% compliance-guide.tex                            -*- LaTeX -*-

\part{A Practical Guide to GPL Compliance}

\label{gpl-compliance-guide}

{\parindent 0in

This part is: \\

\begin{tabbing}

Copyright \= \copyright{} 2014 \= \hspace{.2in} Bradley M. Kuhn. \\

Copyright \> \copyright{} 2008 \> \hspace{.2in} Software Freedom Law Center. \\

\end{tabbing}

\vspace{1in}

\begin{center}

Authors of this part are: \\

Bradley M. Kuhn \\

Aaron Williamson \\

Karen M. Sandler \\

\vspace{1in}

Copy editors of this part include: \\

Martin Michlmayr

\vspace{3in}

The copyright holders of this part hereby grant the freedom to copy, modify,

convey, Adapt, and/or redistribute this work under the terms of the Creative

Commons Attribution Share Alike 4.0 International License.  A copy of that

license is available at

\verb=https://creativecommons.org/licenses/by-sa/4.0/legalcode=. 

\end{center}

}

\bigskip

\chapter*{Executive Summary}

This is a guide to effective compliance with the GNU General Public

License (GPL) and related licenses.  Copyleft advocates

usually seek to assist the community with

GPL compliance cooperatively.   This guide focuses on complying from the

start, so that readers can learn to avoid enforcement actions entirely, or, at

least, minimize  the negative impact when enforcement actions occur.

This guide  introduces and explains basic legal concepts related to the GPL and its

enforcement by copyright holders. It also outlines business practices and

methods that lead to better GPL compliance.  Finally, it recommends proper

post-violation responses to the concerns of copyright holders.

\chapter{Background}

Early GPL enforcement efforts began soon after the GPL was written by

Richard M.~Stallman (RMS) in 1989, and consisted of informal community efforts,

often in public Usenet discussions.\footnote{One example is the public

  outcry over NeXT's attempt to make the Objective-C front-end to GCC

  proprietary.  RMS, in fact, handled this enforcement action personally and

  the Objective-C front-end is still part of upstream GCC today.}  Over the next decade, the Free Software Foundation (FSF),

which holds copyrights in many GNU programs, was the only visible entity

actively enforcing its GPL'd copyrights on behalf of the software freedom

community.

FSF's enforcement

was generally a private process; the FSF contacted violators

confidentially and helped them to comply with the license.  Most

violations were pursued this way until the early 2000's.

By that time, Linux-based systems such as GNU/Linux and BusyBox/Linux had become very common, particularly in

embedded devices such as wireless routers.  During this period, public

ridicule of violators in the press and on Internet fora supplemented

ongoing private enforcement and increased pressure on businesses to

comply.  In 2003, the FSF formalized its efforts into the GPL Compliance

Lab, increased the volume of enforcement, and built community coalitions

to encourage copyright holders to together settle amicably with violators.

Beginning in 2004, Harald Welte took a more organized public enforcement

approach and launched \verb0gpl-violations.org0, a website and mailing

list for collecting reports of GPL violations.  On the basis of these

reports, Welte successfully pursued many enforcements in Europe, including

formal legal action.  Harald earns the permanent fame as the first copyright

holder to bring legal action in a court regarding GPL compliance.

In 2007, two copyright holders in BusyBox, in conjunction with the

Software Freedom Conservancy (``Conservancy''), filed the first copyright infringement lawsuit

based on a violation of the GPL\@ in the USA. While  lawsuits are of course

quite public, the vast majority of Conservancy's enforcement actions 

are resolved privately via

cooperative communications with violators.  As both FSF and Conservancy have worked to bring

individual companies into compliance, both organizations have encountered numerous

violations resulting from preventable problems such as inadequate

attention to licensing of upstream software, misconceptions about the

GPL's terms, and poor communication between software developers and their

management.  This document highlights these problems and describe

best practices to encourage corporate Free Software users to reevaluate their

approach to GPL'd software and avoid future violations.

Both FSF and Conservancy continue GPL enforcement and compliance efforts

for software under the GPL, the GNU Lesser

Public License (LGPL) and other copyleft licenses.  In doing so, both organizations have

found that most violations stem from a few common, avoidable mistakes.  All copyleft advocates  hope to educate the community of

commercial distributors, redistributors, and resellers on how to avoid

violations in the first place, and to respond adequately and appropriately

when a violation occurs.

\chapter{Best Practices to Avoid Common Violations}

\label{best-practices}

Unlike highly permissive licenses (such as the ISC license), which

typically only require preservation of copyright notices, licensees face many

important requirements from the GPL.  These requirements are

carefully designed to uphold certain values and standards of the software

freedom community.  While the GPL's requirements may initially appear

counter-intuitive to those more familiar with proprietary software

licenses, by comparison, its terms are in fact clear and quite favorable to

licensees.  Indeed, the GPL's terms actually simplify compliance when

violations occur.

GPL violations occur (or, are compounded) most often when companies lack sound

practices for the incorporation of GPL'd components into their

internal development environment.  This section introduces some best

practices for software tool selection, integration and distribution,

inspired by and congruent with software freedom methodologies.  Companies should

establish such practices before building a product based on GPL'd

software.\footnote{This document addresses compliance with GPLv2,

  GPLv3, LGPLv2, and LGPLv3.  Advice on avoiding the most common

  errors differs little for compliance with these four licenses.

  \S~\ref{lgpl} discusses the key differences between GPL and LGPL

  compliance.}

\section{Evaluate License Applicability}

\label{derivative-works}

Political discussion about the GPL often centers around the ``copyleft''

requirements of the license.  Indeed, the license was designed primarily

to embody this licensing feature.  Most companies adding non-trivial

features (beyond mere porting and bug-fixing) to GPL'd software (and

thereby invoking these requirements) are already well aware of their

more complex obligations under the license.\footnote{There has been much legal

  discussion regarding copyleft and derivative works.  In practical

  reality, this issue is not relevant to the vast majority of companies

  distributing GPL'd software.  Those interested in this issue should study

  \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of

    this tutorial}.}

However, experienced  GPL enforcers find that few redistributors'

compliance challenges relate directly to combined work issues in copyleft.

Instead, the distributions of GPL'd

systems most often encountered typically consist of a full operating system

including components under the GPL (e.g., Linux, BusyBox) and components

under the LGPL (e.g., the GNU C Library).  Sometimes, these programs have

been patched or slightly improved by direct modification of their sources,

companies often distribute fully independent, proprietary programs,

developed from scratch, which are designed to run on the Free Software operating

system but do not combine with, link to, modify, derive from, or otherwise

create a combined work with

the GPL'd components.\footnote{However, these programs do often combine

  with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.}

In the latter case, where the work is unquestionably a separate work of

creative expression, no copyleft provisions are invoked.

The core compliance issue faced, thus, in such a situation, is not an discussion of what is or is not a

conveyance of binary works based on GPL'd source, but without Complete,

Corresponding Source.  This tutorial therefore focuses primarily on that issue.

Admittedly, a tiny

situations are so rare, and the details from situation to situation differ

greatly.  Thus, such situations require a highly

fact-dependent analysis and cannot be addressed in a general-purpose

document such as this one.

\medskip

Most companies accused of violations lack a basic understanding

of how to comply even in the straightforward scenario.  This document

provides those companies with the fundamental and generally applicable prerequisite knowledge.

For answers to rarer and more complicated legal questions, such as whether

your software is a derivative or combined work of some copylefted software, consult

with an attorney.\footnote{If you would like more information on the

  application of derivative works doctrine to software, a detailed legal

  discussion is presented in our colleague Dan Ravicher's article,

  \textit{Software Derivative Work: A Circuit Dependent Determination} and in

  \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of

    this tutorial}.}

This discussion thus assumes that you have already identified the

``work'' covered by the license, and that any components not under the GPL

(e.g., applications written entirely by your developers that merely happen

to run on a Linux-based operating system) distributed in conjunction with

those works are separate works within the meaning of copyright law and the GPL\@.  In

such a case, the GPL requires you to provide complete corresponding

source (CCS)\footnote{For more on CCS,  see

\tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on GPLv2~\S2 and GPLv3~\S1.}{\S~\ref{GPLv2s2} and \S~\ref{GPLv3s1} of

    this tutorial}.}

for the GPL'd components and your modifications thereto, but not

for independent proprietary applications.  The procedures described in

this document address this typical scenario.

\section{Monitor Software Acquisition}

Software engineers deserve the freedom to innovate and import useful

software components to improve products.  However, along with that

freedom should come rules and reporting procedures to make sure that you

are aware of what software that you include with your product.

The most typical response to an initial enforcement action is: ``We

didn't know there was GPL'd stuff in there''.  This answer indicates

failure in the software acquisition and procurement process.  Integration

of third-party proprietary software typically requires a formal

arrangement and management/legal oversight before the developers

incorporate the software.  By contrast, developers often obtain and

integrate Free Software without intervention nor oversight. That ease of acquisition, however,

does not mean the oversight is any less necessary.  Just as your legal

and/or management team negotiates terms for inclusion of any proprietary

software, they should gently facilitate all decisions to bring Free Software into your

product.

Simple, engineering-oriented rules help provide a stable foundation for

Free Software integration.  For example, simply ask your software developers to send an email to a

standard place describing each new Free Software component they add to the system,

and have them include a brief description of how they will incorporate it

into the product.  Further, make sure developers use a revision control

system (such as Git or Mercurial), and

store the upstream versions of all software in a ``vendor branch'' or

similar mechanism, whereby they can easily track and find the main version

of the software and, separately, any local changes.

Such procedures are best instituted at your project's launch.  Once 

chaotic and poorly-sourced development processes begin, cataloging the

presence of GPL'd components  becomes challenging.

Such a situation often requires use of a tool to ``catch up'' your knowledge

about what software your product includes.  Most commonly, companies choose

some software licensing scanning tool to inspect the codebase.  However,

there are few tools that are themselves Free Software.  Thus, GPL enforcers

usually recommend the GPL'd

\href{http://fossology.org/}{FOSSology system}, which analyzes a

source code base and produces a list of Free Software licenses that may apply to

the code.  FOSSology can help you build a catalog of the sources you have

already used to build your product.  You can then expand that into a more

structured inventory and process.

\section{Track Your Changes and Releases}

As explained in further detail below, the most important component of GPL

compliance is the one most often ignored: proper inclusion of CCS in all

distributions  of GPL'd

software.  To comply with GPL's CCS requirements, the distributor

\textit{must} always know precisely what sources generated a given binary

distribution.

In an unfortunately large number of our enforcement cases, the violating

company's engineering team had difficulty reconstructing the CCS

for binaries distributed by the company.  Here are three simple rules to

follow to decrease the likelihood of this occurrence:

\begin{itemize}

\item Ensure that your

developers are using revision control systems properly.

\item Have developers mark or ``tag'' the full source tree corresponding to

  builds distributed to customers.

\item Check that your developers store all parts of the software

development in the revision control system, including {\sc readme}s, build

scripts, engineers' notes, and documentation.

\end{itemize}

Your developers will benefit anyway from these rules.  Developers will be

happier in their jobs if their tools already track the precise version of

source that corresponds to any deployed binary.

\section{Avoid the ``Build Guru''}

Too many software projects rely on only one or a very few team members who

know how to build and assemble the final released product.  Such knowledge

centralization not only creates engineering redundancy issues, but also

thwarts GPL compliance.  Specifically, CCS does not just require source code,

but scripts and other material that explain how to control compilation and

installation of the executable and object code.

Thus, avoid relying on a ``build guru'', a single developer who is the only one

who knows how to produce your final product. Make sure the build process

is well defined.  Train every developer on the build process for the final

binary distribution, including (in the case of embedded software)

generating a final firmware image suitable for distribution to the

customer.  Require developers to use revision control for build processes.

Make a rule that adding new components to the system without adequate

build instructions (or better yet, scripts) is unacceptable engineering

practice.

\chapter{Details of Compliant Distribution}

This section explains the specific requirements placed upon

distributors of GPL'd software.  Note that this section refers heavily to

specific provisions and language in

\href{http://www.gnu.org/licenses/old-licenses/gpl-2.0.html#section3}{GPLv2}

and \href{http://www.fsf.org/licensing/licenses/gpl.html#section6}{GPLv3}.

It may be helpful to have a copy of each license open while reading this

section.

\section{Binary Distribution Permission}

\label{binary-distribution-permission}

% be careful below, you cannot refill the \if section, so don't refill

% this paragraph without care.

The various versions of the GPL are copyright licenses that grant

permission to make certain uses of software that are otherwise restricted

by copyright law.  This permission is conditioned upon compliance with the

GPL's requirements.

This section walks through the requirements (of both GPLv2 and GPLv3) that

apply when you distribute GPL'd programs in binary (i.e., executable or

object code) form, which is typical for embedded applications.  Because a

binary application derives from a program's original sources, you need

permission from the copyright holder to distribute it.  \S~3 of GPLv2 and

\S~6 of GPLv3 contain the permissions and conditions related to binary

distributions of GPL'd programs.\footnote{These sections cannot be fully

  understood in isolation; read the entire license thoroughly before

  focusing on any particular provision.  However, once you have read and

  understood the entire license, look to these sections to guide

  compliance for binary distributions.}

GPL's binary distribution sections offer a choice of compliance methods,

each of which we consider in turn.  Each option refers to the

``Corresponding Source'' code for the binary distribution, which includes

the source code from which the binary was produced.  This abbreviated and

simplified definition is sufficient for the binary distribution discussion

in this section, but you may wish to refer back to this section after

reading the thorough discussion of ``Corresponding Source'' that appears

in \S~\ref{corresponding-source}.

\subsection{Option (a): Source Alongside Binary}

GPLv2~\S~3(a) and v3~\S~6(a) embody the easiest option for providing

source code: including Corresponding Source with every binary

distribution.  While other options appear initially less onerous, this

option invariably minimizes potential compliance problems, because when

you distribute Corresponding Source with the binary, \emph{your GPL

  obligations are satisfied at the time of distribution}.  This is not

true of other options, and for this reason, we urge you to seriously

consider this option.  If you do not, you may extend the duration of your

obligations far beyond your last binary distribution.

Compliance under this option is straightforward.  If you ship a product

that includes binary copies of GPL'd software (e.g., in firmware, or on a

hard drive, CD, or other permanent storage medium), you can store the

Corresponding Source alongside the binaries.  Alternatively, you can

include the source on a CD or other removable storage medium in the box

containing the product.

GPLv2 refers to the various storage mechanisms as ``medi[a] customarily

used for software interchange''.  While the Internet has attained primacy

as a means of software distribution where super-fast Internet connections

%\chapter{Not All GPL Enforcement is Created Equal}

%\section{For-Profit Enforcement}

%\section{Community and Non-Profit Enforcement}

\chapter{Overview of Community Enforcement}

The GPL is a Free Software license with legal teeth. Unlike licenses like

the X11-style or various BSD licenses, the GPL (and by extension, the LGPL) is

designed to defend as well as grant freedom. We saw in the last course

that the GPL uses copyright law as a mechanism to grant all the key freedoms

essential in Free Software, but also to ensure that those freedoms

propagate throughout the distribution chain of the software.

\section{Termination Begins Enforcement}

As we have learned, the assurance that Free Software under the GPL remains

Free Software is accomplished through various terms of the GPL: \S 3 ensures

that binaries are always accompanied with source; \S 2 ensures that the

sources are adequate, complete and usable; \S 6 and \S 7 ensure that the

license of the software is always the GPL for everyone, and that no other

legal agreements or licenses trump the GPL. It is \S 4, however, that ensures

that the GPL can be enforced.

Thus, \S 4 is where we begin our discussion of GPL enforcement. This

clause is where the legal teeth of the license are rooted. As a copyright

license, the GPL governs only the activities governed by copyright law ---

copying, modifying and redistributing computer software. Unlike most

copyright licenses, the GPL gives wide grants of permission for engaging with

these activities. Such permissions continue, and all parties may exercise

them until such time as one party violates the terms of the GPL\@. At the

moment of such a violation (i.e., the engaging of copying, modifying or

redistributing in ways not permitted by the GPL) \S 4 is invoked. While other

parties may continue to operate under the GPL, the violating party loses their

rights.

Specifically, \S 4 terminates the violators' rights to continue

engaging in the permissions that are otherwise granted by the GPL\@.

Effectively, their rights revert to the copyright defaults ---

no permission is granted to copy, modify, nor redistribute the work.

Meanwhile, \S 5 points out that if the violator has no rights under

the GPL, they are prohibited by copyright law from engaging in the

activities of copying, modifying and distributing. They have lost

these rights because they have violated the GPL, and no other license

gives them permission to engage in these activities governed by copyright law.

\section{Ongoing Violations}

In conjunction with \S 4's termination of violators' rights, there is

one final industry fact added to the mix: rarely does one engage in a

single, solitary act of copying, distributing or modifying software.

Almost always, a violator will have legitimately acquired a copy of a

GPL'd program, either making modifications or not, and then begun

distributing that work. For example, the violator may have put the

software in boxes and sold them at stores. Or perhaps the software

was put up for download on the Internet. Regardless of the delivery

mechanism, violators almost always are engaged in {\em ongoing\/}

violation of the GPL\@.

In fact, when we discover a GPL violation that occurred only once --- for

example, a user group who distributed copies of a GNU/Linux system without

source at one meeting --- we rarely pursue it with a high degree of

tenacity. In our minds, such a violation is an educational problem, and

unless the user group becomes a repeat offender (as it turns out, they

never do), we simply forward along a FAQ entry that best explains how user

groups can most easily comply with the GPL, and send them on their merry way.

It is only the cases of {\em ongoing\/} GPL violation that warrant our

active attention. We vehemently pursue those cases where dozens, hundreds

or thousands of customers are receiving software that is out of

compliance, and where the company continually offers for sale (or

distributes gratis as a demo) software distributions that include GPL'd

components out of compliance. Our goal is to maximize the impact of

enforcement and educate industries who are making such a mistake on a

large scale.

In addition, such ongoing violation shows that a particular company is

committed to a GPL'd product line. We are thrilled to learn that someone

is benefiting from Free Software, and we understand that sometimes they

become confused about the rules of the road. Rather than merely

giving us a postmortem to perform on a past mistake, an ongoing violation

gives us an active opportunity to educate a new contributor to the GPL'd

commons about proper procedures to contribute to the community.

Our central goal is not, in fact, to merely clear up a particular violation.

In fact, over time, we hope that our compliance lab will be out of

business. We seek to educate the businesses that engage in commerce

related to GPL'd software to obey the rules of the road and allow them to

operate freely under them. Just as a traffic officer would not revel in

reminding people which side of the road to drive on, so we do not revel in

violations. By contrast, we revel in the successes of educating an

ongoing violator about the GPL so that GPL compliance becomes a second-nature

matter, allowing that company to join the GPL ecosystem as a contributor.

\section{How are Violations Discovered?}

Our enforcement of the GPL is not a fund-raising effort; in fact, FSF's GPL

Compliance Lab runs at a loss (in other words, it is subsided by our

donors). Our violation reports come from volunteers, who have encountered,

in their business or personal life, a device or software product that

appears to contain GPL'd software. These reports are almost always sent

via email to $<$license-violation@fsf.org$>$.

Our first order of business, upon receiving such a report, is to seek

independent confirmation. When possible, we get a copy of the software

product. For example, if it is an offering that is downloadable from a

Web site, we download it and investigate ourselves. When it is not

possible for us to actually get a copy of the software, we ask the

reporter to go through the same process we would use in examining the

software.

By rough estimation, about 95\% of violations at this stage can be

confirmed by simple commands. Almost all violators have merely made an

error and have no nefarious intentions. They have made no attempt to

remove our copyright notices from the software. Thus, given the

third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux

system) such as the following will find a Free Software copyright notice

and GPL reference:

\begin{quotation}

{\tt strings tpb | grep Copyright}

\end{quotation}

In other words, it is usually more than trivial to confirm that GPL'd

software is included.

Once we have confirmed that a violation has indeed occurred, we must then

determine whose copyright has been violated. Contrary to popular belief,

FSF does not have the power to enforce the GPL in all cases. Since the GPL

operates under copyright law, the powers of enforcement --- to seek

redress once \S 4 has been invoked --- lie with the copyright holder of

the software. FSF is one of the largest copyright holders in the world of

GPL'd software, but we are by no means the only one. Thus, we sometimes

discover that while GPL'd code is present in the software, there is no

software copyrighted by FSF present.

In cases where FSF does not hold copyright interest in the software, but

we have confirmed a violation, we contact the copyright holders of the

software, and encourage them to enforce the GPL\@. We offer our good offices

to help negotiate compliance on their behalf, and many times, we help as a

third party to settle such GPL violations. However, what we will describe

primarily in this course is FSF's first-hand experience enforcing its own

copyrights and the GPL\@.

\section{First Contact}

The Free Software community is built on a structure of voluntary

cooperation and mutual help. Our community has learned that cooperation

works best when you assume the best of others, and only change policy,

procedures and attitudes when some specific event or occurrence indicates

that a change is necessary. We treat the process of GPL enforcement in

the same way. Our goal is to encourage violators to join the cooperative

community of software sharing, so we want to open our hand in friendship.

Therefore, once we have confirmed a violation, our first assumption is

that the violation is an oversight or otherwise a mistake due to confusion

about the terms of the license. We reach out to the violator and ask them

to work with us in a collaborative way to bring the product into

compliance. We have received the gamut of possible reactions to such

requests, and in this course, we examine four specific examples of such

compliance work.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\chapter{Bortez: Modified GCC SDK}

In our first case study, we will consider Bortez, a company that

produces software and hardware toolkits to assist OEM vendors, makers

of consumer electronic devices.

\section{Facts}

One of Bortez's key products is a Software Development Kit (``SDK'')

designed to assist developers building software for a specific class of

consumer electronics devices.

FSF received a report that the SDK may be based on the GNU Compiler

Collection (which is an FSF-copyrighted collection of tools for software

development in C, C++ and other popular languages). FSF investigated the

claim, but was unable to confirm the violation. The violation reporter

was unresponsive to follow-up requests for more information.

Since FSF was unable to confirm the violation, we did not pursue it any

further. Bogus reports do happen, and we do not want to burden companies

with specious GPL violation complaints. FSF shelved the matter until

more evidence was discovered.

FSF was later able to confirm the violation when two additional reports

surfaced from other violation reporters, both of whom had used the SDK

professionally and noticed clear similarities to FSF's GNU GCC\@. FSF's

Compliance Engineer asked the reporters to run standard tests to confirm

the violation, and it was confirmed that Bortez's SDK was indeed a

of features, including support for a specific consumer device chipset and

additional features to aid in the linking process (``LP'') for those

specific devices. FSF explained the rights that the GPL afforded these

customers and pointed out, for example, that Bortez only needed to provide

source to those in possession of the binaries, and that the users may need

to request that source (if \S 3(b) was exercised). The violators

confirmed that such requests were not answered.

FSF brought the matter to the attention of Bortez, who immediately

escalated the matter to their attorneys. After a long negotiation,

GCC\@. Bortez released most of the source, but some disagreement

FSF inquiries, Bortez reaudited the source to discover that FSF's

analysis was correct. Bortez determined that LP included a number of

source files copied from the GCC code-base.

\label{davrik-build-problems}

Once the full software release was made available, FSF asked the violation

reporters if it addressed the problem. Reports came back that the source

did not properly build. FSF asked Bortez to provide better build

instructions with the software, and such build instructions were

incorporated into the next software release.

At FSF's request as well, Bortez informed customers who had previously

purchased the product that the source was now available by announcing

the availability on its Web site and via a customer newsletter.

Bortez did have some concerns regarding patents. They wished to include a

statement with the software release that made sure they were not granting

any patent permission other than what was absolutely required by the GPL\@.

They understood that their patent assertions could not trump any rights

granted by the GPL\@. The following language was negotiated into the release:

\begin{quotation}

Subject to the qualifications stated below, Bortez, on behalf of itself

and its Subsidiaries, agrees not to assert the Claims against you for your

making, use, offer for sale, sale, or importation of the Bortez's GNU

Utilities or derivative works of the Bortez's GNU Utilities

(``Derivatives''), but only to the extent that any such Derivatives are

licensed by you under the terms of the GNU General Public License. The

Claims are the claims of patents that Bortez or its Subsidiaries have

standing to enforce that are directly infringed by the making, use, or

sale of an Bortez Distributed GNU Utilities in the form it was distributed

by Bortez and that do not include any limitation that reads on hardware;

the Claims do not include any additional patent claims held by Bortez that

cover any modifications of, derivative works based on or combinations with

the Bortez's GNU Utilities, even if such a claim is disclosed in the same

patent as a Claim. Subsidiaries are entities that are wholly owned by

Bortez.

This statement does not negate, limit or restrict any rights you already

have under the GNU General Public License version 2.

\end{quotation}

This quelled Bortez's concerns about other patent licensing they sought to

do outside of the GPL'd software, and satisfied FSF's concerns that Bortez

give proper permissions to exercise teachings of patents that were

exercised in their GPL'd software release.

Finally, a GPL Compliance Officer inside Bortez was appointed to take

responsibility for all matters of GPL compliance inside the company.

Bortez is responsible for informing FSF if the position is given to

someone else inside the company, and making sure that FSF has direct

contact with Bortez's Compliance Officer.

\section{Lessons}

This case introduces a number of concepts regarding GPL enforcement.

\begin{enumerate}

\item {\bf Enforcement should not begin until the evidence is confirmed.}

  Most companies that distribute GPL'd software do so in compliance, and at

  times, violation reports are mistaken. Even with extensive efforts in

  GPL education, many users do not fully understand their rights and the

  obligations that companies have. By working through the investigation

  with reporters, the violation can be properly confirmed, and {\bf the

    user of the software can be educated about what to expect with GPL'd

    software}. When users and customers of GPL'd products know their

  rights, what to expect, and how to properly exercise their rights

  (particularly under \S 3(b)), it reduces the chances for user

  frustration and inappropriate community outcry about an alleged GPL

  violation.

\item {\bf GPL compliance requires friendly negotiation and cooperation.}

  Often, attorneys and managers are legitimately surprised to find out

  GPL'd software is included in their company's products. Engineers

  sometimes include GPL'd software without understanding the requirements.

  This does not excuse companies from their obligations under the license,

  but it does mean that care and patience are essential for reaching GPL

  compliance. We want companies to understand that participating and

  benefiting from a collaborative Free Software community is not a burden,

  so we strive to make the process of coming into compliance as smooth as

  possible.

\item {\bf Confirming compliance is a community effort.}  The whole point

  of making sure that software distributors respect the terms of the GPL is to

  allow a thriving software sharing community to benefit and improve the

  work. FSF is not the expert on how a compiler for consumer electronic

  devices should work. We therefore inform the community who originally

  brought the violation to our attention and ask them to assist in

  evaluation and confirmation of the product's compliance. Of course, FSF

  coordinates and oversees the process, but we do not want compliance for

  compliance's sake; rather, we wish to foster a cooperating community of

  development around the Free Software in question, and encourage the

  once-violator to begin participating in that community.

\item {\bf Informing the harmed community is part of compliance.} FSF asks

  violators to make some attempt --- such as via newsletters and the

  company's Web site --- to inform those who already have the products as

  to their rights under the GPL\@. One of the key thrusts of the GPL's \S 1 and

  \S 3 is to {\em make sure the user knows she has these rights\/}. If a

  product was received out of compliance by a customer, she may never

  actually discover that she has such rights. Informing customers, in a

  way that is not burdensome but has a high probability of successfully

  reaching those who would seek to exercise their freedoms, is essential

  to properly remedy the mistake.

\item {\bf Lines between various copyright, patent, and other legal

  mechanisms must be precisely defined and considered.}  The most

  difficult negotiation point of the Bortez case was drafting language

  that simultaneously protected Bortez's patent rights outside of the

  GPL'd source, but was consistent with the implicit patent grant in

  the GPL\@. As we discussed in the first course of this series, there is

  indeed an implicit patent grant with the GPL, thanks to \S 6 and \S 7.

  However, many companies become nervous and wish to make the grant

  explicit to assure themselves that the grant is sufficiently narrow for

  their needs. We understand that there is no reasonable way to determine

  what patent claims read on a company's GPL holdings and which do not, so

  we do not object to general language that explicitly narrows the patent

  grant to only those patents that were, in fact, exercised by the GPL'd

  software as released by the company.

\end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\chapter{Bracken: a Minor Violation in a GNU/Linux Distribution}

In this case study, we consider a minor violation made by a company whose

knowledge of the Free Software community and its functions is deep.

\section{The Facts} 

Bracken produces a GNU/Linux operating system product that is sold

primarily to OEM vendors to be placed in appliance devices used for a

single purpose, such as an Internet-browsing-only device. The product

is almost 100\% Free Software, mostly licensed under the GPL and related

Free Software licenses.

FSF found out about this violation through a report first posted on a

  Slashdot\footnote{Slashdot is a popular news and discussion site for

  technical readers.} comment, and then it was brought to our attention again

  by another Free Software copyright holder who had discovered the

  same violation.

Bracken's GNU/Linux product is delivered directly from their Web site.

This allowed FSF engineers to directly download and confirm the

violation quickly. Two primary problems were discovered with the

online distribution:

\begin{itemize}

\item No source code nor offer for source code was provided for a number

  of components for the distributed GNU/Linux system; only binaries were

  available

\item An End User License Agreement (``EULA'') was included that

  contradicted the permissions granted by the GPL\@

\end{itemize}

FSF contacted Bracken and gave them the details of the violation. Bracken

immediately ceased distribution of the product temporarily and set forth

a plan to bring themselves back into compliance. This plan included the

following steps:

\begin{itemize}

\item Bracken attorneys would rewrite the EULA to comply with the GPL and

  would vet the new EULA through FSF before use

\item Bracken engineers would provide source side-by-side with the

  binaries for the GNU/Linux distribution on the site (and on CD's, if

  ever they distributed that way)

\item Bracken attorneys would run an internal seminar for its engineers

  regarding proper GPL compliance to help ensure that such oversights

  regarding source releases would not occur in the future

\item Bracken would resume distribution of the product only after FSF

  formally restored Bracken's distribution rights

\end{itemize}

This case was completed in about a month. FSF approved the new EULA

text. The key portion in the EULA relating to the GPL read as follows:

\begin{quotation}

Many of the Software Programs included in Bracken Software are distributed

under the terms of agreements with Third Parties (``Third Party

Agreements'') which may expand or limit the Licensee's rights to use

certain Software Programs as set forth in [this EULA]. Certain Software

Programs may be licensed (or sublicensed) to Licensee under the GNU

General Public License and other similar license agreements listed in part

in this section which, among other rights, permit the Licensee to copy,

modify and redistribute certain Software Programs, or portions thereof,

and have access to the source code of certain Software Programs, or

portions thereof. In addition, certain Software Programs, or portions

thereof, may be licensed (or sublicensed) to Licensee under terms stricter

than those set forth in [this EULA]. The Licensee must review the

electronic documentation that accompanies certain Software Programs, or

portions thereof, for the applicable Third Party Agreements. To the

extent any Third Party Agreements require that Bracken provide rights to

use, copy or modify a Software Program that are broader than the rights

granted to the Licensee in [this EULA], then such rights shall take

precedence over the rights and restrictions granted in this Agreement

solely for such Software Programs.

\end{quotation}

FSF restored Bracken's distribution rights shortly after the work was

completed as described.

\section{Lessons Learned}

This case was probably the most quickly and easily resolved of all GPL

violations in the history of FSF's Compliance Lab. The ease with which

the problem was resolved shows a number of cultural factors that play a

role in GPL compliance.

\begin{enumerate}

\item {\bf Companies that understand Free Software culture better have an

  easier time with compliance.}  Bracken's products were designed and

  built around the GNU/Linux system and Free Software components. Their

  engineers were deeply familiar with the Free Software ecosystem, and

  their lawyers had seen and reviewed the GPL before. The violation was

  completely an honest mistake. Since the culture inside the company had

  already adapted to the cooperative style of resolution in the Free

  Software world, there was very little work for either party to bring the

  product into compliance.

\item {\bf When people in key positions understand the Free Software

  nature of their software products, compliance concerns are as

  mundane as minor software bugs.}  Even the most functional system or

  structure has its problems, and successful business often depends on

  agile response to the problems that do come up; avoiding problems

  altogether is a pipe dream. Minor GPL violations can and do happen

  even with well-informed redistributors. However, resolution is

  reached quickly when the company --- and in particular, the lawyers,

  managers, and engineers working on the Free Software product lines

  --- have adapted to Free Software culture that the lower-level

  engineer already understood

\item {\bf Legally, distribution must stop when a violation is

  identified.}  In our opinion, Bracken went above and beyond the call of

  duty by ceasing distribution while the violation was being resolved.

  Under GPL \S 4, the redistributor loses the right to distribute the

  software, and thus they are in ongoing violation of copyright law if

  they distribute before rights are restored. It is FSF's policy to

  temporarily allow distribution while compliance negotiations are ongoing

  and only in the most extreme cases (where the other party appears to be

  negotiating in bad faith) does FSF even threaten an injunction on

  copyright grounds. However, Bracken --- as a good Free Software citizen

  --- chose to be on the safe side and do the legally correct thing while

  the violation case was pending. From start to finish, it took less

  than a month to resolve. This lapse in distribution did not, to FSF's

  knowledge, impact Bracken's business in any way.

\item {\bf EULAs are a common area for GPL problems.}  Often, EULAs

  are drafted from boilerplate text that a company uses for all its

  products. Even the most diligent attorneys forget or simply do not

  know that a product contains software licensed under the GPL and other

  Free Software licenses. Drafting a EULA that accounts for such

  licenses is straightforward; the text quoted above works just fine.

  The EULA must be designed so that it does not trump rights and

  permissions already granted by the GPL\@. The EULA must clearly state

  that if there is a conflict between it and the GPL, with regard to GPL'd

  code, the GPL is the overriding license.

\item {\bf Compliance Officers are rarely necessary when companies are

  educated about GPL compliance.}  As we saw in the Bortez case, FSF asks

  that a formal ``GPL Compliance Officer'' be appointed inside a

  previously violating organization to shepherd the organization to a

  cooperative approach to GPL compliance. However, when FSF

  sees that an organization already has such an approach, there is no

  need to request that such an officer be appointed.

\end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\chapter{Vigorien: Security, Export Controls, and GPL Compliance}

This case study introduces how concerns of ``security through obscurity''

and regulatory problems can impact GPL compliance matters.

\section{The Facts}

Vigorien distributes a back-up solution product that allows system

administrators to create encrypted backups of file-systems on

Unix-like computers. The product is based on GNU tar, a backup utility

that replaces the standard Unix utility simply called tar, but has

additional features.

Vigorien's backup solution added cryptographic features to GNU tar, and

included a suite of utilities and graphical user interfaces surrounding

GNU tar to make backups convenient.

FSF discovered the violation from a user report, and determined that the