Copyleft/guide Changeset - 0bbf9ec882d0

Changeset - 0bbf9ec882d0

Parent rev.

Child rev.

[Not reviewed]

0 2 0

Martin Michlmayr (tbm) - 10 years ago 2014-04-24 23:12:21
tbm@cyrius.com

Misc copy editing

2 files changed with 21 insertions and 21 deletions:

compliance-guide.tex

enforcement-case-studies.tex

0 comments (0 inline, 0 general)

compliance-guide.tex

➞

Show inline comments

 % compliance-guide.tex                            -*- LaTeX -*-
 \part{A Practical Guide to GPL Compliance}
 \label{gpl-compliance-guide}
 {\parindent 0in
 This part is: \\
 \begin{tabbing}
 Copyright \= \copyright{} 2014 \= \hspace{.2in} Bradley M. Kuhn. \\
 Copyright \> \copyright{} 2008 \> \hspace{.2in} Software Freedom Law Center. \\
 \end{tabbing}
 \vspace{1in}
 \begin{center}
 Authors of this part are: \\
 Bradley M. Kuhn \\
 Aaron Williamson \\
 Karen M. Sandler \\
 \vspace{3in}
 The copyright holders of this part hereby grant the freedom to copy, modify,
 convey, Adapt, and/or redistribute this work under the terms of the Creative
 Commons Attribution Share Alike 4.0 International License.  A copy of that
 license is available at
 \verb=https://creativecommons.org/licenses/by-sa/4.0/legalcode=.
 \end{center}
+}
 \bigskip
 \chapter*{Executive Summary}
 This is a guide to effective compliance with the GNU General Public
 License (GPL) and related licenses.  Copyleft advocates
 usually seek to assist the community with
 GPL compliance cooperatively.   This guide focuses on complying from the
 start, so that readers can learn to avoid enforcement actions entirely, or, at
 least, minimize  the negative impact when enforcement actions occur.
 This guide  introduces and explains basic legal concepts related to the GPL and its
 enforcement by copyright holders. It also outlines business practices and
 methods that lead to better GPL compliance.  Finally, it recommends proper
 post-violation responses to the concerns of copyright holders.
 \chapter{Background}
 Early GPL enforcement efforts began soon after the GPL was written by
 Richard M.~Stallman (RMS) in 1989, and consisted of informal community efforts,
 often in public Usenet discussions.\footnote{One example is the public
   outcry over NeXT's attempt to make the Objective-C front-end to GCC
   proprietary.  RMS, in fact, handled this enforcement action personally and
   the Objective-C front-end is still part of upstream GCC today.}  Over the next decade, the Free Software Foundation (FSF),
 which holds copyrights in many GNU programs, was the only visible entity
 actively enforcing its GPL'd copyrights on behalf of the software freedom
 community.
 FSF's enforcement
 was generally a private process; the FSF contacted violators
 confidentially and helped them to comply with the license.  Most
 violations were pursued this way until the early 2000's.
 By that time, Linux-based systems such as GNU/Linux and BusyBox/Linux had become very common, particularly in
 embedded devices such as wireless routers.  During this period, public
 ridicule of violators in the press and on Internet fora supplemented
 ongoing private enforcement and increased pressure on businesses to
 comply.  In 2003, the FSF formalized its efforts into the GPL Compliance
 Lab, increased the volume of enforcement, and built community coalitions
 to encourage copyright holders to together settle amicably with violators.
 Beginning in 2004, Harald Welte took a more organized public enforcement
 approach and launched \verb0gpl-violations.org0, a website and mailing
 list for collecting reports of GPL violations.  On the basis of these
 reports, Welte successfully pursued many enforcements in Europe, including
 formal legal action.  Harald earns the permanent fame as the first copyright
-holder to bring legal action in a Court regarding GPL compliance.
+holder to bring legal action in a court regarding GPL compliance.
 In 2007, two copyright holders in BusyBox, in conjunction with the
 Software Freedom Conservancy (``Conservancy''), filed the first copyright infringement lawsuit
 based on a violation of the GPL\@ in the USA. While  lawsuits are of course
 quite public, the vast majority of Conservancy's enforcement actions
 are resolved privately via
-cooperative communications with violators.  As both FSF and Conservancy has worked to bring
+cooperative communications with violators.  As both FSF and Conservancy have worked to bring
 individual companies into compliance, both organizations have encountered numerous
 violations resulting from preventable problems such as inadequate
 attention to licensing of upstream software, misconceptions about the
 GPL's terms, and poor communication between software developers and their
 management.  This document highlights these problems and describe
 best practices to encourage corporate Free Software users to reevaluate their
 approach to GPL'd software and avoid future violations.
 Both FSF and Conservancy continue GPL enforcement and compliance efforts
 for software under the GPL, the GNU Lesser
 Public License (LGPL) and other copyleft licenses.  In doing so, both organizations have
 found that most violations stem from a few common mistakes that can be,
 for the most part, easily avoided.  All copyleft advocates  hope to educate the community of
 commercial distributors, redistributors, and resellers on how to avoid
 violations in the first place, and to respond adequately and appropriately
 when a violation occurs.
 \chapter{Best Practices to Avoid Common Violations}
 \label{best-practices}
 Unlike highly permissive licenses (such as the ISC license), which
 typically only require preservation of copyright notices, licensees face many
 important requirements from the GPL.  These requirements are
 carefully designed to uphold certain values and standards of the software
-freedom community.  While the GPL's requirements may appear initially
+freedom community.  While the GPL's requirements may initially appear
 counter-intuitive to those more familiar with proprietary software
 licenses, by comparison, its terms are in fact clear and quite favorable to
 licensees.  Indeed, the GPL's terms actually simplify compliance when
 violations occur.
 GPL violations occur (or, are compounded) most often when companies lack sound
 practices for the incorporation of GPL'd components into their
 internal development environment.  This section introduces some best
 practices for software tool selection, integration and distribution,
 inspired by and congruent with software freedom methodologies.  Companies should
 establish such practices before building a product based on GPL'd
 software.\footnote{This document addresses compliance with GPLv2,
   GPLv3, LGPLv2, and LGPLv3.  Advice on avoiding the most common
   errors differs little for compliance with these four licenses.
   \S~\ref{lgpl} discusses the key differences between GPL and LGPL
   compliance.}
 \section{Evaluate License Applicability}
 \label{derivative-works}
 Political discussion about the GPL often centers around the ``copyleft''
 requirements of the license.  Indeed, the license was designed primarily
 to embody this licensing feature.  Most companies adding non-trivial
 features (beyond mere porting and bug-fixing) to GPL'd software (and
 thereby invoking these requirements) are already well aware of their
 more complex obligations under the license.\footnote{While, there has been much legal
   discussion regarding copyleft and derivative works.  In practical
   reality, this issue is not relevant to the vast majority of companies
   distributing GPL'd software.  Those interested in this issue should study
   \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related
       Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of
     this tutorial}.}
 However, experienced  GPL enforcers find that few redistributors'
 compliance challenges relate directly to the copyleft provisions; this is
 particularly true for most embedders.  Instead, the distributions of GPL'd
 systems most often encountered typically consist of a full operating system
 including components under the GPL (e.g., Linux, BusyBox) and components
 under the LGPL (e.g., the GNU C Library).  Sometimes, these programs have
 been patched or slightly improved by direct modification of their sources,
 resulting unequivocally in a derivative work.  Alongside these programs,
 companies often distribute fully independent, proprietary programs,
 developed from scratch, which are designed to run on the Free Software operating
 system but do not combine with, link to, modify, derive from, or otherwise
 create a combined work with
 the GPL'd components.\footnote{However, these programs do often combine
   with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.}
 In the latter case, where the work is unquestionably a separate work of
 creative expression, no copyleft provisions are invoked.
 Admittedly, a tiny
-minority of situations which lie outside these two categories, and thus
 minority of situations lie outside these two categories, and thus
 do involve close questions about derivative and combined works.  Those
 situations admittedly do require a highly
 fact-dependent analysis and cannot be addressed in a general-purpose
 document, anyway.
 \medskip
 Most companies accused of violations lack a basic understanding
 of how to comply even in the former straightforward scenario.  This document
 provides those companies with the fundamental and generally applicable prerequisite knowledge.
 For answers to rarer and more complicated legal questions, such as whether
 your software is a derivative or combined work of some copylefted software, consult
 with an attorney.\footnote{If you would like more information on the
   application of derivative works doctrine to software, a detailed legal
   discussion is presented in our colleague Dan Ravicher's article,
   \textit{Software Derivative Work: A Circuit Dependent Determination} and in
   \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related
       Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of
     this tutorial}.}
 This discussion thus assumes that you have already identified the
 ``work'' covered by the license, and that any components not under the GPL
 (e.g., applications written entirely by your developers that merely happen
 to run on a Linux-based operating system) distributed in conjunction with
 those works are separate works within the meaning of copyright law and the GPL\@.  In
 such a case, the GPL requires you to provide complete corresponding
 source (CCS)\footnote{For more on CCS,  see
 \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related
       Licenses}'s Section on GPLv2~\S2 and GPLv3~\S1.}{\S~\ref{GPLv2s2} and \S~\ref{GPLv3s1} of
     this tutorial}.}
 for the GPL'd components and your modifications thereto, but not
 for independent proprietary applications.  The procedures described in
 this document address this typical scenario.
 \section{Monitor Software Acquisition}
 Software engineers deserve the freedom to innovate and import useful
 software components to improve products.  However, along with that
 freedom should come rules and reporting procedures to make sure that you
 are aware of what software that you include with your product.
 The most typical response to an initial enforcement action is: ``We
 didn't know there was GPL'd stuff in there''.  This answer indicates
 failure in the software acquisition and procurement process.  Integration
 of third-party proprietary software typically requires a formal
 arrangement and management/legal oversight before the developers
 incorporate the software.  By contrast, developers often obtain and
 integrate Free Software without intervention nor oversight. That ease of acquisition, however,
 does not mean the oversight is any less necessary.  Just as your legal
 and/or management team negotiates terms for inclusion of any proprietary
 software, they should gently facilitate all decisions to bring Free Software into your
 product.
 Simple, engineering-oriented rules help provide a stable foundation for
 Free Software integration.  For example, simply ask your software developers to send an email to a
 standard place describing each new Free Software component they add to the system,
 and have them include a brief description of how they will incorporate it
 into the product.  Further, make sure developers use a revision control
-system (such as Git or Mercurial), and have
 system (such as Git or Mercurial), and
 store the upstream versions of all software in a ``vendor branch'' or
 similar mechanism, whereby they can easily track and find the main version
 of the software and, separately, any local changes.
 Such procedures are best instituted at your project's launch.  Once
 chaotic and poorly-sourced development processes begin, cataloging the
 presence of GPL'd components  becomes challenging.
 Such a situation often requires use of a tool to ``catch up'' your knowledge
 about what software your product includes.  Most commonly, companies choose
 some software licensing scanning tool to inspect the codebase.  However,
 there are few tools that are themselves Free Software.  Thus, GPL enforcers
 usually recommend the GPL'd
-\href{http://fossology.org/}{Fossology system}, which analyzes a
+\href{http://fossology.org/}{FOSSology system}, which analyzes a
 source code base and produces a list of Free Software licenses that may apply to
-the code.  Fossology can help you build a catalog of the sources you have
+the code.  FOSSology can help you build a catalog of the sources you have
 already used to build your product.  You can then expand that into a more
 structured inventory and process.
 \section{Track Your Changes and Releases}
 As explained in further detail below, the most important component of GPL
 compliance is the one most often ignored: proper inclusion of CCS in all
 distributions  of GPL'd
 software.  To comply with GPL's CCS requirements, the distributor
 \textit{must} always know precisely what sources generated a given binary
 distribution.
 In an unfortunately large number of our enforcement cases, the violating
 company's engineering team had difficulty reconstructing the CCS
 for binaries distributed by the company.  Here are three simple rules to
 follow to decrease the likelihood of this occurrence:
 \begin{itemize}
 \item Ensure that your
 developers are using revision control systems properly.
 \item Have developers mark or ``tag'' the full source tree corresponding to
   builds distributed to customers
+  builds distributed to customers.
 \item Check that your developers store all parts of the software
 development in the revision control system, including {\sc readme}s, build
 scripts, engineers' notes, and documentation.
 \end{itemize}
 Your developers will benefit anyway from these rules.  Developers will be
 happier in their jobs if their tools already track the precise version of
 source that corresponds to any deployed binary.
 \section{Avoid the ``Build Guru''}
 Too many software projects rely on only one or a very few team members who
 know how to build and assemble the final released product.  Such knowledge
 centralization not only creates engineering redundancy issues, but also
 thwarts GPL compliance.  Specifically, CCS does not just require source code,
 but scripts and other material that explain how to control compilation and
 installation of the executable and object code.
 Thus, avoid relying on a ``build guru'', a single developer who is the only one
 who knows how to produce your final product. Make sure the build process
 is well defined.  Train every developer on the build process for the final
 binary distribution, including (in the case of embedded software)
 generating a final firmware image suitable for distribution to the
 customer.  Require developers to use revision control for build processes.
 Make a rule that adding new components to the system without adequate
 build instructions (or better yet, scripts) is unacceptable engineering
 practice.
 \chapter{Details of Compliant Distribution}
 This section explains the specific requirements placed upon
 distributors of GPL'd software.  Note that this section refers heavily to
 specific provisions and language in
 \href{http://www.gnu.org/licenses/old-licenses/gpl-2.0.html#section3}{GPLv2}
 and \href{http://www.fsf.org/licensing/licenses/gpl.html#section6}{GPLv3}.
 It may be helpful to have a copy of each license open while reading this
 section.
 \section{Binary Distribution Permission}
 \label{binary-distribution-permission}
 % be careful below, you cannot refill the \if section, so don't refill
 % this paragraph without care.
 The various versions of the GPL are copyright licenses that grant
 permission to make certain uses of software that are otherwise restricted
 by copyright law.  This permission is conditioned upon compliance with the
 GPL's requirements.
 This section walks through the requirements (of both GPLv2 and GPLv3) that
 apply when you distribute GPL'd programs in binary (i.e., executable or
 object code) form, which is typical for embedded applications.  Because a
 binary application derives from a program's original sources, you need
 permission from the copyright holder to distribute it.  \S~3 of GPLv2 and
 \S~6 of GPLv3 contain the permissions and conditions related to binary
 distributions of GPL'd programs.\footnote{These sections cannot be fully
   understood in isolation; read the entire license thoroughly before
   focusing on any particular provision.  However, once you have read and
   understood the entire license, look to these sections to guide
   compliance for binary distributions.}
 GPL's binary distribution sections offer a choice of compliance methods,
 each of which we consider in turn.  Each option refers to the
 ``Corresponding Source'' code for the binary distribution, which includes
 the source code from which the binary was produced.  This abbreviated and
 simplified definition is sufficient for the binary distribution discussion
 in this section, but you may wish to refer back to this section after
 reading the thorough discussion of ``Corresponding Source'' that appears
 in \S~\ref{corresponding-source}.
 \subsection{Option (a): Source Alongside Binary}
 GPLv2~\S~3(a) and v3~\S~6(a) embody the easiest option for providing
 source code: including Corresponding Source with every binary
 distribution.  While other options appear initially less onerous, this
 option invariably minimizes potential compliance problems, because when
 you distribute Corresponding Source with the binary, \emph{your GPL
   obligations are satisfied at the time of distribution}.  This is not
 true of other options, and for this reason, we urge you to seriously
 consider this option.  If you do not, you may extend the duration of your
 obligations far beyond your last binary distribution.
 Compliance under this option is straightforward.  If you ship a product
 that includes binary copies of GPL'd software (e.g., in firmware, or on a
 hard drive, CD, or other permanent storage medium), you can store the
 Corresponding Source alongside the binaries.  Alternatively, you can
 include the source on a CD or other removable storage medium in the box
 containing the product.
 GPLv2 refers to the various storage mechanisms as ``medi[a] customarily
 used for software interchange''.  While the Internet has attained primacy
 as a means of software distribution where super-fast Internet connections
 are available, GPLv2 was written at a time when downloading software was
 not practical (and was often impossible).  For much of the world, this
 condition has not changed since GPLv2's publication, and the Internet
@@ ... / @@ -417,206 +417,206 @@ payment. @@
 You may also find a copy of the source at
 \verb0http://www.example.com/sources/Y/0.
 This offer is valid to anyone in receipt of this information.
 \end{quote}
 There are a few important details about this offer.  First, it requires a
 copying fee.  GPLv2 permits ``a charge no more than your cost of
 physically performing source distribution''.  This fee must be reasonable.
 If your cost of copying and mailing a CD is more than around \$10, you
 should perhaps find a cheaper CD stock and shipment method.  It is simply
 not in your interest to try to overcharge the community.  Abuse of this
 provision in order to make a for-profit enterprise of source code
 provision will likely trigger enforcement action.
 Second, note that the last line makes the offer valid to anyone who
 requests the source.  This is because v2~\S~3(b) requires that offers be
 ``to give any third party'' a copy of the Corresponding Source.  GPLv3 has
 a similar requirement, stating that an offer must be valid for ``anyone
 who possesses the object code''.  These requirements indicated in
 v2~\S~3(c) and v3~\S~6(c) are so that noncommercial redistributors may
 pass these offers along with their distributions.  Therefore, the offers
 must be valid not only to your customers, but also to anyone who received
 a copy of the binaries from them.  Many distributors overlook this
 requirement and assume that they are only required to fulfill a request
 from their direct customers.
 The option to provide an offer for source rather than direct source
 distribution is a special benefit to companies equipped to handle a
 fulfillment process.  GPLv2~\S~3(c) and GPLv3~\S~6(c) avoid burdening
 noncommercial, occasional redistributors with fulfillment request
 obligations by allowing them to pass along the offer for source as they
 received it.
 Note that commercial redistributors cannot avail themselves of the option
 (c) exception, and so while your offer for source must be good to anyone
 who receives the offer (under v2) or the object code (under v3), it
 \emph{cannot} extinguish the obligations of anyone who commercially
 redistributes your product.  The license terms apply to anyone who
 distributes GPL'd software, regardless of whether they are the original
 distributor.  Take the example of Vendor $V$, who develops a software
 platform from GPL'd sources for use in embedded devices.  Manufacturer $M$
 contracts with $V$ to install the software as firmware in $M$'s device.
 $V$ provides the software to $M$, along with a compliant offer for source.
 In this situation, $M$ cannot simply pass $V$'s offer for source along to
 its customers.  $M$ also distributes the GPL'd software commercially, so
 $M$ too must comply with the GPL and provide source (or $M$'s \emph{own}
 offer for source) to $M$'s customers.
 This situation illustrates that the offer for source is often a poor
 choice for products that your customers will likely redistribute.  If you
 include the source itself with the products, then your distribution to
 your customers is compliant, and their (unmodified) distribution to their
 customers is likewise compliant, because both include source.  If you
 include only an offer for source, your distribution is compliant but your
 customer's distribution does not ``inherit'' that compliance, because they
 have not made their own offer to accompany their distribution.
 The terms related to the offer for source are quite different if you
 distribute under GPLv3.  Under v3, you may make source available only over
 a network server, as long as it is available to the general public and
 remains active for three years from the last distribution of your product
 or related spare part.  Accordingly, you may satisfy your fulfillment
 obligations via Internet-only distribution.  This makes the ``offer for
 source'' option less troublesome for v3-only distributions, easing
 compliance for commercial redistributors.  However, before you switch to a
 purely Internet-based fulfillment process, you must first confirm that you
 can actually distribute \emph{all} of the software under GPLv3.  Some
 programs are indeed licensed under ``GPLv2, \emph{or any later version}''
 (often abbreviated ``GPLv2-or-later'').  Such licensing gives you the
 option to redistribute under GPLv3.  However, a few popular programs are
 only licensed under GPLv2 and not ``or any later version''
 (``GPLv2-only'').  You cannot provide only Internet-based source request
 fulfillment for the latter programs.
 If you determine that all GPL'd works in your whole product allow upgrade
 to GPLv3 (or were already GPLv3'd to start), your offer for source may be
 as simple as this:
 \begin{quote}
 The software included in this product contains copyrighted software that
 is licensed under the GPLv3\@.  A copy of that license is included in this
 document on page $X$\@.  You may obtain the complete Corresponding Source
 code from us for a period of three years after our last shipment of this
 product and/or spare parts therefor, which will be no earlier than
 -08-01, on our website at
 \verb0http://www.example.com/sources/productnum/0.
 \end{quote}
 \medskip
 Under both GPLv2 and GPLv3, source offers must be accompanied by a copy of
 the license itself, either electronically or in print, with every
 distribution.
 Finally, it is unacceptable to use option (b) merely because you do not have
-Corresponding Source ready.  We find that some companies chose this option
+Corresponding Source ready.  We find that some companies choose this option
 because writing an offer is easy, but producing a source distribution as
 an afterthought to a hasty development process is difficult.  The offer
 for source does not exist as a stop-gap solution for companies rushing to
 market with an out-of-compliance product.  If you ship an offer for source
 with your product but cannot actually deliver \emph{immediately} on that
-offer when your customers receive it, you should expect an enforcement
+offer when your customers request it, you should expect an enforcement
 action.
 \subsection{Option (c): Noncommercial Offers}
 As discussed in the last section, GPLv2~\S~3(c) and GPLv3~\S~6(c) apply
 only to noncommercial use.  These options are not available to businesses
-distributing GPL'd software.  Consequently, companies who redistribute
+distributing GPL'd software.  Consequently, companies that redistribute
 software packaged for them by an upstream vendor cannot merely pass along
 the offer they received from the vendor; they must provide their own offer
 or corresponding source to their distributees.  We talk in detail about
 upstream software providers in \S~\ref{upstream}.
 \subsection{Option 6(d) in GPLv3: Internet Distribution}
 Under GPLv2, your formal provisioning options for Corresponding Source
 ended with \S~3(c).  But even under GPLv2, pure Internet source
 distribution was a common practice and generally considered to be
 compliant.  GPLv2 mentions Internet-only distribution almost as aside in
 the language, in text at the end of the section after the three
 provisioning options are listed.  To quote that part of GPLv2~\S~3:
 \begin{quote}
 If distribution of executable or object code is made by offering access to
 copy from a designated place, then offering equivalent access to copy the
 source code from the same place counts as distribution of the source code,
 even though third parties are not compelled to copy the source along with
 the object code.
 \end{quote}
 When that was written in 1991, Internet distribution of software was the
 exception, not the rule.  Some FTP sites existed, but generally software
 was sent on magnetic tape or CDs.  GPLv2 therefore mostly assumed that
 binary distribution happened on some physical media.  By contrast,
 GPLv3~\S~6(d) explicitly gives an option for this practice that the
 community has historically considered GPLv2-compliant.
 Thus, you may fulfill your source-provision obligations by providing the
 source code in the same way and from the same location.  When exercising
 this option, you are not obligated to ensure that users download the
 source when they download the binary, and you may use separate servers as
 needed to fulfill the requests as long as you make the source as
 accessible as the binary.  However, you must ensure that users can easily
 find the source code at the time they download the binary. GPLv3~\S~6(d)
 thus clarifies a point that has caused confusion about source provision in
 v2.  Indeed, many such important clarifications are included in v3 which
 together provide a compelling reason for authors and redistributors alike
 to adopt GPLv3.
 \subsection{Option 6(e) in GPLv3: Software Torrents}
 Peer-to-peer file sharing arose well after GPLv2 was written, and does not
 easily fit any of the v2 source provision options.  GPLv3~\S~6(e)
 addresses this issue, explicitly allowing for distribution of source and
 binary together on a peer-to-peer file sharing network.  If you distribute
 solely via peer-to-peer networks, you can exercise this option.  However,
 peer-to-peer source distribution \emph{cannot} fulfill your source
 provision obligations for non-peer-to-peer binary distributions.  Finally,
 you should ensure that binaries and source are equally seeded upon initial
 peer-to-peer distribution.
 \section{Preparing Corresponding Source}
 \label{corresponding-source}
 Most enforcement cases involve companies that have unfortunately not
 implemented procedures like our \S~\ref{best-practices} recommendations
 and have no source distribution arranged at all.  These companies must
 work backwards from a binary distribution to come into compliance.  Our
 recommendations in \S~\ref{best-practices} are designed to make it easy to
 construct a complete and Corresponding Source release from the outset.  If
 you have followed those principles in your development, you can meet the
 following requirements with ease.  If you have not, you may have
 substantial reconstruction work to do.
 \subsection{Assemble the Sources}
 For every binary that you produce, you should collect and maintain a copy
 of the sources from which it was built.  A large system, such as an
 embedded firmware, will probably contain many GPL'd and LGPL'd components
 for which you will have to provide source.  The binary distribution may
 also contain proprietary components which are separate and independent
 works that are covered by neither the GPL nor LGPL\@.
 The best way to separate out your sources is to have a subdirectory for
 each component in your system.  You can then easily mark some of them as
 required for your Corresponding Source releases.  Collecting
 subdirectories of GPL'd and LGPL'd components is the first step toward
 preparing your release.
 \subsection{Building the Sources}
 Few distributors, particularly of embedded systems, take care to read the
 actual definition of Corresponding Source in the GPL\@.  Consider
 carefully the definition, from GPLv3:
 \begin{quote}
   The ``Corresponding Source'' for a work in object code form means all
   the source code needed to generate, install, and (for an executable
   work) run the object code and to modify the work, including scripts to
   control those activities.
 \end{quote}
 and the definition from GPLv2:
 \begin{quote}
 The source code for a work means the preferred form of the work for making
 modifications to it.  For an executable work, complete source code means
@@ ... @@
 clear path from your sources to binaries similar to the ones you ship.  If
 you ship a firmware (kernel plus filesystem), and the filesystem contains
 binaries of GPL'd programs, then you should provide whatever is necessary
 to enable a reasonably skilled user to build any given GPL'd source
 program (and modified versions thereof), and replace the given binary in
 your filesystem.  If the kernel is Linux, then the users must have the
 instructions to do the same with the kernel.  The best way to achieve this
 is to make available to your users whatever scripts or process your
 engineers would use to do the same.
 These are the general details for how installation instructions work.
 Details about what differs when the work is licensed under LGPL is
 discussed in \S~\ref{lgpl}, and specific details that are unique to
 GPLv3's installation instructions are in \S~\ref{user-products}.
 \subsection{What About the Compiler?}
 The GPL contains no provision that requires distribution of the compiler
 used to build the software.  While companies are encouraged to make it as
 easy as possible for their users to build the sources, inclusion of the
 compiler itself is not normally considered mandatory.  The Corresponding
 Source definition -- both in GPLv2 and GPLv3 -- has not been typically
 read to include the compiler itself, but rather things like makefiles,
 build scripts, and packaging scripts.
 Nonetheless, in the interest of goodwill and the spirit of the GPL, most
 companies do provide the compiler itself when they are able, particularly
 when the compiler is based on GCC\@ or another copylefted compiler.  If you have
 a GCC-based system, it is your prerogative to redistribute that GCC
 version (binaries plus sources) to your customers.  We in the software freedom
 community encourage you to do this, since it often makes it easier for
 users to exercise their software freedom.  However, if you chose to take
 this recommendation, ensure that your GCC distribution is itself
 compliant.
 If you have used a proprietary, third-party compiler to build the
 software, then you probably cannot ship it to your customers.  We consider
 the name of the compiler, its exact version number, and where it can be
 acquired as information that \emph{must} be provided as part of the
 Corresponding Source.  This information is essential to anyone who wishes
 to produce a binary.  It is not the intent of the GPL to require you to
 distribute third-party software tools to your customer (provided the tools
 themselves are not based on the GPL'd software shipped), but we do believe
 it requires that you give the user all the essential non-proprietary facts
 that you had at your disposal to build the software.  Therefore, if you
 choose not to distribute the compiler, you should include a {\sc readme}
 about where you got it, what version it was, and who to contact to acquire
 it, regardless of whether your compiler is Free Software, proprietary, or
 internally developed.
 \section{Best Practices and Corresponding Source}
 \S~\ref{best-practices} and \S~\ref{corresponding-source} above are
 closely related.  If you follow the best practices outlined above, you
 will find that preparing your Corresponding Source release is an easier
 task, perhaps even a trivial one.
 Indeed, the enforcement process itself has historically been useful to
 software development teams.  Development on a deadline can lead
 organizations to cut corners in a way that negatively impacts its
 development processes.  We have frequently been told by violators that
 they experience difficulty when determining the exact source for a binary
 in production (in some cases because their ``build guru'' quit during the
 release cycle).  When management rushes a development team to ship a
 release, they are less likely to keep release sources tagged and build
 systems well documented.
 We suggest that, if contacted about a violation, product builders use GPL
 enforcement as an opportunity to improve their development practices.  No
 developer would argue that their system is better for having a mysterious
 build system and no source tracking.  Address these issues by installing a
 revision system, telling your developers to use it, and requiring your
 build guru to document his or her work!
 \chapter{When The Letter Comes}
 Unfortunately, many GPL violators ignore their obligations until they are
 contacted by a copyright holder or the lawyer of a copyright holder.  You
 should certainly contact your own lawyer if you have received a letter
 alleging that you have infringed copyrights that were licensed to you
 under the GPL\@.  This section outlines a typical enforcement case and
 provides some guidelines for response.  These discussions are
 generalizations and do not all apply to every alleged violation.
 \section{Understanding Who's Enforcing}
 \label{compliance-understanding-whos-enforcing}
 % FIXME-LATER: this text needs work.
 Both  FSF and Conservancy has, as part their mission,  to spread software
 freedom. When FSF or Conservancy
 enforces GPL, the goal is to bring the violator back into compliance as
 quickly as possible, and redress the damage caused by the violation.
 That is FSF's steadfast position in a violation negotiation --- comply
 with the license and respect freedom.
 However, other entities who do not share the full ethos of software freedom
 as institutionalized by FSF pursue GPL violations differently.  Oracle, a
+as institutionalized by FSF and Conservancy pursue GPL violations differently.  Oracle, a
 company that produces the GPL'd MySQL database, upon discovering GPL
 violations typically negotiates a proprietary software license separately for
 a fee.  While this practice is not one that FSF nor Conservancy would ever
-consider undertaking or even endorsing, it is a legally way for copyright
+consider undertaking or even endorsing, it is a legal way for copyright
 holders to proceed.
 Generally, GPL enforcers come in two varieties.  First, there are
-Conservancy, FSF, and other ``community enforcers'', who primary seek the
+Conservancy, FSF, and other ``community enforcers'', who primarily seek the
 policy goals of GPL (software freedom), and see financial compensation as
 ultimately secondary to those goals.  Second, there are ``for-profit
-enforcers'' who use the GPL as a either a crippleware license, or sneakily
+enforcers'' who use the GPL either as a crippleware license, or sneakily
 induce infringement merely to gain proprietary licensing revenue.
-Note that the latter model \textit{only} works for companies who hold 100\% of
+Note that the latter model \textit{only} works for companies that hold 100\% of
 the copyrights in the infringed work.  As such, multi-copyright-held works
 are fully insulated from these tactics.
 \section{Communication Is Key}
 GPL violations are typically only escalated when a company ignores the
 copyright holder's initial communication or fails to work toward timely
 compliance.  Accused violators should respond very promptly to the
 initial request.  As the process continues, violators should follow up weekly with the
 copyright holders to make sure everyone agrees on targets and deadlines
 for resolving the situation.
 Ensure that any staff who might receive communications regarding alleged
 GPL violations understands how to channel the communication appropriately
 within your organization.  Often, initial contact is addressed for general
 correspondence (e.g., by mail to corporate headquarters or by e-mail to
 general informational or support-related addresses).  Train the staff that
 processes such communications to escalate them to someone with authority
 to take action.  An unknowledgable response to such an inquiry (e.g., from
 a first-level technical support person) can cause negotiations to fail
 prematurely.
 Answer promptly by multiple means (paper letter, telephone call, and
 email), even if your response merely notifies the sender that you are
 investigating the situation and will respond by a certain date.  Do not
 let the conversation lapse until the situation is fully resolved.
 Proactively follow up with synchronous communication means to be sure
 communications sent by non-reliable means (such as email) were received.
 Remember that the software freedom community generally values open communication and
 cooperation, and these values extend to GPL enforcement.  You will
 generally find that software freedom developers and their lawyers are willing to
 have a reasonable dialogue and will work with you to resolve a violation
 once you open the channels of communication in a friendly way.
 \section{Termination}
 Many redistributors overlook the GPL's termination provision (GPLv2~\S~4 and
 GPLv3~\S~8).  Under v2, violators forfeit their rights to redistribute and
 modify the GPL'd software until those rights are explicitly reinstated by
 the copyright holder.  In contrast, v3 allows violators to rapidly resolve
 some violations without consequence.
 If you have redistributed an application under GPLv2\footnote{This applies
   to all programs licensed to you under only GPLv2 (``GPLv2-only'').
   However, most so-called GPLv2 programs are actually distributed with
   permission to redistribute under GPLv2 \emph{or any later version of the
     GPL} (``GPLv2-or-later'').  In the latter cases, the redistributor can
   choose to redistribute under GPLv2, GPLv3, GPLv2-or-later or even
   GPLv3-or-later.  Where the redistributor has chosen v2 explicitly, the
   v2 termination provision will always apply.  If the redistributor has
   chosen v3, the v3 termination provision will always apply.  If the
   redistributor has chosen GPLv2-or-later, then the redistributor may want
   to narrow to GPLv3-only upon violation, to take advantage of the
   termination provisions in v3.}, but have violated the terms of GPLv2,
 you must request a reinstatement of rights from the copyright holders
 before making further distributions, or else cease distribution and
 modification of the software forever.  Different copyright holders
 condition reinstatement upon different requirements, and these
 requirements can be (and often are) wholly independent of the GPL\@.  The
 terms of your reinstatement will depend upon what you negotiate with the
 copyright holder of the GPL'd program.
 Since your rights under GPLv2 terminate automatically upon your initial
 violation, \emph{all your subsequent distributions} are violations and
 infringements of copyright.  Therefore, even if you resolve a violation on
 your own, you must still seek a reinstatement of rights from the copyright
 holders whose licenses you violated, lest you remain liable for
 infringement for even compliant distributions made subsequent to the
 initial violation.
 GPLv3 is more lenient.  If you have distributed only v3-licensed programs,
 you may be eligible under v3~\S~8 for automatic reinstatement of rights.
 You are eligible for automatic reinstatement when:
 \begin{itemize}
 \item you correct the violation and are not contacted by a copyright
   holder about the violation within sixty days after the correction, or
 \item you receive, from a copyright holder, your first-ever contact
   regarding a GPL violation, and you correct that violation within thirty
   days of receipt of copyright holder's notice.
 \end{itemize}
 In addition to these permanent reinstatements provided under v3, violators
 who voluntarily correct their violation also receive provisional
 permission to continue distributing until they receive contact from the
 copyright holder.  If sixty days pass without contact, that reinstatement
 becomes permanent.  Nonetheless, you should be prepared to cease
 distribution during those initial sixty days should you receive a
 termination notice from the copyright holder.
 Given that much discussion of v3 has focused on its so-called more
 complicated requirements, it should be noted that v3 is, in this regard,
 more favorable to violators than v2.
@@ ... @@
 set their own requirements outside the license before reinstatement of
 rights.  We have collected below a list of reinstatement demands that
 copyright holders often require.
 \begin{itemize}
 \item {\bf Compliance on all Free Software copyrights}.  Copyright holders of Free Software
   often want a company to demonstrate compliance for all GPL'd software in
   a distribution, not just their own.  A copyright holder may refuse to
   reinstate your right to distribute one program unless and until you
   comply with the licenses of all Free Software in your distribution.
 \item {\bf Notification to past recipients}.  Users to whom you previously
   distributed non-compliant software should receive a communication
   (email, letter, bill insert, etc.) indicating the violation, describing
   their rights under the GPL, and informing them how to obtain a gratis source
   distribution.  If a customer list does not exist (such as in reseller
   situations), an alternative form of notice may be required (such as a
   magazine advertisement).
 \item {\bf Appointment of a GPL Compliance Officer.}  The software freedom community
   values personal accountability when things go wrong.  Copyright holders
   often require that you name someone within the violating company
   officially responsible for Free Software license compliance, and that this
   individual serve as the key public contact for the community when
   compliance concerns arise.
 \item {\bf Periodic Compliance Reports.}  Many copyright holders wish to
   monitor future compliance for some period of time after the violation.
   For some period, your company may be required to send regular reports on
   how many distributions of binary and source have occurred.
 \end{itemize}
 These are just a few possible requirements for reinstatement.  In the
 context of a GPL violation, and particularly under v2's termination
 provision, the copyright holder may have a range of requests in exchange
 for reinstatement of rights.  These software developers are talented
 professionals from whose work your company has benefited.  Indeed, you are
 unlikely to find a better value or more generous license terms for similar
 software elsewhere.  Treat the copyright holders with the same respect you
 treat your corporate partners and collaborators.
 \chapter{Special Topics in Compliance}
 There are several other issues that are less common, but also relevant in
 a GPL compliance situation.  To those who face them, they tend to be of
 particular interest.
 \section{LGPL Compliance}
 \label{lgpl}
 GPL compliance and LGPL compliance mostly involve the same issues.  As we
 discussed in \S~\ref{derivative-works}, questions of modified versions of
 software are highly fact-dependant and cannot be easily addressed in any
 overview document.  The LGPL adds some additional complexity to the
 analysis.  Namely, the various LGPL versions permit proprietary licensing
 of certain types of modified versions.  These issues are well beyond the
 scope of this document, but as a rule of thumb, once you have determined
 (in accordance with LGPLv3) what part of the work is the ``Application''
 and what portions of the source are ``Minimal Corresponding Source'', then
 you can usually proceed to follow the GPL compliance rules that we
 discussed, replacing our discussion of ``Corresponding Source'' with
 ``Minimal Corresponding Source''.
 LGPL also requires that you provide a mechanism to combine the Application
 with a modified version of the library, and outlines some options for
 this.  Also, the license of the whole work must permit ``reverse
 engineering for debugging such modifications'' to the library.  Therefore,
 you should take care that the EULA used for the Application does not
 contradict this permission.
 \section{Upstream Providers}
 \label{upstream}
 With ever-increasing frequency, software development (particularly for
 embedded devices) is outsourced to third parties.  If you rely on an
 upstream provider for your software, note that you \emph{cannot ignore
   your GPL compliance requirements} simply because someone else packaged
 the software that you distribute.  If you redistribute GPL'd software
 (which you do, whenever you ship a device with your upstream's software in
 it), you are bound by the terms of the GPL\@.  No distribution (including
 redistribution) is permissible absent adherence to the license terms.
 Therefore, you should introduce a due diligence process into your software
 acquisition plans.  This is much like the software-oriented
 recommendations we make in \S~\ref{best-practices}.  Implementing
 practices to ensure that you are aware of what software is in your devices
 can only improve your general business processes.  You should ask a clear
 list of questions of all your upstream providers and make sure the answers
 are complete and accurate.  The following are examples of questions you
 should ask:
 \begin{itemize}
 \item What are all the licenses that cover the software in this device?
 \item From which upstream vendors, be they companies or individuals, did
-  \emph{you} receive your software from before distributing it to us?
   \emph{you} receive your software before distributing it to us?
 \item What are your GPL compliance procedures?
 \item If there is GPL'd software in your distribution, we will be
   redistributors of this GPL'd software.  What mechanisms do you have in
   place to aid us with compliance?
 \item If we follow your recommended compliance procedures, will you
   formally indemnify us in case we are nonetheless found to be in
   violation of the GPL?
 \end{itemize}
 This last point is particularly important.  Many GPL enforcements are
 escalated because of petty finger-pointing between the distributor and its
 upstream.  In our experience, agreements regarding GPL compliance issues
 and procedures are rarely negotiated up front.  However, when they are,
 violations are resolved much more smoothly (at least from the point of
 view of the redistributor).
 Consider the cost of potential violations in your acquisition process.
 Using Free Software allows software vendors to reduce costs significantly, but be
 wary of vendors who have done so without regard for the licenses.  If your
 vendor's costs seem ``too good to be true,'' you may ultimately bear the
 burden of the vendor's inattention to GPL compliance.  Ask the right
 questions, demand an account of your vendors' compliance procedures, and
 seek indemnity from them.
 \section{User Products and Installation Information}
 \label{user-products}
 GPLv3 requires you to provide ``Installation Information'' when v3
 software is distributed in a ``User Product.''  During the drafting of v3,
 the debate over this requirement was contentious.  However, the provision
 as it appears in the final license is reasonable and easy to understand.
 If you put GPLv3'd software into a User Product (as defined by the
 license) and \emph{you} have the ability to install modified versions onto
 that device, you must provide information that makes it possible for the
 user to install functioning, modified versions of the software.  Note that
 if no one, including you, can install a modified version, this provision
 does not apply.  For example, if the software is burned onto an
 non-field-upgradable ROM chip, and the only way that chip can be upgraded
 is by producing a new one via a hardware factory process, then it is
 acceptable that the users cannot electronically upgrade the software
 themselves.
 Furthermore, you are permitted to refuse support service, warranties, and
 software updates to a user who has installed a modified version.  You may
 even forbid network access to devices that behave out of specification due
 to such modifications.  Indeed, this permission fits clearly with usual
 industry practice.  While it is impossible to provide a device that is
 completely unmodifiable\footnote{Consider that the iPhone, a device
   designed primarily to restrict users' freedom to modify it, was unlocked
   and modified within 48 hours of its release.}, users are generally on
 notice that they risk voiding their warranties and losing their update and
 support services when they make modifications.\footnote{A popular t-shirt
   in the software freedom community reads: ``I void warranties.''.  Our community is
   well-known for modifying products with full knowledge of the
   consequences.  GPLv3's ``Installation Instructions'' section merely
   confirms that reality, and makes sure GPL rights can be fully exercised,
   even if users exercise those rights at their own peril.}
 GPLv3 is in many ways better for distributors who seek some degree of
 device lock-down.  Technical processes are always found for subverting any
 lock-down; pursuing it is a losing battle regardless.  With GPLv3, unlike
 with GPLv2, the license gives you clear provisions that you can rely on
 when you are forced to cut off support, service or warranty for a customer
 who has chosen to modify.
 \chapter{Conclusion}
 GPL compliance need not be an onerous process.  Historically, struggles
 have been the result of poor development methodologies and communications,
 rather than any unexpected application of the GPL's source code disclosure
 requirements.
 Compliance is straightforward when the entirety of your enterprise is
 well-informed and well-coordinated.  The receptionists should know how to
 route a GPL source request or accusation of infringement.  The lawyers
 should know the basic provisions of Free Software licenses and your source
 disclosure requirements, and should explain those details to the software
 developers.  The software developers should use a version control system
 that allows them to associate versions of source with distributed
 binaries, have a well-documented build process that anyone skilled in the
 art can understand, and inform the lawyers when they bring in new
 software.  Managers should build systems and procedures that keep everyone
 on target.  With these practices in place, any organization can comply
 with the GPL without serious effort, and receive the substantial benefits
 of good citizenship in the software freedom community, and lots of great code
 ready-made for their products.
 \vfill
 % LocalWords:  redistributors NeXT's Slashdot Welte gpl ISC embedders BusyBox
 % LocalWords:  someone's downloadable subdirectory subdirectories filesystem
-% LocalWords:  roadmap README upstream's Ravicher's Fossology readme CDs iPhone
+% LocalWords:  roadmap README upstream's Ravicher's FOSSology readme CDs iPhone
 % LocalWords:  makefiles violator's

enforcement-case-studies.tex

➞

Show inline comments

@@ ... @@
 \vspace{1in}
 \begin{center}
 Authors of this part are: \\
 Bradley M. Kuhn \\
 John Sullivan
 \vspace{3in}
 The copyright holders hereby grant the freedom to copy, modify, convey,
 Adapt, and/or redistribute this work under the terms of the Creative Commons
 Attribution Share Alike 4.0 International License.  A copy of that license is
 available at \verb=https://creativecommons.org/licenses/by-sa/4.0/legalcode=.
 \end{center}
+}
 % =====================================================================
 % START OF SECOND DAY SEMINAR SECTION
 % =====================================================================
 \chapter*{Preface}
 This one-day course presents the details of five different GPL
 compliance cases handled by FSF's GPL Compliance Laboratory. Each case
 offers unique insights into problems that can arise when the terms of
 the GPL are not properly followed, and how diplomatic negotiation between
 the violator and the copyright holder can yield positive results for
 both parties.
 Attendees should have successfully completely the course, a ``Detailed
 Study and Analysis of the GPL and LGPL,'' as the material from that
 course forms the building blocks for this material.
 This course is of most interest to lawyers who have clients or
 employers that deal with Free Software on a regular basis. However,
 technical managers and executives whose businesses use or distribute
 Free Software will also find the course very helpful.
 \bigskip
 These course materials are merely a summary of the highlights of the
 course presented. Please be aware that during the actual GPL course, class
 discussion supplements this printed curriculum. Simply reading it is
 not equivalent to attending the course.
 %FIXME-LATER: write these
 %\chapter{Not All GPL Enforcement is Created Equal}
 %\section{For-Profit Enforcement}
 %\section{Community and Non-Profit Enforcement}
 \chapter{Overview of Community Enforcement}
 The GPL is a Free Software license with legal teeth. Unlike licenses like
 the X11-style or various BSD licenses, the GPL (and by extension, the LGPL) is
 designed to defend as well as grant freedom. We saw in the last course
 that the GPL uses copyright law as a mechanism to grant all the key freedoms
 essential in Free Software, but also to ensure that those freedoms
 propagate throughout the distribution chain of the software.
 \section{Termination Begins Enforcement}
 As we have learned, the assurance that Free Software under the GPL remains
 Free Software is accomplished through various terms of the GPL: \S 3 ensures
 that binaries are always accompanied with source; \S 2 ensures that the
 sources are adequate, complete and usable; \S 6 and \S 7 ensure that the
 license of the software is always the GPL for everyone, and that no other
 legal agreements or licenses trump the GPL. It is \S 4, however, that ensures
 that the GPL can be enforced.
 Thus, \S 4 is where we begin our discussion of GPL enforcement. This
 clause is where the legal teeth of the license are rooted. As a copyright
 license, the GPL governs only the activities governed by copyright law ---
 copying, modifying and redistributing computer software. Unlike most
 copyright licenses, the GPL gives wide grants of permission for engaging with
 these activities. Such permissions continue, and all parties may exercise
 them until such time as one party violates the terms of the GPL\@. At the
 moment of such a violation (i.e., the engaging of copying, modifying or
 redistributing in ways not permitted by the GPL) \S 4 is invoked. While other
 parties may continue to operate under the GPL, the violating party loses their
 rights.
 Specifically, \S 4 terminates the violators' rights to continue
 engaging in the permissions that are otherwise granted by the GPL\@.
 Effectively, their rights revert to the copyright defaults ---
 no permission is granted to copy, modify, nor redistribute the work.
 Meanwhile, \S 5 points out that if the violator has no rights under
 the GPL, they are prohibited by copyright law from engaging in the
 activities of copying, modifying and distributing. They have lost
 these rights because they have violated the GPL, and no other license
 gives them permission to engage in these activities governed by copyright law.
 \section{Ongoing Violations}
 In conjunction with \S 4's termination of violators' rights, there is
-one final industry fact added to the mix: rarely, does one engage in a
 one final industry fact added to the mix: rarely does one engage in a
 single, solitary act of copying, distributing or modifying software.
 Almost always, a violator will have legitimately acquired a copy of a
 GPL'd program, either making modifications or not, and then begun
 distributing that work. For example, the violator may have put the
 software in boxes and sold them at stores. Or perhaps the software
 was put up for download on the Internet. Regardless of the delivery
 mechanism, violators almost always are engaged in {\em ongoing\/}
 violation of the GPL\@.
 In fact, when we discover a GPL violation that occurred only once --- for
 example, a user group who distributed copies of a GNU/Linux system without
 source at one meeting --- we rarely pursue it with a high degree of
 tenacity. In our minds, such a violation is an educational problem, and
 unless the user group becomes a repeat offender (as it turns out, they
 never do), we simply forward along a FAQ entry that best explains how user
 groups can most easily comply with the GPL, and send them on their merry way.
 It is only the cases of {\em ongoing\/} GPL violation that warrant our
 active attention. We vehemently pursue those cases where dozens, hundreds
 or thousands of customers are receiving software that is out of
 compliance, and where the company continually offers for sale (or
 distributes gratis as a demo) software distributions that include GPL'd
 components out of compliance. Our goal is to maximize the impact of
 enforcement and educate industries who are making such a mistake on a
 large scale.
 In addition, such ongoing violation shows that a particular company is
 committed to a GPL'd product line. We are thrilled to learn that someone
 is benefiting from Free Software, and we understand that sometimes they
 become confused about the rules of the road. Rather than merely
 giving us a postmortem to perform on a past mistake, an ongoing violation
 gives us an active opportunity to educate a new contributor to the GPL'd
 commons about proper procedures to contribute to the community.
 Our central goal is not, in fact, to merely clear up a particular violation.
 In fact, over time, we hope that our compliance lab will be out of
 business. We seek to educate the businesses that engage in commerce
 related to GPL'd software to obey the rules of the road and allow them to
 operate freely under them. Just as a traffic officer would not revel in
 reminding people which side of the road to drive on, so we do not revel in
 violations. By contrast, we revel in the successes of educating an
 ongoing violator about the GPL so that GPL compliance becomes a second-nature
 matter, allowing that company to join the GPL ecosystem as a contributor.
 \section{How are Violations Discovered?}
 Our enforcement of the GPL is not a fund-raising effort; in fact, FSF's GPL
 Compliance Lab runs at a loss (in other words, it is subsided by our
 donors). Our violation reports come from volunteers, who have encountered,
 in their business or personal life, a device or software product that
 appears to contain GPL'd software. These reports are almost always sent
 via email to $<$license-violation@fsf.org$>$.
 Our first order of business, upon receiving such a report, is to seek
 independent confirmation. When possible, we get a copy of the software
 product. For example, if it is an offering that is downloadable from a
 Web site, we download it and investigate ourselves. When it is not
 possible for us to actually get a copy of the software, we ask the
 reporter to go through the same process we would use in examining the
 software.
 By rough estimation, about 95\% of violations at this stage can be
 confirmed by simple commands. Almost all violators have merely made an
 error and have no nefarious intentions. They have made no attempt to
 remove our copyright notices from the software. Thus, given the
 third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux
 system) such as the following will find a Free Software copyright notice
 and GPL reference:
 \begin{quotation}
 {\tt strings tpb | grep Copyright}
 \end{quotation}
 In other words, it is usually more than trivial to confirm that GPL'd
 software is included.
 Once we have confirmed that a violation has indeed occurred, we must then
 determine whose copyright has been violated. Contrary to popular belief,
 FSF does not have the power to enforce the GPL in all cases. Since the GPL
 operates under copyright law, the powers of enforcement --- to seek
 redress once \S 4 has been invoked --- lie with the copyright holder of
 the software. FSF is one of the largest copyright holders in the world of
 GPL'd software, but we are by no means the only one. Thus, we sometimes
 discover that while GPL'd code is present in the software, there is no
 software copyrighted by FSF present.
 In cases where FSF does not hold copyright interest in the software, but
 we have confirmed a violation, we contact the copyright holders of the
 software, and encourage them to enforce the GPL\@. We offer our good offices
 to help negotiate compliance on their behalf, and many times, we help as a
 third party to settle such GPL violations. However, what we will describe
 primarily in this course is FSF's first-hand experience enforcing its own
 copyrights and the GPL\@.
 \section{First Contact}
 The Free Software community is built on a structure of voluntary
 cooperation and mutual help. Our community has learned that cooperation
@@ ... / @@ -244,193 +244,193 @@ of consumer electronic devices. @@
 \section{Facts}
 One of Bortez's key products is a Software Development Kit (``SDK'')
 designed to assist developers building software for a specific class of
 consumer electronics devices.
 FSF received a report that the SDK may be based on the GNU Compiler
 Collection (which is an FSF-copyrighted collection of tools for software
 development in C, C++ and other popular languages). FSF investigated the
 claim, but was unable to confirm the violation. The violation reporter
 was unresponsive to follow-up requests for more information.
 Since FSF was unable to confirm the violation, we did not pursue it any
 further. Bogus reports do happen, and we do not want to burden companies
 with specious GPL violation complaints. FSF shelved the matter until
 more evidence was discovered.
 FSF was later able to confirm the violation when two additional reports
 surfaced from other violation reporters, both of whom had used the SDK
 professionally and noticed clear similarities to FSF's GNU GCC\@. FSF's
 Compliance Engineer asked the reporters to run standard tests to confirm
 the violation, and it was confirmed that Bortez's SDK was indeed a
 derivative work of GCC\@. Bortez had ported to Windows and added a number
 of features, including support for a specific consumer device chipset and
 additional features to aid in the linking process (``LP'') for those
 specific devices. FSF explained the rights that the GPL afforded these
 customers and pointed out, for example, that Bortez only needed to provide
 source to those in possession of the binaries, and that the users may need
 to request that source (if \S 3(b) was exercised). The violators
 confirmed that such requests were not answered.
 FSF brought the matter to the attention of Bortez, who immediately
 escalated the matter to their attorneys. After a long negotiation,
 Bortez acknowledged that their SDK was indeed a derivative work of
 GCC\@. Bortez released most of the source, but some disagreement
 occurred over whether LP was a derivative work of GCC\@. After repeated
 FSF inquiries, Bortez reaudited the source to discover that FSF's
 analysis was correct. Bortez determined that LP included a number of
 source files copied from the GCC code-base.
 \label{davrik-build-problems}
 Once the full software release was made available, FSF asked the violation
 reporters if it addressed the problem. Reports came back that the source
 did not properly build. FSF asked Bortez to provide better build
 instructions with the software, and such build instructions were
 incorporated into the next software release.
 At FSF's request as well, Bortez informed customers who had previously
 purchased the product that the source was now available by announcing
 the availability on its Web site and via a customer newsletter.
 Bortez did have some concerns regarding patents. They wished to include a
 statement with the software release that made sure they were not granting
 any patent permission other than what was absolutely required by the GPL\@.
 They understood that their patent assertions could not trump any rights
 granted by the GPL\@. The following language was negotiated into the release:
 \begin{quotation}
 Subject to the qualifications stated below, Bortez, on behalf of itself
 and its Subsidiaries, agrees not to assert the Claims against you for your
 making, use, offer for sale, sale, or importation of the Bortez's GNU
 Utilities or derivative works of the Bortez's GNU Utilities
 (``Derivatives''), but only to the extent that any such Derivatives are
 licensed by you under the terms of the GNU General Public License. The
 Claims are the claims of patents that Bortez or its Subsidiaries have
 standing to enforce that are directly infringed by the making, use, or
 sale of an Bortez Distributed GNU Utilities in the form it was distributed
 by Bortez and that do not include any limitation that reads on hardware;
 the Claims do not include any additional patent claims held by Bortez that
 cover any modifications of, derivative works based on or combinations with
 the Bortez's GNU Utilities, even if such a claim is disclosed in the same
 patent as a Claim. Subsidiaries are entities that are wholly owned by
 Bortez.
 This statement does not negate, limit or restrict any rights you already
 have under the GNU General Public License version 2.
 \end{quotation}
 This quelled Bortez's concerns about other patent licensing they sought to
 do outside of the GPL'd software, and satisfied FSF's concerns that Bortez
 give proper permissions to exercise teachings of patents that were
 exercised in their GPL'd software release.
 Finally, a GPL Compliance Officer inside Bortez was appointed to take
 responsibility for all matters of GPL compliance inside the company.
 Darvik is responsible for informing FSF if the position is given to
 someone else inside the company, and making sure that FSF has direct
 contact with Darvik's Compliance Officer.
 \section{Lessons}
 This case introduces a number of concepts regarding GPL enforcement.
 \begin{enumerate}
 \item {\bf Enforcement should not begin until the evidence is confirmed.}
-  Most companies who distribute GPL'd software do so in compliance, and at
+  Most companies that distribute GPL'd software do so in compliance, and at
   times, violation reports are mistaken. Even with extensive efforts in
   GPL education, many users do not fully understand their rights and the
   obligations that companies have. By working through the investigation
   with reporters, the violation can be properly confirmed, and {\bf the
     user of the software can be educated about what to expect with GPL'd
     software}. When users and customers of GPL'd products know their
   rights, what to expect, and how to properly exercise their rights
   (particularly under \S 3(b)), it reduces the chances for user
   frustration and inappropriate community outcry about an alleged GPL
   violation.
 \item {\bf GPL compliance requires friendly negotiation and cooperation.}
   Often, attorneys and managers are legitimately surprised to find out
   GPL'd software is included in their company's products. Engineers
   sometimes include GPL'd software without understanding the requirements.
   This does not excuse companies from their obligations under the license,
   but it does mean that care and patience are essential for reaching GPL
   compliance. We want companies to understand that participating and
   benefiting from a collaborative Free Software community is not a burden,
   so we strive to make the process of coming into compliance as smooth as
   possible.
 \item {\bf Confirming compliance is a community effort.}  The whole point
   of making sure that software distributors respect the terms of the GPL is to
   allow a thriving software sharing community to benefit and improve the
   work. FSF is not the expert on how a compiler for consumer electronic
   devices should work. We therefore inform the community who originally
   brought the violation to our attention and ask them to assist in
   evaluation and confirmation of the product's compliance. Of course, FSF
   coordinates and oversees the process, but we do not want compliance for
   compliance's sake; rather, we wish to foster a cooperating community of
   development around the Free Software in question, and encourage the
   once-violator to begin participating in that community.
 \item {\bf Informing the harmed community is part of compliance.} FSF asks
   violators to make some attempt --- such as via newsletters and the
   company's Web site --- to inform those who already have the products as
   to their rights under the GPL\@. One of the key thrusts of the GPL's \S 1 and
   \S 3 is to {\em make sure the user knows she has these rights\/}. If a
   product was received out of compliance by a customer, she may never
   actually discover that she has such rights. Informing customers, in a
   way that is not burdensome but has a high probability of successfully
   reaching those who would seek to exercise their freedoms, is essential
   to properly remedy the mistake.
 \item {\bf Lines between various copyright, patent, and other legal
   mechanisms must be precisely defined and considered.}  The most
   difficult negotiation point of the Bortez case was drafting language
   that simultaneously protected Bortez's patent rights outside of the
   GPL'd source, but was consistent with the implicit patent grant in
   the GPL\@. As we discussed in the first course of this series, there is
   indeed an implicit patent grant with the GPL, thanks to \S 6 and \S 7.
   However, many companies become nervous and wish to make the grant
   explicit to assure themselves that the grant is sufficiently narrow for
   their needs. We understand that there is no reasonable way to determine
   what patent claims read on a company's GPL holdings and which do not, so
   we do not object to general language that explicitly narrows the patent
   grant to only those patents that were, in fact, exercised by the GPL'd
   software as released by the company.
 \end{enumerate}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Bracken: a Minor Violation in a GNU/Linux Distribution}
 In this case study, we consider a minor violation made by a company whose
 knowledge of the Free Software community and its functions is deep.
 \section{The Facts}
 Bracken produces a GNU/Linux operating system product that is sold
 primarily to OEM vendors to be placed in appliance devices used for a
 single purpose, such as an Internet-browsing-only device. The product
 is almost 100\% Free Software, mostly licensed under the GPL and related
 Free Software licenses.
 FSF found out about this violation through a report first posted on a
   Slashdot\footnote{Slashdot is a popular news and discussion site for
   technical readers.} comment, and then it was brought to our attention again
   by another Free Software copyright holder who had discovered the
   same violation.
 Bracken's GNU/Linux product is delivered directly from their Web site.
 This allowed FSF engineers to directly download and confirm the
 violation quickly. Two primary problems were discovered with the
 online distribution:
 \begin{itemize}
 \item No source code nor offer for source code was provided for a number
   of components for the distributed GNU/Linux system; only binaries were
   available
 \item An End User License Agreement (``EULA'') was included that
   contradicted the permissions granted by the GPL\@
@@ ... / @@ -543,193 +543,193 @@ role in GPL compliance. @@
   that if there is a conflict between it and the GPL, with regard to GPL'd
   code, the GPL is the overriding license.
 \item {\bf Compliance Officers are rarely necessary when companies are
   educated about GPL compliance.}  As we saw in the Bortez case, FSF asks
   that a formal ``GPL Compliance Officer'' be appointed inside a
   previously violating organization to shepherd the organization to a
   cooperative approach to GPL compliance. However, when FSF
   sees that an organization already has such an approach, there is no
   need to request that such an officer be appointed.
 \end{enumerate}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Vigorien: Security, Export Controls, and GPL Compliance}
 This case study introduces how concerns of ``security through obscurity''
 and regulatory problems can impact GPL compliance matters.
 \section{The Facts}
 Vigorien distributes a back-up solution product that allows system
 administrators to create encrypted backups of file-systems on
 Unix-like computers. The product is based on GNU tar, a backup utility
 that replaces the standard Unix utility simply called tar, but has
 additional features.
 Vigorien's backup solution added cryptographic features to GNU tar, and
 included a suite of utilities and graphical user interfaces surrounding
 GNU tar to make backups convenient.
 FSF discovered the violation from a user report, and determined that the
 cryptographic features were the only part of the product that constituted
 a derivative work of GNU tar; the extraneous utilities merely made
 shell calls out to GNU tar. FSF requested that Vigorien come into
 compliance with the GPL by releasing the source of GNU tar, with the
 cryptographic modifications, to its customers.
 Vigorien released the original GNU tar sources, but kept the cryptographic
 modifications proprietary. They argued that the security of their system
 depending on keeping the software proprietary and that regardless, USA
 export restrictions on cryptographic software prohibited such a release.
 FSF disputed the first claim, pointing out that Vigorien had only one
 option if they did not want to release the source: they would have to
 remove GNU tar from the software and not distribute it further. Vigorien
 rejected this suggestion, since GNU tar was an integral part of the
 product, and the security changes were useless without GNU tar.
 Regarding the export control claims, FSF proposed a number of options,
 including release of the source from one of Vigorien's divisions overseas
 where no such restrictions occurred, but Vigorien argued that the problem
 was insoluble because they operated primarily in the USA\@.
 The deadlock on the second issue was resolved when those cryptographic
 export restrictions were lifted shortly thereafter, and FSF again raised
 the matter with Vigorien. At that point, they dropped the first claim and
 agreed to release the remaining source module to their customers. They
 did so, and the violation was resolved.
 \section{Lessons Learned}
 \begin{enumerate}
 \item {\bf Removing the GPL'd portion of the product is always an
   option.}  Many violators' first response is to simply refuse to
   release the source code as the GPL requires. FSF offers the option to
   simply remove the GPL'd portions from the product and continue along
   without them. Every case where this has been suggested has led to
   the same conclusion. Like Vigorien, the violator argues that the
   product cannot function without the GPL'd components, and they
   cannot effectively replace them.
   Such an outcome is simply further evidence that the combined work in
   question is indeed a derivative work of the original GPL'd component.
   If the other components cannot stand on their own and be useful without
   the GPL'd portions, then one cannot effectively argue that the work as a
   whole is not a derivative of the GPL'd portions.
 \item {\bf The whole product is not always covered.}  In this case,
   Vigorien had additional works aggregated. The backup system was a suite
   of utilities, some of which were the GPL and some of which were not. While
   the cryptographic routines were tightly coupled with GNU tar and clearly
   derivative works, the various GUI utilities were separate and
   independent works merely aggregated with the distribution of the
   GNU-tar-based product.
 \item {\bf ``Security'' concerns do not exonerate a distributor from GPL
   obligations, and ``security through obscurity'' does not work anyway.}
   The argument that ``this is security software, so it cannot be released
   in source form'' is not a valid defense for explaining why the terms of
   the GPL are ignored. If companies do not want to release source code
   for some reason, then they should not base the work on GPL'd software.
   No external argument for noncompliance can hold weight if the work as
   whole is indeed a derivative work of a GPL'd program.
+  a whole is indeed a derivative work of a GPL'd program.
   The ``security concerns'' argument is often floated as a reason to keep
   software proprietary, but the computer security community has on
   numerous occasions confirmed that such arguments are entirely specious.
   Security experts have found --- since the beginnings of the field of
   cryptography in the ancient world --- that sharing results about systems
   and having such systems withstand peer review and scrutiny builds the
   most secure systems. While full disclosure may help some who wish to
   compromise security, it helps those who want to fix problems even more
   by identifying them early.
 \item {\bf External regulatory problems can be difficult to resolve.}
   The GPL, though grounded in copyright law, does not have the power to trump
   regulations like export controls. While Vigorien's ``security
   concerns'' were specious, their export control concerns were not. It is
   indeed a difficult problem that FSF acknowledges. We want compliance
   with the GPL and respect for users' freedoms, but we certainly do not expect
   companies to commit criminal offenses for the sake of compliance. We
   will see more about this issue in our next case study.
 \end{enumerate}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices}
 This case study considers an ongoing (at the time of writing) violation
 that has occurred. By the end of the investigation period, three
 companies were involved and many complex issues arose.
 \section{The Facts}
 Haxil produced a consumer electronics device which included a mini
 GNU/Linux distribution to control the device. The device was of interest
 to many technically-minded consumers, who purchased the device and very
 quickly discovered that Free Software was included without source.
 Mailing lists throughout the Free Software community erupted with
 complaints about the problem, and FSF quickly investigated.
 FSF confirmed that FSF-copyrighted GPL'd software was included. In
 addition, the whole distribution included GPL'd works from hundreds of
 individual copyright holders, many of whom were, at this point, up in
 arms about the violation.
 Meanwhile, Haxil was in the midst of being acquired by Polgara. Polgara
 was as surprised as everyone else to discover the product was based on
 GPL'd software; this fact had not been part of the disclosures made during
 acquisition. FSF contacted Haxil, Polgara, and the product managers
 who had transitioned into the ``Haxil division'' of the newly-merged
 Polgara company. Polgara's General Counsel's office worked with FSF on
 the matter.
 FSF formed a coalition with the other primary copyright holders
 to pursue the enforcement effort on their behalf. FSF communicated
 directly with Polgara's representatives to begin working through the
 issues on behalf of itself and the Free Software community at large.
 Polgara pointed out that the software distribution they used was mostly
 contributed by an upstream provider, Thesulac, and Haxil's changes to that
 code base were minimal. Polgara negotiated with Thesulac to obtain the
 source, although the issue moved very slowly in the channels between
 Polgara and Thesulac.
 FSF encouraged a round-table meeting so that high bandwidth communication
 could occur between FSF, Polgara and Thesulac. Polgara and Thesulac
 agreed, and that discussion began. Thesulac provided nearly complete
 sources to Polgara, and Polgara made a full software release on their
 Web site. At the time of writing, that software still has some build
 problems (similar to those that occurred with Bortez, as described in
 Section~\ref{davrik-build-problems}). FSF continues to negotiate with
 Polgara and Thesulac to resolve these problems, which have a clear path to
 a solution and are expected to resolve.
 Similar to the Vigorien case, Thesulac has regulatory concerns. In this
 case, it is not export controls --- an issue that has since been resolved
 --- but radio spectrum regulation. Since this consumer electronic device
 contains a software-programmable radio transmitter, regulations in (at
 least) the USA and Japan prohibit release of those portions of the code
 that operate the device. Since this is a low-level programming issue, the
 changes to operate the device are a derivative work of the kernel named
 Linux. This situation remains unresolved at the time of writing, although
 FSF continues to negotiation with Thesulac and the Linux community
 regarding the problem.
 \section{Lessons Learned}
 \begin{enumerate}
 \item {\bf Community outrage, while justified, can often make negotiation
   more difficult.}  FSF has a strong policy never to publicize names of
   GPL violators if they are negotiating in a friendly way and operating in
   good faith toward compliance. Most violations are honest mistakes, and
   FSF sees no reason to publicly admonish violators who genuinely want to
   come into compliance with the GPL and to work hard staying in compliance.
   This case was so public in the Free Software community that both Haxil's
   and Polgara's representatives were nearly shell-shocked by the time FSF

0 comments (0 inline, 0 general)