GPLv3~\S6 clarifies and revises GPLv2~\S3.  It requires distributors of GPL'd

object code to provide access to the corresponding source code, in one of

four specified ways.  As noted in \S~\ref{GPLv3s0}, ``object code'' in GPLv3

is defined broadly to mean any non-source version of a work.

% FIXME:  probably mostly still right, needs some updates, though.

GPLv3~\S6(a--b) now apply specifically to distribution of object code in a

physical product.  Physical products include embedded systems, as well as

physical software distribution media such as CDs.  As in GPLv2~\S3 (discussed

in \S~\ref{GPLv2s3} of this tutorial), the distribution of object code may

either be accompanied by the machine-readable source code, or it may be

accompanied by a valid written offer to provide the machine-readable source

code.  However, unlike in GPLv2, that offer cannot be exercised by any third

party; rather, only those ``who possesses the object code'' it can exercised

the offer.  (Note that this is a substantial narrowing of requirements of

offer fulfillment, and is a wonderful counterexample to dispute claims that

the GPLv3 has more requirements than GPLv2.)

% FIXME:  probably mostly still right, needs some updates, though.

GPLv3~\S6(b) further revises the requirements for the written offer to

provide source code. As before, the offer must remain valid for at least

three years. In addition, even after three years, a distributor of a product

containing GPL'd object code must offer to provide source code for as long as

the distributor also continues to offer spare parts or customer support for

the product model.  This is a reasonable and appropriate requirement; a

distributor should be prepared to provide source code if he or she is

prepared to provide support for other aspects of a physical product.

GPLv3~\S6(a--b) clarifies that the medium for software interchange on which

the machine-readable source code is provided must be a durable physical

medium.  GPLv3~\S6(b)(2), however, permits a distributor to instead offer to

provide source code from a network server instead, which is yet another

example GPLv3 looser in its requirements than GPLv2 (see

\S~\ref{GPLv2s3-medium-customarily} for details).

% FIXME-LATER: more information about source provision, cost of physically

% performing, reasonable fees, medium customary clearly being said durable

% connecting back to previous text

GPLv3\S6(c) gives narrower permission than GPLv2\S3(c).  The ``pass along''

option for GPLv3\S6(c)(1) offers is now available only for individual

distribution of object code; moreover, such individual distribution can occur

only ``occasionally and noncommercially.''  A distributor cannot comply with

the GPL merely by making object code available on a publicly-accessible

network server accompanied by a copy of the written offer to provide source

code received from an upstream distributor.

%FIXME-LATER: tie back to the discussion of the occasional offer pass along

%             stuff in GPLv2 this tutorial.

GPLv3~\S6(d) revises and improves GPLv2~\S3's final paragraph.  When object

code is provided by offering access to copy the code from a designated place

(such as by enabling electronic access to a network server), the distributor

must merely offer equivalent access to copy the source code ``in the same way

through the same place''.  This wording also permits a distributor to offer a

third party access to both object code and source code on a single network

portal or web page, even though the access may include links to different

physical servers.  For example, a downstream distributor may provide a link

to an upstream distributor's server and arrange with the operator of that

server to keep the source code available for copying for as long as the

downstream distributor enables access to the object code.  This codifies

formally typical historical interpretation of GPLv2.

% FIXME-LATER: perhaps in enforcement section, but maybe here, note about

% ``slow down'' on source downloads being a compliance problem. 

Furthermore, under GPLv3~\S6(d), distributors may charge for the conveyed

object code; however, those who pay to obtain the object code must be given

equivalent and gratis access to obtain the CCS.  (If distributors convey the

object code gratis, distributors must likewise make CCS available without

charge.)  Those who do not obtain the object code from that distributors

(perhaps because they choose not to pay the fee for object code) are outside

the scope of the provision; distributors are under no specific obligation to

give CCS to someone who has not purchased an object code download under

GPLv3~\S6(d).  (Note: this does not change nor impact any obligations under

GPLv3~\S6(b)(2); GPLv3~\S6(d) is a wholly different provision.)

\subsection{GPLv3~\S6(e): Peer-to-Peer Sharing Networks}

Certain decentralized forms of peer-to-peer file sharing present a challenge

to the unidirectional view of distribution that is implicit in GPLv2 and

Draft 1 of GPLv3.  Identification of an upstream/downstream link in

BitTorrent distribution is neither straightforward nor reasonable; such

distribution is multidirectional, cooperative and anonymous.  In peer-to-peer

distribution systems, participants act both as transmitters and recipients of

blocks of a particular file, but they perceive the experience merely as users

and receivers, and not as distributors in any conventional sense.  At any

given moment of time, most peers will not have the complete file.

Meanwhile, GPLv3~\S6(d) permits distribution of a work in object code form

over a network, provided that the distributor offers equivalent access to

copy the Corresponding Source Code ``in the same way through the same

place''.  This wording might be interpreted to permit peer-to-peer

distribution of binaries \textit{if} they are packaged together with the CCS,

but such packaging impractical, for at least three reasons.  First, even if

the CCS is packaged with the object code, it will only be available to a

non-seeding peer at the end of the distribution process, but the peer will

already have been providing parts of the binary to others in the network.

Second, in practice, peer-to-peer forms of transmission are poorly suited

means for distributing CCS.  In large distributions, packaging CCS with the

object code may result in a substantial increase in file size and

transmission time.  Third, in current practice, CCS packages themselves tend

\textit{not} to be transmitted through BitTorrent --- owing to reduced demand

-- thus, there generally will be too few participants downloading the same

source package at the same time to enable effective seeding and distribution.

GPLv3~\S6(e) addresses this issues.  If a licensee conveys such a work of

object code using peer-to-peer transmission, that licensee is in compliance

with GPLv3~\S6 if the licensee informs other peers where the object code and

its CCS are publicly available at no charge under subsection GPLv3~\S6(d).

The CCS therefore need not be provided through the peer-to-peer system that

was used for providing the binary.

Second, GPLv3\S9 also clarifies that ancillary propagation of a covered work

that occurs as part of the process of peer-to-peer file transmission does not

require acceptance, just as mere receipt and execution of the Program does

not require acceptance.  Such ancillary propagation is permitted without

limitation or further obligation.

% FIXME-LATER: Would be nice to explain much more about interactions between

% the various options of GPLv3~\S6(a-e), which might all be in play at once!

\subsection{User Products, Installation Information and Device Lock-Down}

As discussed in \S~\ref{GPLv3-drm} of this tutorial, GPLv3 seeks thwart

technical measures such as signature checks in hardware to prevent

modification of GPLed software on a device.

To address this issue, GPLv3~\S6 requires that parties distributing object

code provide recipients with the source code through certain means.  When

those distributors pass on the CCS, they are also required to pass on any

information or data necessary to install modified software on the particular

device that included it.  (This strategy is not unlike that used in LGPLv2.1

to enable users to link proprietary programs to modified libraries.)

% FIXME-LATER: LGPLv2.1 section should talk about this explicitly and this

%              should be a forward reference here

\label{user-product}

The scope of these requirements are narrow.  GPLv3~\S6 introduces the concept

of a ``User Product'', which includes devices that are sold for personal,

family, or household use.  Distributors are only required to provide

Installation Information when they convey object code in a User Product.

In brief, the right to convey object code in a defined class of ``User

Products,'' under certain circumstances, on providing whatever information is

required to enable a recipient to replace the object code with a functioning

modified version.

This was a compromise that was difficult for the FSF to agree to during the

GPLv3 drafting process.  However, companies and governments that use

specialized or enterprise-level computer facilities reported that they

actually \textit{want} their systems not to be under their own control.

Rather than agreeing to this as a concession, or bowing to pressure, they ask

for this as a \texit{preference}.  It is not clear that GPL should interfere

here, since the main problem lies elsewhere.

While imposing technical barriers to modification is wrong regardless of

circumstances, the areas where restricted devices are of the greatest

practical concern today fall within the User Product definition.  Most, if

not all, technically-restricted devices running GPL-covered programs are

consumer electronics devices.  Moreover, the disparity in clout between the

manufacturers and these users makes it difficult for the users to reject

technical restrictions through their weak and unorganized market power.  Even

limited to User Products, this provision addresses the fundamental problem.

% FIXME-LATER: link \href to USC 2301

The core of the User Product definition is a subdefinition of ``consumer

product'' taken verbatim from the Magnuson-Moss Warranty Act, a federal

consumer protection law in the USA found in 15~USC~\S2301: ``any tangible

personal property which is normally used for personal, family, or household

purposes.''  The United States has had three decades of experience of liberal

judicial and administrative interpretation of this definition in a manner

favorable to consumer rights.\footnote{The Magnuson-Moss consumer product

  definition itself has been influential in the USA and Canada, having been

  adopted in several state and provincial consumer protection laws.}

Ideally, this body of interpretation\footnote{The FSF, however, was very

  clear that incorporation of such legal interpretation was in no way

  intended work as a general choice of USA law for GPLv3.} will guide

interpretation of the consumer product subdefinition in GPLv3~\S6, and this

will hopefully provide a degree of legal certainty advantageous to device

manufacturers and downstream licensees alike.

One well-established interpretive principle under Magnuson-Moss is that

ambiguities are resolved in favor of coverage.  That is, in cases where

it is not clear whether a product falls under the definition of consumer

product, the product will be treated as a consumer product.\footnote{16

``normally used'' is understood to refer to the typical use of that type

of product, rather than a particular use by a particular buyer.

Products that are commonly used for personal as well as commercial

purposes are consumer products, even if the person invoking rights is a

commercial entity intending to use the product for commercial

interpreting Magnuson-Moss are in accord; see, e.g., \textit{Stroebner

Motors, Inc.~v.~Automobili Lamborghini S.p.A.}, 459 F.~Supp.2d 1028,

1033 (D.~Hawaii 2006).}  Even a small amount of ``normal'' personal use

is enough to cause an entire product line to be treated as a consumer

Industries, Inc.}, 213 U.S.P.Q.~702 (S.D.~Tex.~1981). In this case, the

court concluded that TRS-80 microcomputers were consumer products, where

such computers were designed and advertised for a variety of users,

including small businesses and schools, and had only recently been

We do not rely solely on the definition of consumer product, however,

because in the area of components of dwellings we consider the settled

interpretation under Magnuson-Moss underinclusive.  Depending on how

such components are manufactured or sold, they may or may not be

considered Magnuson-Moss consumer products.\footnote{Building materials

that are purchased directly by a consumer from a retailer, for improving

or modifying an existing dwelling, are consumer products under

Magnuson-Moss, but building materials that are integral component parts

of the structure of a dwelling at the time that the consumer buys the

dwelling are not consumer products. 16 C.F.R.~\S\S~700.1(c)--(f);

Federal Trade Commission, Final Action Concerning Review of

Interpretations of Magnuson-Moss Warranty Act, 64 Fed.~Reg.~19,700

(April 22, 1999); see also, e.g., \textit{McFadden}, 54

U.C.C.~Rep.~Serv.2d at 934.}  Therefore, we define User Products as a

superset of consumer products that also includes ``anything designed or

sold for incorporation into a dwelling.''

Although the User Products rule of Draft 3 reflects a special concern

for individual purchasers of devices, we wrote the rule to cover a

category of products, rather than categorizing users.  Discrimination

against organizational users has no place in a free software license.

Moreover, a rule that applied to individual use, rather than to use of

products normally used by individuals, would have too narrow an

effect. Because of its incorporation of the liberal Magnuson-Moss

interpretation of ``consumer product,'' the User Products rule benefits

not only individual purchasers of User Products but also all

organizational purchasers of those same kinds of products, regardless of

their intended use of the products.

we have replaced the Magnuson-Moss

reference with three sentences that encapsulate the judicial and

administrative principles established over the past three decades in the

United States concerning the Magnuson-Moss consumer product definition.

First, we state that doubtful cases are resolved in favor of coverage

under the definition.  Second, we indicate that the words ``normally

used'' in the consumer product definition refer to a typical or common

use of a class of product, and not the status of a particular user or

expected or actual uses by a particular user.  Third, we make clear that

the existence of substantial non-consumer uses of a product does not

negate a determination that it is a consumer product, unless such

non-consumer uses represent the only significant mode of use of that

product.

It should be clear from these added sentences that it is the general

mode of use of a product that determines objectively whether or not it

is a consumer product.  One could not escape the effects of the User

Products provisions by labeling what is demonstrably a consumer product

in ways that suggest it is ``for professionals,'' for example, contrary

to what some critics of Draft 3 have suggested.

We have made one additional change to the User Products provisions of

section 6.  In Draft 3 we made clear that the requirement to provide

Installation Information implies no requirement to provide warranty or

support for a work that has been modified or installed on a User

Product.  The Final Draft adds that there is similarly no requirement to

provide warranty or support for the User Product itself.

% FIXME: this needs integration

In Draft 3 we instead use a definition of ``Installation Information'' in

section 6 that is as simple and clear as that goal.  Installation Information

is information that is ``required to install and execute modified versions of

a covered work \dots from a modified version of its Corresponding Source,''

in the same User Product for which the covered work is conveyed.  We provide

guidance concerning how much information must be provided: it ``must suffice

to ensure that the continued functioning of the modified object code is in no

case prevented or interfered with solely because modification has been

made.''  For example, the information provided would be insufficient if it

enabled a modified version to run only in a disabled fashion, solely because

of the fact of modification (regardless of the actual nature of the

modification).  The information need not consist of cryptographic keys;

Installation Information may be ``any methods, procedures, authorization

keys, or other information.''

%FIXME: This probably needs work to be brought into clarity with tutorial,

%next three paragarphs.

Why do distributors only have to provide Installation Information for User

Products?

Some companies effectively outsource their entire IT department to another

company. Computers and applications are installed in the company's offices,

but managed remotely by some service provider. In some of these situations,

the hardware is locked down; only the service provider has the key, and the

customers consider that to be a desirable security feature.

We think it's unfortunate that people would be willing to give up their

freedom like this.  But they should be able to fend for themselves, and the

market provides plenty of alternatives to these services that would not lock

them down. As a result, we have introduced this compromise to the draft:

distributors are only required to provide Installation Information when

they're distributing the software on a User Product, where the customers'

buying power is likely to be less organized.

This is a compromise of strategy, and not our ideals. Given the environment

we live in today --- where Digital Restrictions Management is focused largely

in consumer devices, and everyone, including large companies, is becoming

increasingly worried about the effects of DRM thanks to recent developments

like the release of Microsoft's Windows Vista --- we think that the proposed

language will still provide us with enough leverage to effectively thwart

DRM. We still believe you have a fundamental right to modify the software on

all the hardware you own; the preamble explains, ``If such problems [as

  locked-down hardware] arise substantially in other domains, we stand ready

to extend this provision to those domains in future versions of the GPL, as

needed to protect the freedom of users.''

The definition of Installation Information states that the information

provided ``must suffice to ensure that the continued functioning of the

modified object code is in no case prevented or interfered with solely

because modification has been made.''  We did not consider it necessary to

define ``continued functioning'' further. However, we believed it would be

appropriate to provide some additional guidance concerning the scope of

GPLv3-compliant action or inaction that distributors of

technically-restricted User Products can take with respect to a downstream

recipient who replaces the conveyed object code with a modified version.  We

make clear that GPLv3 implies no obligation ``to continue to provide support

service, warranty, or updates'' for such a work.

Most technically-restricted User Products are designed to communicate across

networks.  It is important for both users and network providers to know when

denial of network access to devices running modified versions becomes a GPL

violation.  We settled on a rule that permits denial of access in two cases:

``when the modification itself materially and adversely affects the operation

of the network,'' and when the modification itself ``violates the rules and

protocols for communication across the network.''  The second case is

deliberately drawn in general terms.  We intend it to serve as a foundation

for development of reasonable enforcement policies that respect recipients'

right to modify while recognizing the legitimate interests of network

providers.

% FIXME: This needs merged in somewhere in here

The mere fact that use of the work implies that the user \textit{has} the key

may not be enough to ensure the user's freedom in using it.  The user must

also be able to read and copy the key; thus, its presence in a special

register inside the computer does not satisfy the requirement. In an

application in which the user's personal key is used to protect privacy or

limit distribution of personal data, the user clearly has the ability to read

and copy the key, which therefore is not included in the Corresponding

Source. On the other hand, if a key is generated based on the object code, or

is present in hardware, but the user cannot manipulate that key, then the key

must be provided as part of the Corresponding Source.

% FIXME: this came from Section 1 but is now mostly in Section 6

In section 1, we have tried to limit as precisely as possible the situation

in which an encryption or signing key is part of the Corresponding Source

Code of a GPL'd work.  Where someone is provided a GPL'd work, he must

receive the whole of the power to use and modify the work that was available

to preceding licensors whose permissions he automatically receives.  If a key

would be necessary to install a fully functional version of the GPL'd work

from source code, the user who receives the binary must receive the key along

with the source.  The requirement of full functionality, which we have

illustrated with examples, is no more optional than it would be if GPL'd

software were redistributed with an additional license condition, rather than

a technical limitation, on the uses to which modified versions could be

put.\footnote{There is a clear distinction between this situation and the

  situation of authenticated modules or plug-ins distributed as part of a

  multi-component software system, so that instances of the software can

  verify for the user the integrity of the collection.  So long as the

  decision about whether to run a modified version is the user's decision,

  not controlled by a preceding licensor or a third party, the vendor's

  authentication key would also not qualify as part of the Corresponding

  Source under the language we have adopted for Draft 2.}

% FIXME: this needs the right place.

We do not object to the practice of conveying object code in a mode not

practically susceptible to modification by any party, such as code burned in

ROM or embedded in silicon.  What we find ethically objectionable is the

refusal to pass on to the downstream licensee the real right to modify,

coupled with the retention of that right in the device manufacturer or some

other party.  Our text has never prohibited distribution in ROM, but we have

decided to make the point explicitly, for clarity's sake. Accordingly, our

text states that the requirement to provide Installation Information ``does

not apply if neither you nor any third party retains the ability to install

modified object code on the User Product.''

%FIXME: publicly documented format.  This might work as a start on that:

Our primary objective here was to ensure that the

distributor use a generally-recognized mechanism for packaging source

code.

\section{Understanding License Compatibility}

\label{license-compatibility}

% FIXME: more about license compatibility here.

A challenge that faced the Free Software community heavily through out the

early 2000s was the proliferation of incompatible Free Software licenses.  Of