Bradley Kuhn (bkuhn) - 10 years ago 2014-11-06 21:59:48
Copyright notice updates.

Joshua Gay made contributions to all the files earlier in 2014 (see git
log) which were copyrighted by the FSF, so FSF's copyright needs
refreshed to include this year.

Denver recently added a section to the enforcement-case-studies.tex, so
his copyright notice needs to go there and at the top file.

I made changes to enforcement-case-studies.tex on top of Denver's.

Also, remove commented-out copyright notices -- the ones in the actual
text are now primary and should be maintained directly.
% compliance-guide.tex                            -*- LaTeX -*-

\part{A Practical Guide to GPL Compliance}

{\parindent 0in
This part is: \\
Copyright \= \copyright{} 2014 \= \hspace{.2in} Bradley M. Kuhn. \\
Copyright \= \copyright{} 2014 \= \hspace{.2in} Free Software Foundation, Inc. \\
Copyright \> \copyright{} 2008 \> \hspace{.2in} Software Freedom Law Center. \\


Authors of this part are: \\

Bradley M. Kuhn \\
Aaron Williamson \\
Karen M. Sandler \\


Copy editors of this part include: \\
Martin Michlmayr


The copyright holders of this part hereby grant the freedom to copy, modify,
convey, Adapt, and/or redistribute this work under the terms of the Creative
Commons Attribution Share Alike 4.0 International License.  A copy of that
license is available at


\chapter*{Executive Summary}

This is a guide to effective compliance with the GNU General Public
License (GPL) and related licenses.  Copyleft advocates
usually seek to assist the community with
GPL compliance cooperatively.   This guide focuses on complying from the
start, so that readers can learn to avoid enforcement actions entirely, or, at
least, minimize  the negative impact when enforcement actions occur.
This guide  introduces and explains basic legal concepts related to the GPL and its
enforcement by copyright holders. It also outlines business practices and
methods that lead to better GPL compliance.  Finally, it recommends proper
post-violation responses to the concerns of copyright holders.


Early GPL enforcement efforts began soon after the GPL was written by
Richard M.~Stallman (RMS) in 1989, and consisted of informal community efforts,
often in public Usenet discussions.\footnote{One example is the public
  outcry over NeXT's attempt to make the Objective-C front-end to GCC
  proprietary.  RMS, in fact, handled this enforcement action personally and
  the Objective-C front-end is still part of upstream GCC today.}  Over the next decade, the Free Software Foundation (FSF),
which holds copyrights in many GNU programs, was the only visible entity
actively enforcing its GPL'd copyrights on behalf of the software freedom
FSF's enforcement
was generally a private process; the FSF contacted violators
confidentially and helped them to comply with the license.  Most
violations were pursued this way until the early 2000's.

By that time, Linux-based systems such as GNU/Linux and BusyBox/Linux had become very common, particularly in
embedded devices such as wireless routers.  During this period, public
ridicule of violators in the press and on Internet fora supplemented
ongoing private enforcement and increased pressure on businesses to
comply.  In 2003, the FSF formalized its efforts into the GPL Compliance
Lab, increased the volume of enforcement, and built community coalitions
to encourage copyright holders to together settle amicably with violators.
Beginning in 2004, Harald Welte took a more organized public enforcement
approach and launched \verb0gpl-violations.org0, a website and mailing
list for collecting reports of GPL violations.  On the basis of these
reports, Welte successfully pursued many enforcements in Europe, including
formal legal action.  Harald earns the permanent fame as the first copyright
holder to bring legal action in a court regarding GPL compliance.

In 2007, two copyright holders in BusyBox, in conjunction with the
Software Freedom Conservancy (``Conservancy''), filed the first copyright infringement lawsuit
based on a violation of the GPL\@ in the USA. While  lawsuits are of course
quite public, the vast majority of Conservancy's enforcement actions 
are resolved privately via
cooperative communications with violators.  As both FSF and Conservancy have worked to bring
individual companies into compliance, both organizations have encountered numerous
violations resulting from preventable problems such as inadequate
attention to licensing of upstream software, misconceptions about the
GPL's terms, and poor communication between software developers and their
management.  This document highlights these problems and describe
best practices to encourage corporate Free Software users to reevaluate their
approach to GPL'd software and avoid future violations.

Both FSF and Conservancy continue GPL enforcement and compliance efforts
for software under the GPL, the GNU Lesser
Public License (LGPL) and other copyleft licenses.  In doing so, both organizations have
found that most violations stem from a few common, avoidable mistakes.  All copyleft advocates  hope to educate the community of
commercial distributors, redistributors, and resellers on how to avoid
violations in the first place, and to respond adequately and appropriately
when a violation occurs.

\chapter{Best Practices to Avoid Common Violations}

Unlike highly permissive licenses (such as the ISC license), which
typically only require preservation of copyright notices, licensees face many
important requirements from the GPL.  These requirements are
carefully designed to uphold certain values and standards of the software
freedom community.  While the GPL's requirements may initially appear
counter-intuitive to those more familiar with proprietary software
licenses, by comparison, its terms are in fact clear and quite favorable to
licensees.  Indeed, the GPL's terms actually simplify compliance when
violations occur.

GPL violations occur (or, are compounded) most often when companies lack sound
practices for the incorporation of GPL'd components into their
internal development environment.  This section introduces some best
practices for software tool selection, integration and distribution,
inspired by and congruent with software freedom methodologies.  Companies should
establish such practices before building a product based on GPL'd
software.\footnote{This document addresses compliance with GPLv2,
  GPLv3, LGPLv2, and LGPLv3.  Advice on avoiding the most common
  errors differs little for compliance with these four licenses.
  \S~\ref{lgpl} discusses the key differences between GPL and LGPL

\section{Evaluate License Applicability}
Political discussion about the GPL often centers around the ``copyleft''
requirements of the license.  Indeed, the license was designed primarily
to embody this licensing feature.  Most companies adding non-trivial
features (beyond mere porting and bug-fixing) to GPL'd software (and
thereby invoking these requirements) are already well aware of their
more complex obligations under the license.\footnote{There has been much legal
  discussion regarding copyleft and derivative works.  In practical
  reality, this issue is not relevant to the vast majority of companies
  distributing GPL'd software.  Those interested in this issue should study
  \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related
      Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of
    this tutorial}.}

However, experienced  GPL enforcers find that few redistributors'
compliance challenges relate directly to combined work issues in copyleft.
Instead, the distributions of GPL'd
systems most often encountered typically consist of a full operating system
including components under the GPL (e.g., Linux, BusyBox) and components
under the LGPL (e.g., the GNU C Library).  Sometimes, these programs have
been patched or slightly improved by direct modification of their sources,
and thus the result is unequivocally a modified version.  Alongside these programs,
companies often distribute fully independent, proprietary programs,
developed from scratch, which are designed to run on the Free Software operating
system but do not combine with, link to, modify, derive from, or otherwise
create a combined work with
the GPL'd components.\footnote{However, these programs do often combine
  with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.}
In the latter case, where the work is unquestionably a separate work of
creative expression, no copyleft provisions are invoked.
The core compliance issue faced, thus, in such a situation, is not an discussion of what is or is not a
combined, derivative, and/or modified version of the work, but rather, issues related to distribution and
conveyance of binary works based on GPL'd source, but without Complete,
Corresponding Source.  This tutorial therefore focuses primarily on that issue.

Admittedly, a tiny
minority of compliance situations relate to question of derivative,
combined, or modified versions of the work.  Those
situations are so rare, and the details from situation to situation differ
greatly.  Thus, such situations require a highly
fact-dependent analysis and cannot be addressed in a general-purpose
document such as this one.


Most companies accused of violations lack a basic understanding
of how to comply even in the straightforward scenario.  This document
provides those companies with the fundamental and generally applicable prerequisite knowledge.
For answers to rarer and more complicated legal questions, such as whether
your software is a derivative or combined work of some copylefted software, consult
with an attorney.\footnote{If you would like more information on the
  application of derivative works doctrine to software, a detailed legal
  discussion is presented in our colleague Dan Ravicher's article,
  \textit{Software Derivative Work: A Circuit Dependent Determination} and in
  \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related
      Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of
    this tutorial}.}

This discussion thus assumes that you have already identified the
``work'' covered by the license, and that any components not under the GPL
(e.g., applications written entirely by your developers that merely happen
to run on a Linux-based operating system) distributed in conjunction with
those works are separate works within the meaning of copyright law and the GPL\@.  In
such a case, the GPL requires you to provide complete corresponding
source (CCS)\footnote{For more on CCS,  see
\tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related
      Licenses}'s Section on GPLv2~\S2 and GPLv3~\S1.}{\S~\ref{GPLv2s2} and \S~\ref{GPLv3s1} of
    this tutorial}.}
for the GPL'd components and your modifications thereto, but not
for independent proprietary applications.  The procedures described in
this document address this typical scenario.

\section{Monitor Software Acquisition}

Software engineers deserve the freedom to innovate and import useful
software components to improve products.  However, along with that
freedom should come rules and reporting procedures to make sure that you
are aware of what software that you include with your product.

The most typical response to an initial enforcement action is: ``We
didn't know there was GPL'd stuff in there''.  This answer indicates
failure in the software acquisition and procurement process.  Integration
of third-party proprietary software typically requires a formal
arrangement and management/legal oversight before the developers
incorporate the software.  By contrast, developers often obtain and
integrate Free Software without intervention nor oversight. That ease of acquisition, however,
does not mean the oversight is any less necessary.  Just as your legal
and/or management team negotiates terms for inclusion of any proprietary
software, they should gently facilitate all decisions to bring Free Software into your

Simple, engineering-oriented rules help provide a stable foundation for
Free Software integration.  For example, simply ask your software developers to send an email to a
standard place describing each new Free Software component they add to the system,
and have them include a brief description of how they will incorporate it
into the product.  Further, make sure developers use a revision control
system (such as Git or Mercurial), and
store the upstream versions of all software in a ``vendor branch'' or
similar mechanism, whereby they can easily track and find the main version
of the software and, separately, any local changes.

Such procedures are best instituted at your project's launch.  Once 
chaotic and poorly-sourced development processes begin, cataloging the
presence of GPL'd components  becomes challenging.

Such a situation often requires use of a tool to ``catch up'' your knowledge
about what software your product includes.  Most commonly, companies choose
some software licensing scanning tool to inspect the codebase.  However,
there are few tools that are themselves Free Software.  Thus, GPL enforcers
usually recommend the GPL'd
\href{}{FOSSology system}, which analyzes a
source code base and produces a list of Free Software licenses that may apply to
the code.  FOSSology can help you build a catalog of the sources you have
already used to build your product.  You can then expand that into a more
structured inventory and process.

\section{Track Your Changes and Releases}

As explained in further detail below, the most important component of GPL
compliance is the one most often ignored: proper inclusion of CCS in all
distributions  of GPL'd
software.  To comply with GPL's CCS requirements, the distributor
\textit{must} always know precisely what sources generated a given binary

In an unfortunately large number of our enforcement cases, the violating
company's engineering team had difficulty reconstructing the CCS
for binaries distributed by the company.  Here are three simple rules to
follow to decrease the likelihood of this occurrence:


\item Ensure that your
developers are using revision control systems properly.

\item Have developers mark or ``tag'' the full source tree corresponding to
  builds distributed to customers.

\item Check that your developers store all parts of the software
development in the revision control system, including {\sc readme}s, build
scripts, engineers' notes, and documentation.

Your developers will benefit anyway from these rules.  Developers will be
happier in their jobs if their tools already track the precise version of
source that corresponds to any deployed binary.

\section{Avoid the ``Build Guru''}

Too many software projects rely on only one or a very few team members who
know how to build and assemble the final released product.  Such knowledge
centralization not only creates engineering redundancy issues, but also
thwarts GPL compliance.  Specifically, CCS does not just require source code,
but scripts and other material that explain how to control compilation and
installation of the executable and object code.

Thus, avoid relying on a ``build guru'', a single developer who is the only one
who knows how to produce your final product. Make sure the build process
is well defined.  Train every developer on the build process for the final
binary distribution, including (in the case of embedded software)
generating a final firmware image suitable for distribution to the
customer.  Require developers to use revision control for build processes.
Make a rule that adding new components to the system without adequate
build instructions (or better yet, scripts) is unacceptable engineering

\chapter{Details of Compliant Distribution}

This section explains the specific requirements placed upon
distributors of GPL'd software.  Note that this section refers heavily to
specific provisions and language in
and \href{}{GPLv3}.
It may be helpful to have a copy of each license open while reading this

\section{Binary Distribution Permission}

% be careful below, you cannot refill the \if section, so don't refill
% this paragraph without care.

The various versions of the GPL are copyright licenses that grant
permission to make certain uses of software that are otherwise restricted
by copyright law.  This permission is conditioned upon compliance with the
GPL's requirements.

This section walks through the requirements (of both GPLv2 and GPLv3) that
apply when you distribute GPL'd programs in binary (i.e., executable or
object code) form, which is typical for embedded applications.  Because a
binary application derives from a program's original sources, you need
permission from the copyright holder to distribute it.  \S~3 of GPLv2 and
\S~6 of GPLv3 contain the permissions and conditions related to binary
distributions of GPL'd programs.\footnote{These sections cannot be fully
  understood in isolation; read the entire license thoroughly before
  focusing on any particular provision.  However, once you have read and
  understood the entire license, look to these sections to guide
  compliance for binary distributions.}

GPL's binary distribution sections offer a choice of compliance methods,
each of which we consider in turn.  Each option refers to the
``Corresponding Source'' code for the binary distribution, which includes
the source code from which the binary was produced.  This abbreviated and
simplified definition is sufficient for the binary distribution discussion
in this section, but you may wish to refer back to this section after
reading the thorough discussion of ``Corresponding Source'' that appears
in \S~\ref{corresponding-source}.

\subsection{Option (a): Source Alongside Binary}

GPLv2~\S~3(a) and v3~\S~6(a) embody the easiest option for providing
source code: including Corresponding Source with every binary
distribution.  While other options appear initially less onerous, this
option invariably minimizes potential compliance problems, because when
you distribute Corresponding Source with the binary, \emph{your GPL
  obligations are satisfied at the time of distribution}.  This is not
true of other options, and for this reason, we urge you to seriously
consider this option.  If you do not, you may extend the duration of your
obligations far beyond your last binary distribution.

Compliance under this option is straightforward.  If you ship a product
that includes binary copies of GPL'd software (e.g., in firmware, or on a
hard drive, CD, or other permanent storage medium), you can store the
Corresponding Source alongside the binaries.  Alternatively, you can
include the source on a CD or other removable storage medium in the box
containing the product.

GPLv2 refers to the various storage mechanisms as ``medi[a] customarily
used for software interchange''.  While the Internet has attained primacy
as a means of software distribution where super-fast Internet connections
are available, GPLv2 was written at a time when downloading software was
not practical (and was often impossible).  For much of the world, this
condition has not changed since GPLv2's publication, and the Internet
still cannot be considered ``a medium customary for software
interchange''.  GPLv3 clarifies this matter, requiring that source be
``fixed on a durable physical medium customarily used for software
interchange''.  This language affirms that option (a) requires binary
redistributors to provide source on a physical medium.

Please note that while selection of option (a) requires distribution on a
physical medium, voluntary distribution via the Internet is very useful.  This
is discussed in detail in \S~\ref{offer-with-internet}.

\subsection{Option (b): The Offer}

Many distributors prefer to ship only an offer for source with the binary
distribution, rather than the complete source package.  This
option has value when the cost of source distribution is a true
per-unit cost.  For example, this option might be a good choice for
embedded products with permanent storage too small to fit the source, and
which are not otherwise shipped with a CD but \emph{are} shipped with a
manual or other printed material.

However, this option increases the duration of your obligations
dramatically.  An offer for source must be good for three full years from
your last binary distribution (under GPLv2), or your last binary or spare
part distribution (under GPLv3).  Your source code request and
provisioning system must be designed to last much longer than your product
life cycle.

In addition, if you are required to comply with the terms of GPLv2, you
{\bf cannot} use a network service to provide the source code.  For GPLv2,
the source code offer is fulfilled only with physical media.  This usually
means that you must continue to produce an up-to-date ``source code CD''
for years after the product's end-of-life.


Under GPLv2, it is acceptable and advisable for your offer for source code
to include an Internet link for downloadable source \emph{in addition} to
offering source on a physical medium.  This practice enables those with
fast network connections to get the source more quickly, and typically
decreases the number of physical media fulfillment requests.
(GPLv3~\S~6(b) permits provision of source with a public
network-accessible distribution only and no physical media.  We discuss
this in detail at the end of this section.)

The following is a suggested compliant offer for source under GPLv2 (and
is also acceptable for GPLv3) that you would include in your printed
materials accompanying each binary distribution:

The software included in this product contains copyrighted software that
is licensed under the GPL\@.  A copy of that license is included in this
document on page $X$\@.  You may obtain the complete Corresponding Source
code from us for a period of three years after our last shipment of this
product, which will be no earlier than 2011-08-01, by sending a money
order or check for \$5 to: \\
GPL Compliance Division \\
Our Company \\
Any Town, US 99999 \\
Please write ``source for product $Y$'' in the memo line of your

You may also find a copy of the source at

This offer is valid to anyone in receipt of this information.

There are a few important details about this offer.  First, it requires a
copying fee.  GPLv2 permits ``a charge no more than your cost of
physically performing source distribution''.  This fee must be reasonable.
If your cost of copying and mailing a CD is more than around \$10, you
should perhaps find a cheaper CD stock and shipment method.  It is simply
not in your interest to try to overcharge the community.  Abuse of this
provision in order to make a for-profit enterprise of source code
provision will likely trigger enforcement action.

Second, note that the last line makes the offer valid to anyone who
requests the source.  This is because v2~\S~3(b) requires that offers be
``to give any third party'' a copy of the Corresponding Source.  GPLv3 has
a similar requirement, stating that an offer must be valid for ``anyone
who possesses the object code''.  These requirements indicated in
v2~\S~3(c) and v3~\S~6(c) are so that noncommercial redistributors may
pass these offers along with their distributions.  Therefore, the offers
must be valid not only to your customers, but also to anyone who received
a copy of the binaries from them.  Many distributors overlook this
requirement and assume that they are only required to fulfill a request
from their direct customers.

The option to provide an offer for source rather than direct source
distribution is a special benefit to companies equipped to handle a
fulfillment process.  GPLv2~\S~3(c) and GPLv3~\S~6(c) avoid burdening
noncommercial, occasional redistributors with fulfillment request
obligations by allowing them to pass along the offer for source as they
received it.

Note that commercial redistributors cannot avail themselves of the option
(c) exception, and so while your offer for source must be good to anyone
who receives the offer (under v2) or the object code (under v3), it
\emph{cannot} extinguish the obligations of anyone who commercially
redistributes your product.  The license terms apply to anyone who
distributes GPL'd software, regardless of whether they are the original
distributor.  Take the example of Vendor $V$, who develops a software
platform from GPL'd sources for use in embedded devices.  Manufacturer $M$
contracts with $V$ to install the software as firmware in $M$'s device.
$V$ provides the software to $M$, along with a compliant offer for source.
In this situation, $M$ cannot simply pass $V$'s offer for source along to
its customers.  $M$ also distributes the GPL'd software commercially, so
$M$ too must comply with the GPL and provide source (or $M$'s \emph{own}
offer for source) to $M$'s customers.

This situation illustrates that the offer for source is often a poor
choice for products that your customers will likely redistribute.  If you
include the source itself with the products, then your distribution to
your customers is compliant, and their (unmodified) distribution to their
customers is likewise compliant, because both include source.  If you
include only an offer for source, your distribution is compliant but your
customer's distribution does not ``inherit'' that compliance, because they
have not made their own offer to accompany their distribution.

The terms related to the offer for source are quite different if you
distribute under GPLv3.  Under v3, you may make source available only over
a network server, as long as it is available to the general public and
remains active for three years from the last distribution of your product
or related spare part.  Accordingly, you may satisfy your fulfillment
obligations via Internet-only distribution.  This makes the ``offer for
source'' option less troublesome for v3-only distributions, easing
compliance for commercial redistributors.  However, before you switch to a
purely Internet-based fulfillment process, you must first confirm that you
can actually distribute \emph{all} of the software under GPLv3.  Some
programs are indeed licensed under ``GPLv2, \emph{or any later version}''
(often abbreviated ``GPLv2-or-later'').  Such licensing gives you the
option to redistribute under GPLv3.  However, a few popular programs are
only licensed under GPLv2 and not ``or any later version''
(``GPLv2-only'').  You cannot provide only Internet-based source request
fulfillment for the latter programs.

If you determine that all GPL'd works in your whole product allow upgrade
to GPLv3 (or were already GPLv3'd to start), your offer for source may be
as simple as this:

The software included in this product contains copyrighted software that
is licensed under the GPLv3\@.  A copy of that license is included in this
document on page $X$\@.  You may obtain the complete Corresponding Source
code from us for a period of three years after our last shipment of this
product and/or spare parts therefor, which will be no earlier than
2011-08-01, on our website at


Under both GPLv2 and GPLv3, source offers must be accompanied by a copy of
the license itself, either electronically or in print, with every
Finally, it is unacceptable to use option (b) merely because you do not have
Corresponding Source ready.  We find that some companies choose this option
because writing an offer is easy, but producing a source distribution as
an afterthought to a hasty development process is difficult.  The offer
for source does not exist as a stop-gap solution for companies rushing to
market with an out-of-compliance product.  If you ship an offer for source
with your product but cannot actually deliver \emph{immediately} on that
offer when your customers request it, you should expect an enforcement

\subsection{Option (c): Noncommercial Offers}

As discussed in the last section, GPLv2~\S~3(c) and GPLv3~\S~6(c) apply
only to noncommercial use.  These options are not available to businesses
distributing GPL'd software.  Consequently, companies that redistribute
software packaged for them by an upstream vendor cannot merely pass along
the offer they received from the vendor; they must provide their own offer
or corresponding source to their distributees.  We talk in detail about
upstream software providers in \S~\ref{upstream}.

\subsection{Option 6(d) in GPLv3: Internet Distribution}

Under GPLv2, your formal provisioning options for Corresponding Source
ended with \S~3(c).  But even under GPLv2, pure Internet source
distribution was a common practice and generally considered to be
compliant.  GPLv2 mentions Internet-only distribution almost as aside in
the language, in text at the end of the section after the three
provisioning options are listed.  To quote that part of GPLv2~\S~3:
If distribution of executable or object code is made by offering access to
copy from a designated place, then offering equivalent access to copy the
source code from the same place counts as distribution of the source code,
even though third parties are not compelled to copy the source along with
the object code.

When that was written in 1991, Internet distribution of software was the
exception, not the rule.  Some FTP sites existed, but generally software
was sent on magnetic tape or CDs.  GPLv2 therefore mostly assumed that
binary distribution happened on some physical media.  By contrast,
GPLv3~\S~6(d) explicitly gives an option for this practice that the
community has historically considered GPLv2-compliant.

Thus, you may fulfill your source-provision obligations by providing the
source code in the same way and from the same location.  When exercising
this option, you are not obligated to ensure that users download the
source when they download the binary, and you may use separate servers as
needed to fulfill the requests as long as you make the source as
accessible as the binary.  However, you must ensure that users can easily
find the source code at the time they download the binary. GPLv3~\S~6(d)
thus clarifies a point that has caused confusion about source provision in
v2.  Indeed, many such important clarifications are included in v3 which
together provide a compelling reason for authors and redistributors alike
to adopt GPLv3.

\subsection{Option 6(e) in GPLv3: Software Torrents}

Peer-to-peer file sharing arose well after GPLv2 was written, and does not
easily fit any of the v2 source provision options.  GPLv3~\S~6(e)
addresses this issue, explicitly allowing for distribution of source and
binary together on a peer-to-peer file sharing network.  If you distribute
solely via peer-to-peer networks, you can exercise this option.  However,
peer-to-peer source distribution \emph{cannot} fulfill your source
provision obligations for non-peer-to-peer binary distributions.  Finally,
you should ensure that binaries and source are equally seeded upon initial
peer-to-peer distribution.

\section{Preparing Corresponding Source}

Most enforcement cases involve companies that have unfortunately not
implemented procedures like our \S~\ref{best-practices} recommendations
and have no source distribution arranged at all.  These companies must
work backwards from a binary distribution to come into compliance.  Our
recommendations in \S~\ref{best-practices} are designed to make it easy to
construct a complete and Corresponding Source release from the outset.  If
you have followed those principles in your development, you can meet the
following requirements with ease.  If you have not, you may have
substantial reconstruction work to do.

\subsection{Assemble the Sources}

For every binary that you produce, you should collect and maintain a copy
of the sources from which it was built.  A large system, such as an
embedded firmware, will probably contain many GPL'd and LGPL'd components
for which you will have to provide source.  The binary distribution may
also contain proprietary components which are separate and independent
works that are covered by neither the GPL nor LGPL\@.

The best way to separate out your sources is to have a subdirectory for
each component in your system.  You can then easily mark some of them as
required for your Corresponding Source releases.  Collecting
subdirectories of GPL'd and LGPL'd components is the first step toward
preparing your release.

\subsection{Building the Sources}

Few distributors, particularly of embedded systems, take care to read the
actual definition of Corresponding Source in the GPL\@.  Consider
carefully the definition, from GPLv3:
  The ``Corresponding Source'' for a work in object code form means all
  the source code needed to generate, install, and (for an executable
  work) run the object code and to modify the work, including scripts to
  control those activities.

and the definition from GPLv2:
The source code for a work means the preferred form of the work for making
modifications to it.  For an executable work, complete source code means
all the source code for all modules it contains, plus any associated
interface definition files, plus the scripts used to control compilation
and installation of the executable.

Note that you must include ``scripts used to control compilation and
installation of the executable'' and/or anything ``needed to generate,
install, and (for an executable work) run the object code and to modify
the work, including scripts to control those activities''.  These phrases
are written to cover different types of build environments and systems.
Therefore, the details of what you need to provide with regard to scripts
and installation instructions vary depending on the software details.  You
must provide all information necessary such that someone generally skilled
with computer systems could produce a binary similar to the one provided.

Take as an example an embedded wireless device.  Usually, a company
distributes a firmware, which includes a binary copy of
Linux\footnote{``Linux'' refers only to the kernel, not the larger system
  as a whole.} and a filesystem.  That filesystem contains various binary
programs, including some GPL'd binaries, alongside some proprietary
binaries that are separate works (i.e., not derived from, nor based on
freely-licensed sources).  Consider what, in this case, constitutes adequate
``scripts to control compilation and installation'' or items ``needed to
generate, install and run'' the GPL'd programs.

Most importantly, you must provide some sort of roadmap that allows
technically sophisticated users to build your software.  This can be
complicated in an embedded environment.  If your developers use scripts to
control the entire compilation and installation procedure, then you can
simply provide those scripts to users along with the sources they act
upon.  Sometimes, however, scripts were never written (e.g., the
information on how to build the binaries is locked up in the mind of your
``build guru'').  In that case, we recommend that you write out build
instructions in a natural language as a detailed, step-by-step {\sc

No matter what you offer, you need to give those who receive source a
clear path from your sources to binaries similar to the ones you ship.  If
you ship a firmware (kernel plus filesystem), and the filesystem contains
binaries of GPL'd programs, then you should provide whatever is necessary
to enable a reasonably skilled user to build any given GPL'd source
program (and modified versions thereof), and replace the given binary in
your filesystem.  If the kernel is Linux, then the users must have the
instructions to do the same with the kernel.  The best way to achieve this
is to make available to your users whatever scripts or process your
engineers would use to do the same.

These are the general details for how installation instructions work.
Details about what differs when the work is licensed under LGPL is
discussed in \S~\ref{lgpl}, and specific details that are unique to
GPLv3's installation instructions are in \S~\ref{user-products}.

\subsection{What About the Compiler?}

The GPL contains no provision that requires distribution of the compiler
used to build the software.  While companies are encouraged to make it as
easy as possible for their users to build the sources, inclusion of the
compiler itself is not normally considered mandatory.  The Corresponding
Source definition -- both in GPLv2 and GPLv3 -- has not been typically
read to include the compiler itself, but rather things like makefiles,
build scripts, and packaging scripts.

Nonetheless, in the interest of goodwill and the spirit of the GPL, most
companies do provide the compiler itself when they are able, particularly
when the compiler is based on GCC\@ or another copylefted compiler.  If you have
a GCC-based system, it is your prerogative to redistribute that GCC
version (binaries plus sources) to your customers.  We in the software freedom
community encourage you to do this, since it often makes it easier for
users to exercise their software freedom.  However, if you chose to take
this recommendation, ensure that your GCC distribution is itself

If you have used a proprietary, third-party compiler to build the
software, then you probably cannot ship it to your customers.  We consider
the name of the compiler, its exact version number, and where it can be
acquired as information that \emph{must} be provided as part of the
Corresponding Source.  This information is essential to anyone who wishes
to produce a binary.  It is not the intent of the GPL to require you to
distribute third-party software tools to your customer (provided the tools
themselves are not based on the GPL'd software shipped), but we do believe
it requires that you give the user all the essential non-proprietary facts
that you had at your disposal to build the software.  Therefore, if you
choose not to distribute the compiler, you should include a {\sc readme}
about where you got it, what version it was, and who to contact to acquire
it, regardless of whether your compiler is Free Software, proprietary, or
internally developed.

\section{Best Practices and Corresponding Source}

\S~\ref{best-practices} and \S~\ref{corresponding-source} above are
closely related.  If you follow the best practices outlined above, you
will find that preparing your Corresponding Source release is an easier
task, perhaps even a trivial one.

Indeed, the enforcement process itself has historically been useful to
software development teams.  Development on a deadline can lead
organizations to cut corners in a way that negatively impacts its
development processes.  We have frequently been told by violators that
they experience difficulty when determining the exact source for a binary
in production (in some cases because their ``build guru'' quit during the
release cycle).  When management rushes a development team to ship a
release, they are less likely to keep release sources tagged and build
systems well documented.

We suggest that, if contacted about a violation, product builders use GPL
enforcement as an opportunity to improve their development practices.  No
developer would argue that their system is better for having a mysterious
build system and no source tracking.  Address these issues by installing a
revision system, telling your developers to use it, and requiring your
build guru to document his or her work!

\chapter{When The Letter Comes}

Unfortunately, many GPL violators ignore their obligations until they are
contacted by a copyright holder or the lawyer of a copyright holder.  You
should certainly contact your own lawyer if you have received a letter
alleging that you have infringed copyrights that were licensed to you
under the GPL\@.  This section outlines a typical enforcement case and
provides some guidelines for response.  These discussions are
generalizations and do not all apply to every alleged violation.

\section{Understanding Who's Enforcing}
% FIXME-LATER: this text needs work.

Both  FSF and Conservancy has, as part their mission,  to spread software
freedom. When FSF or Conservancy
enforces GPL, the goal is to bring the violator back into compliance as
quickly as possible, and redress the damage caused by the violation.
That is FSF's steadfast position in a violation negotiation --- comply
with the license and respect freedom.

However, other entities who do not share the full ethos of software freedom
as institutionalized by FSF and Conservancy pursue GPL violations differently.  Oracle, a
company that produces the GPL'd MySQL database, upon discovering GPL
violations typically negotiates a proprietary software license separately for
a fee.  While this practice is not one that FSF nor Conservancy would ever
consider undertaking or even endorsing, it is a legal way for copyright
holders to proceed.

Generally, GPL enforcers come in two varieties.  First, there are
Conservancy, FSF, and other ``community enforcers'', who primarily seek the
policy goals of GPL (software freedom), and see financial compensation as
ultimately secondary to those goals.  Second, there are ``for-profit
enforcers'' who use the GPL either as a crippleware license, or sneakily
induce infringement merely to gain proprietary licensing revenue.

Note that the latter model \textit{only} works for companies that hold 100\% of
the copyrights in the infringed work.  As such, multi-copyright-held works
are fully insulated from these tactics.


\section{Communication Is Key}

GPL violations are typically only escalated when a company ignores the
copyright holder's initial communication or fails to work toward timely
compliance.  Accused violators should respond very promptly to the
initial request.  As the process continues, violators should follow up weekly with the
copyright holders to make sure everyone agrees on targets and deadlines
for resolving the situation.

Ensure that any staff who might receive communications regarding alleged
GPL violations understands how to channel the communication appropriately
within your organization.  Often, initial contact is addressed for general
correspondence (e.g., by mail to corporate headquarters or by e-mail to
general informational or support-related addresses).  Train the staff that
processes such communications to escalate them to someone with authority
to take action.  An unknowledgable response to such an inquiry (e.g., from
a first-level technical support person) can cause negotiations to fail

Answer promptly by multiple means (paper letter, telephone call, and
email), even if your response merely notifies the sender that you are
investigating the situation and will respond by a certain date.  Do not
let the conversation lapse until the situation is fully resolved.
Proactively follow up with synchronous communication means to be sure
communications sent by non-reliable means (such as email) were received.

Remember that the software freedom community generally values open communication and
cooperation, and these values extend to GPL enforcement.  You will
generally find that software freedom developers and their lawyers are willing to
have a reasonable dialogue and will work with you to resolve a violation
once you open the channels of communication in a friendly way.


Many redistributors overlook the GPL's termination provision (GPLv2~\S~4 and
GPLv3~\S~8).  Under v2, violators forfeit their rights to redistribute and
modify the GPL'd software until those rights are explicitly reinstated by
the copyright holder.  In contrast, v3 allows violators to rapidly resolve
some violations without consequence.

If you have redistributed an application under GPLv2\footnote{This applies
  to all programs licensed to you under only GPLv2 (``GPLv2-only'').
  However, most so-called GPLv2 programs are actually distributed with
  permission to redistribute under GPLv2 \emph{or any later version of the
    GPL} (``GPLv2-or-later'').  In the latter cases, the redistributor can
  choose to redistribute under GPLv2, GPLv3, GPLv2-or-later or even
  GPLv3-or-later.  Where the redistributor has chosen v2 explicitly, the
  v2 termination provision will always apply.  If the redistributor has
  chosen v3, the v3 termination provision will always apply.  If the
  redistributor has chosen GPLv2-or-later, then the redistributor may want
  to narrow to GPLv3-only upon violation, to take advantage of the
  termination provisions in v3.}, but have violated the terms of GPLv2,
you must request a reinstatement of rights from the copyright holders
before making further distributions, or else cease distribution and
modification of the software forever.  Different copyright holders
condition reinstatement upon different requirements, and these
requirements can be (and often are) wholly independent of the GPL\@.  The
terms of your reinstatement will depend upon what you negotiate with the
copyright holder of the GPL'd program.

Since your rights under GPLv2 terminate automatically upon your initial
violation, \emph{all your subsequent distributions} are violations and
infringements of copyright.  Therefore, even if you resolve a violation on
your own, you must still seek a reinstatement of rights from the copyright
holders whose licenses you violated, lest you remain liable for
infringement for even compliant distributions made subsequent to the
initial violation.

GPLv3 is more lenient.  If you have distributed only v3-licensed programs,
you may be eligible under v3~\S~8 for automatic reinstatement of rights.
You are eligible for automatic reinstatement when:
\item you correct the violation and are not contacted by a copyright
  holder about the violation within sixty days after the correction, or

\item you receive, from a copyright holder, your first-ever contact
  regarding a GPL violation, and you correct that violation within thirty
  days of receipt of copyright holder's notice.

In addition to these permanent reinstatements provided under v3, violators
who voluntarily correct their violation also receive provisional
permission to continue distributing until they receive contact from the
copyright holder.  If sixty days pass without contact, that reinstatement
becomes permanent.  Nonetheless, you should be prepared to cease
distribution during those initial sixty days should you receive a
termination notice from the copyright holder.

Given that much discussion of v3 has focused on its so-called more
complicated requirements, it should be noted that v3 is, in this regard,
more favorable to violators than v2.

\chapter{Standard Requests}

As we noted above, different copyright holders have different requirements
for reinstating a violator's distribution rights.  Upon violation, you no
longer have a license under the GPL\@.  Copyright holders can therefore
set their own requirements outside the license before reinstatement of
rights.  We have collected below a list of reinstatement demands that
copyright holders often require.


\item {\bf Compliance on all Free Software copyrights}.  Copyright holders of Free Software
  often want a company to demonstrate compliance for all GPL'd software in
  a distribution, not just their own.  A copyright holder may refuse to
  reinstate your right to distribute one program unless and until you
  comply with the licenses of all Free Software in your distribution.
\item {\bf Notification to past recipients}.  Users to whom you previously
  distributed non-compliant software should receive a communication
  (email, letter, bill insert, etc.) indicating the violation, describing
  their rights under the GPL, and informing them how to obtain a gratis source
  distribution.  If a customer list does not exist (such as in reseller
  situations), an alternative form of notice may be required (such as a
  magazine advertisement).

\item {\bf Appointment of a GPL Compliance Officer.}  The software freedom community
  values personal accountability when things go wrong.  Copyright holders
  often require that you name someone within the violating company
  officially responsible for Free Software license compliance, and that this
  individual serve as the key public contact for the community when
  compliance concerns arise.

\item {\bf Periodic Compliance Reports.}  Many copyright holders wish to
  monitor future compliance for some period of time after the violation.
  For some period, your company may be required to send regular reports on
  how many distributions of binary and source have occurred.

These are just a few possible requirements for reinstatement.  In the
context of a GPL violation, and particularly under v2's termination
provision, the copyright holder may have a range of requests in exchange
for reinstatement of rights.  These software developers are talented
professionals from whose work your company has benefited.  Indeed, you are
unlikely to find a better value or more generous license terms for similar
software elsewhere.  Treat the copyright holders with the same respect you
treat your corporate partners and collaborators.

\chapter{Special Topics in Compliance}

There are several other issues that are less common, but also relevant in
a GPL compliance situation.  To those who face them, they tend to be of
particular interest.

\section{LGPL Compliance}

GPL compliance and LGPL compliance mostly involve the same issues.  As we
discussed in \S~\ref{derivative-works}, questions of modified versions of
software are highly fact-dependant and cannot be easily addressed in any
overview document.  The LGPL adds some additional complexity to the
analysis.  Namely, the various LGPL versions permit proprietary licensing
of certain types of modified versions.  These issues are well beyond the
scope of this document, but as a rule of thumb, once you have determined
(in accordance with LGPLv3) what part of the work is the ``Application''
and what portions of the source are ``Minimal Corresponding Source'', then
you can usually proceed to follow the GPL compliance rules that we
discussed, replacing our discussion of ``Corresponding Source'' with
``Minimal Corresponding Source''.

LGPL also requires that you provide a mechanism to combine the Application
with a modified version of the library, and outlines some options for
this.  Also, the license of the whole work must permit ``reverse
engineering for debugging such modifications'' to the library.  Therefore,
you should take care that the EULA used for the Application does not
contradict this permission.

\section{Upstream Providers}

With ever-increasing frequency, software development (particularly for
embedded devices) is outsourced to third parties.  If you rely on an
upstream provider for your software, note that you \emph{cannot ignore
  your GPL compliance requirements} simply because someone else packaged
the software that you distribute.  If you redistribute GPL'd software
(which you do, whenever you ship a device with your upstream's software in
it), you are bound by the terms of the GPL\@.  No distribution (including
redistribution) is permissible absent adherence to the license terms.

Therefore, you should introduce a due diligence process into your software
acquisition plans.  This is much like the software-oriented
recommendations we make in \S~\ref{best-practices}.  Implementing
practices to ensure that you are aware of what software is in your devices
can only improve your general business processes.  You should ask a clear
list of questions of all your upstream providers and make sure the answers
are complete and accurate.  The following are examples of questions you
should ask:

\item What are all the licenses that cover the software in this device?

\item From which upstream vendors, be they companies or individuals, did
  \emph{you} receive your software before distributing it to us?

\item What are your GPL compliance procedures?

\item If there is GPL'd software in your distribution, we will be
  redistributors of this GPL'd software.  What mechanisms do you have in
  place to aid us with compliance?

\item If we follow your recommended compliance procedures, will you
  formally indemnify us in case we are nonetheless found to be in
  violation of the GPL?


This last point is particularly important.  Many GPL enforcements are
escalated because of petty finger-pointing between the distributor and its
upstream.  In our experience, agreements regarding GPL compliance issues
and procedures are rarely negotiated up front.  However, when they are,
violations are resolved much more smoothly (at least from the point of
view of the redistributor).

Consider the cost of potential violations in your acquisition process.
Using Free Software allows software vendors to reduce costs significantly, but be
wary of vendors who have done so without regard for the licenses.  If your
vendor's costs seem ``too good to be true,'' you may ultimately bear the
burden of the vendor's inattention to GPL compliance.  Ask the right
questions, demand an account of your vendors' compliance procedures, and
seek indemnity from them.

\section{User Products and Installation Information}

GPLv3 requires you to provide ``Installation Information'' when v3
software is distributed in a ``User Product.''  During the drafting of v3,
the debate over this requirement was contentious.  However, the provision
as it appears in the final license is reasonable and easy to understand.

If you put GPLv3'd software into a User Product (as defined by the
license) and \emph{you} have the ability to install modified versions onto
that device, you must provide information that makes it possible for the
user to install functioning, modified versions of the software.  Note that
if no one, including you, can install a modified version, this provision
does not apply.  For example, if the software is burned onto an
non-field-upgradable ROM chip, and the only way that chip can be upgraded
is by producing a new one via a hardware factory process, then it is
acceptable that the users cannot electronically upgrade the software

Furthermore, you are permitted to refuse support service, warranties, and
software updates to a user who has installed a modified version.  You may
even forbid network access to devices that behave out of specification due
to such modifications.  Indeed, this permission fits clearly with usual
industry practice.  While it is impossible to provide a device that is
completely unmodifiable\footnote{Consider that the iPhone, a device
  designed primarily to restrict users' freedom to modify it, was unlocked
  and modified within 48 hours of its release.}, users are generally on
notice that they risk voiding their warranties and losing their update and
support services when they make modifications.\footnote{A popular t-shirt
  in the software freedom community reads: ``I void warranties.''.  Our community is
  well-known for modifying products with full knowledge of the
  consequences.  GPLv3's ``Installation Instructions'' section merely
  confirms that reality, and makes sure GPL rights can be fully exercised,
  even if users exercise those rights at their own peril.}

GPLv3 is in many ways better for distributors who seek some degree of
device lock-down.  Technical processes are always found for subverting any
lock-down; pursuing it is a losing battle regardless.  With GPLv3, unlike
with GPLv2, the license gives you clear provisions that you can rely on
when you are forced to cut off support, service or warranty for a customer
who has chosen to modify.


GPL compliance need not be an onerous process.  Historically, struggles
have been the result of poor development methodologies and communications,
rather than any unexpected application of the GPL's source code disclosure

Compliance is straightforward when the entirety of your enterprise is
well-informed and well-coordinated.  The receptionists should know how to
route a GPL source request or accusation of infringement.  The lawyers
should know the basic provisions of Free Software licenses and your source
disclosure requirements, and should explain those details to the software
developers.  The software developers should use a version control system
that allows them to associate versions of source with distributed
binaries, have a well-documented build process that anyone skilled in the
art can understand, and inform the lawyers when they bring in new
software.  Managers should build systems and procedures that keep everyone
on target.  With these practices in place, any organization can comply
with the GPL without serious effort, and receive the substantial benefits
of good citizenship in the software freedom community, and lots of great code
ready-made for their products.


% comprehensive-gpl-guide.tex                                    -*- LaTeX -*-
% Toplevel file to build the entire book.
\documentclass[10pt, letterpaper, openany, oneside]{book}
% I'm somewhat convinced that this book would be better formatted using
%  the memoir class :

% For the moment, I've thrown in fancychap because I don't have time to
% research memoir.

\usepackage[verbose, twoside, dvips,
              paperwidth=8.5in, paperheight=11in,
              left=1in, right=1in, top=1.25in, bottom=.75in,








{\sc Copyleft and the  \\

GNU General Public License:


A Comprehensive Tutorial

{\parindent 0in
Copyright \= \copyright{} 2003--2007 \hspace{} \=  \kill
Copyright \> \copyright{} 2014 \>  Bradley M. Kuhn. \\
Copyright \> \copyright{} 2014 \>  Anthony K. Sebro, Jr. \\
Copyright \= \copyright{} 2014 \= \hspace{.2in} Denver Gingerich \\
Copyright \= \copyright{} 2003--2007, 2014 \= \hspace{.2in} Free Software Foundation, Inc. \\
Copyright \> \copyright{} 2008 \>  Software Freedom Law Center. \\
Copyright \> \copyright{} 2003-2007 \> Free Software Foundation, Inc. \\


The copyright holders hereby grant the freedom to copy, modify, convey,
Adapt, and/or redistribute this work under the terms of the Creative Commons
Attribution Share Alike 4.0 International License.  A copy of that license is
available at \url{}.

Each part of this book, except the appendix, is separately under this same
license, but copyrighted by different entities at different times.  Each part
therefore also contains its own copyright and licensing notice.  The notice
above is for the entire work, and includes the full copyright and licensing
details, except for the appendix.

Since the appendix includes copies of the texts of various licenses published
by FSF, and they are all licensed under the license, ``Everyone is permitted
to copy and distribute verbatim copies of this license document, but changing
it is not allowed.''.  However, those who seek to make modified versions of
those licenses should note the
\href{}{explanation given in the GPL FAQ}.


Patches are welcome to this material.  Sources can be found in the Git
repository at: \url{}




This tutorial is the culmination of nearly a decade of studying and writing
about software freedom licensing and the GPL\@.  Each part of this tutorial
is a course unto itself, educating the reader on a myriad of topics from the
deep details of the GPLv2 and GPLv3, common business models in the copyleft
licensing area (both the friendly and unfriendly kind), best practices for
compliance with the GPL, for engineers, managers, and lawyers, as well as
real-world case studies of GPL enforcement matters.

It is unlikely that all the information herein is necessary to learn all at
once, and therefore this tutorial likely serves best as a reference book.
The material herein has been used as the basis for numerous live tutorials
and discussion groups since 2002, and the materials have been periodically
updated.   They likely stand on their own as excellent reference material.

However, if you are reading these course materials without attending a live
tutorial session, please note that this material is merely a summary of the
highlights of the various CLE and other tutorial courses based on this
material.  Please be aware that during the actual courses, class discussion
and presentation supplements this printed curriculum.  Simply reading this
material is \textbf{not an equivalent} for attending a course.








Show inline comments
%      Tutorial Text for the Detailed Study and Analysis of GPL and LGPL course
% Copyright (C) 2003, 2004 Free Software Foundation, Inc.

% License: CC-By-SA-4.0

% The copyright holders hereby grant the freedom to copy, modify, convey,
% Adapt, and/or redistribute this work under the terms of the Creative
% Commons Attribution Share Alike 4.0 International License.

% This text is distributed in the hope that it will be useful, but
% WITHOUT ANY WARRANTY; without even the implied warranty of

% You should have received a copy of the license with this document in
% a file called 'CC-By-SA-4.0.txt'.  If not, please visit
% to receive
% the license text.


\part{Case Studies in GPL Enforcement}

{\parindent 0in
This part is: \\
Copyright \= \copyright{} 2003, 2004 \= \hspace{.2in} Free Software Foundation, Inc. \\
Copyright \> \copyright{} 2014 \>  Bradley M. Kuhn. \\
Copyright \= \copyright{} 2014 \= \hspace{.2in} Denver Gingerich \\
Copyright \= \copyright{} 2003, 2004, 2014 \= \hspace{.2in} Free Software Foundation, Inc. \\


Authors of this part are: \\

Bradley M. Kuhn \\
John Sullivan

Copy editors of this part include: \\
Martin Michlmayr


The copyright holders hereby grant the freedom to copy, modify, convey,
Adapt, and/or redistribute this work under the terms of the Creative Commons
Attribution Share Alike 4.0 International License.  A copy of that license is
available at \verb=
% =====================================================================
% =====================================================================


This one-day course presents the details of five different GPL
compliance cases handled by FSF's GPL Compliance Laboratory. Each case
offers unique insights into problems that can arise when the terms of
the GPL are not properly followed, and how diplomatic negotiation between
the violator and the copyright holder can yield positive results for
both parties.

Attendees should have successfully completely the course, a ``Detailed
Study and Analysis of the GPL and LGPL,'' as the material from that
course forms the building blocks for this material.

This course is of most interest to lawyers who have clients or
employers that deal with Free Software on a regular basis. However,
technical managers and executives whose businesses use or distribute
Free Software will also find the course very helpful.


These course materials are merely a summary of the highlights of the
course presented. Please be aware that during the actual GPL course, class
discussion supplements this printed curriculum. Simply reading it is
not equivalent to attending the course.

%FIXME-LATER: write these

%\chapter{Not All GPL Enforcement is Created Equal}

%\section{For-Profit Enforcement}

%\section{Community and Non-Profit Enforcement}

\chapter{Overview of Community Enforcement}

The GPL is a Free Software license with legal teeth. Unlike licenses like
the X11-style or various BSD licenses, the GPL (and by extension, the LGPL) is
designed to defend as well as grant freedom. We saw in the last course
that the GPL uses copyright law as a mechanism to grant all the key freedoms
essential in Free Software, but also to ensure that those freedoms
propagate throughout the distribution chain of the software.

\section{Termination Begins Enforcement}

As we have learned, the assurance that Free Software under the GPL remains
Free Software is accomplished through various terms of the GPL: \S 3 ensures
that binaries are always accompanied with source; \S 2 ensures that the
sources are adequate, complete and usable; \S 6 and \S 7 ensure that the
license of the software is always the GPL for everyone, and that no other
legal agreements or licenses trump the GPL. It is \S 4, however, that ensures
that the GPL can be enforced.

Thus, \S 4 is where we begin our discussion of GPL enforcement. This
clause is where the legal teeth of the license are rooted. As a copyright
license, the GPL governs only the activities governed by copyright law ---
copying, modifying and redistributing computer software. Unlike most
copyright licenses, the GPL gives wide grants of permission for engaging with
these activities. Such permissions continue, and all parties may exercise
them until such time as one party violates the terms of the GPL\@. At the
moment of such a violation (i.e., the engaging of copying, modifying or
redistributing in ways not permitted by the GPL) \S 4 is invoked. While other
parties may continue to operate under the GPL, the violating party loses their

Specifically, \S 4 terminates the violators' rights to continue
engaging in the permissions that are otherwise granted by the GPL\@.
Effectively, their rights revert to the copyright defaults ---
no permission is granted to copy, modify, nor redistribute the work.
Meanwhile, \S 5 points out that if the violator has no rights under
the GPL, they are prohibited by copyright law from engaging in the
activities of copying, modifying and distributing. They have lost
these rights because they have violated the GPL, and no other license
gives them permission to engage in these activities governed by copyright law.

\section{Ongoing Violations}

In conjunction with \S 4's termination of violators' rights, there is
one final industry fact added to the mix: rarely does one engage in a
single, solitary act of copying, distributing or modifying software.
Almost always, a violator will have legitimately acquired a copy of a
GPL'd program, either making modifications or not, and then begun
distributing that work. For example, the violator may have put the
software in boxes and sold them at stores. Or perhaps the software
was put up for download on the Internet. Regardless of the delivery
mechanism, violators almost always are engaged in {\em ongoing\/}
violation of the GPL\@.

In fact, when we discover a GPL violation that occurred only once --- for
example, a user group who distributed copies of a GNU/Linux system without
source at one meeting --- we rarely pursue it with a high degree of
tenacity. In our minds, such a violation is an educational problem, and
unless the user group becomes a repeat offender (as it turns out, they
never do), we simply forward along a FAQ entry that best explains how user
groups can most easily comply with the GPL, and send them on their merry way.

It is only the cases of {\em ongoing\/} GPL violation that warrant our
active attention. We vehemently pursue those cases where dozens, hundreds
or thousands of customers are receiving software that is out of
compliance, and where the company continually offers for sale (or
distributes gratis as a demo) software distributions that include GPL'd
components out of compliance. Our goal is to maximize the impact of
enforcement and educate industries who are making such a mistake on a
large scale.

In addition, such ongoing violation shows that a particular company is
committed to a GPL'd product line. We are thrilled to learn that someone
is benefiting from Free Software, and we understand that sometimes they
become confused about the rules of the road. Rather than merely
giving us a postmortem to perform on a past mistake, an ongoing violation
gives us an active opportunity to educate a new contributor to the GPL'd
commons about proper procedures to contribute to the community.

Our central goal is not, in fact, to merely clear up a particular violation.
In fact, over time, we hope that our compliance lab will be out of
business. We seek to educate the businesses that engage in commerce
related to GPL'd software to obey the rules of the road and allow them to
operate freely under them. Just as a traffic officer would not revel in
reminding people which side of the road to drive on, so we do not revel in
violations. By contrast, we revel in the successes of educating an
ongoing violator about the GPL so that GPL compliance becomes a second-nature
matter, allowing that company to join the GPL ecosystem as a contributor.

\section{How are Violations Discovered?}

Our enforcement of the GPL is not a fund-raising effort; in fact, FSF's GPL
Compliance Lab runs at a loss (in other words, it is subsided by our
donors). Our violation reports come from volunteers, who have encountered,
in their business or personal life, a device or software product that
appears to contain GPL'd software. These reports are almost always sent
via email to $<$$>$.

Our first order of business, upon receiving such a report, is to seek
independent confirmation. When possible, we get a copy of the software
product. For example, if it is an offering that is downloadable from a
Web site, we download it and investigate ourselves. When it is not
possible for us to actually get a copy of the software, we ask the
reporter to go through the same process we would use in examining the

By rough estimation, about 95\% of violations at this stage can be
confirmed by simple commands. Almost all violators have merely made an
error and have no nefarious intentions. They have made no attempt to
remove our copyright notices from the software. Thus, given the
third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux
system) such as the following will find a Free Software copyright notice
and GPL reference:
{\tt strings tpb | grep Copyright}
In other words, it is usually more than trivial to confirm that GPL'd
software is included.

Once we have confirmed that a violation has indeed occurred, we must then
determine whose copyright has been violated. Contrary to popular belief,
FSF does not have the power to enforce the GPL in all cases. Since the GPL
operates under copyright law, the powers of enforcement --- to seek
redress once \S 4 has been invoked --- lie with the copyright holder of
the software. FSF is one of the largest copyright holders in the world of
GPL'd software, but we are by no means the only one. Thus, we sometimes
discover that while GPL'd code is present in the software, there is no
software copyrighted by FSF present.

In cases where FSF does not hold copyright interest in the software, but
we have confirmed a violation, we contact the copyright holders of the
software, and encourage them to enforce the GPL\@. We offer our good offices
to help negotiate compliance on their behalf, and many times, we help as a
third party to settle such GPL violations. However, what we will describe
primarily in this course is FSF's first-hand experience enforcing its own
copyrights and the GPL\@.

\section{First Contact}

The Free Software community is built on a structure of voluntary
cooperation and mutual help. Our community has learned that cooperation
works best when you assume the best of others, and only change policy,
procedures and attitudes when some specific event or occurrence indicates
that a change is necessary. We treat the process of GPL enforcement in
the same way. Our goal is to encourage violators to join the cooperative
community of software sharing, so we want to open our hand in friendship.

Therefore, once we have confirmed a violation, our first assumption is
that the violation is an oversight or otherwise a mistake due to confusion
about the terms of the license. We reach out to the violator and ask them
to work with us in a collaborative way to bring the product into
compliance. We have received the gamut of possible reactions to such
requests, and in this course, we examine four specific examples of such
compliance work.


\chapter{Bortez: Modified GCC SDK}

In our first case study, we will consider Bortez, a company that
produces software and hardware toolkits to assist OEM vendors, makers
of consumer electronic devices.


One of Bortez's key products is a Software Development Kit (``SDK'')
designed to assist developers building software for a specific class of
consumer electronics devices.

FSF received a report that the SDK may be based on the GNU Compiler
Collection (which is an FSF-copyrighted collection of tools for software
development in C, C++ and other popular languages). FSF investigated the
claim, but was unable to confirm the violation. The violation reporter
was unresponsive to follow-up requests for more information.

Since FSF was unable to confirm the violation, we did not pursue it any
further. Bogus reports do happen, and we do not want to burden companies
with specious GPL violation complaints. FSF shelved the matter until
more evidence was discovered.

FSF was later able to confirm the violation when two additional reports
surfaced from other violation reporters, both of whom had used the SDK
professionally and noticed clear similarities to FSF's GNU GCC\@. FSF's
Compliance Engineer asked the reporters to run standard tests to confirm
the violation, and it was confirmed that Bortez's SDK was indeed a
modified version of GCC\@. Bortez had ported to Windows and added a number
of features, including support for a specific consumer device chipset and
additional features to aid in the linking process (``LP'') for those
specific devices. FSF explained the rights that the GPL afforded these
customers and pointed out, for example, that Bortez only needed to provide
source to those in possession of the binaries, and that the users may need
to request that source (if \S 3(b) was exercised). The violators
confirmed that such requests were not answered.

FSF brought the matter to the attention of Bortez, who immediately
escalated the matter to their attorneys. After a long negotiation,
Bortez acknowledged that their SDK was indeed a modified version of
GCC\@. Bortez released most of the source, but some disagreement
occurred over whether LP was also derivative of GCC\@. After repeated
FSF inquiries, Bortez reaudited the source to discover that FSF's
analysis was correct. Bortez determined that LP included a number of
source files copied from the GCC code-base.

Once the full software release was made available, FSF asked the violation
reporters if it addressed the problem. Reports came back that the source
did not properly build. FSF asked Bortez to provide better build
instructions with the software, and such build instructions were
incorporated into the next software release.

At FSF's request as well, Bortez informed customers who had previously
purchased the product that the source was now available by announcing
the availability on its Web site and via a customer newsletter.

Bortez did have some concerns regarding patents. They wished to include a
statement with the software release that made sure they were not granting
any patent permission other than what was absolutely required by the GPL\@.
They understood that their patent assertions could not trump any rights
granted by the GPL\@. The following language was negotiated into the release:

Subject to the qualifications stated below, Bortez, on behalf of itself
and its Subsidiaries, agrees not to assert the Claims against you for your
making, use, offer for sale, sale, or importation of the Bortez's GNU
Utilities or derivative works of the Bortez's GNU Utilities
(``Derivatives''), but only to the extent that any such Derivatives are
licensed by you under the terms of the GNU General Public License. The
Claims are the claims of patents that Bortez or its Subsidiaries have
standing to enforce that are directly infringed by the making, use, or
sale of an Bortez Distributed GNU Utilities in the form it was distributed
by Bortez and that do not include any limitation that reads on hardware;
the Claims do not include any additional patent claims held by Bortez that
cover any modifications of, derivative works based on or combinations with
the Bortez's GNU Utilities, even if such a claim is disclosed in the same
patent as a Claim. Subsidiaries are entities that are wholly owned by

This statement does not negate, limit or restrict any rights you already
have under the GNU General Public License version 2.

This quelled Bortez's concerns about other patent licensing they sought to
do outside of the GPL'd software, and satisfied FSF's concerns that Bortez
give proper permissions to exercise teachings of patents that were
exercised in their GPL'd software release.

Finally, a GPL Compliance Officer inside Bortez was appointed to take
responsibility for all matters of GPL compliance inside the company.
Bortez is responsible for informing FSF if the position is given to
someone else inside the company, and making sure that FSF has direct
contact with Bortez's Compliance Officer.


This case introduces a number of concepts regarding GPL enforcement.


\item {\bf Enforcement should not begin until the evidence is confirmed.}
  Most companies that distribute GPL'd software do so in compliance, and at
  times, violation reports are mistaken. Even with extensive efforts in
  GPL education, many users do not fully understand their rights and the
  obligations that companies have. By working through the investigation
  with reporters, the violation can be properly confirmed, and {\bf the
    user of the software can be educated about what to expect with GPL'd
    software}. When users and customers of GPL'd products know their
  rights, what to expect, and how to properly exercise their rights
  (particularly under \S 3(b)), it reduces the chances for user
  frustration and inappropriate community outcry about an alleged GPL

\item {\bf GPL compliance requires friendly negotiation and cooperation.}
  Often, attorneys and managers are legitimately surprised to find out
  GPL'd software is included in their company's products. Engineers
  sometimes include GPL'd software without understanding the requirements.
  This does not excuse companies from their obligations under the license,
  but it does mean that care and patience are essential for reaching GPL
  compliance. We want companies to understand that participating and
  benefiting from a collaborative Free Software community is not a burden,
  so we strive to make the process of coming into compliance as smooth as

\item {\bf Confirming compliance is a community effort.}  The whole point
  of making sure that software distributors respect the terms of the GPL is to
  allow a thriving software sharing community to benefit and improve the
  work. FSF is not the expert on how a compiler for consumer electronic
  devices should work. We therefore inform the community who originally
  brought the violation to our attention and ask them to assist in
  evaluation and confirmation of the product's compliance. Of course, FSF
  coordinates and oversees the process, but we do not want compliance for
  compliance's sake; rather, we wish to foster a cooperating community of
  development around the Free Software in question, and encourage the
  once-violator to begin participating in that community.

\item {\bf Informing the harmed community is part of compliance.} FSF asks
  violators to make some attempt --- such as via newsletters and the
  company's Web site --- to inform those who already have the products as
  to their rights under the GPL\@. One of the key thrusts of the GPL's \S 1 and
  \S 3 is to {\em make sure the user knows she has these rights\/}. If a
  product was received out of compliance by a customer, she may never
  actually discover that she has such rights. Informing customers, in a
  way that is not burdensome but has a high probability of successfully
  reaching those who would seek to exercise their freedoms, is essential
  to properly remedy the mistake.

\item {\bf Lines between various copyright, patent, and other legal
  mechanisms must be precisely defined and considered.}  The most
  difficult negotiation point of the Bortez case was drafting language
  that simultaneously protected Bortez's patent rights outside of the
  GPL'd source, but was consistent with the implicit patent grant in
  the GPL\@. As we discussed in the first course of this series, there is
  indeed an implicit patent grant with the GPL, thanks to \S 6 and \S 7.
  However, many companies become nervous and wish to make the grant
  explicit to assure themselves that the grant is sufficiently narrow for
  their needs. We understand that there is no reasonable way to determine
  what patent claims read on a company's GPL holdings and which do not, so
  we do not object to general language that explicitly narrows the patent
  grant to only those patents that were, in fact, exercised by the GPL'd
  software as released by the company.


\chapter{Bracken: a Minor Violation in a GNU/Linux Distribution}

In this case study, we consider a minor violation made by a company whose
knowledge of the Free Software community and its functions is deep.

\section{The Facts} 

Bracken produces a GNU/Linux operating system product that is sold
primarily to OEM vendors to be placed in appliance devices used for a
single purpose, such as an Internet-browsing-only device. The product
is almost 100\% Free Software, mostly licensed under the GPL and related
Free Software licenses.

FSF found out about this violation through a report first posted on a
  Slashdot\footnote{Slashdot is a popular news and discussion site for
  technical readers.} comment, and then it was brought to our attention again
  by another Free Software copyright holder who had discovered the
  same violation.

Bracken's GNU/Linux product is delivered directly from their Web site.
This allowed FSF engineers to directly download and confirm the
violation quickly. Two primary problems were discovered with the
online distribution:


\item No source code nor offer for source code was provided for a number
  of components for the distributed GNU/Linux system; only binaries were

\item An End User License Agreement (``EULA'') was included that
  contradicted the permissions granted by the GPL\@


FSF contacted Bracken and gave them the details of the violation. Bracken
immediately ceased distribution of the product temporarily and set forth
a plan to bring themselves back into compliance. This plan included the
following steps:


\item Bracken attorneys would rewrite the EULA to comply with the GPL and
  would vet the new EULA through FSF before use

\item Bracken engineers would provide source side-by-side with the
  binaries for the GNU/Linux distribution on the site (and on CD's, if
  ever they distributed that way)

\item Bracken attorneys would run an internal seminar for its engineers
  regarding proper GPL compliance to help ensure that such oversights
  regarding source releases would not occur in the future

\item Bracken would resume distribution of the product only after FSF
  formally restored Bracken's distribution rights

This case was completed in about a month. FSF approved the new EULA
text. The key portion in the EULA relating to the GPL read as follows:

Many of the Software Programs included in Bracken Software are distributed
under the terms of agreements with Third Parties (``Third Party
Agreements'') which may expand or limit the Licensee's rights to use
certain Software Programs as set forth in [this EULA]. Certain Software
Programs may be licensed (or sublicensed) to Licensee under the GNU
General Public License and other similar license agreements listed in part
in this section which, among other rights, permit the Licensee to copy,
modify and redistribute certain Software Programs, or portions thereof,
and have access to the source code of certain Software Programs, or
portions thereof. In addition, certain Software Programs, or portions
thereof, may be licensed (or sublicensed) to Licensee under terms stricter
than those set forth in [this EULA]. The Licensee must review the
electronic documentation that accompanies certain Software Programs, or
portions thereof, for the applicable Third Party Agreements. To the
extent any Third Party Agreements require that Bracken provide rights to
use, copy or modify a Software Program that are broader than the rights
granted to the Licensee in [this EULA], then such rights shall take
precedence over the rights and restrictions granted in this Agreement
solely for such Software Programs.

FSF restored Bracken's distribution rights shortly after the work was
completed as described.

\section{Lessons Learned}

This case was probably the most quickly and easily resolved of all GPL
violations in the history of FSF's Compliance Lab. The ease with which
the problem was resolved shows a number of cultural factors that play a
role in GPL compliance.


\item {\bf Companies that understand Free Software culture better have an
  easier time with compliance.}  Bracken's products were designed and
  built around the GNU/Linux system and Free Software components. Their
  engineers were deeply familiar with the Free Software ecosystem, and
  their lawyers had seen and reviewed the GPL before. The violation was
  completely an honest mistake. Since the culture inside the company had
  already adapted to the cooperative style of resolution in the Free
  Software world, there was very little work for either party to bring the
  product into compliance.

\item {\bf When people in key positions understand the Free Software
  nature of their software products, compliance concerns are as
  mundane as minor software bugs.}  Even the most functional system or
  structure has its problems, and successful business often depends on
  agile response to the problems that do come up; avoiding problems
  altogether is a pipe dream. Minor GPL violations can and do happen
  even with well-informed redistributors. However, resolution is
  reached quickly when the company --- and in particular, the lawyers,
  managers, and engineers working on the Free Software product lines
  --- have adapted to Free Software culture that the lower-level
  engineer already understood

\item {\bf Legally, distribution must stop when a violation is
  identified.}  In our opinion, Bracken went above and beyond the call of
  duty by ceasing distribution while the violation was being resolved.
  Under GPL \S 4, the redistributor loses the right to distribute the
  software, and thus they are in ongoing violation of copyright law if
  they distribute before rights are restored. It is FSF's policy to
  temporarily allow distribution while compliance negotiations are ongoing
  and only in the most extreme cases (where the other party appears to be
  negotiating in bad faith) does FSF even threaten an injunction on
  copyright grounds. However, Bracken --- as a good Free Software citizen
  --- chose to be on the safe side and do the legally correct thing while
  the violation case was pending. From start to finish, it took less
  than a month to resolve. This lapse in distribution did not, to FSF's
  knowledge, impact Bracken's business in any way.

\item {\bf EULAs are a common area for GPL problems.}  Often, EULAs
  are drafted from boilerplate text that a company uses for all its
  products. Even the most diligent attorneys forget or simply do not
  know that a product contains software licensed under the GPL and other
  Free Software licenses. Drafting a EULA that accounts for such
  licenses is straightforward; the text quoted above works just fine.
  The EULA must be designed so that it does not trump rights and
  permissions already granted by the GPL\@. The EULA must clearly state
  that if there is a conflict between it and the GPL, with regard to GPL'd
  code, the GPL is the overriding license.

\item {\bf Compliance Officers are rarely necessary when companies are
  educated about GPL compliance.}  As we saw in the Bortez case, FSF asks
  that a formal ``GPL Compliance Officer'' be appointed inside a
  previously violating organization to shepherd the organization to a
  cooperative approach to GPL compliance. However, when FSF
  sees that an organization already has such an approach, there is no
  need to request that such an officer be appointed.



\chapter{Vigorien: Security, Export Controls, and GPL Compliance}

This case study introduces how concerns of ``security through obscurity''
and regulatory problems can impact GPL compliance matters.

\section{The Facts}

Vigorien distributes a back-up solution product that allows system
administrators to create encrypted backups of file-systems on
Unix-like computers. The product is based on GNU tar, a backup utility
that replaces the standard Unix utility simply called tar, but has
additional features.

Vigorien's backup solution added cryptographic features to GNU tar, and
included a suite of utilities and graphical user interfaces surrounding
GNU tar to make backups convenient.

FSF discovered the violation from a user report, and determined that the
cryptographic features were the only part of the product that constituted
a derivative work of GNU tar; the extraneous utilities merely made
shell calls out to GNU tar. FSF requested that Vigorien come into
compliance with the GPL by releasing the source of GNU tar, with the
cryptographic modifications, to its customers.

Vigorien released the original GNU tar sources, but kept the cryptographic
modifications proprietary. They argued that the security of their system
depending on keeping the software proprietary and that regardless, USA
export restrictions on cryptographic software prohibited such a release.
FSF disputed the first claim, pointing out that Vigorien had only one
option if they did not want to release the source: they would have to
remove GNU tar from the software and not distribute it further. Vigorien
rejected this suggestion, since GNU tar was an integral part of the
product, and the security changes were useless without GNU tar.

Regarding the export control claims, FSF proposed a number of options,
including release of the source from one of Vigorien's divisions overseas
where no such restrictions occurred, but Vigorien argued that the problem
was insoluble because they operated primarily in the USA\@.

The deadlock on the second issue was resolved when those cryptographic
export restrictions were lifted shortly thereafter, and FSF again raised
the matter with Vigorien. At that point, they dropped the first claim and
agreed to release the remaining source module to their customers. They
did so, and the violation was resolved.


\section{Lessons Learned}


\item {\bf Removing the GPL'd portion of the product is always an
  option.}  Many violators' first response is to simply refuse to
  release the source code as the GPL requires. FSF offers the option to
  simply remove the GPL'd portions from the product and continue along
  without them. Every case where this has been suggested has led to
  the same conclusion. Like Vigorien, the violator argues that the
  product cannot function without the GPL'd components, and they
  cannot effectively replace them.

  Such an outcome is simply further evidence that the combined work in
  question is indeed a modified version of the original GPL'd component.
  If the other components cannot stand on their own and be useful without
  the GPL'd portions, then one cannot effectively argue that the work as a
  whole is not a based on the GPL'd portions.

\item {\bf The whole product is not always covered.}  In this case,
  Vigorien had additional works aggregated. The backup system was a suite
  of utilities, some of which were the GPL and some of which were not. While
  the cryptographic routines were tightly coupled with GNU tar and clearly
  made a whole new combined work of both components, the various GUI utilities were separate and
  independent works merely aggregated with the distribution of the
  GNU-tar-based product.


\item {\bf ``Security'' concerns do not exonerate a distributor from GPL
  obligations, and ``security through obscurity'' does not work anyway.}
  The argument that ``this is security software, so it cannot be released
  in source form'' is not a valid defense for explaining why the terms of
  the GPL are ignored. If companies do not want to release source code
  for some reason, then they should not base the work on GPL'd software.
  No external argument for noncompliance can hold weight if the work as
  a whole is indeed a modified version of a GPL'd program.

  The ``security concerns'' argument is often floated as a reason to keep
  software proprietary, but the computer security community has on
  numerous occasions confirmed that such arguments are entirely specious.
  Security experts have found --- since the beginnings of the field of
  cryptography in the ancient world --- that sharing results about systems
  and having such systems withstand peer review and scrutiny builds the
  most secure systems. While full disclosure may help some who wish to
  compromise security, it helps those who want to fix problems even more
  by identifying them early.

\item {\bf External regulatory problems can be difficult to resolve.}
  The GPL, though grounded in copyright law, does not have the power to trump
  regulations like export controls. While Vigorien's ``security
  concerns'' were specious, their export control concerns were not. It is
  indeed a difficult problem that FSF acknowledges. We want compliance
  with the GPL and respect for users' freedoms, but we certainly do not expect
  companies to commit criminal offenses for the sake of compliance. We
  will see more about this issue in our next case study.


\chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices}

This case study considers an ongoing (at the time of writing) violation
that has occurred. By the end of the investigation period, three
companies were involved and many complex issues arose.

\section{The Facts}

Haxil produced a consumer electronics device which included a mini
GNU/Linux distribution to control the device. The device was of interest
to many technically-minded consumers, who purchased the device and very
quickly discovered that Free Software was included without source.
Mailing lists throughout the Free Software community erupted with
complaints about the problem, and FSF quickly investigated.

FSF confirmed that FSF-copyrighted GPL'd software was included. In
addition, the whole distribution included GPL'd works from hundreds of
individual copyright holders, many of whom were, at this point, up in
arms about the violation.

Meanwhile, Haxil was in the midst of being acquired by Polgara. Polgara
was as surprised as everyone else to discover the product was based on
GPL'd software; this fact had not been part of the disclosures made during
acquisition. FSF contacted Haxil, Polgara, and the product managers
who had transitioned into the ``Haxil division'' of the newly-merged
Polgara company. Polgara's General Counsel's office worked with FSF on
the matter.

FSF formed a coalition with the other primary copyright holders
to pursue the enforcement effort on their behalf. FSF communicated
directly with Polgara's representatives to begin working through the
issues on behalf of itself and the Free Software community at large.

Polgara pointed out that the software distribution they used was mostly
contributed by an upstream provider, Thesulac, and Haxil's changes to that
code base were minimal. Polgara negotiated with Thesulac to obtain the
source, although the issue moved very slowly in the channels between
Polgara and Thesulac.

FSF encouraged a round-table meeting so that high bandwidth communication
could occur between FSF, Polgara and Thesulac. Polgara and Thesulac
agreed, and that discussion began. Thesulac provided nearly complete
sources to Polgara, and Polgara made a full software release on their
Web site. At the time of writing, that software still has some build
problems (similar to those that occurred with Bortez, as described in
Section~\ref{davrik-build-problems}). FSF continues to negotiate with
Polgara and Thesulac to resolve these problems, which have a clear path to
a solution and are expected to resolve.

Similar to the Vigorien case, Thesulac has regulatory concerns. In this
case, it is not export controls --- an issue that has since been resolved
--- but radio spectrum regulation. Since this consumer electronic device
contains a software-programmable radio transmitter, regulations in (at
least) the USA and Japan prohibit release of those portions of the code
that operate the device. Since this is a low-level programming issue, the
changes to operate the device form a single combined work with the kernel named
Linux.  A decade later, this situation remains largely unresolved.

\section{Lessons Learned}


\item {\bf Community outrage, while justified, can often make negotiation
  more difficult.}  FSF has a strong policy never to publicize names of
  GPL violators if they are negotiating in a friendly way and operating in
  good faith toward compliance. Most violations are honest mistakes, and
  FSF sees no reason to publicly admonish violators who genuinely want to
  come into compliance with the GPL and to work hard staying in compliance.

  This case was so public in the Free Software community that both Haxil's
  and Polgara's representatives were nearly shell-shocked by the time FSF
  began negotiations. There was much work required to diffuse the
  situation. We empathize with our community and their outrage about GPL
  violations, but we also want to follow a path that leads expediently
  to compliance. In our experience, public outcry works best as a last
  resort, not the first.

\item {\bf For software companies, GPL compliance belongs on a corporate
  acquisition checklist. }  Polgara was truly amazed that Haxil had used
  GPL'd software in a major new product line but never informed Polgara
  during the acquisition process. While GPL compliance is not a
  particularly difficult matter, it is an additional obligation that comes
  along with the product line. When planning mergers and joint ventures,
  one should include lists of GPL'd components contained in the products

\item {\bf Compliance problems of upstream providers do not excuse a
  violation for the downstream distributor.}  To paraphrase \S 6, upstream
  providers are not responsible for enforcing compliance of their
  downstream, nor are downstream distributors responsible for compliance
  problems of upstream providers. However, engaging in distribution of
  GPL'd works out of compliance is still just that: a compliance problem.
  When FSF carries out enforcement, we are patient and sympathetic when
  the problem appears to be upstream. In fact, we urge the violator to
  point us to the upstream provider so we may talk to them directly. In
  this case, we were happy to begin negotiations with Thesulac. However,
  Polgara still has an obligation to bring their product into compliance,
  regardless of Thesulac's response.

\item {\bf It behooves upstream providers to advise downstream
  distributors about compliance matters.}  FSF has encouraged Thesulac to
  distribute a ``good practices for GPL compliance'' document with their
  product. Polgara added various software components to Thesulac's
  product, and it is conceivable that such additions can introduce
  compliance. In FSF's opinion, Thesulac is in no way legally responsible
  for such a violation introduced by their customer, but it behooves them
  from a marketing standpoint to educate their customers about using the
  product. We can argue whether or not it is your coffee vendor's fault
  if you burn yourself with their product, but (likely) no one on either
  side would dispute the prudence of placing a ``caution: hot'' label on
  the cup.

\item {\bf FSF enforcement often avoids redundant enforcement cases from
  many parties.}  Most Free Software systems have hundreds of copyright
  holders. Some have thousands. FSF is in a unique position as one of
  the largest single copyright holders on GPL'd software and as a
  respected umpire in the community, neutrally enforcing the rules of the
  GPL road. FSF works hard in the community to convince copyright
  holders that consolidating GPL claims through FSF is better for them,
  and more likely to yield positive compliance results.

  A few copyright holders engage in the ``proprietary relicensing''
  business, so they use GPL enforcement as a sales channel for that
  business. FSF, as a community-oriented, not-for-profit organization,
  seeks only to preserve the freedom of Free Software in its enforcement
  efforts. As it turns out, most of the community of copyright holders
  of Free Software want the same thing. Share and share alike is a
  simple rule to follow, and following that rule to FSF's satisfaction
  usually means you are following it to the satisfaction of the entire
  Free Software community.



% FIXME: make this section properly TeX-formatted
\chapter{ThinkPenguin Wireless Router: A study in Excellent CCS}

This case study does a step-by-step build and installation analysis of  one
of the best Complete, Corresponding Source (CCS) releases we've seen.  The
CSS release studied here was provided for the binary distribution of a
physical product by ThinkPenguin.  The product is the model
``TPE-NWIFIROUTER'', a wireless router.

The method of
distribution (complete source accompanying the product) and the way the source
was laid out provide very good examples of how to make things easier for both
the distributor and the purchaser of the hardware containing GPLed components.

\section{Root Filesystem and Kernel Compilation}

* We found a CD included in the box that the ThinkPenguin TPE-NWIFIROUTER
  shipped in, labelled "libreCMC v1.2.1 source code".  On the CD, there was a
  README file at the top level, which mentioned that to build the software, one
  needed a GNU/Linux system as well as a list of approximately 10 packages.
  These sorts of plain text instructions are helpful because we know what kind
  of system we are expected to use, and what commands we should run on it.  Such
  instructions are not strictly required, as an obviously-named shell script may
  suffice, but they are helpful in clarifying any ambiguities that may arise.
** Since it appears that this source release will build on a wide range of
   distributions, it was fine that no specific distribution was specified.
   However, most source releases we see will only build on a very specific
   distribution, due to a variety of assumptions made about the build
   environment.  While such a situation is not ideal in the general sense, it is
   fine to specify a particular distribution that must be use to build the
   source release (such as "Debian 7 amd64"), from a compliance perspective.
   As an example, we noticed such an assumption later on in this source release,
   but it would be easy to correct in the instructions in this situation (see
   "`GLIBC\verb0_02.14' not found" below).

% FIXME: Spend some  time here (admittedly a digression: maybe refer to
% another section later?) about how it's ok to specify a specific build
% environment.
% FIXME(dg): Hopefully the above will suffice.  I can expand more/differently if
% such is desired.

* The actual building of the source code was completed in the following way:
** Since the instructions didn't mention a specific distro to use, we ran the
   build on an amd64 Debian 6 machine we had.  The only distro requirement was:

To build your own firmware you need to have access to a GNU/Linux system
(case-sensitive filesystem required).

** The README mentioned that:

"In order to build firmware images for your router,the
following needs to be installed :

gcc, binutils, bzip2, flex, python, perl, make, find,
grep, diff, unzip, gawk, getopt, libz-dev and libc headers."

   So we ran "dpkg --list" and confirmed that each package was installed (this
   is indicated by a leading "ii" on the line containing the package).  Other
   GNU/Linux distributions may have other ways of determing which packages are
** We then extracted the LibreCMC tarball by running
   "tar --posix -jxpf /media/libreCMC\verb0_0v1\verb0_02\verb0_01\verb0_0SRC/librecmc-v1.2.1.tar.bz2".  The
   CD did contain another tarball (librecmc-u-boot.tar.bz2), but there appeared
   to be separate instructions for that (in the u-boot\verb0_0reflash text file in the
   same directory).  Having the README be more explicit about this would be nice
   but did not ultimately prevent us from determing the proper steps to execute.
** The README mentioned the following optional step, which we skipped because
   we did not need to modify the configuration for our initial build:

Please use "make menuconfig" to configure your appreciated
configuration for the toolchain and firmware. Please note that
the default configuration is what was used to build the firmware
image for your router. It is advised that you use this configuration.

** The next instruction was 'Simply running "make" will build your firmware.'
   So we entered the "librecmc" directory that had been created from the above
   "tar" command and then ran "make".  The build took about 40 minutes to run on
   our system.  The command used and output from running it are available here:


% FIXME: Above, I'd like to see more ``walk through'' of the step by step
% instructions.  The text is a bit terse: could be expanded to talk more.
% FIXME(dg): Hopefully the above will suffice.  I can expand more/differently if
% such is desired.

* It was helpful to know that we could use "make menuconfig" for configuration
  changes, as being able to modify the source is an important part of the GPL's
  requirements.  Adding instructions like these shows that the distributor is
  aware of and interested in promoting the spirit of the GPL, by making it
  easier to modify the source than may be strictly required by the GPL's text.

% FIXME: We should somewhere (perhaps on each step we discuss) talk about
% what often goes wrong on those steps, and why this is right.  As written
% now, there is no driving home of the fact that it is uncommon that things
% are so smooth. :)
% FIXME(dg): Hopefully the below will suffice.  I can expand more/differently if
% such is desired.  (I presume the above comment relates to the below text.)
* The "make" step completed successfully on our system and resulted in several
  files being generated in the bin/ar71xx directory, namely firmware images.
** This step is normally where we run into the greatest number of build issues
   (and thus compliance problems).  In many cases, the "make" step will fail due
   to a missing package or because toolchain paths are not setup correctly.  As
   a result, it is important to test the provided instructions on a clean system
   before distributing the binaries and corresponding source.  Listing the
   specific GNU/Linux distribution and any non-default packages required for the
   build (ie. those installed before testing the instructions) in the build
   instructions makes it easier for the end user to successfully build the
   source release.

* There appeared to be several filesystem and kernel images, for different
  hardware versions.  It was unclear which one to install on the particular
  device we received or how to install it, both of which should have been
  mentioned in the README.

% FIXME: Below, we probably want to talk to them to add this, and also, be a
% bit more expansive.
* The above installation issue is mitigated by the availability of a web UI in
  the product that performs firmware image installation.  It would be best if
  instructions like those at
  were included in the README, as the user cannot be expected to infer that or
  to find such a link.

\section{Root Filesystem and Kernel Installation}

As mentioned above, the specific steps for installing an updated firmware image
were not provided, but we found that the firmware update method available in the
web interface worked fine.  In particular, we went to in
our browser, then logged in and chose System -> Backup / Flash Firmware.  From
there, we went to the "Flash new firmware image" section and selected the
librecmc-ar71xx-generic-tl-wr841n-v8-squashfs-sysupgrade.bin image in the
bin/ar71xx directory mentioned above.  We chose the "v8" image because we found
our router said "v8.2" on the bottom and "sysupgrade" because we were doing a
firmware upgrade rather than a fresh install.

When we clicked "Flash image...", we were prompted to confirm the MD5 hash of
the image to flash and then clicked "Proceed" to flash the image.  The process
took about one minute, at which point we were back at the web UI login screen.
We logged in and found that the Kernel Log section showed we were running the
new kernel.

We then logged in via SSH again and ran "busybox", which printed the new version
string, showing it was using our newly-compiled version (given the date).

\section{U-Boot Compilation}

* As mentioned above, we also found a "u-boot\verb0_0reflash" file at the top level of
  the included source CD.  We followed the instructions for compiling U-Boot,
  which were fairly straight-forward.  One modification would be to mention that
  "\$U-BOOT\verb0_0SRC" referred to the extracted source directory, which was implied,
  but should have been explicit.
* Additionally, we noticed that the included toolchain binaries, which were used
  by the U-Boot compilation process by default, did not run on our system.  In
  particular, we received this error:

mips-librecmc-linux-uclibc-gcc.bin: /lib/ version `GLIBC`\verb0_02.14' not found (required by mips-librecmc-linux-uclibc-gcc.bin)

  The complete log output (including the command used to run it) is here:


* We found that by removing toolchain/bin and symlinking the toolchain built for
  the filesystem/kernel above in its place, we were able to complete the U-Boot
  build.  Specifically, we symlinked toolchain/bin to:


  Output from the symlink operation can be found here:


* Ideally the pre-built toolchain binaries should not be included and a symlink
  as mentioned above should be created by default, with a mention that the
  U-Boot build depends on the previous build for its toolchain.
* After compilation completed successfully, we found a new U-Boot image in the
  bin directory.  The instructions explained how to install it on the device.
  Output from the successful build (after the symlink was created) is here:


\section{U-Boot Installation}

We obtained a serial cable along with our router, in order to complete the
U-Boot installation per the instructions in u-boot\verb0_0reflash.  However, we were
only able to read data from the serial port; we were unable to interrupt the
boot process or access the U-Boot console to complete the U-Boot re-flash.  Here
are the steps we tried:

* We found the serial cable included was a USB serial adapter that had a male
  USB type A connector on one end and 4 female jumper wires at the other end.
  These female jumper wires were red, black, white, and green.
* The instructions did not specify how to connect these wires, but we were able
  to determine this in part using the "v8.4" image (close to our "v8.2" router)
  at \url{} .  Aside from
  power and ground (red and black), we did have to guess which of the wires was
  RX and TX.  By experimentation we found that green was RX and white was TX.
  When we tried the other way, we received no data to our serial console at boot
* We did have to use the included jumper pin gender changer with the USB serial
  adapter, which we put through the holes on the router's mainboard and then
  connected to the USB serial adapter.  The fit was fairly loose so it would be
  nice if future router versions included a tighter gender changer or (ideally)
  had the jumper pins soldered onto the board to begin with (so no gender
  changer would be required).
* We used 115200 8N1 as our serial console settings (with no hardware or
  software flow control).  This was tested with both the minicom and screen
  commands.  We found that if we connected all 4 wires on the USB serial adapter
  that the router would start without additional power and our console would
  receive the startup messages.  We could replicate the same behavior by
  omitting the power cable from the USB serial adapter (red wire) and connecting
  the main power adapter to the router instead.
* While we did see the U-Boot and kernel boot logs in our serial console, we
  were unable to interrupt the boot process as u-boot\verb0_0reflash indicated we
  should.  We suspect this is a misconfiguration of our serial console, but it's
  unclear exactly how it is misconfigured, as we were able to receive data fine
  (we just couldn't send data to the router).
* As a result, we were unable to complete the U-Boot installation test.  We did
  appreciate that installation instructions were included, though these
  instructions should be updated to include more specifics about connecting the
  serial cable.  Since ThinkPenguin does have the option to ship a serial
  adapter with the router, it would be helpful if instructions specific to that
  adapter were included, as the wiring configuration one should use was unclear.
* Additionally, instructions for removing the router's case should be included.
  We found that the two screws that needed removal to open the case were hidden
  underneath rubber feet on the case.  Indicating which feet need removal to
  unscrew the case would be helpful.  The instructions should also note that the
  case needs to be carefully separated once the screws are removed; it
  effectively snaps apart, but care must be taken to avoid breaking the plastic
  fasteners that keep the case together after the screws are removed.

\section{Firmware Comparison}

To ensure that the CCS did indeed correspond to the firmware that was shipped on
the router, we compared the firmware image that we built using the above steps
with the filesystem we found on the device itself.  The comparison steps we used

* Extract the filesystem from the image we built by running
  from on
  librecmc-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin from the bin/ar71xx
  directory mentioned above (we noticed that our router said "Ver:8.2" on the
  bottom).  Then run squashfs4.2/squashfs-tools/bat-unsquashfs42 from
  bat-extratools (at )
  on the resulting morx0.squash and use the filesystem in the new squashfs-root
  directory for comparison.
* Login to the web interface (at ) from a computer that is
  connected to the router.
* Set a password using the provided link at the top (the UI warns that no
  password is set and asks the user to change it).
* Login to the router via SSH, using the root user and the password we just set.
* Compare representative directory listings and binaries to ensure the set of
  included files (on the router) is similar to those found in the firmware image
  we created (whose contents are now in the local squashfs-root directory).  In
  particular, we did the following comparisons:
** List the /bin folder ("ls -l /bin") and confirm the list of files is the same
   and that the file sizes are similar.
** Check the "strings" output of /bin/busybox to confirm it was similar in both
   places (similar number of lines and content of lines).  One cannot directly
   compare the binaries because the slight compilation variations will cause
   some bits to be different.
** Do the above two steps for /lib/modules, /usr/bin, and other directories with
   a significant number of binaries.
** To check that the kernel is sufficiently similar, compare the "dmesg" output
   both before and after flashing the new firmware.  The kernel version string
   should be similar, but should have a different build date and user@host
   indicator.  The kernel binary itself is not easily accessible from an SSH
   login, but may be retrievable using the U-Boot console (the start address of
   the kernel in flash appears to be 0x9F000000, based on the u-boot\verb0_0reflash
   instructions).  We were not able to verify this, due to the serial connection
   issues (see above section on U-Boot installation).

\section{Minor Infractions}

As mentioned above, there were a few minor infractions.  These made it slightly
difficult to complete the build and installation without additional context, but
did not make the build impossible to complete without more information, such as
missing source code for kernel modules or depending on a specific cross-compiler
but not mentioning which one or, better yet, including its source code, which
are both more problematic infractions.  These minor infractions were:

% FIXME: clarify seriousness of no install instructions; lack of clarity in
% which version to install could be more problematic

* Not mentioning how to extract the source tarball and then where to run the
  "make" command.
* Not mentioning how to install the kernel and root filesystem on the device;
  this is the biggest of these 3 issues but a bit less troublesome than it would
  otherwise have been since the web-based firmware update process is well-known.
* Using pre-built toolchain binaries that don't work on all systems instead of
  the ones that are built in a separate step, but not moved to the right place.
  We were able to build corresponding toolchain binaries from source (though
  for a slightly different target) so this is not a severe toolchain violation
  of the type we normally find (where toolchain binaries are provided without
  source).  However, including instructions to use the built toolchain binaries
  instead would be best, or alternatively specifying the distribution on which
  the toolchain binaries must be run (to avoid being unable to run them as we


% FIXME: is this material moot now that we include the compliance guide?
% Either way, it should be merged into compliance guide.
%\chapter{Good Practices for Compliance}

Generally, from the experience of GPL enforcement, we glean the following
general practices that can help in GPL compliance for organizations that
distribute products based on GPL'd software:


\item Talk to your software engineers and ask them where they got the
  components they use in the products they build. Find out if GPL'd
  components are present.

\item Teach your engineering staff to pay attention to license documents.
  Give them easy-to-follow policies to get approval for using a Free
  Software component.

\item Build a ``Free Software Licensing'' committee that handles requests
  and questions about the GPL and other Free Software licenses.

\item Add ``What parts of your products are under the GPL or other Free
  Software licenses?'' to your checklist of questions to ask when you
  consider mergers, acquisitions, or joint ventures.

\item Encourage your engineers to participate collaboratively with GPL'd
  software development. The more knowledge about the Free Software world
  your organization has, the better equipped it is to deal with this
  rapidly changing field.

\item When someone points out a potential GPL violation in one of your
  products, do not assume the product line is doomed. The GPL is not a virus;
  merely having GPL'd code in one part of a product does not necessarily
  mean that every related product must also be GPL'd. And, even if some
  software needs to be released that was not before, the product will
  surely survive. In FSF's enforcement efforts, we have not yet
  seen a product line die because source was released to customers in
  compliance with the GPL.


0 comments (0 inline, 0 general)