensure that the software project continues to improve and benefit the public good, and to handle all the mundane aspects of non-profit activity.
Nevertheless, Conservancy's way of operating doesn't fit every project's culture. In the past, I've even recommended to Conservancy applicants that Apache Software Foundation, Free Software Foundation or Software in the Public Interest was a better home for their project, merely because the project seemed to have a culture that fit better with those organizations.
Upon finding the right cultural fit, a non-profit home can promote the
advancement of a Free Software project in ways the project can't do
merely as a band of part-time volunteer developers. By contrast to
those who are asking whether these non-profits
still make sense,
I argue that more than ever, developers need as much time as they
can spare to keep up with the rapid changes in technology and community
development methodologies. A non-profit home can take care of the
other, non-software-development tasks, leaving the projects' volunteers
to focus on what they do best.
As for adherence to the rules, while Conservancy is liberal on rules related to development methodologies, we remain somewhat conservative on the areas of the organization's expertise. Namely, Conservancy carefully oversees the financial spending and asset management of Conservancy's projects to ensure they continue to operate in a not-for-profit way to advance the public good. This is the most important standing agenda item on my daily schedule, and I believe that's the center of my job in providing services to our member projects. While I once was a software developer (and I sometimes can't resist giving my technical opinion to one of Conservancy's member projects), I constantly focus my role on the stuff that developers hate doing, so that they keep doing the work the love that helps the whole community.