diff --git a/enforcement-case-studies.tex b/enforcement-case-studies.tex index ed40b84a1a448c0bbffb426ee29366c1aa81f1d3..4c2f4a400de5de8b3d2da4c185065b3b73357bf6 100644 --- a/enforcement-case-studies.tex +++ b/enforcement-case-studies.tex @@ -41,7 +41,7 @@ Sponsored by the Free Software Foundation \\ Columbia Law School, New York, NY, USA \\ \vspace{.1in} -Wednesday 21 January 2003 +Wednesday 21 January 2004 } \vspace{.7in} @@ -85,7 +85,6 @@ any medium, provided this notice is preserved. \begin{abstract} - This one-day course presents the details of five different GPL compliance cases handled by FSF's GPL Compliance Laboratory. Each case offers unique insights into problems that can arise when the terms of GPL are not @@ -101,6 +100,15 @@ that deal with Free Software on a regular basis. However, technical managers and executives whose businesses use or distribute Free Software will also find the course very helpful. +\bigskip + +These course materials are merely a summary of the highlights of the +course presented. Readers of this material should assume that they have +missed the bulk of the material, as the detailed discussion of these case +studies is the most illuminating part about them. Merely reading this +material is akin to matriculating into a college course and read only the +textbook instead of going to class. + \end{abstract} \tableofcontents @@ -124,58 +132,61 @@ propagate throughout the distribution chain of the software. As we have learned, the assurance that Free Software under GPL remains Free Software is accomplished through various terms of GPL: \S 3 ensures that binaries are always accompanied with source; \S 2 ensures that the -sources are adequate, complete and usable; \S 6 and \S 7 ensures that the +sources are adequate, complete and usable; \S 6 and \S 7 ensure that the license of the software is always GPL for everyone, and that no other -legal agreements or licenses trump GPL; \S 4 ensures that the GPL can be -enforced. +legal agreements or licenses trump GPL. It is \S 4, however, that ensures +that the GPL can be enforced. -In fact, \S 4 is where we begin our discussion of GPL enforcement. This +Thus, \S 4 is where we begin our discussion of GPL enforcement. This clause is where the legal teeth of the license are rooted. As a copyright license, GPL governs only the activities governed by copyright law --- copying, modifying and redistributing computer software. Unlike most copyright licenses, GPL gives wide grants of permission for engaging with these activities. Such permissions continue and all parties may exercise -until such time as one party violates the terms of GPL\@. At the moment -of such a violation --- the engaging of copying, modifying or -redistributing in ways not permitted by GPL --- \S 4 is invoked. +them until such time as one party violates the terms of GPL\@. At the +moment of such a violation (i.e., the engaging of copying, modifying or +redistributing in ways not permitted by GPL) \S 4 is invoked. While other +parties may continue to operate under GPL, the violating party loses their +rights. -Specifically, \S 4 terminates the violators rights to continue engaging +Specifically, \S 4 terminates the violators' rights to continue engaging in the permissions that otherwise granted by GPL\@. Effectively, their -permission go back to the copyright defaults --- no permission to copy, -modify, or redistribute the work. Meanwhile, \S 5 points out that if -if the violator has no rights under GPL --- as they will not once they -have violated it --- then they otherwise have no right and are prohibited -by copyright law from engaging in the activities of copying, modifying -and distributing. +permissions go back to the copyright defaults --- no permission is granted +to copy, modify, nor redistribute the work. Meanwhile, \S 5 points out +that if if the violator has no rights under GPL --- as they will not once +they have violated it --- then they otherwise have no rights and are +prohibited by copyright law from engaging in the activities of copying, +modifying and distributing. \section{Ongoing Violations} In conjunction with \S 4's termination of violators' rights, there is one -final industry fact is added to the mix: rarely, does on engage in a -single, solitary act of copying, distributing or modifying software. -Almost always, a violator will have legitimately acquired a copy a GPL'd -program --- either made modifications or not --- and then begun a ongoing -activity of distributing that work. For example, the violator may have -put the software in boxes and sold them at stores. Or perhaps the -software was put up for download on the Internet. Regardless of the -delivery mechanism, violators almost always are engaged in {\em ongoing\/} +final industry fact added to the mix: rarely, does one engage in a single, +solitary act of copying, distributing or modifying software. Almost +always, a violator will have legitimately acquired a copy a GPL'd program, +either making modifications or not, and then began a ongoing activity of +distributing that work. For example, the violator may have put the +software in boxes and sold them at stores. Or perhaps the software was +put up for download on the Internet. Regardless of the delivery +mechanism, violators almost always are engaged in {\em ongoing\/} violation of GPL\@. In fact, when we discover a GPL violation that occurred only once --- for example, a user group who distributed copies of a GNU/Linux system without -source at a meeting once --- we rarely pursue it with a high degree of -diligence. In our minds, that is an educational problem, and unless the -user group becomes a repeat offender (as it turns out, the never do) we -simply send an FAQ entry that best explains how user groups can most -easily comply with GPL, and send them on there merry way. +source at one meeting --- we rarely pursue it with a high degree of +tenacity. In our minds, such a violation is an educational problem, and +unless the user group becomes a repeat offender (as it turns out, the +never do) we simply forward along an FAQ entry that best explains how user +groups can most easily comply with GPL, and send them on there merry way. It is only the cases of {\em ongoing\/} GPL violation that warrant our active attention. We vehemently pursue those cases where dozens, hundreds or thousands of customers are receiving software that is out of -compliance, and the company continually puts for sale (or distributes -gratis as a demo) software distributions that include GPL'd components out -of compliance. Our goal is to maximize the impact of enforcement and -educate industries who are making a mistake on a large scale. +compliance, and where the company continually puts for sale (or +distributes gratis as a demo) software distributions that include GPL'd +components out of compliance. Our goal is to maximize the impact of +enforcement and educate industries who are making such a mistake on a +large scale. In addition, such ongoing violation shows that a particular company is committed to a GPL'd product line. We are thrilled to learn that someone @@ -186,40 +197,41 @@ gives us an active opportunity to educate a new contributor the GPL'd commons about proper procedures to contribute to the community. Our central goal is not, in fact, to merely clear up particular violation. -Over time, we hope that our compliance lab will be out of business. We -seek to educate the businesses that engage in commerce related to GPL'd -software to obey the rules of the road and allow them to operate freely -under them. Just as a traffic officer would not revel in reminding people -which side of the road to drive in, so we do not revel in violations. By -contrast, we revel in the successes of educating an ongoing violator about -GPL so that GPL compliance becomes a second-nature matter, and they join -the GPL ecosystem as contributors. +In fact, over time, we hope that our compliance lab will be out of +business. We seek to educate the businesses that engage in commerce +related to GPL'd software to obey the rules of the road and allow them to +operate freely under them. Just as a traffic officer would not revel in +reminding people which side of the road to drive on, so we do not revel in +violations. By contrast, we revel in the successes of educating an +ongoing violator about GPL so that GPL compliance becomes a second-nature +matter, allowing that company to join the GPL ecosystem as a contributor. \section{How are Violations Discovered?} Our enforcement of GPL is not a fund-raising effort; in fact, FSF's GPL -compliance lab runs at a loss (in other words, it is subsided by our +Compliance Lab runs at a loss (in other words, it is subsided by our donors). Our violation reports come from volunteers, who have encountered in their business or personal life, a device or software product that -appears to contain GPL'd software; these reports are usually sent via -email to $<$license-violation@fsf.org$>$. +appears to contain GPL'd software. These reports are almost always sent +via email to $<$license-violation@fsf.org$>$. Our first order of business, upon receiving such a report, is to seek independent confirmation. When possible, we get a copy of the software product. For example, if it is an offering that is downloadable from a website, we download it and investigate ourselves. When it is not possible for us to actually get a copy of the software, we ask the -reporter to go through the same process we use in examining the software. +reporter to go through the same process we would use in examining the +software. By rough estimation, about 95\% of violations at this stage can be -confirmed by simple commands. Since almost all violators have merely made -an error, and have no nefarious intentions, they have made no attempt to -remove our copyright notices from the software. Given the third-party -binary, {\tt tpb}, usually, a simple command (on a GNU/Linux system) such -as the following will find an Free Software copyright notice and GPL -reference: +confirmed by simple commands. Almost all violators have merely made an +error and have no nefarious intentions. They have made no attempt to +remove our copyright notices from the software. Thus, given the +third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux +system) such as the following will find a Free Software copyright notice +and GPL reference: \begin{quotation} -{\tt string tpb | grep Copyright} +{\tt strings tpb | grep Copyright} \end{quotation} In other words, it is usually more than trivial to confirm that GPL'd software is included. @@ -229,17 +241,17 @@ determine whose copyright has been violated. Contrary to popular belief, FSF does not have the power to enforce GPL in all cases. Since GPL operates under copyright law, the powers of enforcement --- to seek redress once \S 4 has been invoked --- lies with the copyright holder of -the software. FSF is one of the largest copyright holders in the world -of GPL'd software, but we are by no means the only one. Thus, we -sometimes discover that while GPL'd code is present in the software, -there is no software copyrighted by FSF. +the software. FSF is one of the largest copyright holders in the world of +GPL'd software, but we are by no means the only one. Thus, we sometimes +discover that while GPL'd code is present in the software, there is no +software copyrighted by FSF present. In cases where FSF does not hold copyright interest in the software, but we have confirmed a violation, we contact the copyright holders of the software, and encourage them to enforce GPL\@. We offer our good offices to help negotiate compliance on their behalf, and many times we help as a -third party to settle such GPL violations. However, what we will -describe in this course is FSF's first-hand experience enforcing its own +third party to settle such GPL violations. However, what we will describe +primarily in this course is FSF's first-hand experience enforcing its own copyrights and GPL\@. \section{First Contact} @@ -249,7 +261,7 @@ cooperation and mutual help. Our community has learned that cooperation works best when you assume the best of others, and only change policy, procedures and attitudes when some specific event or occurrence indicates that a change is necessary. We treat the process of GPL enforcement in -the same way; our goal is to encourage violators to join the cooperative +the same way. Our goal is to encourage violators to join the cooperative community of software sharing, so we want to open our hand in friendship to them. @@ -263,7 +275,7 @@ compliance work. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\chapter{Case Study: Davrik's Modified GCC} +\chapter{Davrik: Modified GCC SDK} In our first case study, we will consider Davrik, a company that produces software and hardware toolkits to assist OEM vendors who products consumer @@ -287,13 +299,13 @@ with specious GPL violation complaints. FSF shelved the matter until more evidence was discovered. FSF was later able to confirm the violation when two additional reports -surfaced from other violation reports, both of whom had used the product +surfaced from other violation reporters, both of whom had used the SDK professional and noticed clear similarities to FSF's GNU GCC\@. FSF's Compliance Engineer asked the reporters to run standard tests to confirm -the violation, and it was confirmed that the product was indeed a -derivative work of GCC, ported to Windows and with a number of features -added, including support for a specific consumer device chipset and -additional features to aid in the linking process (``LP'') for the +the violation, and it was confirmed that Davrik's SDK was indeed a +derivative work of GCC\@. Davrik had ported to Windows and added a number +of features, including support for a specific consumer device chipset and +additional features to aid in the linking process (``LP'') for those specific devices. FSF explained the rights that the GPL afforded these customers and pointed out, for example, that Davrik only needed to provide source to those in possession of the binaries, and that the users may need @@ -303,18 +315,18 @@ confirmed that such requests were not answered. FSF brought the matter to the attention of Davrik, who immediately escalated the matter to their attorneys. After a long negotiation, Davrik acknowledged that their SDK was indeed a derivative work of GCC\@. Davrik -released most of the source, but some disagreement occurred over whether LP -was a derivate work of GCC\@. After repeated FSF inquiries, Davrik +released most of the source, but some disagreement occurred over whether +LP was a derivate work of GCC\@. After repeated FSF inquiries, Davrik reaudited the source and discovered that FSF's analysis was correct and -determined that LP include a number of source files copied from the GCC +determined that LP included a number of source files copied from the GCC code-base. \label{davrik-build-problems} -Once the full software release was made available, FSF asked the -violation reporters if it addressed the problem. Reports came back that -in fact the source did not properly build. FSF asked Davrik to provide -better build instructions with the software, and such build instructions -were incorporated into the next software release. +Once the full software release was made available, FSF asked the violation +reporters if it addressed the problem. Reports came back that the source +did not properly build. FSF asked Davrik to provide better build +instructions with the software, and such build instructions were +incorporated into the next software release. At FSF's request as well, Davrik informed customers who had previously purchased the product that the source was now available, by announcing @@ -350,11 +362,11 @@ have under the GNU General Public License, Version 2. This quelled Davrik's concerns about other patent licensing they sought to do outside of the GPL'd software, and satisfied FSF's concerns that they -give no permissions to exercise teachings of patents that were not already +give proper permissions to exercise teachings of patents that were exercised in their GPL'd software release. Finally, a GPL Compliance Officer inside Davrik was appointed who is -responsible for all matters of GPL Compliance inside the company. Darvik +responsible for all matters of GPL compliance inside the company. Darvik is responsible for informing FSF if the position is given to someone else inside the company, and making sure that FSF has direct contact information with Darvik's Compliance Officer. @@ -371,22 +383,23 @@ This case introduces a number of concepts regarding GPL enforcement. GPL education, many users do not fully understand their rights and the obligations that companies have. By working through the investigation with reporters, the violation can be properly confirmed, and {\bf the - user of the software can be educated about what to expect as a user}. - When users and customers of GPL'd products know their rights, what to - expect, and how to properly exercise their rights (particularly under \S - 3(b)), it reduces the chances for user frustration and inappropriate - community outcry about an alleged GPL violation. - -\item {\bf GPL compliance requires friendly negotiation and - cooperation.} Often, attorneys and managers are legitimately surprised - to find out GPL'd software is included in their company's products. - Engineers sometimes include GPL'd software without understanding the - requirements. This does not excuse companies from their obligations - under the license, but it does mean that care and patience are - essential for reaching GPL compliance. We want companies to understand - that participating and benefiting from a collaborative Free Software - community is not a burden, so we strive to make the process of coming - into compliance when a problem occurs as smooth as possible. + user of the software can be educated about what to expect with GPL'd + software}. When users and customers of GPL'd products know their + rights, what to expect, and how to properly exercise their rights + (particularly under \S 3(b)), it reduces the chances for user + frustration and inappropriate community outcry about an alleged GPL + violation. + +\item {\bf GPL compliance requires friendly negotiation and cooperation.} + Often, attorneys and managers are legitimately surprised to find out + GPL'd software is included in their company's products. Engineers + sometimes include GPL'd software without understanding the requirements. + This does not excuse companies from their obligations under the license, + but it does mean that care and patience are essential for reaching GPL + compliance. We want companies to understand that participating and + benefiting from a collaborative Free Software community is not a burden, + so we strive to make the process of coming into compliance as smooth as + possible. \item {\bf Confirming compliance is a community effort.} The whole point of making sure that software distributors respect the terms of GPL is to @@ -404,21 +417,21 @@ This case introduces a number of concepts regarding GPL enforcement. violators to make some attempt --- such as via newsletters and the company's website --- to inform those who already have the products as to their rights under GPL\@. One of the key thrusts of GPL's \S 1 and - \S 3 is to {\em make sure the user knows he has these rights\/}. If a - product was received out of compliance by a customer, they may never - actually discover that they had such rights. Informing them, in a way - that is not burdensome but has a high probability of successfully + \S 3 is to {\em make sure the user knows she has these rights\/}. If a + product was received out of compliance by a customer, she may never + actually discover that she had such rights. Informing customers, in a + way that is not burdensome but has a high probability of successfully reaching those who would seek to exercise their freedoms, is essential to properly remedy the mistake. \item {\bf Lines between various copyright, patent, and other legal mechanisms must be precisely defined and considered.} The most - difficult negotiation point of this compliance case was drafting - language that simultaneously protected the Davrik's patent rights - outside of the GPL'd source, but was consistent with the implicit patent - grant in GPL\@. As we discussed in the first course in this series, - there is indeed an implicit patent grant with GPL, thanks to \S 6 and \S - 7. However, many companies become nervous and wish to make the grant + difficult negotiation point of the Davrik case was drafting language + that simultaneously protected the Davrik's patent rights outside of the + GPL'd source, but was consistent with the implicit patent grant in + GPL\@. As we discussed in the first course in this series, there is + indeed an implicit patent grant with GPL, thanks to \S 6 and \S 7. + However, many companies become nervous and wish to make the grant explicit to assure themselves that the grant is sufficiently narrow for their needs. We understand that there is no reasonable way to determine what patent claims read on a company's GPL holdings and which do not, so @@ -431,6 +444,11 @@ This case introduces a number of concepts regarding GPL enforcement. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \chapter{Bracken: a Minor Violation in a GNU/Linux Distribution} +In this case study, we consider a minor violation made by a company whose +knowledge of the Free Software community and it functions is deep. + +\section{The Facts} + Bracken produces a GNU/Linux operating system product that is sold primarily to OEM vendors to be placed in appliance devices that are used for a single purpose, such as an Internet-browsing-only device. The @@ -439,8 +457,8 @@ related Free Software licenses. FSF found out about this violation through a report first posted in a comment on a Slashdot\footnote{Slashdot is a popular news and discussion - site for technical readers.} comment, and then later brought to our -attention by another Free Software copyright holder who had discovered the + site for technical readers.} comment, and then was brought to attention +again by another Free Software copyright holder who had discovered the same violation. Bracken's GNU/Linux product is delivered directly from their website. @@ -458,7 +476,7 @@ online distribution: contradicted the permissions granted by GPL\@. \end{itemize} -FSF contacted Bracken and gave them the details of the violation. Bracken +FSF contacted Bracken and gave them the details of the violation. Bracken immediately ceased distribution of the product temporarily, and set forth a plan to bring themselves back into compliance. This plan included the following steps: @@ -473,14 +491,14 @@ following steps: ever they distributed that way). \item Bracken attorneys would run an internal seminar for its engineers - regarding GPL proper compliance, to help ensure that such oversights + regarding proper GPL compliance, to help ensure that such oversights regarding source releases would not occur in the future. \item Bracken would resume distribution of the product only after FSF formally restored Bracken's distribution rights. \end{itemize} -This work was completed in the matter of about a month. FSF approved the +This case was completed in the matter of about a month. FSF approved the new EULA text. They key portion in the EULA relating to GPL read as follows: @@ -511,7 +529,7 @@ completed as described. \section{Lessons Learned} -This case was probably them most quickly and easily resolved of all GPL +This case was probably the most quickly and easily resolved of all GPL violations in the history of FSF's Compliance Lab. The ease with which the problem was resolved shows a number of cultural factors that play a role in GPL compliance. @@ -520,13 +538,13 @@ role in GPL compliance. \item {\bf Companies that understand Free Software culture better have an easier time with compliance.} Bracken's products were designed and - build around the GNU/Linux system and Free Software components. Their + built around the GNU/Linux system and Free Software components. Their engineers were deeply familiar with the Free Software ecosystem, and their lawyers had seen and reviewed GPL before. The violation was - completely an honest mistake, and since the culture inside the company - had already adapted to the cooperative style of resolution to problems - in the Free Software world, there was very little work for either - party to bring the product into compliance. + completely an honest mistake. Since the culture inside the company had + already adapted to the cooperative style of resolution in the Free + Software world, there was very little work for either party to bring the + product into compliance. \item {\bf When people in key positions understand the Free Software nature of their software products, compliance concerns are as mundane as @@ -534,26 +552,26 @@ role in GPL compliance. its problems, and successful business often depends on agile response to the problems that do come up; avoiding problems altogether is a pipe dream. Minor GPL violations can and do happen even with well-informed - redistributors, but when the company --- and in particular, the lawyers, - managers, and engineers working on the Free Software product lines -- - have adapted to the cooperate Free Software culture, resolving such - problems are merely a mundane details of typical operation and resolved - just as easily. + redistributors. However, when the company --- and in particular, the + lawyers, managers, and engineers working on the Free Software product + lines --- have adapted to the cooperative Free Software culture, + resolving such problems is merely a mundane detail of typical operation + and resolution is reached quickly. \item {\bf Legally, distribution must stop when a violation is - identified.} In our opinion, Bracken went above and beyond the call by - ceasing distribution while the violation was being resolved. Under GPL - \S 4, the redistributor loses the right to distribute the software, and - thus they are in ongoing violation of copyright law as they distribute. - It is FSF's policy to temporarily allow distribution while compliance - negotiations are ongoing and only in the most extreme cases where the - other party appears to be negotiating in bad faith does FSF even - threaten an injunction on copyright grounds. However, Bracken --- as a - good Free Software citizen --- chose to be on the safe side and do the - legally correct thing while the violation case was pending. Since from - start to finish it took less than am month to resolve, this lapse in - distribute did not, to FSF's knowledge, impact their business in any - way. + identified.} In our opinion, Bracken went above and beyond the call of + duty by ceasing distribution while the violation was being resolved. + Under GPL \S 4, the redistributor loses the right to distribute the + software, and thus they are in ongoing violation of copyright law if + they distribute before rights are restored. It is FSF's policy to + temporarily allow distribution while compliance negotiations are ongoing + and only in the most extreme cases (where the other party appears to be + negotiating in bad faith) does FSF even threaten an injunction on + copyright grounds. However, Bracken --- as a good Free Software citizen + --- chose to be on the safe side and do the legally correct thing while + the violation case was pending. Since from start to finish it took less + than am month to resolve, this lapse in distribution did not, to FSF's + knowledge, impact Bracken's business in any way. \item {\bf EULAs are a common area for GPL problems.} Often, EULAs are drafted from boilerplate text that a company uses for all its products. @@ -562,8 +580,8 @@ role in GPL compliance. licenses. Drafting a EULA that accounts for such licenses is straightforward; the text quoted above works just fine. The EULA must be designed so that it does not trump and rights and permissions already - granted by GPL\@, and it must be certain that if there is a conflict - between EULA and GPL, with regard to GPL'd code, that the GPL is the + granted by GPL\@, and it clearly state that if there is a conflict + between the EULA and GPL, with regard to GPL'd code, that the GPL is the overriding license. \item {\bf Compliance Officers are rarely necessary when companies are @@ -601,15 +619,15 @@ a derivative work of GNU tar; the extraneous utilities merely made compliance with GPL by releasing the source of GNU tar, with the cryptographic modifications, to its customers. -Vigorien released the GNU tar sources, but kept the cryptographic library -proprietary. They argued that the security of their system depending on -keeping the software proprietary and that regardless, USA export -restrictions on cryptographic software prohibited such a release. FSF -disputed the claim on the first count, pointing out that Vigorien's had -only one option if they did not want to release the source: they would -have to remove GNU tar from the software and not distribute it further. -Vigorien rejected this suggestion, since GNU tar was an integral part of -the product and the security changes were useless without GNU tar. +Vigorien released the original GNU tar sources, but kept the cryptographic +modifications proprietary. They argued that the security of their system +depending on keeping the software proprietary and that regardless, USA +export restrictions on cryptographic software prohibited such a release. +FSF disputed the first claim, pointing out that Vigorien had only one +option if they did not want to release the source: they would have to +remove GNU tar from the software and not distribute it further. Vigorien +rejected this suggestion, since GNU tar was an integral part of the +product and the security changes were useless without GNU tar. Regarding the export control claims, FSF proposed a number of options, including release of the source from one of Vigorien's divisions overseas @@ -629,18 +647,26 @@ did so, and the violation was resolved. \item {\bf Removing the GPL'd portion of the product is always an option.} Many violators' first response is to simply refuse to release the source - code as GPL required. FSF offers the option to simply remove the GPL'd + code as GPL requires. FSF offers the option to simply remove the GPL'd portions from the product and continue along without them indefinitely. Every case where this has been suggested has led to the same conclusion. Like Vigorien, the violator argues that the product cannot function without the GPL'd components and they cannot effectively replace them. - Such an outcome of course is further evidence that the combined work in + Such an outcome is simply further evidence that the combined work in question is indeed a derivative work of the original GPL'd component. If the other components cannot stand on their own and be useful without the GPL'd portions, then one cannot effectively argue that the work as a whole is not a derivative of the GPL'd portions. +\item {\bf The whole product is not always covered.} In this case, + Vigorien had additional works aggregated. The backup system was a suite + of utilities, some of which were GPL and some of which were not. While + the cryptographic routines were tightly coupled with GNU tar and clearly + derivative works, the various GUI utilities were separate and + independent works merely aggregated with the distribution of the + GNU-tar-based product. + \item {\bf ``Security'' concerns do not exonerate a distributor from GPL obligations, and ``security through obscurity'' does not work anyway.} @@ -662,11 +688,11 @@ did so, and the violation was resolved. by identifying them early. \item {\bf External regulatory problems can be difficult to resolve.} - GPL, though copyright law, does not have the power to trump regulations - like export controls. While Vigorien's ``security concerns'' were - specious, their export control concerns were not. It is indeed a - difficult problem that FSF acknowledges. We want compliance with GPL - and respect for users' freedoms, but we certainly do not expect + GPL, though grounded in copyright law, does not have the power to trump + regulations like export controls. While Vigorien's ``security + concerns'' were specious, their export control concerns were not. It is + indeed a difficult problem that FSF acknowledges. We want compliance + with GPL and respect for users' freedoms, but we certainly do not expect companies to commit criminal offenses for the sake of compliance. We will see more about this issue in our next case study. \end{enumerate} @@ -676,8 +702,8 @@ did so, and the violation was resolved. \chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices} This case study considers an ongoing (at the time of writing) violation -that occurred. By the end of the investigation period, three companies -were involved and many complex issues arose. +that has occurred. By the end of the investigation period, three +companies were involved and many complex issues arose. \section{The Facts} @@ -695,10 +721,10 @@ arms about the violation. Meanwhile, Haxil was in the midst of being acquired by Polgara. Polgara was as surprised as everyone else to discover the product was based on -GPL'd software; it had not been part of the disclosures made during +GPL'd software; this fact had not been part of the disclosures made during acquisition. FSF contacted both Haxil and Polgara, and product managers -who had transitioned into the ``Haxil division'' of newly merged Polgara -company worked and Polgara's General Counsel's office worked with FSF on +who had transitioned into the ``Haxil division'' of the newly-merged +Polgara company and Polgara's General Counsel's office worked with FSF on the matter. FSF meanwhile formed a coalition with the other primary copyright holders @@ -738,8 +764,8 @@ regarding the problem. \begin{enumerate} \item {\bf Community outrage, while justified, can often make negotiation - more difficult.} FSF has a strong policy to not publicized names of GPL - violators if they are negotiating in a friendly way and operating in + more difficult.} FSF has a strong policy never to publicize names of + GPL violators if they are negotiating in a friendly way and operating in good faith toward compliance. Most violations are honest mistakes, and FSF sees no reason to publicly admonish violators who genuinely see to come into compliance with GPL and to work hard staying in compliance. @@ -758,19 +784,21 @@ regarding the problem. during the acquisition process. While GPL compliance is not a particularly difficult matter, it is an additional obligation that comes along with the product line. When planning mergers and joint ventures, - include lists of GPL'd components contained in the products discussed. + one should include lists of GPL'd components contained in the products + discussed. \item {\bf Compliance problems of upstream providers do not excuse a violation for the downstream distributor.} To paraphrase \S 6, upstream providers are not responsible for enforcing compliance of their downstream, nor are downstream distributors responsible for compliance problems of upstream providers. However, engaging in distribution of - GPL'd works out of compliance is still just that --- a compliance - problem. When FSF carries out enforcement, we are patient and - sympathetic when the problem appears to be upstream. In fact, we urge - the violator to point us to the upstream provider to talk to them, and - in this case we were happy to begin negotiations with Thesulac. However, - Polgara still has an obligation to bring their product into compliance. + GPL'd works out of compliance is still just that: a compliance problem. + When FSF carries out enforcement, we are patient and sympathetic when + the problem appears to be upstream. In fact, we urge the violator to + point us to the upstream provider so we may talk to them directly. In + this case we were happy to begin negotiations with Thesulac. However, + Polgara still has an obligation to bring their product into compliance, + regardless of Thesulac's response. \item {\bf It behooves upstream providers to advise downstream distributors about compliance matters.} FSF has encouraged Thesulac to @@ -779,7 +807,7 @@ regarding the problem. product, and it is conceivable that such additions can introduce compliance. In FSF's opinion, Thesulac is no way legally responsible for such a violation introduced by their customer, but it behooves them - from a business standpoint to educate their customers about using the + from a marketing standpoint to educate their customers about using the product. We can argue whether or not it is your coffee vendor's fault if you burn yourself with their product, but (likely) no one on either side would dispute the prudence of placing a ``caution: hot'' label on @@ -803,6 +831,7 @@ regarding the problem. simple rule to follow, and following that rule to FSF's satisfaction usually means you are following it to the satisfaction of the entire Free Software community. + \end{enumerate} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -853,4 +882,4 @@ distribute products based on GPL'd software: % LocalWords: Lessig Lessig's UCITA pre PDAs CDs reshifts GPL's Gentoo glibc % LocalWords: TrollTech administrivia LGPL's MontaVista Davrik Davrik's Darvik % LocalWords: Darvik's Slashdot sublicensed Vigorien Vigorien's Haxil Polgara -% LocalWords: Thesulac Polgara's Haxil's Thesulac's +% LocalWords: Thesulac Polgara's Haxil's Thesulac's SDK CD's