Changeset - 30e4942891c6
Bradley Kuhn (bkuhn) - 10 years ago 2014-11-19 17:56:28
bkuhn@ebb.org
Reword paragraph; Include ref: "standard requests"

Mostly these changes are wordsmith, but I added a note that violators
should ask for the "standard requests" for compliance to be adequate.
1 file changed with 8 insertions and 5 deletions:
0 comments (0 inline, 0 general)
compliance-guide.tex
...
 
@@ -1091,128 +1091,129 @@ some violations without consequence.
 

	
 
If you have redistributed an application under GPLv2\footnote{This applies
 
  to all programs licensed to you under only GPLv2 (``GPLv2-only'').
 
  However, most so-called GPLv2 programs are actually distributed with
 
  permission to redistribute under GPLv2 \emph{or any later version of the
 
    GPL} (``GPLv2-or-later'').  In the latter cases, the redistributor can
 
  choose to redistribute under GPLv2, GPLv3, GPLv2-or-later or even
 
  GPLv3-or-later.  Where the redistributor has chosen v2 explicitly, the
 
  v2 termination provision will always apply.  If the redistributor has
 
  chosen v3, the v3 termination provision will always apply.  If the
 
  redistributor has chosen GPLv2-or-later, then the redistributor may want
 
  to narrow to GPLv3-only upon violation, to take advantage of the
 
  termination provisions in v3.}, but have violated the terms of GPLv2,
 
you must request a reinstatement of rights from the copyright holders
 
before making further distributions, or else cease distribution and
 
modification of the software forever.  Different copyright holders
 
condition reinstatement upon different requirements, and these
 
requirements can be (and often are) wholly independent of the GPL\@.  The
 
terms of your reinstatement will depend upon what you negotiate with the
 
copyright holder of the GPL'd program.
 

	
 
Since your rights under GPLv2 terminate automatically upon your initial
 
violation, \emph{all your subsequent distributions} are violations and
 
infringements of copyright.  Therefore, even if you resolve a violation on
 
your own, you must still seek a reinstatement of rights from the copyright
 
holders whose licenses you violated, lest you remain liable for
 
infringement for even compliant distributions made subsequent to the
 
initial violation.
 

	
 
GPLv3 is more lenient.  If you have distributed only v3-licensed programs,
 
you may be eligible under v3~\S~8 for automatic reinstatement of rights.
 
You are eligible for automatic reinstatement when:
 
\begin{itemize}
 
\item you correct the violation and are not contacted by a copyright
 
  holder about the violation within sixty days after the correction, or
 

	
 
\item you receive, from a copyright holder, your first-ever contact
 
  regarding a GPL violation, and you correct that violation within thirty
 
  days of receipt of copyright holder's notice.
 
\end{itemize}
 

	
 
In addition to these permanent reinstatements provided under v3, violators
 
who voluntarily correct their violation also receive provisional
 
permission to continue distributing until they receive contact from the
 
copyright holder.  If sixty days pass without contact, that reinstatement
 
becomes permanent.  Nonetheless, you should be prepared to cease
 
distribution during those initial sixty days should you receive a
 
termination notice from the copyright holder.
 

	
 
Given that much discussion of v3 has focused on its so-called more
 
complicated requirements, it should be noted that v3 is, in this regard,
 
more favorable to violators than v2.
 

	
 
However, note that most Linux-based systems typically include some software
 
licensed under GPLv2-only, and thus the copyright holders have withheld
 
permission to redistribute under terms of GPLv3.  In larger aggregate
 
distributions which include GPLv2-only works (such as the kernel named
 
Linux), redistributors must operate as if termination is immediate and
 
permanent, since the technological remove of GPLv2-only works from the larger
 
distribution requires much more engineering work than the negotiation
 
required to seek restoration of rights for distribution under GPLv2-only
 
after permanent termination.
 

	
 
\chapter{Standard Requests}
 
\label{enforcement-standard-requests}
 

	
 
As we noted above, different copyright holders have different requirements
 
for reinstating a violator's distribution rights.  Upon violation, you no
 
longer have a license under the GPL\@.  Copyright holders can therefore
 
set their own requirements outside the license before reinstatement of
 
rights.  We have collected below a list of reinstatement demands that
 
copyright holders often require.
 

	
 
\begin{itemize}
 

	
 
\item {\bf Compliance on all Free Software copyrights}.  Copyright holders of Free Software
 
  often want a company to demonstrate compliance for all GPL'd software in
 
  a distribution, not just their own.  A copyright holder may refuse to
 
  reinstate your right to distribute one program unless and until you
 
  comply with the licenses of all Free Software in your distribution.
 
 
 
\item {\bf Notification to past recipients}.  Users to whom you previously
 
  distributed non-compliant software should receive a communication
 
  (email, letter, bill insert, etc.) indicating the violation, describing
 
  their rights under the GPL, and informing them how to obtain a gratis source
 
  distribution.  If a customer list does not exist (such as in reseller
 
  situations), an alternative form of notice may be required (such as a
 
  magazine advertisement).
 

	
 
\item {\bf Appointment of a GPL Compliance Officer.}  The software freedom community
 
  values personal accountability when things go wrong.  Copyright holders
 
  often require that you name someone within the violating company
 
  officially responsible for Free Software license compliance, and that this
 
  individual serve as the key public contact for the community when
 
  compliance concerns arise.
 

	
 
\item {\bf Periodic Compliance Reports.}  Many copyright holders wish to
 
  monitor future compliance for some period of time after the violation.
 
  For some period, your company may be required to send regular reports on
 
  how many distributions of binary and source have occurred.
 
\end{itemize}
 

	
 
These are just a few possible requirements for reinstatement.  In the
 
context of a GPL violation, and particularly under v2's termination
 
provision, the copyright holder may have a range of requests in exchange
 
for reinstatement of rights.  These software developers are talented
 
professionals from whose work your company has benefited.  Indeed, you are
 
unlikely to find a better value or more generous license terms for similar
 
software elsewhere.  Treat the copyright holders with the same respect you
 
treat your corporate partners and collaborators.
 

	
 
\chapter{Special Topics in Compliance}
 

	
 
There are several other issues that are less common, but also relevant in
 
a GPL compliance situation.  To those who face them, they tend to be of
 
particular interest.
 

	
 
\section{LGPL Compliance}
 
\label{lgpl}
 

	
 
GPL compliance and LGPL compliance mostly involve the same issues.  As we
 
discussed in \S~\ref{derivative-works}, questions of modified versions of
 
software are highly fact-dependent and cannot be easily addressed in any
 
overview document.  The LGPL adds some additional complexity to the
 
analysis.  Namely, the various LGPL versions permit proprietary licensing
 
of certain types of modified versions.  These issues are discussed in greater
 
detail in Chapter~\ref{LGPLv2} and~\ref{LGPLv3}.  However, as a rule of thumb, once you have determined
 
(in accordance with LGPLv3) what part of the work is the ``Application''
 
and what portions of the source are ``Minimal Corresponding Source'', then
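Review bot: in the paragraph on aggregate distributions that include GPLv2-only works, "the technological remove of GPLv2-only works" reads as a typo for "removal"; since this changeset is wordsmithing the surrounding text, it is worth fixing in the same pass. In the LGPL Compliance paragraph, "Chapter~\ref{LGPLv2} and~\ref{LGPLv3}" names two chapters and should read "Chapters". The `\label{enforcement-standard-requests}` on the Standard Requests chapter matches the target of the reference added later in this changeset, so that part is consistent.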
...
 
@@ -1382,104 +1383,106 @@ notice that they risk voiding their warranties and losing their update and
 
support services when they make modifications.\footnote{A popular t-shirt
 
  in the software freedom community reads: ``I void warranties.''.  Our community is
 
  well-known for modifying products with full knowledge of the
 
  consequences.  GPLv3's ``Installation Instructions'' section merely
 
  confirms that reality, and makes sure GPL rights can be fully exercised,
 
  even if users exercise those rights at their own peril.}
 

	
 
GPLv3 is in many ways better for distributors who seek some degree of
 
device lock-down.  Technical processes are always found for subverting any
 
lock-down; pursuing it is a losing battle regardless.  With GPLv3, unlike
 
with GPLv2, the license gives you clear provisions that you can rely on
 
when you are forced to cut off support, service or warranty for a customer
 
who has chosen to modify.
 

	
 
% FIXME-soon: write a full section on Javascript compliance.  Here's a
 
%             potentially useful one-sentence introduction for such a
 
%             section.
 

	
 
% Non-compliance with GPLv3 in the
 
% distribution of Javascript on the Web is becoming more frequent
 
%FIXME-soon: END
 

	
 
\section{Beware The Consultant in Enforcers' Clothing}
 

	
 
There are admittedly portions of the GPL enforcement community that function
 
somewhat like the
 
\href{http://en.wikipedia.org/wiki/Hacker_%28computer_security%29#Classifications}{computer
 
  security and network penetration testing hacker community}.  By analogy,
 
most COGEO's consider themselves
 
\href{http://en.wikipedia.org/wiki/White_hat_%28computer_security%29}{white hats},
 
while some might appropriately call
 
\hyperref[Proprietary Relicensing]{proprietary relicensing} by the name ``\href{http://en.wikipedia.org/wiki/Hacker_%28computer_security%29#Black_hat}{black hats}''.
 
And, to finalize the analogy, there are indeed few
 
\href{http://en.wikipedia.org/wiki/Grey_hat}{grey hat} GPL enforcers.
 

	
 
Grey hat GPL enforcers usually have done some community-oriented GPL
 
enforcement themselves, typically working as a volunteer for a COGEO, but make
 
their living as a ``hired gun'' consultant to find GPL violations and offer
 
to ``fix them'' for companies.  Other such operators hold copyrights in some
 
key piece of copylefted software and enforce as a mechanism to find out who
 
is most likely to fund improvements on the software.
 

	
 
A few companies report that they have formed beneficial consulting or
 
employment relationships with developers they first encountered through
 
enforcement.  In some such cases, companies have worked with such consultants
 
to alter the mode of use of the project's code in the company's products.
 
More often in these cases, the communication channels opened in the course of
 
the inquiry served other consulting purposes later.
 

	
 
Feelings and opinions about this behavior are mixed within the larger
 
copyleft community.  Some see it as a reasonable business model and others
 
renounce it as corrupt behavior.  Regardless, a GPL
 
violator should always immediately determine the motivations of the
 
enforcer via documented, verifiable facts.  For example, COGEOs such as the FSF and Conservancy have made substantial
 
public commitments to enforce in a way that is uniform, transparent, and
 
publicly documented.  Furthermore, since these specific organizations are
 
public charities in the USA, they
 
are accountable to the IRS (and the public at large) in their annual Form 990
 
filings.   Everyone may examine their revenue models and scrutinize their
 
work.
 

	
 
However, entities and individuals who do GPL enforcement centered primarily
 
around a profit motive are likely the most dangerous enforcement entities for
 
one simple reason: an agreement to comply fully with the GPL for past and
 
future products, which is always the paramount goal to COGEOs, may not be an
 
future products --- always the paramount goal to COGEOs --- may not suffice as
 
adequate resolution for a proprietary relicensing company or grey hat GPL
 
enforcer.  Therefore, violators are advised to consider carefully who has
 
made the enforcement inquiry and ask when and where they have made public
 
commitments and reports regarding their enforcement work, perhaps asking them
 
to directly mimic the detailed public disclosures done by COGEOs.
 
enforcer.  Therefore, violators must consider carefully who has
 
made the enforcement inquiry and ask when and where the enforcer made public
 
commitments and reports regarding their enforcement work and perhaps even ask
 
the enforcer to directly mimic CEOGEO's detailed public disclosures and
 
follow the \hypperref[enforcement-standard-requests]{standard requests for
 
  resolution} found in this document.
 

	
 
\chapter{Conclusion}
 

	
 
GPL compliance need not be an onerous process.  Historically, struggles
 
have been the result of poor development methodologies and communications,
 
rather than any unexpected application of the GPL's source code disclosure
 
requirements.
 

	
 
Compliance is straightforward when the entirety of your enterprise is
 
well-informed and well-coordinated.  The receptionists should know how to
 
route a GPL source request or accusation of infringement.  The lawyers
 
should know the basic provisions of Free Software licenses and your source
 
disclosure requirements, and should explain those details to the software
 
developers.  The software developers should use a version control system
 
that allows them to associate versions of source with distributed
 
binaries, have a well-documented build process that anyone skilled in the
 
art can understand, and inform the lawyers when they bring in new
 
software.  Managers should build systems and procedures that keep everyone
 
on target.  With these practices in place, any organization can comply
 
with the GPL without serious effort, and receive the substantial benefits
 
of good citizenship in the software freedom community, and lots of great code
 
ready-made for their products.
 

	
 
\vfill
 

	
 
% LocalWords:  redistributors NeXT's Slashdot Welte gpl ISC embedders BusyBox
 
% LocalWords:  someone's downloadable subdirectory subdirectories filesystem
 
% LocalWords:  roadmap README upstream's Ravicher's FOSSology readme CDs iPhone
 
% LocalWords:  makefiles violator's Michlmayr Stallman RMS GPL'd Harald LGPL
 
%%  LocalWords:  GPL's resellers copylefted sublicenses GPLv unmanaged MySQL
 
%%  LocalWords:  misassessments licensor COGEOs COGEO LGPLv CCS Requestors
 
%%  LocalWords:  codebase Yocto distributees COGEO's Coreboot ERP reseller
 
%%  LocalWords:  redistributor reinstatements decompilation acquired's grey
 
%%  LocalWords:  upgradable unmodifiable Relicensing relicensing
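Review bot: the new reference in the final sentence of "Beware The Consultant in Enforcers' Clothing" is spelled `\hypperref[enforcement-standard-requests]{standard requests for resolution}`, which LaTeX will reject as an undefined control sequence; it should be `\hyperref`, as used earlier in the same section. The same rewritten sentence introduces "CEOGEO's", while the rest of the section and the LocalWords list use COGEO, COGEOs and COGEO's, so that should be corrected to match (and to a plural possessive if several organizations are meant). The rewrite also changes "violators are advised to consider" to "violators must consider", which is a change in strength rather than pure wordsmithing; please confirm that is intended, or mention it in the commit message.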