% compliance-guide.tex                            -*- LaTeX -*-

\part{A Practical Guide to GPL Compliance}

\label{gpl-compliance-guide}

{\parindent 0in

This part is: \\

\begin{tabbing}

Copyright \= \copyright{} 2014 \= \hspace{.2in} Bradley M. Kuhn. \\

Copyright \= \copyright{} 2014 \= \hspace{.2in} Free Software Foundation, Inc. \\

Copyright \> \copyright{} 2008 \> \hspace{.2in} Software Freedom Law Center. \\

\end{tabbing}

\vspace{1in}

\begin{center}

Authors of this part are: \\

Bradley M. Kuhn \\

Aaron Williamson \\

Karen M. Sandler \\

\vspace{1in}

Copy editors of this part include: \\

Martin Michlmayr

\vspace{3in}

The copyright holders of this part hereby grant the freedom to copy, modify,

convey, Adapt, and/or redistribute this work under the terms of the Creative

Commons Attribution Share Alike 4.0 International License.  A copy of that

license is available at

\end{center}

}

\bigskip

\chapter*{Executive Summary}

This is a guide to effective compliance with the GNU General Public

License (GPL) and related licenses.  Copyleft advocates

usually seek to assist the community with

GPL compliance cooperatively.   This guide focuses on complying from the

start, so that readers can learn to avoid enforcement actions entirely, or, at

least, minimize  the negative impact when enforcement actions occur.

This guide  introduces and explains basic legal concepts related to the GPL and its

enforcement by copyright holders. It also outlines business practices and

methods that lead to better GPL compliance.  Finally, it recommends proper

post-violation responses to the concerns of copyright holders.

\chapter{Background}

Early GPL enforcement efforts began soon after the GPL was written by

Richard M.~Stallman (RMS) in 1989, and consisted of informal community efforts,

often in public Usenet discussions.\footnote{One example is the public

  outcry over NeXT's attempt to make the Objective-C front-end to GCC

  proprietary.  RMS, in fact, handled this enforcement action personally and

  the Objective-C front-end is still part of upstream GCC today.}  Over the next decade, the Free Software Foundation (FSF),

which holds copyrights in many GNU programs, was the only visible entity

actively enforcing its GPL'd copyrights on behalf of the software freedom

community.

FSF's enforcement

was generally a private process; the FSF contacted violators

confidentially and helped them to comply with the license.  Most

violations were pursued this way until the early 2000's.

By that time, Linux-based systems such as GNU/Linux and BusyBox/Linux had become very common, particularly in

embedded devices such as wireless routers.  During this period, public

ridicule of violators in the press and on Internet fora supplemented

ongoing private enforcement and increased pressure on businesses to

comply.  In 2003, the FSF formalized its efforts into the GPL Compliance

Lab, increased the volume of enforcement, and built community coalitions

to encourage copyright holders to together settle amicably with violators.

Beginning in 2004, Harald Welte took a more organized public enforcement

list for collecting reports of GPL violations.  On the basis of these

reports, Welte successfully pursued many enforcements in Europe, including

formal legal action.  Harald earns the permanent fame as the first copyright

holder to bring legal action in a court regarding GPL compliance.

In 2007, two copyright holders in BusyBox, in conjunction with the

Software Freedom Conservancy (``Conservancy''), filed the first copyright infringement lawsuit

based on a violation of the GPL\@ in the USA. While  lawsuits are of course

quite public, the vast majority of Conservancy's enforcement actions 

are resolved privately via

cooperative communications with violators.  As both FSF and Conservancy have worked to bring

individual companies into compliance, both organizations have encountered numerous

violations resulting from preventable problems such as inadequate

attention to licensing of upstream software, misconceptions about the

GPL's terms, and poor communication between software developers and their

management.  This document highlights these problems and describe

best practices to encourage corporate Free Software users to reevaluate their

approach to GPL'd software and avoid future violations.

Both FSF and Conservancy continue GPL enforcement and compliance efforts

for software under the GPL, the GNU Lesser

Public License (LGPL) and other copyleft licenses.  In doing so, both organizations have

found that most violations stem from a few common, avoidable mistakes.  All copyleft advocates  hope to educate the community of

commercial distributors, redistributors, and resellers on how to avoid

violations in the first place, and to respond adequately and appropriately

when a violation occurs.

\chapter{Best Practices to Avoid Common Violations}

\label{best-practices}

Unlike highly permissive licenses (such as the ISC license), which

typically only require preservation of copyright notices, licensees face many

important requirements from the GPL.  These requirements are

carefully designed to uphold certain values and standards of the software

freedom community.  While the GPL's requirements may initially appear

counter-intuitive to those more familiar with proprietary software

licenses, by comparison, its terms are in fact clear and quite favorable to

licensees.  Indeed, the GPL's terms actually simplify compliance when

violations occur.

GPL violations occur (or, are compounded) most often when companies lack sound

practices for the incorporation of GPL'd components into their

internal development environment.  This section introduces some best

practices for software tool selection, integration and distribution,

inspired by and congruent with software freedom methodologies.  Companies should

establish such practices before building a product based on GPL'd

software.\footnote{This document addresses compliance with GPLv2,

  GPLv3, LGPLv2, and LGPLv3.  Advice on avoiding the most common

  errors differs little for compliance with these four licenses.

  \S~\ref{lgpl} discusses the key differences between GPL and LGPL

  compliance.}

\section{Evaluate License Applicability}

\label{derivative-works}

Political discussion about the GPL often centers around the ``copyleft''

requirements of the license.  Indeed, the license was designed primarily

to embody this licensing feature.  Most companies adding non-trivial

features (beyond mere porting and bug-fixing) to GPL'd software (and

thereby invoking these requirements) are already well aware of their

more complex obligations under the license.\footnote{There has been much legal

  discussion regarding copyleft and derivative works.  In practical

  reality, this issue is not relevant to the vast majority of companies

  distributing GPL'd software.  Those interested in this issue should study

  \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of

    this tutorial}.}

However, experienced  GPL enforcers find that few redistributors'

compliance challenges relate directly to combined work issues in copyleft.

Instead, the distributions of GPL'd

systems most often encountered typically consist of a full operating system

including components under the GPL (e.g., Linux, BusyBox) and components

under the LGPL (e.g., the GNU C Library).  Sometimes, these programs have

been patched or slightly improved by direct modification of their sources,

and thus the result is unequivocally a modified version.  Alongside these programs,

companies often distribute fully independent, proprietary programs,

developed from scratch, which are designed to run on the Free Software operating

system but do not combine with, link to, modify, derive from, or otherwise

create a combined work with

the GPL'd components.\footnote{However, these programs do often combine

  with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.}

In the latter case, where the work is unquestionably a separate work of

creative expression, no copyleft provisions are invoked.

The core compliance issue faced, thus, in such a situation, is not an discussion of what is or is not a

combined, derivative, and/or modified version of the work, but rather, issues related to distribution and

conveyance of binary works based on GPL'd source, but without Complete,

Corresponding Source.  This tutorial therefore focuses primarily on that issue.

Admittedly, a tiny

minority of compliance situations relate to question of derivative,

combined, or modified versions of the work.  Those

situations are so rare, and the details from situation to situation differ

greatly.  Thus, such situations require a highly

fact-dependent analysis and cannot be addressed in a general-purpose

document such as this one.

\medskip

Most companies accused of violations lack a basic understanding

of how to comply even in the straightforward scenario.  This document

provides those companies with the fundamental and generally applicable prerequisite knowledge.

For answers to rarer and more complicated legal questions, such as whether

your software is a derivative or combined work of some copylefted software, consult

with an attorney.\footnote{If you would like more information on the

  application of derivative works doctrine to software, a detailed legal

  discussion is presented in our colleague Dan Ravicher's article,

  \textit{Software Derivative Work: A Circuit Dependent Determination} and in

  \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of

    this tutorial}.}

This discussion thus assumes that you have already identified the

``work'' covered by the license, and that any components not under the GPL

(e.g., applications written entirely by your developers that merely happen

to run on a Linux-based operating system) distributed in conjunction with

those works are separate works within the meaning of copyright law and the GPL\@.  In

such a case, the GPL requires you to provide complete corresponding

source (CCS)\footnote{For more on CCS,  see

\tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on GPLv2~\S2 and GPLv3~\S1.}{\S~\ref{GPLv2s2} and \S~\ref{GPLv3s1} of

    this tutorial}.}

for the GPL'd components and your modifications thereto, but not

for independent proprietary applications.  The procedures described in

this document address this typical scenario.

\section{Monitor Software Acquisition}

Software engineers deserve the freedom to innovate and import useful

software components to improve products.  However, along with that

freedom should come rules and reporting procedures to make sure that you

are aware of what software that you include with your product.

The most typical response to an initial enforcement action is: ``We

didn't know there was GPL'd stuff in there''.  This answer indicates

failure in the software acquisition and procurement process.  Integration

of third-party proprietary software typically requires a formal

arrangement and management/legal oversight before the developers

incorporate the software.  By contrast, developers often obtain and

integrate Free Software without intervention nor oversight. That ease of acquisition, however,

does not mean the oversight is any less necessary.  Just as your legal

and/or management team negotiates terms for inclusion of any proprietary

software, they should gently facilitate all decisions to bring Free Software into your

product.

Simple, engineering-oriented rules help provide a stable foundation for

Free Software integration.  For example, simply ask your software developers to send an email to a

standard place describing each new Free Software component they add to the system,

and have them include a brief description of how they will incorporate it

into the product.  Further, make sure developers use a revision control

system (such as Git or Mercurial), and

store the upstream versions of all software in a ``vendor branch'' or

similar mechanism, whereby they can easily track and find the main version

of the software and, separately, any local changes.

Such procedures are best instituted at your project's launch.  Once 

chaotic and poorly-sourced development processes begin, cataloging the

presence of GPL'd components  becomes challenging.

Such a situation often requires use of a tool to ``catch up'' your knowledge

about what software your product includes.  Most commonly, companies choose

some software licensing scanning tool to inspect the codebase.  However,

there are few tools that are themselves Free Software.  Thus, GPL enforcers

usually recommend the GPL'd

\href{http://fossology.org/}{FOSSology system}, which analyzes a

source code base and produces a list of Free Software licenses that may apply to

the code.  FOSSology can help you build a catalog of the sources you have

already used to build your product.  You can then expand that into a more

structured inventory and process.

\section{Track Your Changes and Releases}

As explained in further detail below, the most important component of GPL

compliance is the one most often ignored: proper inclusion of CCS in all

distributions  of GPL'd

software.  To comply with GPL's CCS requirements, the distributor

\textit{must} always know precisely what sources generated a given binary

distribution.

In an unfortunately large number of our enforcement cases, the violating

company's engineering team had difficulty reconstructing the CCS

for binaries distributed by the company.  Here are three simple rules to

follow to decrease the likelihood of this occurrence:

\begin{itemize}

\item Ensure that your

developers are using revision control systems properly.

\item Have developers mark or ``tag'' the full source tree corresponding to

  builds distributed to customers.

\item Check that your developers store all parts of the software

development in the revision control system, including {\sc readme}s, build

scripts, engineers' notes, and documentation.

\end{itemize}

Your developers will benefit anyway from these rules.  Developers will be

happier in their jobs if their tools already track the precise version of

source that corresponds to any deployed binary.

\section{Avoid the ``Build Guru''}

Too many software projects rely on only one or a very few team members who

know how to build and assemble the final released product.  Such knowledge

centralization not only creates engineering redundancy issues, but also

thwarts GPL compliance.  Specifically, CCS does not just require source code,

but scripts and other material that explain how to control compilation and

installation of the executable and object code.

Thus, avoid relying on a ``build guru'', a single developer who is the only one

who knows how to produce your final product. Make sure the build process

is well defined.  Train every developer on the build process for the final

binary distribution, including (in the case of embedded software)

generating a final firmware image suitable for distribution to the

customer.  Require developers to use revision control for build processes.

Make a rule that adding new components to the system without adequate

build instructions (or better yet, scripts) is unacceptable engineering

practice.

\chapter{Details of Compliant Distribution}

This section explains the specific requirements placed upon

distributors of GPL'd software.  Note that this section refers heavily to

specific provisions and language in

\href{http://www.gnu.org/licenses/old-licenses/gpl-2.0.html#section3}{GPLv2}

and \href{http://www.fsf.org/licensing/licenses/gpl.html#section6}{GPLv3}.

It may be helpful to have a copy of each license open while reading this

section.

\section{Binary Distribution Permission}

\label{binary-distribution-permission}

% be careful below, you cannot refill the \if section, so don't refill

% this paragraph without care.

The various versions of the GPL are copyright licenses that grant

permission to make certain uses of software that are otherwise restricted

by copyright law.  This permission is conditioned upon compliance with the

GPL's requirements.

This section walks through the requirements (of both GPLv2 and GPLv3) that

apply when you distribute GPL'd programs in binary (i.e., executable or

object code) form, which is typical for embedded applications.  Because a

binary application derives from a program's original sources, you need

permission from the copyright holder to distribute it.  \S~3 of GPLv2 and

\S~6 of GPLv3 contain the permissions and conditions related to binary

distributions of GPL'd programs.\footnote{These sections cannot be fully

  understood in isolation; read the entire license thoroughly before

  focusing on any particular provision.  However, once you have read and

  understood the entire license, look to these sections to guide

  compliance for binary distributions.}

GPL's binary distribution sections offer a choice of compliance methods,

each of which we consider in turn.  Each option refers to the

``Corresponding Source'' code for the binary distribution, which includes

the source code from which the binary was produced.  This abbreviated and

simplified definition is sufficient for the binary distribution discussion

in this section, but you may wish to refer back to this section after

reading the thorough discussion of ``Corresponding Source'' that appears

in \S~\ref{corresponding-source}.

\subsection{Option (a): Source Alongside Binary}

GPLv2~\S~3(a) and v3~\S~6(a) embody the easiest option for providing

source code: including Corresponding Source with every binary

distribution.  While other options appear initially less onerous, this

option invariably minimizes potential compliance problems, because when

you distribute Corresponding Source with the binary, \emph{your GPL

  obligations are satisfied at the time of distribution}.  This is not

true of other options, and for this reason, we urge you to seriously

consider this option.  If you do not, you may extend the duration of your

obligations far beyond your last binary distribution.

Compliance under this option is straightforward.  If you ship a product

that includes binary copies of GPL'd software (e.g., in firmware, or on a

hard drive, CD, or other permanent storage medium), you can store the

Corresponding Source alongside the binaries.  Alternatively, you can

include the source on a CD or other removable storage medium in the box

containing the product.

GPLv2 refers to the various storage mechanisms as ``medi[a] customarily

used for software interchange''.  While the Internet has attained primacy

as a means of software distribution where super-fast Internet connections

are available, GPLv2 was written at a time when downloading software was

not practical (and was often impossible).  For much of the world, this

condition has not changed since GPLv2's publication, and the Internet

still cannot be considered ``a medium customary for software

interchange''.  GPLv3 clarifies this matter, requiring that source be

``fixed on a durable physical medium customarily used for software

interchange''.  This language affirms that option (a) requires binary

redistributors to provide source on a physical medium.

Please note that while selection of option (a) requires distribution on a

physical medium, voluntary distribution via the Internet is very useful.  This

is discussed in detail in \S~\ref{offer-with-internet}.

\subsection{Option (b): The Offer}

\label{offer-for-source}

Many distributors prefer to ship only an offer for source with the binary

distribution, rather than the complete source package.  This

option has value when the cost of source distribution is a true

per-unit cost.  For example, this option might be a good choice for

embedded products with permanent storage too small to fit the source, and

which are not otherwise shipped with a CD but \emph{are} shipped with a

manual or other printed material.

However, this option increases the duration of your obligations

dramatically.  An offer for source must be good for three full years from

your last binary distribution (under GPLv2), or your last binary or spare

part distribution (under GPLv3).  Your source code request and

provisioning system must be designed to last much longer than your product

life cycle.

In addition, if you are required to comply with the terms of GPLv2, you

{\bf cannot} use a network service to provide the source code.  For GPLv2,

the source code offer is fulfilled only with physical media.  This usually

means that you must continue to produce an up-to-date ``source code CD''

for years after the product's end-of-life.

\label{offer-with-internet}

Under GPLv2, it is acceptable and advisable for your offer for source code

to include an Internet link for downloadable source \emph{in addition} to

offering source on a physical medium.  This practice enables those with

fast network connections to get the source more quickly, and typically

decreases the number of physical media fulfillment requests.

(GPLv3~\S~6(b) permits provision of source with a public

network-accessible distribution only and no physical media.  We discuss

this in detail at the end of this section.)

The following is a suggested compliant offer for source under GPLv2 (and

is also acceptable for GPLv3) that you would include in your printed

materials accompanying each binary distribution:

\begin{quote}

The software included in this product contains copyrighted software that

is licensed under the GPL\@.  A copy of that license is included in this

document on page $X$\@.  You may obtain the complete Corresponding Source

code from us for a period of three years after our last shipment of this

product, which will be no earlier than 2011-08-01, by sending a money

order or check for \$5 to: \\

GPL Compliance Division \\

Our Company \\

Any Town, US 99999 \\

\\

Please write ``source for product $Y$'' in the memo line of your

payment.

You may also find a copy of the source at

This offer is valid to anyone in receipt of this information.

\end{quote}

There are a few important details about this offer.  First, it requires a

copying fee.  GPLv2 permits ``a charge no more than your cost of

physically performing source distribution''.  This fee must be reasonable.

If your cost of copying and mailing a CD is more than around \$10, you

should perhaps find a cheaper CD stock and shipment method.  It is simply

not in your interest to try to overcharge the community.  Abuse of this

provision in order to make a for-profit enterprise of source code

provision will likely trigger enforcement action.

Second, note that the last line makes the offer valid to anyone who

requests the source.  This is because v2~\S~3(b) requires that offers be

``to give any third party'' a copy of the Corresponding Source.  GPLv3 has

a similar requirement, stating that an offer must be valid for ``anyone

who possesses the object code''.  These requirements indicated in

v2~\S~3(c) and v3~\S~6(c) are so that noncommercial redistributors may

pass these offers along with their distributions.  Therefore, the offers

must be valid not only to your customers, but also to anyone who received

a copy of the binaries from them.  Many distributors overlook this

requirement and assume that they are only required to fulfill a request

from their direct customers.

The option to provide an offer for source rather than direct source

distribution is a special benefit to companies equipped to handle a

fulfillment process.  GPLv2~\S~3(c) and GPLv3~\S~6(c) avoid burdening

noncommercial, occasional redistributors with fulfillment request

obligations by allowing them to pass along the offer for source as they

received it.

Note that commercial redistributors cannot avail themselves of the option

(c) exception, and so while your offer for source must be good to anyone

who receives the offer (under v2) or the object code (under v3), it

\emph{cannot} extinguish the obligations of anyone who commercially

redistributes your product.  The license terms apply to anyone who

distributes GPL'd software, regardless of whether they are the original

distributor.  Take the example of Vendor $V$, who develops a software

platform from GPL'd sources for use in embedded devices.  Manufacturer $M$

contracts with $V$ to install the software as firmware in $M$'s device.

$V$ provides the software to $M$, along with a compliant offer for source.

In this situation, $M$ cannot simply pass $V$'s offer for source along to

its customers.  $M$ also distributes the GPL'd software commercially, so

$M$ too must comply with the GPL and provide source (or $M$'s \emph{own}

offer for source) to $M$'s customers.

This situation illustrates that the offer for source is often a poor

choice for products that your customers will likely redistribute.  If you

include the source itself with the products, then your distribution to

your customers is compliant, and their (unmodified) distribution to their

customers is likewise compliant, because both include source.  If you

include only an offer for source, your distribution is compliant but your

customer's distribution does not ``inherit'' that compliance, because they

have not made their own offer to accompany their distribution.

The terms related to the offer for source are quite different if you

distribute under GPLv3.  Under v3, you may make source available only over

a network server, as long as it is available to the general public and

remains active for three years from the last distribution of your product

or related spare part.  Accordingly, you may satisfy your fulfillment

obligations via Internet-only distribution.  This makes the ``offer for

source'' option less troublesome for v3-only distributions, easing

compliance for commercial redistributors.  However, before you switch to a

purely Internet-based fulfillment process, you must first confirm that you

can actually distribute \emph{all} of the software under GPLv3.  Some

programs are indeed licensed under ``GPLv2, \emph{or any later version}''

(often abbreviated ``GPLv2-or-later'').  Such licensing gives you the

option to redistribute under GPLv3.  However, a few popular programs are

only licensed under GPLv2 and not ``or any later version''

(``GPLv2-only'').  You cannot provide only Internet-based source request

fulfillment for the latter programs.

If you determine that all GPL'd works in your whole product allow upgrade

to GPLv3 (or were already GPLv3'd to start), your offer for source may be

as simple as this:

\begin{quote}

The software included in this product contains copyrighted software that

is licensed under the GPLv3\@.  A copy of that license is included in this

document on page $X$\@.  You may obtain the complete Corresponding Source

code from us for a period of three years after our last shipment of this

product and/or spare parts therefor, which will be no earlier than

2011-08-01, on our website at

\end{quote}

\medskip

Under both GPLv2 and GPLv3, source offers must be accompanied by a copy of

the license itself, either electronically or in print, with every

distribution.

Finally, it is unacceptable to use option (b) merely because you do not have

Corresponding Source ready.  We find that some companies choose this option

because writing an offer is easy, but producing a source distribution as

an afterthought to a hasty development process is difficult.  The offer

for source does not exist as a stop-gap solution for companies rushing to

market with an out-of-compliance product.  If you ship an offer for source

with your product but cannot actually deliver \emph{immediately} on that

offer when your customers request it, you should expect an enforcement

action.

\subsection{Option (c): Noncommercial Offers}

As discussed in the last section, GPLv2~\S~3(c) and GPLv3~\S~6(c) apply

only to noncommercial use.  These options are not available to businesses

distributing GPL'd software.  Consequently, companies that redistribute

software packaged for them by an upstream vendor cannot merely pass along

the offer they received from the vendor; they must provide their own offer

or corresponding source to their distributees.  We talk in detail about

upstream software providers in \S~\ref{upstream}.

\subsection{Option 6(d) in GPLv3: Internet Distribution}

Under GPLv2, your formal provisioning options for Corresponding Source

ended with \S~3(c).  But even under GPLv2, pure Internet source

distribution was a common practice and generally considered to be

compliant.  GPLv2 mentions Internet-only distribution almost as aside in

the language, in text at the end of the section after the three

provisioning options are listed.  To quote that part of GPLv2~\S~3:

\begin{quote}

If distribution of executable or object code is made by offering access to

copy from a designated place, then offering equivalent access to copy the

source code from the same place counts as distribution of the source code,

even though third parties are not compelled to copy the source along with

the object code.

\end{quote}

When that was written in 1991, Internet distribution of software was the

exception, not the rule.  Some FTP sites existed, but generally software

was sent on magnetic tape or CDs.  GPLv2 therefore mostly assumed that

binary distribution happened on some physical media.  By contrast,

GPLv3~\S~6(d) explicitly gives an option for this practice that the

community has historically considered GPLv2-compliant.

Thus, you may fulfill your source-provision obligations by providing the

source code in the same way and from the same location.  When exercising

this option, you are not obligated to ensure that users download the

source when they download the binary, and you may use separate servers as

needed to fulfill the requests as long as you make the source as

accessible as the binary.  However, you must ensure that users can easily

find the source code at the time they download the binary. GPLv3~\S~6(d)

thus clarifies a point that has caused confusion about source provision in

v2.  Indeed, many such important clarifications are included in v3 which

together provide a compelling reason for authors and redistributors alike

to adopt GPLv3.

\subsection{Option 6(e) in GPLv3: Software Torrents}

Peer-to-peer file sharing arose well after GPLv2 was written, and does not

easily fit any of the v2 source provision options.  GPLv3~\S~6(e)

addresses this issue, explicitly allowing for distribution of source and

binary together on a peer-to-peer file sharing network.  If you distribute

solely via peer-to-peer networks, you can exercise this option.  However,

peer-to-peer source distribution \emph{cannot} fulfill your source

provision obligations for non-peer-to-peer binary distributions.  Finally,

you should ensure that binaries and source are equally seeded upon initial

peer-to-peer distribution.

\section{Preparing Corresponding Source}

\label{corresponding-source}

Most enforcement cases involve companies that have unfortunately not

implemented procedures like our \S~\ref{best-practices} recommendations

and have no source distribution arranged at all.  These companies must

work backwards from a binary distribution to come into compliance.  Our

recommendations in \S~\ref{best-practices} are designed to make it easy to

construct a complete and Corresponding Source release from the outset.  If

you have followed those principles in your development, you can meet the

following requirements with ease.  If you have not, you may have

substantial reconstruction work to do.

\subsection{Assemble the Sources}

For every binary that you produce, you should collect and maintain a copy

of the sources from which it was built.  A large system, such as an

embedded firmware, will probably contain many GPL'd and LGPL'd components

for which you will have to provide source.  The binary distribution may

also contain proprietary components which are separate and independent

works that are covered by neither the GPL nor LGPL\@.

The best way to separate out your sources is to have a subdirectory for

each component in your system.  You can then easily mark some of them as

required for your Corresponding Source releases.  Collecting

subdirectories of GPL'd and LGPL'd components is the first step toward

preparing your release.

\subsection{Building the Sources}

Few distributors, particularly of embedded systems, take care to read the

actual definition of Corresponding Source in the GPL\@.  Consider

carefully the definition, from GPLv3:

\begin{quote}

  The ``Corresponding Source'' for a work in object code form means all

  the source code needed to generate, install, and (for an executable

  work) run the object code and to modify the work, including scripts to

  control those activities.

\end{quote}

and the definition from GPLv2:

\begin{quote}

The source code for a work means the preferred form of the work for making

modifications to it.  For an executable work, complete source code means

all the source code for all modules it contains, plus any associated

interface definition files, plus the scripts used to control compilation

and installation of the executable.

\end{quote}

Note that you must include ``scripts used to control compilation and

installation of the executable'' and/or anything ``needed to generate,

install, and (for an executable work) run the object code and to modify

the work, including scripts to control those activities''.  These phrases

are written to cover different types of build environments and systems.

Therefore, the details of what you need to provide with regard to scripts

and installation instructions vary depending on the software details.  You

must provide all information necessary such that someone generally skilled

with computer systems could produce a binary similar to the one provided.

Take as an example an embedded wireless device.  Usually, a company

distributes a firmware, which includes a binary copy of

Linux\footnote{``Linux'' refers only to the kernel, not the larger system

  as a whole.} and a filesystem.  That filesystem contains various binary

programs, including some GPL'd binaries, alongside some proprietary

binaries that are separate works (i.e., not derived from, nor based on

freely-licensed sources).  Consider what, in this case, constitutes adequate

``scripts to control compilation and installation'' or items ``needed to

generate, install and run'' the GPL'd programs.

Most importantly, you must provide some sort of roadmap that allows

technically sophisticated users to build your software.  This can be

complicated in an embedded environment.  If your developers use scripts to

control the entire compilation and installation procedure, then you can

simply provide those scripts to users along with the sources they act

upon.  Sometimes, however, scripts were never written (e.g., the

information on how to build the binaries is locked up in the mind of your

``build guru'').  In that case, we recommend that you write out build

instructions in a natural language as a detailed, step-by-step {\sc

  readme}.

No matter what you offer, you need to give those who receive source a

clear path from your sources to binaries similar to the ones you ship.  If

you ship a firmware (kernel plus filesystem), and the filesystem contains

binaries of GPL'd programs, then you should provide whatever is necessary

to enable a reasonably skilled user to build any given GPL'd source

program (and modified versions thereof), and replace the given binary in

your filesystem.  If the kernel is Linux, then the users must have the

instructions to do the same with the kernel.  The best way to achieve this

is to make available to your users whatever scripts or process your

engineers would use to do the same.

These are the general details for how installation instructions work.

Details about what differs when the work is licensed under LGPL is

discussed in \S~\ref{lgpl}, and specific details that are unique to

GPLv3's installation instructions are in \S~\ref{user-products}.

\subsection{What About the Compiler?}

The GPL contains no provision that requires distribution of the compiler

used to build the software.  While companies are encouraged to make it as

easy as possible for their users to build the sources, inclusion of the

compiler itself is not normally considered mandatory.  The Corresponding

Source definition -- both in GPLv2 and GPLv3 -- has not been typically

read to include the compiler itself, but rather things like makefiles,

build scripts, and packaging scripts.

Nonetheless, in the interest of goodwill and the spirit of the GPL, most

companies do provide the compiler itself when they are able, particularly

when the compiler is based on GCC\@ or another copylefted compiler.  If you have

a GCC-based system, it is your prerogative to redistribute that GCC

version (binaries plus sources) to your customers.  We in the software freedom

community encourage you to do this, since it often makes it easier for

users to exercise their software freedom.  However, if you chose to take

this recommendation, ensure that your GCC distribution is itself

compliant.

If you have used a proprietary, third-party compiler to build the

%      Tutorial Text for the Detailed Study and Analysis of GPL and LGPL course

% License: CC-By-SA-4.0

% The copyright holders hereby grant the freedom to copy, modify, convey,

% Adapt, and/or redistribute this work under the terms of the Creative

% Commons Attribution Share Alike 4.0 International License.

% This text is distributed in the hope that it will be useful, but

% WITHOUT ANY WARRANTY; without even the implied warranty of

% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

% You should have received a copy of the license with this document in

% a file called 'CC-By-SA-4.0.txt'.  If not, please visit

% https://creativecommons.org/licenses/by-sa/4.0/legalcode to receive

% the license text.

\part{Case Studies in GPL Enforcement}

{\parindent 0in

This part is: \\

\begin{tabbing}

Copyright \> \copyright{} 2014 \>  Bradley M. Kuhn. \\

Copyright \= \copyright{} 2014 \= \hspace{.2in} Denver Gingerich \\

Copyright \= \copyright{} 2003, 2004, 2014 \= \hspace{.2in} Free Software Foundation, Inc. \\

\end{tabbing}

\vspace{1in}

\begin{center}

Authors of this part are: \\

Bradley M. Kuhn \\

John Sullivan

\vspace{3in}

Copy editors of this part include: \\

Martin Michlmayr

\vspace{3in}

The copyright holders hereby grant the freedom to copy, modify, convey,

Adapt, and/or redistribute this work under the terms of the Creative Commons

Attribution Share Alike 4.0 International License.  A copy of that license is

\end{center}

}

% =====================================================================

% START OF SECOND DAY SEMINAR SECTION

% =====================================================================

\chapter*{Preface}

This one-day course presents the details of five different GPL

compliance cases handled by FSF's GPL Compliance Laboratory. Each case

offers unique insights into problems that can arise when the terms of

the GPL are not properly followed, and how diplomatic negotiation between

the violator and the copyright holder can yield positive results for

both parties.

Attendees should have successfully completely the course, a ``Detailed

Study and Analysis of the GPL and LGPL,'' as the material from that

course forms the building blocks for this material.

This course is of most interest to lawyers who have clients or

employers that deal with Free Software on a regular basis. However,

technical managers and executives whose businesses use or distribute

Free Software will also find the course very helpful.

\bigskip

These course materials are merely a summary of the highlights of the

course presented. Please be aware that during the actual GPL course, class

discussion supplements this printed curriculum. Simply reading it is

not equivalent to attending the course.

%FIXME-LATER: write these

%\chapter{Not All GPL Enforcement is Created Equal}

%\section{For-Profit Enforcement}

%\section{Community and Non-Profit Enforcement}

\chapter{Overview of Community Enforcement}

The GPL is a Free Software license with legal teeth. Unlike licenses like

the X11-style or various BSD licenses, the GPL (and by extension, the LGPL) is

designed to defend as well as grant freedom. We saw in the last course

that the GPL uses copyright law as a mechanism to grant all the key freedoms

essential in Free Software, but also to ensure that those freedoms

propagate throughout the distribution chain of the software.

\section{Termination Begins Enforcement}

As we have learned, the assurance that Free Software under the GPL remains

Free Software is accomplished through various terms of the GPL: \S 3 ensures

that binaries are always accompanied with source; \S 2 ensures that the

sources are adequate, complete and usable; \S 6 and \S 7 ensure that the

license of the software is always the GPL for everyone, and that no other

legal agreements or licenses trump the GPL. It is \S 4, however, that ensures

that the GPL can be enforced.

Thus, \S 4 is where we begin our discussion of GPL enforcement. This

clause is where the legal teeth of the license are rooted. As a copyright

license, the GPL governs only the activities governed by copyright law ---

copying, modifying and redistributing computer software. Unlike most

copyright licenses, the GPL gives wide grants of permission for engaging with

these activities. Such permissions continue, and all parties may exercise

them until such time as one party violates the terms of the GPL\@. At the

moment of such a violation (i.e., the engaging of copying, modifying or

redistributing in ways not permitted by the GPL) \S 4 is invoked. While other

parties may continue to operate under the GPL, the violating party loses their

rights.

Specifically, \S 4 terminates the violators' rights to continue

engaging in the permissions that are otherwise granted by the GPL\@.

Effectively, their rights revert to the copyright defaults ---

no permission is granted to copy, modify, nor redistribute the work.

Meanwhile, \S 5 points out that if the violator has no rights under

the GPL, they are prohibited by copyright law from engaging in the

activities of copying, modifying and distributing. They have lost

these rights because they have violated the GPL, and no other license

gives them permission to engage in these activities governed by copyright law.

\section{Ongoing Violations}

In conjunction with \S 4's termination of violators' rights, there is

one final industry fact added to the mix: rarely does one engage in a

single, solitary act of copying, distributing or modifying software.

Almost always, a violator will have legitimately acquired a copy of a

GPL'd program, either making modifications or not, and then begun

distributing that work. For example, the violator may have put the

software in boxes and sold them at stores. Or perhaps the software

was put up for download on the Internet. Regardless of the delivery

mechanism, violators almost always are engaged in {\em ongoing\/}

violation of the GPL\@.

In fact, when we discover a GPL violation that occurred only once --- for

example, a user group who distributed copies of a GNU/Linux system without

source at one meeting --- we rarely pursue it with a high degree of

tenacity. In our minds, such a violation is an educational problem, and

unless the user group becomes a repeat offender (as it turns out, they

never do), we simply forward along a FAQ entry that best explains how user

groups can most easily comply with the GPL, and send them on their merry way.

It is only the cases of {\em ongoing\/} GPL violation that warrant our

active attention. We vehemently pursue those cases where dozens, hundreds

or thousands of customers are receiving software that is out of

compliance, and where the company continually offers for sale (or

distributes gratis as a demo) software distributions that include GPL'd

components out of compliance. Our goal is to maximize the impact of

enforcement and educate industries who are making such a mistake on a

large scale.

In addition, such ongoing violation shows that a particular company is

committed to a GPL'd product line. We are thrilled to learn that someone

is benefiting from Free Software, and we understand that sometimes they

become confused about the rules of the road. Rather than merely