Richard M.~Stallman (RMS) in 1989, and consisted of informal community efforts,

often in public Usenet discussions.\footnote{One example is the public

  outcry over NeXT's attempt to make the Objective-C front-end to GCC

  proprietary.  RMS, in fact, handled this enforcement action personally and

  the Objective-C front-end is still part of upstream GCC today.}  Over the next decade, the Free Software Foundation (FSF),

which holds copyrights in many GNU programs, was the only visible entity

actively enforcing its GPL'd copyrights on behalf of the software freedom

community.

FSF's enforcement

was generally a private process; the FSF contacted violators

confidentially and helped them to comply with the license.  Most

violations were pursued this way until the early 2000's.

By that time, Linux-based systems such as GNU/Linux and BusyBox/Linux had become very common, particularly in

embedded devices such as wireless routers.  During this period, public

ridicule of violators in the press and on Internet fora supplemented

ongoing private enforcement and increased pressure on businesses to

comply.  In 2003, the FSF formalized its efforts into the GPL Compliance

Lab, increased the volume of enforcement, and built community coalitions

to encourage copyright holders to together settle amicably with violators.

Beginning in 2004, Harald Welte took a more organized public enforcement

approach and launched \verb0gpl-violations.org0, a website and mailing

list for collecting reports of GPL violations.  On the basis of these

reports, Welte successfully pursued many enforcements in Europe, including

formal legal action.  Harald earns the permanent fame as the first copyright

holder to bring legal action in a court regarding GPL compliance.

In 2007, two copyright holders in BusyBox, in conjunction with the

Software Freedom Conservancy (``Conservancy''), filed the first copyright infringement lawsuit

based on a violation of the GPL\@ in the USA. While  lawsuits are of course

quite public, the vast majority of Conservancy's enforcement actions 

are resolved privately via

cooperative communications with violators.  As both FSF and Conservancy have worked to bring

individual companies into compliance, both organizations have encountered numerous

violations resulting from preventable problems such as inadequate

attention to licensing of upstream software, misconceptions about the

GPL's terms, and poor communication between software developers and their

management.  This document highlights these problems and describe

best practices to encourage corporate Free Software users to reevaluate their

approach to GPL'd software and avoid future violations.

Both FSF and Conservancy continue GPL enforcement and compliance efforts

for software under the GPL, the GNU Lesser

Public License (LGPL) and other copyleft licenses.  In doing so, both organizations have

found that most violations stem from a few common, avoidable mistakes.  All copyleft advocates  hope to educate the community of

commercial distributors, redistributors, and resellers on how to avoid

violations in the first place, and to respond adequately and appropriately

when a violation occurs.

\chapter{Best Practices to Avoid Common Violations}

\label{best-practices}

Unlike highly permissive licenses (such as the ISC license), which

typically only require preservation of copyright notices, licensees face many

important requirements from the GPL.  These requirements are

carefully designed to uphold certain values and standards of the software

freedom community.  While the GPL's requirements may initially appear

counter-intuitive to those more familiar with proprietary software

licenses, by comparison, its terms are in fact clear and quite favorable to

licensees.  Indeed, the GPL's terms actually simplify compliance when

violations occur.

GPL violations occur (or, are compounded) most often when companies lack sound

practices for the incorporation of GPL'd components into their

internal development environment.  This section introduces some best

practices for software tool selection, integration and distribution,

inspired by and congruent with software freedom methodologies.  Companies should

establish such practices before building a product based on GPL'd

software.\footnote{This document addresses compliance with GPLv2,

  GPLv3, LGPLv2, and LGPLv3.  Advice on avoiding the most common

  errors differs little for compliance with these four licenses.

  \S~\ref{lgpl} discusses the key differences between GPL and LGPL

  compliance.}

\section{Evaluate License Applicability}

\label{derivative-works}

Political discussion about the GPL often centers around the ``copyleft''

requirements of the license.  Indeed, the license was designed primarily

to embody this licensing feature.  Most companies adding non-trivial

features (beyond mere porting and bug-fixing) to GPL'd software (and

thereby invoking these requirements) are already well aware of their

more complex obligations under the license.\footnote{There has been much legal

  discussion regarding copyleft and derivative works.  In practical

  reality, this issue is not relevant to the vast majority of companies

  distributing GPL'd software.  Those interested in this issue should study

  \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of

    this tutorial}.}

However, experienced  GPL enforcers find that few redistributors'

compliance challenges relate directly to combined work issues in copyleft.

Instead, the distributions of GPL'd

systems most often encountered typically consist of a full operating system

including components under the GPL (e.g., Linux, BusyBox) and components

under the LGPL (e.g., the GNU C Library).  Sometimes, these programs have

been patched or slightly improved by direct modification of their sources,

companies often distribute fully independent, proprietary programs,

developed from scratch, which are designed to run on the Free Software operating

system but do not combine with, link to, modify, derive from, or otherwise

create a combined work with

the GPL'd components.\footnote{However, these programs do often combine

  with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.}

In the latter case, where the work is unquestionably a separate work of

creative expression, no copyleft provisions are invoked.

The core compliance issue faced, thus, in such a situation, is not an discussion of what is or is not a

conveyance of binary works based on GPL'd source, but without Complete,

Corresponding Source.  This tutorial therefore focuses primarily on that issue.

Admittedly, a tiny

situations are so rare, and the details from situation to situation differ

greatly.  Thus, such situations require a highly

fact-dependent analysis and cannot be addressed in a general-purpose

document such as this one.

\medskip

Most companies accused of violations lack a basic understanding

of how to comply even in the straightforward scenario.  This document

provides those companies with the fundamental and generally applicable prerequisite knowledge.

For answers to rarer and more complicated legal questions, such as whether

your software is a derivative or combined work of some copylefted software, consult

with an attorney.\footnote{If you would like more information on the

  application of derivative works doctrine to software, a detailed legal

  discussion is presented in our colleague Dan Ravicher's article,

  \textit{Software Derivative Work: A Circuit Dependent Determination} and in

  \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of

    this tutorial}.}

This discussion thus assumes that you have already identified the

``work'' covered by the license, and that any components not under the GPL

(e.g., applications written entirely by your developers that merely happen

to run on a Linux-based operating system) distributed in conjunction with

those works are separate works within the meaning of copyright law and the GPL\@.  In

such a case, the GPL requires you to provide complete corresponding

source (CCS)\footnote{For more on CCS,  see

\tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related

      Licenses}'s Section on GPLv2~\S2 and GPLv3~\S1.}{\S~\ref{GPLv2s2} and \S~\ref{GPLv3s1} of

    this tutorial}.}

for the GPL'd components and your modifications thereto, but not

for independent proprietary applications.  The procedures described in

this document address this typical scenario.

\section{Monitor Software Acquisition}

Software engineers deserve the freedom to innovate and import useful

software components to improve products.  However, along with that

freedom should come rules and reporting procedures to make sure that you

are aware of what software that you include with your product.

The most typical response to an initial enforcement action is: ``We

didn't know there was GPL'd stuff in there''.  This answer indicates

failure in the software acquisition and procurement process.  Integration

of third-party proprietary software typically requires a formal

arrangement and management/legal oversight before the developers

incorporate the software.  By contrast, developers often obtain and

integrate Free Software without intervention nor oversight. That ease of acquisition, however,

does not mean the oversight is any less necessary.  Just as your legal

and/or management team negotiates terms for inclusion of any proprietary

software, they should gently facilitate all decisions to bring Free Software into your

product.

Simple, engineering-oriented rules help provide a stable foundation for

Free Software integration.  For example, simply ask your software developers to send an email to a

standard place describing each new Free Software component they add to the system,

and have them include a brief description of how they will incorporate it

into the product.  Further, make sure developers use a revision control

system (such as Git or Mercurial), and

store the upstream versions of all software in a ``vendor branch'' or

similar mechanism, whereby they can easily track and find the main version

of the software and, separately, any local changes.

Such procedures are best instituted at your project's launch.  Once 

chaotic and poorly-sourced development processes begin, cataloging the

presence of GPL'd components  becomes challenging.

Such a situation often requires use of a tool to ``catch up'' your knowledge

about what software your product includes.  Most commonly, companies choose

some software licensing scanning tool to inspect the codebase.  However,

there are few tools that are themselves Free Software.  Thus, GPL enforcers

usually recommend the GPL'd

\href{http://fossology.org/}{FOSSology system}, which analyzes a

source code base and produces a list of Free Software licenses that may apply to

the code.  FOSSology can help you build a catalog of the sources you have

already used to build your product.  You can then expand that into a more

structured inventory and process.

\section{Track Your Changes and Releases}

As explained in further detail below, the most important component of GPL

compliance is the one most often ignored: proper inclusion of CCS in all

distributions  of GPL'd

software.  To comply with GPL's CCS requirements, the distributor

\textit{must} always know precisely what sources generated a given binary

distribution.

In an unfortunately large number of our enforcement cases, the violating

company's engineering team had difficulty reconstructing the CCS

for binaries distributed by the company.  Here are three simple rules to

follow to decrease the likelihood of this occurrence:

\begin{itemize}

\item Ensure that your

developers are using revision control systems properly.

\section{How are Violations Discovered?}

Our enforcement of the GPL is not a fund-raising effort; in fact, FSF's GPL

Compliance Lab runs at a loss (in other words, it is subsided by our

donors). Our violation reports come from volunteers, who have encountered,

in their business or personal life, a device or software product that

appears to contain GPL'd software. These reports are almost always sent

via email to $<$license-violation@fsf.org$>$.

Our first order of business, upon receiving such a report, is to seek

independent confirmation. When possible, we get a copy of the software

product. For example, if it is an offering that is downloadable from a

Web site, we download it and investigate ourselves. When it is not

possible for us to actually get a copy of the software, we ask the

reporter to go through the same process we would use in examining the

software.

By rough estimation, about 95\% of violations at this stage can be

confirmed by simple commands. Almost all violators have merely made an

error and have no nefarious intentions. They have made no attempt to

remove our copyright notices from the software. Thus, given the

third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux

system) such as the following will find a Free Software copyright notice

and GPL reference:

\begin{quotation}

{\tt strings tpb | grep Copyright}

\end{quotation}

In other words, it is usually more than trivial to confirm that GPL'd

software is included.

Once we have confirmed that a violation has indeed occurred, we must then

determine whose copyright has been violated. Contrary to popular belief,

FSF does not have the power to enforce the GPL in all cases. Since the GPL

operates under copyright law, the powers of enforcement --- to seek

redress once \S 4 has been invoked --- lie with the copyright holder of

the software. FSF is one of the largest copyright holders in the world of

GPL'd software, but we are by no means the only one. Thus, we sometimes

discover that while GPL'd code is present in the software, there is no

software copyrighted by FSF present.

In cases where FSF does not hold copyright interest in the software, but

we have confirmed a violation, we contact the copyright holders of the

software, and encourage them to enforce the GPL\@. We offer our good offices

to help negotiate compliance on their behalf, and many times, we help as a

third party to settle such GPL violations. However, what we will describe

primarily in this course is FSF's first-hand experience enforcing its own

copyrights and the GPL\@.

\section{First Contact}

The Free Software community is built on a structure of voluntary

cooperation and mutual help. Our community has learned that cooperation

works best when you assume the best of others, and only change policy,

procedures and attitudes when some specific event or occurrence indicates

that a change is necessary. We treat the process of GPL enforcement in

the same way. Our goal is to encourage violators to join the cooperative

community of software sharing, so we want to open our hand in friendship.

Therefore, once we have confirmed a violation, our first assumption is

that the violation is an oversight or otherwise a mistake due to confusion

about the terms of the license. We reach out to the violator and ask them

to work with us in a collaborative way to bring the product into

compliance. We have received the gamut of possible reactions to such

requests, and in this course, we examine four specific examples of such

compliance work.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\chapter{Bortez: Modified GCC SDK}

In our first case study, we will consider Bortez, a company that

produces software and hardware toolkits to assist OEM vendors, makers

of consumer electronic devices.

\section{Facts}

One of Bortez's key products is a Software Development Kit (``SDK'')

designed to assist developers building software for a specific class of

consumer electronics devices.

FSF received a report that the SDK may be based on the GNU Compiler

Collection (which is an FSF-copyrighted collection of tools for software

development in C, C++ and other popular languages). FSF investigated the

claim, but was unable to confirm the violation. The violation reporter

was unresponsive to follow-up requests for more information.

Since FSF was unable to confirm the violation, we did not pursue it any

further. Bogus reports do happen, and we do not want to burden companies

with specious GPL violation complaints. FSF shelved the matter until

more evidence was discovered.

FSF was later able to confirm the violation when two additional reports

surfaced from other violation reporters, both of whom had used the SDK

professionally and noticed clear similarities to FSF's GNU GCC\@. FSF's

Compliance Engineer asked the reporters to run standard tests to confirm

the violation, and it was confirmed that Bortez's SDK was indeed a

of features, including support for a specific consumer device chipset and

additional features to aid in the linking process (``LP'') for those

specific devices. FSF explained the rights that the GPL afforded these

customers and pointed out, for example, that Bortez only needed to provide

source to those in possession of the binaries, and that the users may need

to request that source (if \S 3(b) was exercised). The violators

confirmed that such requests were not answered.

FSF brought the matter to the attention of Bortez, who immediately

escalated the matter to their attorneys. After a long negotiation,

GCC\@. Bortez released most of the source, but some disagreement

FSF inquiries, Bortez reaudited the source to discover that FSF's

analysis was correct. Bortez determined that LP included a number of

source files copied from the GCC code-base.

\label{davrik-build-problems}

Once the full software release was made available, FSF asked the violation

reporters if it addressed the problem. Reports came back that the source

did not properly build. FSF asked Bortez to provide better build

instructions with the software, and such build instructions were

incorporated into the next software release.

At FSF's request as well, Bortez informed customers who had previously

purchased the product that the source was now available by announcing

the availability on its Web site and via a customer newsletter.

Bortez did have some concerns regarding patents. They wished to include a

statement with the software release that made sure they were not granting

any patent permission other than what was absolutely required by the GPL\@.

They understood that their patent assertions could not trump any rights

granted by the GPL\@. The following language was negotiated into the release:

\begin{quotation}

Subject to the qualifications stated below, Bortez, on behalf of itself

and its Subsidiaries, agrees not to assert the Claims against you for your

making, use, offer for sale, sale, or importation of the Bortez's GNU

Utilities or derivative works of the Bortez's GNU Utilities

(``Derivatives''), but only to the extent that any such Derivatives are

licensed by you under the terms of the GNU General Public License. The

Claims are the claims of patents that Bortez or its Subsidiaries have

standing to enforce that are directly infringed by the making, use, or

sale of an Bortez Distributed GNU Utilities in the form it was distributed

by Bortez and that do not include any limitation that reads on hardware;

the Claims do not include any additional patent claims held by Bortez that

cover any modifications of, derivative works based on or combinations with

the Bortez's GNU Utilities, even if such a claim is disclosed in the same

patent as a Claim. Subsidiaries are entities that are wholly owned by

Bortez.

This statement does not negate, limit or restrict any rights you already

have under the GNU General Public License version 2.

\end{quotation}

This quelled Bortez's concerns about other patent licensing they sought to

do outside of the GPL'd software, and satisfied FSF's concerns that Bortez

give proper permissions to exercise teachings of patents that were

exercised in their GPL'd software release.

Finally, a GPL Compliance Officer inside Bortez was appointed to take

responsibility for all matters of GPL compliance inside the company.

Bortez is responsible for informing FSF if the position is given to

someone else inside the company, and making sure that FSF has direct

contact with Bortez's Compliance Officer.

\section{Lessons}

This case introduces a number of concepts regarding GPL enforcement.

\begin{enumerate}

\item {\bf Enforcement should not begin until the evidence is confirmed.}

  Most companies that distribute GPL'd software do so in compliance, and at

  times, violation reports are mistaken. Even with extensive efforts in

  GPL education, many users do not fully understand their rights and the

  obligations that companies have. By working through the investigation

  with reporters, the violation can be properly confirmed, and {\bf the

    user of the software can be educated about what to expect with GPL'd

    software}. When users and customers of GPL'd products know their

  rights, what to expect, and how to properly exercise their rights

  (particularly under \S 3(b)), it reduces the chances for user

  frustration and inappropriate community outcry about an alleged GPL

  violation.

\item {\bf GPL compliance requires friendly negotiation and cooperation.}

  Often, attorneys and managers are legitimately surprised to find out

  GPL'd software is included in their company's products. Engineers

  sometimes include GPL'd software without understanding the requirements.

  This does not excuse companies from their obligations under the license,

  but it does mean that care and patience are essential for reaching GPL

  compliance. We want companies to understand that participating and

  benefiting from a collaborative Free Software community is not a burden,

  so we strive to make the process of coming into compliance as smooth as

  possible.

\item {\bf Confirming compliance is a community effort.}  The whole point

  of making sure that software distributors respect the terms of the GPL is to

  allow a thriving software sharing community to benefit and improve the

  work. FSF is not the expert on how a compiler for consumer electronic

  devices should work. We therefore inform the community who originally

  brought the violation to our attention and ask them to assist in

  evaluation and confirmation of the product's compliance. Of course, FSF

  coordinates and oversees the process, but we do not want compliance for

  compliance's sake; rather, we wish to foster a cooperating community of

  development around the Free Software in question, and encourage the

  once-violator to begin participating in that community.

\item {\bf Informing the harmed community is part of compliance.} FSF asks

  duty by ceasing distribution while the violation was being resolved.

  Under GPL \S 4, the redistributor loses the right to distribute the

  software, and thus they are in ongoing violation of copyright law if

  they distribute before rights are restored. It is FSF's policy to

  temporarily allow distribution while compliance negotiations are ongoing

  and only in the most extreme cases (where the other party appears to be

  negotiating in bad faith) does FSF even threaten an injunction on

  copyright grounds. However, Bracken --- as a good Free Software citizen

  --- chose to be on the safe side and do the legally correct thing while

  the violation case was pending. From start to finish, it took less

  than a month to resolve. This lapse in distribution did not, to FSF's

  knowledge, impact Bracken's business in any way.

\item {\bf EULAs are a common area for GPL problems.}  Often, EULAs

  are drafted from boilerplate text that a company uses for all its

  products. Even the most diligent attorneys forget or simply do not

  know that a product contains software licensed under the GPL and other

  Free Software licenses. Drafting a EULA that accounts for such

  licenses is straightforward; the text quoted above works just fine.

  The EULA must be designed so that it does not trump rights and

  permissions already granted by the GPL\@. The EULA must clearly state

  that if there is a conflict between it and the GPL, with regard to GPL'd

  code, the GPL is the overriding license.

\item {\bf Compliance Officers are rarely necessary when companies are

  educated about GPL compliance.}  As we saw in the Bortez case, FSF asks

  that a formal ``GPL Compliance Officer'' be appointed inside a

  previously violating organization to shepherd the organization to a

  cooperative approach to GPL compliance. However, when FSF

  sees that an organization already has such an approach, there is no

  need to request that such an officer be appointed.

\end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\chapter{Vigorien: Security, Export Controls, and GPL Compliance}

This case study introduces how concerns of ``security through obscurity''

and regulatory problems can impact GPL compliance matters.

\section{The Facts}

Vigorien distributes a back-up solution product that allows system

administrators to create encrypted backups of file-systems on

Unix-like computers. The product is based on GNU tar, a backup utility

that replaces the standard Unix utility simply called tar, but has

additional features.

Vigorien's backup solution added cryptographic features to GNU tar, and

included a suite of utilities and graphical user interfaces surrounding

GNU tar to make backups convenient.

FSF discovered the violation from a user report, and determined that the

cryptographic features were the only part of the product that constituted

a derivative work of GNU tar; the extraneous utilities merely made

shell calls out to GNU tar. FSF requested that Vigorien come into

compliance with the GPL by releasing the source of GNU tar, with the

cryptographic modifications, to its customers.

Vigorien released the original GNU tar sources, but kept the cryptographic

modifications proprietary. They argued that the security of their system

depending on keeping the software proprietary and that regardless, USA

export restrictions on cryptographic software prohibited such a release.

FSF disputed the first claim, pointing out that Vigorien had only one

option if they did not want to release the source: they would have to

remove GNU tar from the software and not distribute it further. Vigorien

rejected this suggestion, since GNU tar was an integral part of the

product, and the security changes were useless without GNU tar.

Regarding the export control claims, FSF proposed a number of options,

including release of the source from one of Vigorien's divisions overseas

where no such restrictions occurred, but Vigorien argued that the problem

was insoluble because they operated primarily in the USA\@.

The deadlock on the second issue was resolved when those cryptographic

export restrictions were lifted shortly thereafter, and FSF again raised

the matter with Vigorien. At that point, they dropped the first claim and

agreed to release the remaining source module to their customers. They

did so, and the violation was resolved.

\section{Lessons Learned}

\begin{enumerate}

\item {\bf Removing the GPL'd portion of the product is always an

  option.}  Many violators' first response is to simply refuse to

  release the source code as the GPL requires. FSF offers the option to

  simply remove the GPL'd portions from the product and continue along

  without them. Every case where this has been suggested has led to

  the same conclusion. Like Vigorien, the violator argues that the

  product cannot function without the GPL'd components, and they

  cannot effectively replace them.

  Such an outcome is simply further evidence that the combined work in

  If the other components cannot stand on their own and be useful without

  the GPL'd portions, then one cannot effectively argue that the work as a

\item {\bf The whole product is not always covered.}  In this case,

  Vigorien had additional works aggregated. The backup system was a suite

  of utilities, some of which were the GPL and some of which were not. While

  the cryptographic routines were tightly coupled with GNU tar and clearly

  independent works merely aggregated with the distribution of the

  GNU-tar-based product.

\item {\bf ``Security'' concerns do not exonerate a distributor from GPL

  obligations, and ``security through obscurity'' does not work anyway.}

  The argument that ``this is security software, so it cannot be released

  in source form'' is not a valid defense for explaining why the terms of

  the GPL are ignored. If companies do not want to release source code

  for some reason, then they should not base the work on GPL'd software.

  No external argument for noncompliance can hold weight if the work as

  The ``security concerns'' argument is often floated as a reason to keep

  software proprietary, but the computer security community has on

  numerous occasions confirmed that such arguments are entirely specious.

  Security experts have found --- since the beginnings of the field of

  cryptography in the ancient world --- that sharing results about systems

  and having such systems withstand peer review and scrutiny builds the

  most secure systems. While full disclosure may help some who wish to

  compromise security, it helps those who want to fix problems even more

  by identifying them early.

\item {\bf External regulatory problems can be difficult to resolve.}

  The GPL, though grounded in copyright law, does not have the power to trump

  regulations like export controls. While Vigorien's ``security

  concerns'' were specious, their export control concerns were not. It is

  indeed a difficult problem that FSF acknowledges. We want compliance

  with the GPL and respect for users' freedoms, but we certainly do not expect

  companies to commit criminal offenses for the sake of compliance. We

  will see more about this issue in our next case study.

\end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices}

This case study considers an ongoing (at the time of writing) violation

that has occurred. By the end of the investigation period, three

companies were involved and many complex issues arose.

\section{The Facts}

Haxil produced a consumer electronics device which included a mini

GNU/Linux distribution to control the device. The device was of interest

to many technically-minded consumers, who purchased the device and very

quickly discovered that Free Software was included without source.

Mailing lists throughout the Free Software community erupted with

complaints about the problem, and FSF quickly investigated.

FSF confirmed that FSF-copyrighted GPL'd software was included. In

addition, the whole distribution included GPL'd works from hundreds of

individual copyright holders, many of whom were, at this point, up in

arms about the violation.

Meanwhile, Haxil was in the midst of being acquired by Polgara. Polgara

was as surprised as everyone else to discover the product was based on

GPL'd software; this fact had not been part of the disclosures made during

acquisition. FSF contacted Haxil, Polgara, and the product managers

who had transitioned into the ``Haxil division'' of the newly-merged

Polgara company. Polgara's General Counsel's office worked with FSF on

the matter.

FSF formed a coalition with the other primary copyright holders

to pursue the enforcement effort on their behalf. FSF communicated

directly with Polgara's representatives to begin working through the

issues on behalf of itself and the Free Software community at large.

Polgara pointed out that the software distribution they used was mostly

contributed by an upstream provider, Thesulac, and Haxil's changes to that

code base were minimal. Polgara negotiated with Thesulac to obtain the

source, although the issue moved very slowly in the channels between

Polgara and Thesulac.

FSF encouraged a round-table meeting so that high bandwidth communication

could occur between FSF, Polgara and Thesulac. Polgara and Thesulac

agreed, and that discussion began. Thesulac provided nearly complete

sources to Polgara, and Polgara made a full software release on their

Web site. At the time of writing, that software still has some build

problems (similar to those that occurred with Bortez, as described in

Section~\ref{davrik-build-problems}). FSF continues to negotiate with

Polgara and Thesulac to resolve these problems, which have a clear path to

a solution and are expected to resolve.

Similar to the Vigorien case, Thesulac has regulatory concerns. In this

case, it is not export controls --- an issue that has since been resolved

--- but radio spectrum regulation. Since this consumer electronic device

contains a software-programmable radio transmitter, regulations in (at

least) the USA and Japan prohibit release of those portions of the code

that operate the device. Since this is a low-level programming issue, the

Linux.  A decade later, this situation remains largely unresolved.

\section{Lessons Learned}

\begin{enumerate}

\item {\bf Community outrage, while justified, can often make negotiation

  more difficult.}  FSF has a strong policy never to publicize names of

  GPL violators if they are negotiating in a friendly way and operating in

  good faith toward compliance. Most violations are honest mistakes, and

  FSF sees no reason to publicly admonish violators who genuinely want to

  come into compliance with the GPL and to work hard staying in compliance.

  This case was so public in the Free Software community that both Haxil's

  and Polgara's representatives were nearly shell-shocked by the time FSF

  began negotiations. There was much work required to diffuse the

  situation. We empathize with our community and their outrage about GPL

  violations, but we also want to follow a path that leads expediently

  to compliance. In our experience, public outcry works best as a last

  resort, not the first.

\item {\bf For software companies, GPL compliance belongs on a corporate

  acquisition checklist. }  Polgara was truly amazed that Haxil had used

  GPL'd software in a major new product line but never informed Polgara

  during the acquisition process. While GPL compliance is not a

  particularly difficult matter, it is an additional obligation that comes

  along with the product line. When planning mergers and joint ventures,

  one should include lists of GPL'd components contained in the products

  discussed.

\item {\bf Compliance problems of upstream providers do not excuse a

  violation for the downstream distributor.}  To paraphrase \S 6, upstream

  providers are not responsible for enforcing compliance of their

  downstream, nor are downstream distributors responsible for compliance

  problems of upstream providers. However, engaging in distribution of

  GPL'd works out of compliance is still just that: a compliance problem.

  When FSF carries out enforcement, we are patient and sympathetic when

  the problem appears to be upstream. In fact, we urge the violator to

  point us to the upstream provider so we may talk to them directly. In

  this case, we were happy to begin negotiations with Thesulac. However,

  Polgara still has an obligation to bring their product into compliance,

  regardless of Thesulac's response.

\item {\bf It behooves upstream providers to advise downstream

  distributors about compliance matters.}  FSF has encouraged Thesulac to

  distribute a ``good practices for GPL compliance'' document with their

  product. Polgara added various software components to Thesulac's

  product, and it is conceivable that such additions can introduce

  compliance. In FSF's opinion, Thesulac is in no way legally responsible

  for such a violation introduced by their customer, but it behooves them

  from a marketing standpoint to educate their customers about using the

  product. We can argue whether or not it is your coffee vendor's fault

  if you burn yourself with their product, but (likely) no one on either

  side would dispute the prudence of placing a ``caution: hot'' label on

  the cup.

\item {\bf FSF enforcement often avoids redundant enforcement cases from

  many parties.}  Most Free Software systems have hundreds of copyright

  holders. Some have thousands. FSF is in a unique position as one of

  the largest single copyright holders on GPL'd software and as a

  respected umpire in the community, neutrally enforcing the rules of the

  GPL road. FSF works hard in the community to convince copyright

  holders that consolidating GPL claims through FSF is better for them,

  and more likely to yield positive compliance results.

  A few copyright holders engage in the ``proprietary relicensing''

  business, so they use GPL enforcement as a sales channel for that

  business. FSF, as a community-oriented, not-for-profit organization,

  seeks only to preserve the freedom of Free Software in its enforcement

  efforts. As it turns out, most of the community of copyright holders

  of Free Software want the same thing. Share and share alike is a

  simple rule to follow, and following that rule to FSF's satisfaction

  usually means you are following it to the satisfaction of the entire

  Free Software community.

\end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

% COMMENT OUT THIS CHAPTER.

% FIXME: is this material moot now that we include the compliance guide?

% Either way, it should be merged into compliance guide.

%\chapter{Good Practices for Compliance}

Generally, from the experience of GPL enforcement, we glean the following

general practices that can help in GPL compliance for organizations that

distribute products based on GPL'd software:

\begin{itemize}

\item Talk to your software engineers and ask them where they got the

  components they use in the products they build. Find out if GPL'd

  components are present.

\item Teach your engineering staff to pay attention to license documents.

  Give them easy-to-follow policies to get approval for using a Free

  Software component.

considered this possibility for GPLv3 and chose not to do so, instead opting

for the third-party steward designation clause discussed in

Section~\ref{GPLv3s14}.

\section{Complexities of Two Simultaneously Popular Copylefts}

Obviously most GPL advocates would prefer widespread migration to GPLv3, and

many newly formed projects who seek a copyleft license tend to choose a

GPLv3-based license.  However, many existing copylefted projects continue

with GPLv2-only or GPLv2-or-later as their default license.

While GPLv3 introduces many improvements --- many of which were designed to

increase adoption by for-profit companies --- GPLv2 remains a widely used and

extremely popular license.  The GPLv2 is, no doubt, a good and useful

license.

However, unlike GPLv1 before it,

GPLv2 remains an integral part of the copyleft licensing infrastructure.  As such, those who seek to have expertise in current

topics of copyleft licensing need to study both the GPLv2 and GPLv3 family of

licenses.

Furthermore, GPLv3 is more easily understood by first studying GPLv2.

This is not only because of their chronological order, but also because much

of the discussion material available for GPLv3 tends to talk about GPLv3 in

contrast to GPLv2.  As such, a strong understanding of GPLv2 helps in

understanding most of the third-party material found regarding GPLv3.  Thus,

the following chapter begins a deep discussion of GPLv2.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\chapter{Running Software and Verbatim Copying}

\label{run-and-verbatim}

This chapter begins the deep discussion of the details of the terms of

GPLv2\@. In this chapter, we consider the first two sections: GPLv2 \S\S

0--2. These are the straightforward sections of the GPL that define the

simplest rights that the user receives.

\section{GPLv2~\S0: Freedom to Run}

\label{GPLv2s0}

GPLv2~\S0, the opening section of GPLv2, sets forth that copyright law governs

the work.  It specifically points out that it is the ``copyright

holder'' who decides if a work is licensed under its terms and explains

how the copyright holder might indicate this fact.

A bit more subtly, GPLv2~\S0 makes an inference that copyright law is the only

system that can restrict the software.  Specifically, it states:

\begin{quote}

Activities other than copying, distribution and modification are not

covered by this License; they are outside its scope.

\end{quote}

In essence, the license governs \emph{only} those activities, and all other

activities are unrestricted, provided that no other agreements trump GPLv2

(which they cannot; see Sections~\ref{GPLv2s6} and~\ref{GPLv2s7}).  This is

very important, because the Free Software community heavily supports

users' rights to ``fair use'' and ``unregulated use'' of copyrighted

material.  GPLv2 asserts through this clause that it supports users' rights

to fair and unregulated uses.

Fair use (called ``fair dealing'' in some jurisdictions) of copyrighted

material is an established legal doctrine that permits certain activities

regardless of whether copyright law would otherwise restrict those activities.

Discussion of the various types of fair use activity are beyond the scope of

this tutorial.  However, one important example of fair use is the right to

quote portions of the text in a larger work so as to criticize or suggest

changes.  This fair use right is commonly used on mailing lists when

discussing potential improvements or changes to Free Software.

Fair use is a doctrine established by the courts or by statute.  By

contrast, unregulated uses are those that are not covered by the statue

nor determined by a court to be covered, but are common and enjoyed by

many users.  An example of unregulated use is reading a printout of the

program's source code like an instruction book for the purpose of learning

how to be a better programmer.  The right to read something that you have

access to is and should remain unregulated and unrestricted.

\medskip

Thus, the GPLv2 protects users' fair and unregulated use rights precisely by

not attempting to cover them.  Furthermore, the GPLv2 ensures the freedom

to run specifically by stating the following:

\begin{quote}

''The act of running the Program is not restricted.''

\end{quote}

Thus, users are explicitly given the freedom to run by GPLv2~\S0.

\medskip

The bulk of GPLv2~\S0 not yet discussed gives definitions for other terms used

throughout.  The only one worth discussing in detail is ``work based on

the Program''.  The reason this definition is particularly interesting is

not for the definition itself, which is rather straightforward, but

because it clears up a common misconception about the GPL\@.

The GPL is often mistakenly criticized because it fails to give a

\section{GPLv2~\S1: Verbatim Copying}

\label{GPLv2s1}

GPLv2~\S1 covers the matter of redistributing the source code of a program

exactly as it was received. This section is quite straightforward.

However, there are a few details worth noting here.

The phrase ``in any medium'' is important.  This, for example, gives the

freedom to publish a book that is the printed copy of the program's source

code.  It also allows for changes in the medium of distribution.  Some

vendors may ship Free Software on a CD, but others may place it right on

the hard drive of a pre-installed computer.  Any such redistribution media

is allowed.

Preservation of copyright notice and license notifications are mentioned

specifically in GPLv2~\S1.  These are in some ways the most important part of

the redistribution, which is why they are mentioned by name.  GPL

always strives to make it abundantly clear to anyone who receives the

software what its license is.  The goal is to make sure users know their

rights and freedoms under GPL, and to leave no reason that users might be

surprised the software is GPL'd. Thus

throughout the GPL, there are specific references to the importance of

notifying others down the distribution chain that they have rights under

GPL.