Copyleft/guide Changeset - b0801a2b8a2f

Changeset - b0801a2b8a2f

Parent rev.

Child rev.

[Not reviewed]

0 3 0

Bradley Kuhn (bkuhn) - 9 years ago 2014-12-20 00:09:01
bkuhn@ebb.org

Clarify sentence.

Make this sentence a bit clearer.

3 files changed with 3 insertions and 3 deletions:

compliance-guide.tex

enforcement-case-studies.tex

gpl-lgpl.tex

0 comments (0 inline, 0 general)

compliance-guide.tex

➞

Show inline comments

 % compliance-guide.tex                            -*- LaTeX -*-
 \part{A Practical Guide to GPL Compliance}
 \label{gpl-compliance-guide}
 {\parindent 0in
 This part is: \\
 \begin{tabbing}
 Copyright \= \copyright{} 2008, 2014 \= \hspace{.2in} Bradley M. Kuhn. \\
 Copyright \= \copyright{} 2014 \> \hspace{.2in} Free Software Foundation, Inc. \\
 Copyright \> \copyright{} 2008, 2014 \> \hspace{.2in} Software Freedom Law Center. \\
 \end{tabbing}
 \vspace{.1in}
 \begin{center}
 The copyright holders of this part hereby grant the freedom to copy, modify,
 convey, Adapt, and/or redistribute this work under the terms of the Creative
 Commons Attribution Share Alike 4.0 International License.  A copy of that
 license is available at
 \url{https://creativecommons.org/licenses/by-sa/4.0/legalcode}.
 \vfill
 This part includes material from many sources, including the following
+This part includes material from many sources, including some material from the following
 CC-By-SA-licensed published works: \\
 \begin{itemize}
 \item \hrefnofollow{http://www.softwarefreedom.org/resources/2008/compliance-guide.html}{\textit{The Practical Guide GPL Compliance}}, by Bradley M. Kuhn, Aaron
 Williamson and Karen Sandler, first published on 2008-08-20. \\
 \item \hrefnofollow{http://www.softwarefreedom.org/resources/2014/SFLC-Guide_to_GPL_Compliance_2d_ed.html}{\textit{Software Freedom Law Center Guide to GPL Compliance, 2nd
   Edition}} by Eben Moglen and Mishi Choudhary, first published on 2014-10-31. \\
 \end{itemize}
 However, this work is primarily composed of the many contributions it
 receives as a public, collaborative project.  Please
 \href{https://gitorious.org/copyleft-org/tutorial/history/master:compliance-guide.tex}{review
   its Git logs} for full documentation of all contributions.
 \end{center}
+}
 \pagebreak
 \chapter*{Executive Summary}
 This is a guide to effective compliance with the GNU General Public
 License (GPL) and related licenses.  Copyleft advocates
 usually seek to assist the community with
 GPL compliance cooperatively.   This guide focuses on complying from the
 start, so that readers can learn to avoid enforcement actions entirely, or, at
 least, minimize  the negative impact when enforcement actions occur.
 This guide  introduces and explains basic legal concepts related to the GPL and its
 enforcement by copyright holders. It also outlines business practices and
 methods that lead to better GPL compliance.  Finally, it recommends proper
 post-violation responses to the concerns of copyright holders.
 \chapter{Background}
 Copyright law grants exclusive rights to authors.  Authors who chose copyleft
 seek to protect the freedom of users and developers to copy, share, modify
 and redistribute the software.  However, copyleft is ultimately implemented
 through copyright, and the GPL is primarily and by default a copyright
 license.  (See \S~\ref{explaining-copyright} for more about the interaction
 between copyright and copyleft.)  Copyright law grants an unnatural exclusive
 control to copyright holders regarding copyright-controlled permissions
 related to the work.  Therefore, copyright holders (or their agents) are the
 ultimately the sole authorities to enforce copyleft and protect the rights of
 users.  Actions for copyright infringement are the ultimate legal mechanism
 for enforcement.  Therefore, copyright holders, or collaborative groups of
 copyright holders, have historically been the actors in GPL enforcement.
 The earliest of these efforts began soon after the GPL was written by
 Richard M.~Stallman (RMS) in 1989, and consisted of informal community efforts,
 often in public Usenet discussions.\footnote{One example is the public
   outcry over NeXT's attempt to make the Objective-C front-end to GCC
   proprietary.  RMS, in fact, handled this enforcement action personally and
   the Objective-C front-end is still part of upstream GCC today.}  Over the next decade, the Free Software Foundation (FSF),
 which holds copyrights in many GNU programs, was the only visible entity
 actively enforcing its GPL'd copyrights on behalf of the software freedom
 community.
 FSF's enforcement
 was generally a private process; the FSF contacted violators
 confidentially and helped them to comply with the license.  Most
 violations were pursued this way until the early 2000's.
 By that time, Linux-based systems such as GNU/Linux and BusyBox/Linux had become very common, particularly in
 embedded devices such as wireless routers.  During this period, public
 ridicule of violators in the press and on Internet fora supplemented
 ongoing private enforcement and increased pressure on businesses to
 comply.  In 2003, the FSF formalized its efforts into the GPL Compliance
 Lab, increased the volume of enforcement, and built community coalitions
 to encourage copyright holders to together settle amicably with violators.
 Beginning in 2004, Harald Welte took a more organized public enforcement
 approach and launched \href{http://gpl-violations.org/}{gpl-violations.org}, a website and mailing
 list for collecting reports of GPL violations.  On the basis of these
 reports, Welte successfully pursued many enforcement actions in Europe, including
 formal legal action.  Harald earns the permanent fame as the first copyright
 holder to bring legal action in a court regarding GPL compliance.
 In 2007, two copyright holders in BusyBox, in conjunction with the
 Software Freedom Conservancy (``Conservancy''), filed the first copyright infringement lawsuit
 based on a violation of the GPL\@ in the USA. While  lawsuits are of course
 quite public, the vast majority of Conservancy's enforcement actions
 are resolved privately via
 cooperative communications with violators.  As both FSF and Conservancy have worked to bring
 individual companies into compliance, both organizations have encountered numerous
 violations resulting from preventable problems such as inadequate
 attention to licensing of upstream software, misconceptions about the
 GPL's terms, and poor communication between software developers and their
 management.  This document highlights these problems and describe
 best practices to encourage corporate Free Software users to reevaluate their
 approach to GPL'd software and avoid future violations.
 Both FSF and Conservancy continue GPL enforcement and compliance efforts
 for software under the GPL, the GNU Lesser
 Public License (LGPL) and other copyleft licenses.  In doing so, both organizations have
 found that most violations stem from a few common, avoidable mistakes.  All copyleft advocates  hope to educate the community of
 commercial distributors, redistributors, and resellers on how to avoid
 violations in the first place, and to respond adequately and appropriately
 when a violation occurs.
 \section{Who Has Compliance Obligations?}
 All distributors of modified or unmodified versions of copylefted works
 unmodified versions of the works have compliance obligations.  Common methods
 of modifying the works include innumerable common acts, such as:
 \begin{itemize}
   \item embedding those works as executable copies
     into a device,
   \item transferring a digital copy of executable copies to someone else,
   \item posting a patch to the copylefted software to a public mailing list.
 \end{itemize}
 Such distributors have obligations to (at least) the users to whom they (or
 intermediary parties) distribute those copies.  In some cases, distributors
 have obligations to third parties not directly receiving their distribution
 of the works (depending on the distributors chosen licensing options, as
 described later in \S~\ref{binary-distribution-permission}).  In addition,
 distributors have compliance obligations to upstream parties, such as
 preservation of reasonable legal notices embedded in the code, and
 appropriate labeling of modified versions.
 Online service providers and distributors alike have other compliance
 obligations.  In general, they must refrain from imposing any additional
 restrictions on downstream parties. Most typically, such compliance problems
 arise from ``umbrella licenses:'' EULAs, or sublicenses that restrict
 downstream users' rights under copyleft. (See \S~\ref{GPLv2s6} and
 \S~\ref{GPLv3s10}).
 Patent holders having claims reading on GPL'd works they distribute must
 refrain from enforcing those claims against parties to whom they distribute.
 Furthermore, patent holders holding copyrights on GPLv3'd works must further
 grant an explicit patent license for any patent claims reading on the version
 they distributed, and therefore cannot enforce those specific patent claims
 against anyone making, using or selling a work based on their distributed
 version.  All parties must refrain from acting as a provider of services or
 distributor of licensed works if they have accepted, or had imposed on them
 by judicial action, any legal conditions that would prevent them from meeting
 any obligation under GPL\@.  (See \S~\ref{GPLv2s7}, \S~\ref{GPLv3s11} and
 \S~\ref{GPLv3s12}.
 \section{What Are The Risks of Non-Compliance?}
 Copyleft experts have for decades observed a significant mismatch between the
 assumptions most businesses make about copyleft compliance and the realities.
 Possibly due to excessive marketing of proprietary tools and services from
 the for-profit compliance industry, businesses perennially focus on the wrong
 concerns.  This tutorial seeks to educate those businesses about what
 actually goes wrong, what causes disputes, and how to resolve those disputes.
 Many businesses currently invest undue resources to avoid unlikely risks that
 have low historical incidence of occurrence and low cost of remediation,
 while leaving unmanaged the risks that have historically resulted in all the
 litigation and other adverse outcomes.  For example, some ``compliance
 industry''\footnote{``Compliance industry'' refers to third-party for-profit
   companies that market proprietary software tools and/or consulting services
   that purport to aid businesses with their Free Software license compliance
   obligations, such as those found in GPL and other copyleft licenses.  This
   tutorial leaves the term in quotes throughout, primarily to communicate the
   skepticism most of this tutorial's authors feel regarding the mere
   existence of this industry.  Not only do copyleft advocates object on
   principle to proprietary software tools in general, and to their ironic use
   specifically to comply with copyleft, but also to the ``compliance
   industry'' vendors' marketing messaging, which some copyleft advocates
   claim as a cause in the risk misassessments discussed herein.  Bradley
   M.~Kuhn, specifically, regularly uses the term ``compliance industrial
   complex''
   \href{http://en.wikipedia.org/wiki/Military-industrial_complex}{to
     analogize the types of problems in this industry to those warned against
     in the phrase of origin}.} vendors insist that great effort must be
 expended to carefully list, in the menus or manuals of embedded electronics
 products, copyright notices for every last copyright holder that contributed
 to the Free Software included in the product.  While nearly all Free Software
 licenses, including copylefts like GPL, require preservation and display of
 copyright notices, failure to meet this specific requirement is trivially
 remedied.  Therefore, businesses should spend just reasonable efforts to
 properly display copyright notices, and note that failure to do so is simply
 remedied: add the missing copyright notice!
 \section{Understanding Who's Enforcing}
 \label{compliance-understanding-whos-enforcing}
 The mismatch between actual compliance risk and compliance risk management
 typically results from a misunderstanding of licensor intentions.  For-profit
 businesses often err by assuming other actors have kindred motivations.  The
 primary enforcers of the GPL, however, have goals that for-profit businesses
 will find strange and perhaps downright alien.
 Specifically, community-oriented GPL enforcement organizations (called
 ``COGEOs'' throughout the remainder of this tutorial) are typically
 non-profit charities (such as the FSF and Software Freedom Conservancy) who
 declare, as part of their charitable mission, advancement of software freedom
 for all users.  In the USA, these COGEOs are all classified as charitable
 under the IRS's 501(c)(3) designation, which is reserved for organizations
 that have a mission to enhance the public good.
 As such, these COGEOs enforce GPL primarily to pursue the policy goals and
 motivations discussed throughout this tutorial: to spread software freedom
 further.  As such, COGEOs are unified in their primary goal to bring the
 violator back into compliance as quickly as possible, and redress the damage
 caused by the violation.  COGEOs are steadfast in their position in a
 violation negotiation: comply with the license and respect freedom.
 Certainly, other entities do not share the full ethos of software freedom as
 institutionalized by COGEOs, and those entities pursue GPL violations
 differently.  Oracle, a company that produces the GPL'd MySQL database, upon
 discovering GPL violations typically negotiates a proprietary software
 license separately for a fee.  While this practice is not one a COGEO would
 undertaking nor endorsing, a copyleft license technically permits this
 behavior.  To put a finer point on this practice already discussed
 in~\S~\ref{Proprietary Relicensing}, copyleft advocates usually find copyleft
 enforcement efforts focused on extract alternative proprietary licenses
 distasteful at best, and a corrupt manipulation of copyleft at worst.  Much
 to the advocates' chagrin, such for-profit enforcement efforts seem to
 increase rather than decrease.
 Thus, unsurprisingly, for-profit adopters of GPL'd software often incorrectly
 assume that all copyright holders seek royalties.  Businesses therefore focus
 on the risk of so-called ``accidental'' (typically as the result of
 unsupervised activity by individual programmers) infringe copyright by
 incorporating ``snippets'' of copylefted code into their own proprietary
 computer program.  ``Compliance industry'' flagship products, therefore,
 focus on ``code scanning'' services that purport to detect accidental
 inclusions.  Such effort focuses on proprietary software development and view
 Free Software as a foreign interloper.  Such approach not only ignores
 current reality that many companies build their products directly on major
 copylefted projects (e.g., Android vendor's use of the kernel named Linux),
 but also creates a culture of fear among developers, leading them into a
 downward spiral of further hiding their necessary reliance on copylefted
 software in the company's products.
 Fortunately, COGEOs regard GPL compliance failures as an opportunity to
 improve compliance.  Every compliance failure downstream represents a loss of
 rights by their users. The COGEOs are the guardian of its users' and
 developers' rights.  Their activity seeks to restore those rights, and
 to protect the project's contributors' intentions in the making of their
 software.
 \chapter{Best Practices to Avoid Common Violations}
 \label{best-practices}
 Unlike highly permissive licenses (such as the ISC license), which
 typically only require preservation of copyright notices, licensees face many
 important requirements from the GPL.  These requirements are
 carefully designed to uphold certain values and standards of the software
 freedom community.  While the GPL's requirements may initially appear
 counter-intuitive to those more familiar with proprietary software
 licenses, by comparison, its terms are in fact clear and quite favorable to
 licensees.  Indeed, the GPL's terms actually simplify compliance when
 violations occur.
 GPL violations occur (or, are compounded) most often when companies lack sound
 practices for the incorporation of GPL'd components into their
 internal development environment.  This section introduces some best
 practices for software tool selection, integration and distribution,
 inspired by and congruent with software freedom methodologies.  Companies should
 establish such practices before building a product based on GPL'd
 software.\footnote{This document addresses compliance with GPLv2,
   GPLv3, LGPLv2, and LGPLv3.  Advice on avoiding the most common
   errors differs little for compliance with these four licenses.
   \S~\ref{lgpl} discusses the key differences between GPL and LGPL
   compliance.}
 \section{Evaluate License Applicability}
 \label{derivative-works}
 Political discussion about the GPL often centers around determining the
 ``work'' that must be licensed under GPL, or in other words, ``what is the
 derivative and/or combined work that was created''.  Nearly ever esoteric
 question asked by lawyers seek to consider that question
 \footnote{\tutorialpartsplit{In fact, a companion work, \textit{Detailed Analysis of the GNU GPL and Related
       Licenses} contains an entire section discussing derivative works}{This tutorial in fact
   also addresses the issue at length in~\S~\ref{derivative-works}}.} (perhaps because
 that question explores exciting legal issues while the majority of the GPL
 deals with much more mundane ones).
 Of course, GPL was designed
 primarily to embody the licensing feature of copyleft.
 However, most companies who add
 complex features to and make combinations with GPL'd software
 are already well aware of their
 more complex obligations under the license that require complex legal
 analysis.  And, there are few companies overall that engage in such
 activities. Thus,  in practical reality, this issue is not relevant to the vast
 majority of companies distributing GPL'd software.
 Thus, experienced  GPL enforcers find that few redistributors'
 compliance challenges relate directly to combined work issues in copyleft.
 Instead, the distributions of GPL'd
 systems most often encountered typically consist of a full operating system
 including components under the GPL (e.g., Linux, BusyBox) and components
 under the LGPL (e.g., the GNU C Library).  Sometimes, these programs have
 been patched or slightly improved by direct modification of their sources,
 and thus the result is unequivocally a modified version.  Alongside these programs,
 companies often distribute fully independent, proprietary programs,
 developed from scratch, which are designed to run on the Free Software operating
 system but do not combine with, link to, modify, derive from, or otherwise
 create a combined work with
 the GPL'd components.\footnote{However, these programs do often combine
   with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.}
 In the latter case, where the work is unquestionably a separate work of
 creative expression, no copyleft provisions are invoked.
 The core compliance issue faced, thus, in such a situation, is not an discussion of what is or is not a
 combined, derivative, and/or modified version of the work, but rather, issues related to distribution and
 conveyance of binary works based on GPL'd source, but without Complete,
 Corresponding Source.
 As such, issues of software delivery are the primary frustration for GPL
 enforcers. In particular, the following short list accounts for at least 95\%
 of the GPL violations ever encountered:
 \begin{itemize}
 \item The violator fails to provide required information about the presence
   of copylefted programs and their applicable license terms in the product
   they have purchased.
 \item The violator fails to reliably deliver \hyperref[CCS
   Definition]{complete, corresponding source} (CCS) for copylefted programs
   the violator knew were included (i.e., the CCS is either delivered but
   incomplete, or is not delivered at all).
 \item Requestors are ignored when they communicate with violator's published
   addresses requesting fulfillment of businesses' obligations.
 \end{itemize}
 This tutorial therefore focuses primarily on these issue.
 Admittedly, a tiny
 minority of compliance situations relate to question of derivative,
 combined, or modified versions of the work.  Those
 situations are so rare, and the details from situation to situation differ
 greatly.  Thus, such situations require a highly
 fact-dependent analysis and cannot be addressed in a general-purpose
 document such as this one.
 \medskip
 Most companies accused of violations lack a basic understanding
 of how to comply even in the straightforward scenario.  This document
 provides those companies with the fundamental and generally applicable prerequisite knowledge.
 For answers to rarer and more complicated legal questions, such as whether
 your software is a derivative or combined work of some copylefted software, consult
 with an attorney.\footnote{If you would like more information on the
   application of derivative works doctrine to software, a detailed legal
   discussion is presented in our colleague Dan Ravicher's article,
   \textit{Software Derivative Work: A Circuit Dependent Determination} and in
   \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related
       Licenses}'s Section on derivative works}{\S~\ref{derivative-works} of
     this tutorial}.}
 This discussion thus assumes that you have already identified the
 ``work'' covered by the license, and that any components not under the GPL
 (e.g., applications written entirely by your developers that merely happen
 to run on a Linux-based operating system) distributed in conjunction with
 those works are separate works within the meaning of copyright law and the GPL\@.  In
 such a case, the GPL requires you to provide complete corresponding
 source (CCS)\footnote{For more on CCS,  see
 \tutorialpartsplit{\textit{Detailed Analysis of the GNU GPL and Related
       Licenses}'s Section on GPLv2~\S2 and GPLv3~\S1.}{\S~\ref{GPLv2s2} and \S~\ref{GPLv3s1} of
     this tutorial}.}
 for the GPL'd components and your modifications thereto, but not
 for independent proprietary applications.  The procedures described in
 this document address this typical scenario.
 \section{Monitor Software Acquisition}
 Software engineers deserve the freedom to innovate and import useful
 software components to improve products.  However, along with that
 freedom should come rules and reporting procedures to make sure that you
 are aware of what software that you include with your product.
 The most typical response to an initial enforcement action is: ``We
 didn't know there was GPL'd stuff in there''.  This answer indicates
 failure in the software acquisition and procurement process.  Integration
 of third-party proprietary software typically requires a formal
 arrangement and management/legal oversight before the developers
 incorporate the software.  By contrast, developers often obtain and
 integrate Free Software without intervention nor oversight. That ease of acquisition, however,
 does not mean the oversight is any less necessary.  Just as your legal
 and/or management team negotiates terms for inclusion of any proprietary
 software, they should gently facilitate all decisions to bring Free Software into your
 product.
 Simple, engineering-oriented rules help provide a stable foundation for
 Free Software integration.  For example, simply ask your software developers to send an email to a
 standard place describing each new Free Software component they add to the system,
 and have them include a brief description of how they will incorporate it
 into the product.  Further, make sure developers use a revision control
 system (such as Git or Mercurial), and
 store the upstream versions of all software in a ``vendor branch'' or
 similar mechanism, whereby they can easily track and find the main version
 of the software and, separately, any local changes.
 Such procedures are best instituted at your project's launch.  Once
 chaotic and poorly-sourced development processes begin, cataloging the
 presence of GPL'd components  becomes challenging.
 Such a situation often requires use of a tool to ``catch up'' your knowledge
 about what software your product includes.  Most commonly, companies choose
 some software licensing scanning tool to inspect the codebase.  However,
 there are few tools that are themselves Free Software.  Thus, GPL enforcers
 usually recommend the GPL'd
 \href{http://fossology.org/}{FOSSology system}, which analyzes a
 source code base and produces a list of Free Software licenses that may apply to
 the code.  FOSSology can help you build a catalog of the sources you have
 already used to build your product.  You can then expand that into a more
 structured inventory and process.
 \section{Track Your Changes and Releases}
 As explained in further detail below, the most important component of GPL
 compliance is the one most often ignored: proper inclusion of CCS in all
 distributions  of GPL'd
 software.  To comply with GPL's CCS requirements, the distributor
 \textit{must} always know precisely what sources generated a given binary
 distribution.
 In an unfortunately large number of our enforcement cases, the violating
 company's engineering team had difficulty reconstructing the CCS
 for binaries distributed by the company.  Here are three simple rules to
 follow to decrease the likelihood of this occurrence:
 \begin{itemize}
 \item Ensure that your
 developers are using revision control systems properly.
 \item Have developers mark or ``tag'' the full source tree corresponding to
   builds distributed to customers.
 \item Check that your developers store all parts of the software
 development in the revision control system, including {\sc readme}s, build
 scripts, engineers' notes, and documentation.
 \end{itemize}
 Your developers will benefit anyway from these rules.  Developers will be
 happier in their jobs if their tools already track the precise version of
 source that corresponds to any deployed binary.
 \section{Avoid the ``Build Guru''}
 Too many software projects rely on only one or a very few team members who
 know how to build and assemble the final released product.  Such knowledge
 centralization not only creates engineering redundancy issues, but also
 thwarts GPL compliance.  Specifically, CCS does not just require source code,
 but scripts and other material that explain how to control compilation and
 installation of the executable and object code.
 Thus, avoid relying on a ``build guru'', a single developer who is the only one
 who knows how to produce your final product. Make sure the build process
 is well defined.  Train every developer on the build process for the final
 binary distribution, including (in the case of embedded software)
 generating a final firmware image suitable for distribution to the
 customer.  Require developers to use revision control for build processes.
 Make a rule that adding new components to the system without adequate
 build instructions (or better yet, scripts) is unacceptable engineering
 practice.
 \chapter{Details of Compliant Distribution}
 Distribution of GPL'd works has requirements; copyleft will not function
 without placing requirements on redistribution.  However, some requirements
 are more likely to cause compliance difficult than others.  This
 chapter\footnote{Note that this chapter refers heavily to specific provisions
   and language in
   \hyperref[GPLv2s3-full-text]{GPLv2\S3}
   and \hyperref[GPLv3s6-full-text]{GPLv3\S6}.
   It may be helpful  to review \S~\ref{GPLv2s3} and \S~\ref{GPLv3s6} first,
   and then have a copy of each license open while reading this
   section.}  explains some the specific requirements placed upon
 distributors of GPL'd software that redistributors are most likely to
 overlook, yielding compliance problems.
 First, \hyperref[GPLv2s1]{GPLv2\S1} and \hyperref[GPLv2s4]{GPLv2\S4} require
 that the full license text must accompany every distribution (either in
 source or binary form) of each licensed work.  Strangely, this requirement is
 responsible for a surprisingly significant fraction of compliance errors; too
 often, physical products lack required information about the presence of
 GPL'd programs and the applicable license terms.  Automated build processes
 can and should carry a copy of the license from the the source distribution
 into the final binary firmware package for embedded products.  Such
 automation usually achieves compliance regarding license inclusion
 requirements\footnote{At least one COGEO recommends the
   \href{https://www.yoctoproject.org/}{Yocto Project}, since its engineers
   have designed such features into it build process.}
 \section{Binary Distribution Permission}
 \label{binary-distribution-permission}
 % be careful below, you cannot refill the \if section, so don't refill
 % this paragraph without care.
 The various versions of the GPL are copyright licenses that grant
 permission to make certain uses of software that are otherwise restricted
 by copyright law.  This permission is conditioned upon compliance with the
 GPL's requirements.
 This section walks through the requirements (of both GPLv2 and GPLv3) that
 apply when you distribute GPL'd programs in binary (i.e., executable or
 object code) form, which is typical for embedded applications.  Because a
 binary application derives from a program's original sources, you need
 permission from the copyright holder to distribute it.  \S~3 of GPLv2 and
 \S~6 of GPLv3 contain the permissions and conditions related to binary
 distributions of GPL'd programs.\footnote{These sections cannot be fully
   understood in isolation; read the entire license thoroughly before
   focusing on any particular provision.  However, once you have read and
   understood the entire license, look to these sections to guide
   compliance for binary distributions.}  Failure to provide or offer CCS is the
 single largest failure mode leading to compliance disputes.
 GPL's binary distribution sections offer a choice of compliance methods,
 each of which we consider in turn.  Each option refers to the
 ``Corresponding Source'' code for the binary distribution, which includes
 the source code from which the binary was produced.  This abbreviated and
 simplified definition is sufficient for the binary distribution discussion
 in this section, but you may wish to refer back to this section after
 reading the thorough discussion of ``Corresponding Source'' that appears
 in \S~\ref{corresponding-source}.
 \subsection{Option (a): Source Alongside Binary}
 GPLv2~\S~3(a) and v3~\S~6(a) embody the easiest option for providing
 source code: including Corresponding Source with every binary
 distribution.  While other options appear initially less onerous, this
 option invariably minimizes potential compliance problems, because when
 you distribute Corresponding Source with the binary, \emph{your GPL
   obligations are satisfied at the time of distribution}.  This is not
 true of other options, and for this reason, we urge you to seriously
 consider this option.  If you do not, you may extend the duration of your
 obligations far beyond your last binary distribution.
 Compliance under this option is straightforward.  If you ship a product
 that includes binary copies of GPL'd software (e.g., in firmware, or on a
 hard drive, CD, or other permanent storage medium), you can store the
 Corresponding Source alongside the binaries.  Alternatively, you can
 include the source on a CD or other removable storage medium in the box
 containing the product.
 GPLv2 refers to the various storage mechanisms as ``medi[a] customarily
 used for software interchange''.  While the Internet has attained primacy
 as a means of software distribution where super-fast Internet connections
 are available, GPLv2 was written at a time when downloading software was
 not practical (and was often impossible).  For much of the world, this
 condition has not changed since GPLv2's publication, and the Internet
 still cannot be considered ``a medium customary for software
 interchange''.  GPLv3 clarifies this matter, requiring that source be
 ``fixed on a durable physical medium customarily used for software
 interchange''.  This language affirms that option (a) requires binary
 redistributors to provide source on a physical medium.
 Please note that while selection of option (a) requires distribution on a
 physical medium, voluntary distribution via the Internet is very useful.  This
 is discussed in detail in \S~\ref{offer-with-internet}.
 \subsection{Option (b): The Offer}
 \label{offer-for-source}
 Many distributors prefer to ship only an offer for source with the binary
 distribution, rather than the complete source package.  This
 option has value when the cost of source distribution is a true
 per-unit cost.  For example, this option might be a good choice for
 embedded products with permanent storage too small to fit the source, and
 which are not otherwise shipped with a CD but \emph{are} shipped with a
 manual or other printed material.
 However, this option increases the duration of your obligations
 dramatically.  An offer for source must be good for three full years from
 your last binary distribution (under GPLv2), or your last binary or spare
 part distribution (under GPLv3).  Your source code request and
 provisioning system must be designed to last much longer than your product
 life cycle. Thus, it also increases your compliance costs in the long
 run.
 In addition, if you are required to comply with the terms of GPLv2, you
 {\bf cannot} use a network service to provide the source code.  For GPLv2,
 the source code offer is fulfilled only with physical media.  This usually
 means that you must continue to produce an up-to-date ``source code CD''
 for years after the product's end-of-life.
 \label{offer-with-internet}
 Under GPLv2, it is acceptable and advisable for your offer for source code
 to include an Internet link for downloadable source \emph{in addition} to
 offering source on a physical medium.  This practice enables those with
 fast network connections to get the source more quickly, and typically
 decreases the number of physical media fulfillment requests.
 (GPLv3~\S~6(b) permits provision of source with a public
 network-accessible distribution only and no physical media.  We discuss
 this in detail at the end of this section.)
 The following is a suggested compliant offer for source under GPLv2 (and
 is also acceptable for GPLv3) that you would include in your printed
 materials accompanying each binary distribution:
 \begin{quote}
 The software included in this product contains copyrighted software that
 is licensed under the GPL\@.  A copy of that license is included in this
 document on page $X$\@.  You may obtain the complete Corresponding Source
 code from us for a period of three years after our last shipment of this
 product, which will be no earlier than 2011-08-01, by sending a money
 order or check for \$5 to: \\
 GPL Compliance Division \\
 Our Company \\
 Any Town, US 99999 \\
 \\
 Please write ``source for product $Y$'' in the memo line of your
 payment.
 You may also find a copy of the source at
 \url{http://www.example.com/sources/Y/}.
 This offer is valid to anyone in receipt of this information.
 \end{quote}
 There are a few important details about this offer.  First, it requires a
 copying fee.  GPLv2 permits ``a charge no more than your cost of
 physically performing source distribution''.  This fee must be reasonable.
 If your cost of copying and mailing a CD is more than around \$10, you
 should perhaps find a cheaper CD stock and shipment method.  It is simply
 not in your interest to try to overcharge the community.  Abuse of this
 provision in order to make a for-profit enterprise of source code
 provision will likely trigger enforcement action.
 Second, note that the last line makes the offer valid to anyone who
 requests the source.  This is because v2~\S~3(b) requires that offers be
 ``to give any third party'' a copy of the Corresponding Source.  GPLv3 has
 a similar requirement, stating that an offer must be valid for ``anyone
 who possesses the object code''.  These requirements indicated in
 v2~\S~3(c) and v3~\S~6(c) are so that noncommercial redistributors may
 pass these offers along with their distributions.  Therefore, the offers
 must be valid not only to your customers, but also to anyone who received
 a copy of the binaries from them.  Many distributors overlook this
 requirement and assume that they are only required to fulfill a request
 from their direct customers.
 The option to provide an offer for source rather than direct source
 distribution is a special benefit to companies equipped to handle a
 fulfillment process.  GPLv2~\S~3(c) and GPLv3~\S~6(c) avoid burdening
 noncommercial, occasional redistributors with fulfillment request
 obligations by allowing them to pass along the offer for source as they
 received it.
 Note that commercial redistributors cannot avail themselves of the option
 (c) exception, and so while your offer for source must be good to anyone
 who receives the offer (under v2) or the object code (under v3), it
 \emph{cannot} extinguish the obligations of anyone who commercially
 redistributes your product.  The license terms apply to anyone who
 distributes GPL'd software, regardless of whether they are the original
 distributor.  Take the example of Vendor $V$, who develops a software
 platform from GPL'd sources for use in embedded devices.  Manufacturer $M$
 contracts with $V$ to install the software as firmware in $M$'s device.
 $V$ provides the software to $M$, along with a compliant offer for source.
 In this situation, $M$ cannot simply pass $V$'s offer for source along to
 its customers.  $M$ also distributes the GPL'd software commercially, so
 $M$ too must comply with the GPL and provide source (or $M$'s \emph{own}
 offer for source) to $M$'s customers.
 This situation illustrates that the offer for source is often a poor
 choice for products that your customers will likely redistribute.  If you
 include the source itself with the products, then your distribution to
 your customers is compliant, and their (unmodified) distribution to their
 customers is likewise compliant, because both include source.  If you
 include only an offer for source, your distribution is compliant but your
 customer's distribution does not ``inherit'' that compliance, because they
 have not made their own offer to accompany their distribution.
 The terms related to the offer for source are quite different if you
 distribute under GPLv3.  Under v3, you may make source available only over
 a network server, as long as it is available to the general public and
 remains active for three years from the last distribution of your product
 or related spare part.  Accordingly, you may satisfy your fulfillment
 obligations via Internet-only distribution.  This makes the ``offer for
 source'' option less troublesome for v3-only distributions, easing
 compliance for commercial redistributors.  However, before you switch to a
 purely Internet-based fulfillment process, you must first confirm that you
 can actually distribute \emph{all} of the software under GPLv3.  Some
 programs are indeed licensed under ``GPLv2, \emph{or any later version}''
 (often abbreviated ``GPLv2-or-later'').  Such licensing gives you the
 option to redistribute under GPLv3.  However, a few popular programs are
 only licensed under GPLv2 and not ``or any later version''
 (``GPLv2-only'').  You cannot provide only Internet-based source request
 fulfillment for the latter programs.
 If you determine that all GPL'd works in your whole product allow upgrade
 to GPLv3 (or were already GPLv3'd to start), your offer for source may be
 as simple as this:
 \begin{quote}
 The software included in this product contains copyrighted software that
 is licensed under the GPLv3\@.  A copy of that license is included in this
 document on page $X$\@.  You may obtain the complete Corresponding Source
 code from us for a period of three years after our last shipment of this
 product and/or spare parts therefor, which will be no earlier than
 -08-01, on our website at
 \url{http://www.example.com/sources/productnum/}.
 \end{quote}
 \medskip
 Under both GPLv2 and GPLv3, source offers must be accompanied by a copy of
 the license itself, either electronically or in print, with every
 distribution.
 Finally, it is unacceptable to use option (b) merely because you do not have
 Corresponding Source ready.  We find that some companies choose this option
 because writing an offer is easy, but producing a source distribution as
 an afterthought to a hasty development process is difficult.  The offer
 for source does not exist as a stop-gap solution for companies rushing to
 market with an out-of-compliance product.  If you ship an offer for source
 with your product but cannot actually deliver \emph{immediately} on that
 offer when your customers request it, you should expect an enforcement
 action.
 \subsection{Option (c): Noncommercial Offers}
 As discussed in the last section, GPLv2~\S~3(c) and GPLv3~\S~6(c) apply
 only to noncommercial use.  These options are not available to businesses
 distributing GPL'd software.  Consequently, companies that redistribute
 software packaged for them by an upstream vendor cannot merely pass along
 the offer they received from the vendor; they must provide their own offer
 or corresponding source to their distributees.  We talk in detail about
 upstream software providers in \S~\ref{upstream}.
 \subsection{Option 6(d) in GPLv3: Internet Distribution}
 Under GPLv2, your formal provisioning options for Corresponding Source
 ended with \S~3(c).  But even under GPLv2, pure Internet source
 distribution was a common practice and generally considered to be
 compliant.  GPLv2 mentions Internet-only distribution almost as aside in
 the language, in text at the end of the section after the three
 provisioning options are listed.  To quote that part of GPLv2~\S~3:
 \begin{quote}
 If distribution of executable or object code is made by offering access to
 copy from a designated place, then offering equivalent access to copy the
 source code from the same place counts as distribution of the source code,
 even though third parties are not compelled to copy the source along with
 the object code.
 \end{quote}
 When that was written in 1991, Internet distribution of software was the
 exception, not the rule.  Some FTP sites existed, but generally software
 was sent on magnetic tape or CDs.  GPLv2 therefore mostly assumed that
 binary distribution happened on some physical media.  By contrast,
 GPLv3~\S~6(d) explicitly gives an option for this practice that the
 community has historically considered GPLv2-compliant.
 Thus, you may fulfill your source-provision obligations by providing the
 source code in the same way and from the same location.  When exercising
 this option, you are not obligated to ensure that users download the
 source when they download the binary, and you may use separate servers as
 needed to fulfill the requests as long as you make the source as
 accessible as the binary.  However, you must ensure that users can easily
 find the source code at the time they download the binary. GPLv3~\S~6(d)
 thus clarifies a point that has caused confusion about source provision in
 v2.  Indeed, many such important clarifications are included in v3 which
 together provide a compelling reason for authors and redistributors alike
 to adopt GPLv3.
 \subsection{Option 6(e) in GPLv3: Software Torrents}
 Peer-to-peer file sharing arose well after GPLv2 was written, and does not
 easily fit any of the v2 source provision options.  GPLv3~\S~6(e)
 addresses this issue, explicitly allowing for distribution of source and
 binary together on a peer-to-peer file sharing network.  If you distribute
 solely via peer-to-peer networks, you can exercise this option.  However,
 peer-to-peer source distribution \emph{cannot} fulfill your source
 provision obligations for non-peer-to-peer binary distributions.  Finally,
 you should ensure that binaries and source are equally seeded upon initial
 peer-to-peer distribution.
 \section{Preparing Corresponding Source}
 \label{corresponding-source}
 Most enforcement cases involve companies that have unfortunately not
 implemented procedures like our \S~\ref{best-practices} recommendations
 and have no source distribution arranged at all.  These companies must
 work backwards from a binary distribution to come into compliance.  Our
 recommendations in \S~\ref{best-practices} are designed to make it easy to
 construct a complete and Corresponding Source release from the outset.  If
 you have followed those principles in your development, you can meet the
 following requirements with ease.  If you have not, you may have
 substantial reconstruction work to do.
 \subsection{Assemble the Sources}
 For every binary that you produce, you should collect and maintain a copy
 of the sources from which it was built.  A large system, such as an
 embedded firmware, will probably contain many GPL'd and LGPL'd components
 for which you will have to provide source.  The binary distribution may
 also contain proprietary components which are separate and independent
 works that are covered by neither the GPL nor LGPL\@.
 The best way to separate out your sources is to have a subdirectory for
 each component in your system.  You can then easily mark some of them as
 required for your Corresponding Source releases.  Collecting
 subdirectories of GPL'd and LGPL'd components is the first step toward
 preparing your release.
 \subsection{Building the Sources}
 Few distributors, particularly of embedded systems, take care to read the
 actual definition of Corresponding Source in the GPL\@.  Consider
 carefully the definition, from GPLv3:
 \begin{quote}
   The ``Corresponding Source'' for a work in object code form means all
   the source code needed to generate, install, and (for an executable
   work) run the object code and to modify the work, including scripts to
   control those activities.
 \end{quote}
 and the definition from GPLv2:
 \begin{quote}
 The source code for a work means the preferred form of the work for making
 modifications to it.  For an executable work, complete source code means
 all the source code for all modules it contains, plus any associated
 interface definition files, plus the scripts used to control compilation
 and installation of the executable.
 \end{quote}
 Note that you must include ``scripts used to control compilation and
 installation of the executable'' and/or anything ``needed to generate,
 install, and (for an executable work) run the object code and to modify
 the work, including scripts to control those activities''.  These phrases
 are written to cover different types of build environments and systems.
 Therefore, the details of what you need to provide with regard to scripts
 and installation instructions vary depending on the software details.  You
 must provide all information necessary such that someone generally skilled
 with computer systems could produce a binary similar to the one provided.
 Take as an example an embedded wireless device.  Usually, a company
 distributes a firmware, which includes a binary copy of
 Linux\footnote{``Linux'' refers only to the kernel, not the larger system
   as a whole.} and a filesystem.  That filesystem contains various binary
 programs, including some GPL'd binaries, alongside some proprietary
 binaries that are separate works (i.e., not derived from, nor based on
 freely-licensed sources).  Consider what, in this case, constitutes adequate
 ``scripts to control compilation and installation'' or items ``needed to
 generate, install and run'' the GPL'd programs.
 Most importantly, you must provide some sort of roadmap that allows
 technically sophisticated users to build your software.  This can be
 complicated in an embedded environment.  If your developers use scripts to
 control the entire compilation and installation procedure, then you can
 simply provide those scripts to users along with the sources they act
 upon.  Sometimes, however, scripts were never written (e.g., the
 information on how to build the binaries is locked up in the mind of your
 ``build guru'').  In that case, we recommend that you write out build
 instructions in a natural language as a detailed, step-by-step {\sc
   readme}.
 No matter what you offer, you need to give those who receive source a
 clear path from your sources to binaries similar to the ones you ship.  If
 you ship a firmware (kernel plus filesystem), and the filesystem contains
 binaries of GPL'd programs, then you should provide whatever is necessary
 to enable a reasonably skilled user to build any given GPL'd source
 program (and modified versions thereof), and replace the given binary in
 your filesystem.  If the kernel is Linux, then the users must have the
 instructions to do the same with the kernel.  The best way to achieve this
 is to make available to your users whatever scripts or process your
 engineers would use to do the same.
 These are the general details for how installation instructions work.
 Details about what differs when the work is licensed under LGPL is
 discussed in \S~\ref{lgpl}, and specific details that are unique to
 GPLv3's installation instructions are in \S~\ref{user-products}.
 \subsection{What About the Compiler?}
 The GPL contains no provision that requires distribution of the compiler
 used to build the software.  While companies are encouraged to make it as
 easy as possible for their users to build the sources, inclusion of the
 compiler itself is not normally considered mandatory.  The Corresponding
 Source definition -- both in GPLv2 and GPLv3 -- has not been typically
 read to include the compiler itself, but rather things like makefiles,
 build scripts, and packaging scripts.
 Nonetheless, in the interest of goodwill and the spirit of the GPL, most
 companies do provide the compiler itself when they are able, particularly
 when the compiler is based on GCC\@ or another copylefted compiler.  If you have
 a GCC-based system, it is your prerogative to redistribute that GCC
 version (binaries plus sources) to your customers.  We in the software freedom
 community encourage you to do this, since it often makes it easier for
 users to exercise their software freedom.  However, if you chose to take
 this recommendation, ensure that your GCC distribution is itself
 compliant.
 If you have used a proprietary, third-party compiler to build the
 software, then you probably cannot ship it to your customers.  We consider
 the name of the compiler, its exact version number, and where it can be
 acquired as information that \emph{must} be provided as part of the
 Corresponding Source.  This information is essential to anyone who wishes
 to produce a binary.  It is not the intent of the GPL to require you to
 distribute third-party software tools to your customer (provided the tools
 themselves are not based on the GPL'd software shipped), but we do believe
 it requires that you give the user all the essential non-proprietary facts
 that you had at your disposal to build the software.  Therefore, if you
 choose not to distribute the compiler, you should include a {\sc readme}
 about where you got it, what version it was, and who to contact to acquire
 it, regardless of whether your compiler is Free Software, proprietary, or
 internally developed.
 \section{Best Practices and Corresponding Source}
 \S~\ref{best-practices} and \S~\ref{corresponding-source} above are
 closely related.  If you follow the best practices outlined above, you
 will find that preparing your Corresponding Source release is an easier
 task, perhaps even a trivial one.
 Indeed, the enforcement process itself has historically been useful to
 software development teams.  Development on a deadline can lead
 organizations to cut corners in a way that negatively impacts its
 development processes.  We have frequently been told by violators that
 they experience difficulty when determining the exact source for a binary
 in production (in some cases because their ``build guru'' quit during the
 release cycle).  When management rushes a development team to ship a
 release, they are less likely to keep release sources tagged and build
 systems well documented.
 We suggest that, if contacted about a violation, product builders use GPL
 enforcement as an opportunity to improve their development practices.  No
 developer would argue that their system is better for having a mysterious
 build system and no source tracking.  Address these issues by installing a
 revision system, telling your developers to use it, and requiring your
 build guru to document his or her work!
 \section{Non-Technical Compliance Issues}
 Certainly, the overwhelming majority of compliance issues are, in fact,
 either procedural or technical.  Thus, the primary material in this chapter
 so far has covered those issues.  However, a few compliance issues do require
 more direct consideration of a legal situation.  This portion guide does not
 consider those in detail, as a careful reading of the earlier chapters of
 Part~\ref{gpl-lgpl-part} shows various places where legal considerations are
 necessary for considering compliance activity.
 For example, specific compliance issues related to
 \hyperref[GPLv2s7]{GPLv2\S7}, \hyperref[GPLv3s7]{GPLv3\S7}, and
 \hyperref[GPLv3s7]{GPLv3\S11} demand a more traditional approach to legal
 license compliance.  Of course, such analysis and consideration can be
 complicated, and some are considered in the enforcement case studies that
 follow in the next part.  However, compliance issues related to such sections
 are not rare, and, as is typical, no specific training is available for
 dealing with extremely rare occurrences.
 \section{Self-Assessment of Compliance}
 Most companies that adopt copylefted software believe they have complied.
 Humans usually have difficult admitting their own mistakes, particularly
 systematic ones.  Therefore, perhaps the most important necessary step to
 stay in compliance is a company's regular evaluation of their own compliance.
 First, exercise a request CCS for all copylefted works from all your upstream
 providers of software and of components embedding software.  Then, perform
 your own CCS check on this material first, and verify that it meets the
 requirements.  This tutorial presents later a case study of a COGEO's CCS
 check in \S~\ref{pristine-example}, which you can emulate when examining
 their own CCS\@.
 Second, measure all copyleft compliance from the position of the
 users\footnote{Realizing of course that user very well may not be your own
   customer.} downstream from you exercising their rights under GPL\@.  Have
 those users received notice of the copylefted software included in your
 product?  Is CCS available to the users easily (preferably by automated
 means)?  Ask yourself these questions frequently.  If you cannot answer these
 questions with certainty in the positive, dig deeper and modify your process.
 Avoid ``compliance industry'' marketing distractions and concentrate on the
 copylefted software you already know is in your product.  Historically, the
 risk from a copylefted code snippet that some programmer dropped in your
 proprietary product careless of the consequences is a problem far more
 infrequent and less difficult to resolve.  Efficient management of the risks
 of higher concern lies in making sure you can provide, for example, precisely
 CCS for a copy of Coreboot, the kernel named Linux, BusyBox, or GNU tar that
 you included in a product your company shipped two years ago than in the risk
 of 10 lines of GPL'd Java code an engineer accidentally pasted into the
 source of your ERP system.
 Thus, reject the ``compliance industry'' suggestions that code scanners find
 and help solve fundamental compliance problems.  Consider how COGEO's tend to
 use code scanners.  FOSSology is indeed an important part of a violation
 investigation, but such is the last step and catches only some (usually
 minor) licensing notice problems.  Thus, code scanners can help solve minor
 compliance problems once you have resolved the major ones.  Code scanners
 do not manage risk.
 \chapter{When The Letter Comes}
 Unfortunately, many GPL violators ignore their obligations until they are
 contacted by a copyright holder or the lawyer of a copyright holder.  You
 should certainly contact your own lawyer if you have received a letter
 alleging that you have infringed copyrights that were licensed to you
 under the GPL\@.  This section outlines a typical enforcement case and
 provides some guidelines for response.  These discussions are
 generalizations and do not all apply to every alleged violation.  However,
 COGEO's in particular universally follow the processes described herein.
 \section{Communication Is Key}
 GPL violations are typically only escalated when a company ignores the
 copyright holder's initial communication or fails to work toward timely
 compliance.  Accused violators should respond very promptly to the
 initial request.  As the process continues, violators should follow up weekly with the
 copyright holders to make sure everyone agrees on targets and deadlines
 for resolving the situation.
 Ensure that any staff who might receive communications regarding alleged
 GPL violations understands how to channel the communication appropriately
 within your organization.  Often, initial contact is addressed for general
 correspondence (e.g., by mail to corporate headquarters or by e-mail to
 general informational or support-related addresses).  Train the staff that
 processes such communications to escalate them to someone with authority
 to take action.  An uninformed response to such an inquiry (e.g., from
 a first-level technical support person) can cause negotiations to fail
 prematurely.
 Answer promptly by multiple means (paper letter, telephone call, and
 email), even if your response merely notifies the sender that you are
 investigating the situation and will respond by a certain date.  Do not
 let the conversation lapse until the situation is fully resolved.
 Proactively follow up with synchronous communication means to be sure
 communications sent by non-reliable means (such as email) were received.
 Remember that the software freedom community generally values open communication and
 cooperation, and these values extend to GPL enforcement.  You will
 generally find that software freedom developers and their lawyers are willing to
 have a reasonable dialogue and will work with you to resolve a violation
 once you open the channels of communication in a friendly way.
 Furthermore, if the complaint comes from a COGEO, assume they are
 well-prepared.  COGEO's fully investigate compliance issues before raising
 the issue.  The claims and concerns will be substantiated, and immediate
 denials will likely lead the COGEO to suspect malice rather than honest
 mistake.
 However, the biggest and most perennial mistake that all COGEOs see during
 enforcement is this: failure to include the violators' software development
 teams in the enforcement discussions and negotiations.  As described above,
 CCS verification and approval is the most time-consuming and difficult part
 of resolving most compliance matters.  Without direct contact between
 software developers on both sides, the resolution of the technical issues
 involved in demonstrating that the binary distributed was built from the
 source provided is likely to be tortuous, expensive, and tense. Your lawyers
 will certainly be understandably reluctant to expose your employees to direct
 inquiry from potentially adverse parties.  However, facilitated exchanges of
 information among software engineers communicating on technical subjects
 shortens the time to resolution, substantially reduces the cost of reaching
 resolution, and prevents unnecessary escalation due to mutual
 misunderstanding.  Furthermore, such frank technical discussion will often be
 the only way to avoid compliance litigation once a violation has occurred.
 Fortunately, these frank discussions will improve your company's
 relationships.  Free Software development communities improve software to
 benefit everyone, which includes you and your company.  When you use
 copylefted community software in your products, you are part of that
 community.  Therefore, resolving a compliance matter is an occasion to
 strengthen your relationship to the community, by increasing communication
 between your developers and the project whose work you use for business
 benefit.
 \section{Termination}
 Many redistributors overlook the GPL's termination provision (GPLv2~\S~4 and
 GPLv3~\S~8).  Under v2, violators forfeit their rights to redistribute and
 modify the GPL'd software until those rights are explicitly reinstated by
 the copyright holder.  In contrast, v3 allows violators to rapidly resolve
 some violations without consequence.
 If you have redistributed an application under GPLv2\footnote{This applies
   to all programs licensed to you under only GPLv2 (``GPLv2-only'').
   However, most so-called GPLv2 programs are actually distributed with
   permission to redistribute under GPLv2 \emph{or any later version of the
     GPL} (``GPLv2-or-later'').  In the latter cases, the redistributor can
   choose to redistribute under GPLv2, GPLv3, GPLv2-or-later or even
   GPLv3-or-later.  Where the redistributor has chosen v2 explicitly, the
   v2 termination provision will always apply.  If the redistributor has
   chosen v3, the v3 termination provision will always apply.  If the
   redistributor has chosen GPLv2-or-later, then the redistributor may want
   to narrow to GPLv3-only upon violation, to take advantage of the
   termination provisions in v3.}, but have violated the terms of GPLv2,
 you must request a reinstatement of rights from the copyright holders
 before making further distributions, or else cease distribution and
 modification of the software forever.  Different copyright holders
 condition reinstatement upon different requirements, and these
 requirements can be (and often are) wholly independent of the GPL\@.  The
 terms of your reinstatement will depend upon what you negotiate with the
 copyright holder of the GPL'd program.
 Since your rights under GPLv2 terminate automatically upon your initial
 violation, \emph{all your subsequent distributions} are violations and
 infringements of copyright.  Therefore, even if you resolve a violation on
 your own, you must still seek a reinstatement of rights from the copyright
 holders whose licenses you violated, lest you remain liable for
 infringement for even compliant distributions made subsequent to the
 initial violation.
 GPLv3 is more lenient.  If you have distributed only v3-licensed programs,
 you may be eligible under v3~\S~8 for automatic reinstatement of rights.
 You are eligible for automatic reinstatement when:
 \begin{itemize}
 \item you correct the violation and are not contacted by a copyright
   holder about the violation within sixty days after the correction, or
 \item you receive, from a copyright holder, your first-ever contact
   regarding a GPL violation, and you correct that violation within thirty
   days of receipt of copyright holder's notice.
 \end{itemize}
 In addition to these permanent reinstatements provided under v3, violators
 who voluntarily correct their violation also receive provisional
 permission to continue distributing until they receive contact from the
 copyright holder.  If sixty days pass without contact, that reinstatement
 becomes permanent.  Nonetheless, you should be prepared to cease
 distribution during those initial sixty days should you receive a
 termination notice from the copyright holder.
 Given that much discussion of v3 has focused on its so-called more
 complicated requirements, it should be noted that v3 is, in this regard,
 more favorable to violators than v2.
 However, note that most Linux-based systems typically include some software
 licensed under GPLv2-only, and thus the copyright holders have withheld
 permission to redistribute under terms of GPLv3.  In larger aggregate
 distributions which include GPLv2-only works (such as the kernel named
 Linux), redistributors must operate as if termination is immediate and
 permanent, since the technological remove of GPLv2-only works from the larger
 distribution requires much more engineering work than the negotiation
 required to seek restoration of rights for distribution under GPLv2-only
 after permanent termination.
 \chapter{Standard Requests}
 \label{enforcement-standard-requests}
 As we noted above, different copyright holders have different requirements
 for reinstating a violator's distribution rights.  Upon violation, you no
 longer have a license under the GPL\@.  Copyright holders can therefore
 set their own requirements outside the license before reinstatement of
 rights.  We have collected below a list of reinstatement demands that
 copyright holders often require.
 \begin{itemize}
 \item {\bf Compliance on all Free Software copyrights}.  Copyright holders of Free Software
   often want a company to demonstrate compliance for all GPL'd software in
   a distribution, not just their own.  A copyright holder may refuse to
   reinstate your right to distribute one program unless and until you
   comply with the licenses of all Free Software in your distribution.
 \item {\bf Notification to past recipients}.  Users to whom you previously
   distributed non-compliant software should receive a communication
   (email, letter, bill insert, etc.) indicating the violation, describing
   their rights under the GPL, and informing them how to obtain a gratis source
   distribution.  If a customer list does not exist (such as in reseller
   situations), an alternative form of notice may be required (such as a
   magazine advertisement).
 \item {\bf Appointment of a GPL Compliance Officer.}  The software freedom community
   values personal accountability when things go wrong.  Copyright holders
   often require that you name someone within the violating company
   officially responsible for Free Software license compliance, and that this
   individual serve as the key public contact for the community when
   compliance concerns arise.
 \item {\bf Periodic Compliance Reports.}  Many copyright holders wish to
   monitor future compliance for some period of time after the violation.
   For some period, your company may be required to send regular reports on
   how many distributions of binary and source have occurred.
 \end{itemize}
 These are just a few possible requirements for reinstatement.  In the
 context of a GPL violation, and particularly under v2's termination
 provision, the copyright holder may have a range of requests in exchange
 for reinstatement of rights.  These software developers are talented
 professionals from whose work your company has benefited.  Indeed, you are
 unlikely to find a better value or more generous license terms for similar
 software elsewhere.  Treat the copyright holders with the same respect you
 treat your corporate partners and collaborators.
 \chapter{Special Topics in Compliance}
 There are several other issues that are less common, but also relevant in
 a GPL compliance situation.  To those who face them, they tend to be of
 particular interest.
 \section{LGPL Compliance}
 \label{lgpl}
 GPL compliance and LGPL compliance mostly involve the same issues.  As we
 discussed in \S~\ref{derivative-works}, questions of modified versions of
 software are highly fact-dependent and cannot be easily addressed in any
 overview document.  The LGPL adds some additional complexity to the
 analysis.  Namely, the various LGPL versions permit proprietary licensing
 of certain types of modified versions.  These issues are discussed in greater
 detail in Chapter~\ref{LGPLv2} and~\ref{LGPLv3}.  However, as a rule of thumb, once you have determined
 (in accordance with LGPLv3) what part of the work is the ``Application''
 and what portions of the source are ``Minimal Corresponding Source'', then
 you can usually proceed to follow the GPL compliance rules that
 discussed above, replacing our discussion of ``Corresponding Source'' with
 ``Minimal Corresponding Source''.
 LGPL also requires that you provide a mechanism to combine the Application
 with a modified version of the library, and outlines some options for
 this.  Also, the license of the whole work must permit ``reverse
 engineering for debugging such modifications'' to the library.  Therefore,
 you should take care that the EULA used for the Application does not
 contradict this permission.
 Thus, under the terms of LGPL, you must refrain from license terms on works
 based on the licensed work that prohibit replacement of the licensed
 components of the larger non-LGPL'd work, or prohibit decompilation or
 reverse engineering in order to enhance or fix bugs in the LGPL'd components.
 LGPLv3 is not surprisingly easier to understand and examine from a compliance
 lens, since the FSF was influenced in LGPLv3's drafting by questions and
 comments on LGPLv2.1 over a period of years.  Admittedly, LGPLv2.1 is still
 in wide use, and thus compliance with LGPLv2.1 remains a frequent topic you
 may encounter.  The best advice there is careful study of
 Chapter~\ref{LGPLv2}.
 However, to repeat a key point here made within that chapter: Note though
 that, since the LGPLv2.1 can be easily upgraded to GPLv2-or-later, in the
 worst case you simply need to comply as if the software was licensed under
 GPLv2.  The only reason you must consider the question of whether you have a
 ``work that uses the library'' or a ``work based on the library'' is when you
 wish to take advantage of the ``weak copyleft'' effect of the Lesser GPL\@.
 If GPLv2-or-later is an acceptable license (i.e., if you plan to copyleft the
 entire work anyway), you may find this an easier option.
 \section{Upstream Providers}
 \label{upstream}
 With ever-increasing frequency, software development (particularly for
 embedded devices) is outsourced to third parties.  If you rely on an
 upstream provider for your software, note that you \emph{cannot ignore
   your GPL compliance requirements} simply because someone else packaged
 the software that you distribute.  If you redistribute GPL'd software
 (which you do, whenever you ship a device with your upstream's software in
 it), you are bound by the terms of the GPL\@.  No distribution (including
 redistribution) is permissible absent adherence to the license terms.
 Therefore, you should introduce a due diligence process into your software
 acquisition plans.  This is much like the software-oriented
 recommendations we make in \S~\ref{best-practices}.  Implementing
 practices to ensure that you are aware of what software is in your devices
 can only improve your general business processes.  You should ask a clear
 list of questions of all your upstream providers and make sure the answers
 are complete and accurate.  The following are examples of questions you
 should ask:
 \begin{itemize}
 \item What are all the licenses that cover the software in this device?
 \item From which upstream vendors, be they companies or individuals, did
   \emph{you} receive your software before distributing it to us?
 \item What are your GPL compliance procedures?
 \item If there is GPL'd software in your distribution, we will be
   redistributors of this GPL'd software.  What mechanisms do you have in
   place to aid us with compliance?
 \item If we follow your recommended compliance procedures, will you
   formally indemnify us in case we are nonetheless found to be in
   violation of the GPL?
 \end{itemize}
 This last point is particularly important.  Many GPL enforcement actions are
 escalated because of petty finger-pointing between the distributor and its
 upstream.  In our experience, agreements regarding GPL compliance issues
 and procedures are rarely negotiated up front.  However, when they are,
 violations are resolved much more smoothly (at least from the point of
 view of the redistributor).
 Consider the cost of potential violations in your acquisition process.
 Using Free Software allows software vendors to reduce costs significantly, but be
 wary of vendors who have done so without regard for the licenses.  If your
 vendor's costs seem ``too good to be true,'' you may ultimately bear the
 burden of the vendor's inattention to GPL compliance.  Ask the right
 questions, demand an account of your vendors' compliance procedures, and
 seek indemnity from them.
 In particular, any time your vendor incorporates copylefted software, you
 \textit{must} exercise your own rights as a user to request CCS for all the
 copylefted programs that your suppliers provided to you.  Furthermore, you
 must ensure that CCS is correct and adequate yourself.  Good vendors should
 help you do this, and make it easy.  If those vendors cannot, pick a
 different vendor before proceeding with the product.
 \section{Mergers and Acquisitions}
 Often, larger companies often encounter copyleft licensing during a Mergers
 and Acquisitions (M\&A) process.  Ultimately, a merger or acquisition causes
 all of the other company's problems to become yours.  Therefore, for most
 concerns, the acquirer ``simply'' must apply the compliance analysis and
 methodologies discussed earlier across the acquired company's entire product
 line.  Of course, this is not so simple, as such effort may be substantial,
 but a well-defined process for compliance investigation means the required
 work, while voluminous, is likely rote.
 A few sections of GPL require careful attention and legal analysis to
 determine the risk of acquisitions.  Those handling M\&A issues should pay
 particular attention to the requirements of GPLv2~\S7 and GPLv3~\S10--12 ---
 focusing on how they relate to the acquired assets may be of particular
 importance.
 For example, GPLv3\S10 clarifies that in business acquisitions, whether by
 sale of assets or transfers of control, the acquiring party is downstream
 from the party acquired.  This results in new automatic downstream licenses
 from upstream copyright holders, licenses to all modifications made by the
 acquired business, and rights to source code provisioning for the
 now-downstream purchaser.  However, despite this aid given by explicit
 language in GPLv3, acquirers must still confirm compliance by the acquired
 (even if GPLv3\S10 does assert the the acquirers rights under GPL, that does
 not help if the acquired is out of compliance altogether).  Furthermore, for
 fear of later reprisal by the acquirer if a GPL violation is later discovered
 in the acquired's product line, the acquired may need to seek a waiver and
 release of from additional damages beyond a requirement to comply fully (and
 a promise of rights restoration) if a GPL violation by the acquired is later
 uncovered during completion of the acquisition or thereafter.
 Finally, other advice available regarding handling of GPL compliance in an
 M\&A situation tends to ignore the most important issue: most essential
 copylefted software is not wholly copyrighted by the entities involved in the
 M\&A transaction.  Therefore, copyleft obligations likely reach out to the
 customers of all entities involved, as well as to the original copyright
 holders of the copylefted work.  As such, notwithstanding the two paragraphs
 in GPLv3\S10, the entities involved in M\&A should read the copyleft licenses
 through the lens of third parties whose software freedom rights under those
 licenses are of equal importance to then entities inside the transaction.
 \section{User Products and Installation Information}
 \label{user-products}
 GPLv3 requires you to provide ``Installation Information'' when v3
 software is distributed in a ``User Product.''  During the drafting of v3,
 the debate over this requirement was contentious.  However, the provision
 as it appears in the final license is reasonable and easy to understand.
 If you put GPLv3'd software into a User Product (as defined by the
 license) and \emph{you} have the ability to install modified versions onto
 that device, you must provide information that makes it possible for the
 user to install functioning, modified versions of the software.  Note that
 if no one, including you, can install a modified version, this provision
 does not apply.  For example, if the software is burned onto an
 non-field-upgradable ROM chip, and the only way that chip can be upgraded
 is by producing a new one via a hardware factory process, then it is
 acceptable that the users cannot electronically upgrade the software
 themselves.
 Furthermore, you are permitted to refuse support service, warranties, and
 software updates to a user who has installed a modified version.  You may
 even forbid network access to devices that behave out of specification due
 to such modifications.  Indeed, this permission fits clearly with usual
 industry practice.  While it is impossible to provide a device that is
 completely unmodifiable\footnote{Consider that the iPhone, a device
   designed primarily to restrict users' freedom to modify it, was unlocked
   and modified within 48 hours of its release.}, users are generally on
 notice that they risk voiding their warranties and losing their update and
 support services when they make modifications.\footnote{A popular t-shirt
   in the software freedom community reads: ``I void warranties.''.  Our community is
   well-known for modifying products with full knowledge of the
   consequences.  GPLv3's ``Installation Instructions'' section merely
   confirms that reality, and makes sure GPL rights can be fully exercised,
   even if users exercise those rights at their own peril.}
 GPLv3 is in many ways better for distributors who seek some degree of
 device lock-down.  Technical processes are always found for subverting any
 lock-down; pursuing it is a losing battle regardless.  With GPLv3, unlike
 with GPLv2, the license gives you clear provisions that you can rely on
 when you are forced to cut off support, service or warranty for a customer
 who has chosen to modify.
 % FIXME-soon: write a full section on Javascript compliance.  Here's a
 %             potentially useful one-sentence introduction for such a
 %             section.
 % Non-compliance with GPLv3 in the
 % distribution of Javascript on the Web is becoming more frequent
 %FIXME-soon: END
 \section{Beware The Consultant in Enforcers' Clothing}
 There are admittedly portions of the GPL enforcement community that function
 somewhat like the
 \href{http://en.wikipedia.org/wiki/Hacker_%28computer_security%29#Classifications}{computer
   security and network penetration testing hacker community}.  By analogy,
 most COGEO's consider themselves
 \href{http://en.wikipedia.org/wiki/White_hat_%28computer_security%29}{white hats},
 while some might appropriately call
 \hyperref[Proprietary Relicensing]{proprietary relicensing} by the name ``\href{http://en.wikipedia.org/wiki/Hacker_%28computer_security%29#Black_hat}{black hats}''.
 And, to finalize the analogy, there are indeed few
 \href{http://en.wikipedia.org/wiki/Grey_hat}{grey hat} GPL enforcers.
 Grey hat GPL enforcers usually have done some community-oriented GPL
 enforcement themselves, typically working as a volunteer for a COGEO, but make
 their living as a ``hired gun'' consultant to find GPL violations and offer
 to ``fix them'' for companies.  Other such operators hold copyrights in some
 key piece of copylefted software and enforce as a mechanism to find out who
 is most likely to fund improvements on the software.
 A few companies report that they have formed beneficial consulting or
 employment relationships with developers they first encountered through
 enforcement.  In some such cases, companies have worked with such consultants
 to alter the mode of use of the project's code in the company's products.
 More often in these cases, the communication channels opened in the course of
 the inquiry served other consulting purposes later.
 Feelings and opinions about this behavior are mixed within the larger
 copyleft community.  Some see it as a reasonable business model and others
 renounce it as corrupt behavior.  Regardless, a GPL
 violator should always immediately determine the motivations of the
 enforcer via documented, verifiable facts.  For example, COGEOs such as the FSF and Conservancy have made substantial
 public commitments to enforce in a way that is uniform, transparent, and
 publicly documented.  Furthermore, since these specific organizations are
 public charities in the USA, they
 are accountable to the IRS (and the public at large) in their annual Form 990
 filings.   Everyone may examine their revenue models and scrutinize their
 work.
 However, entities and individuals who do GPL enforcement centered primarily
 around a profit motive are likely the most dangerous enforcement entities for
 one simple reason: an agreement to comply fully with the GPL for past and
 future products --- always the paramount goal to COGEOs --- may not suffice as
 adequate resolution for a proprietary relicensing company or grey hat GPL
 enforcer.  Therefore, violators must consider carefully who has
 made the enforcement inquiry and ask when and where the enforcer made public
 commitments and reports regarding their enforcement work and perhaps even ask
 the enforcer to directly mimic CEOGEO's detailed public disclosures and
 follow the \hyperref[enforcement-standard-requests]{standard requests for
   resolution} found in this document.
 \chapter{Conclusion}
 GPL compliance need not be an onerous process.  Historically, struggles
 have been the result of poor development methodologies and communications,
 rather than any unexpected application of the GPL's source code disclosure
 requirements.
 Compliance is straightforward when the entirety of your enterprise is
 well-informed and well-coordinated.  The receptionists should know how to
 route a GPL source request or accusation of infringement.  The lawyers
 should know the basic provisions of Free Software licenses and your source
 disclosure requirements, and should explain those details to the software
 developers.  The software developers should use a version control system
 that allows them to associate versions of source with distributed
 binaries, have a well-documented build process that anyone skilled in the
 art can understand, and inform the lawyers when they bring in new
 software.  Managers should build systems and procedures that keep everyone
 on target.  With these practices in place, any organization can comply
 with the GPL without serious effort, and receive the substantial benefits
 of good citizenship in the software freedom community, and lots of great code
 ready-made for their products.
 \vfill
 % LocalWords:  redistributors NeXT's Slashdot Welte gpl ISC embedders BusyBox
 % LocalWords:  someone's downloadable subdirectory subdirectories filesystem
 % LocalWords:  roadmap README upstream's Ravicher's FOSSology readme CDs iPhone
 % LocalWords:  makefiles violator's Michlmayr Stallman RMS GPL'd Harald LGPL
 %%  LocalWords:  GPL's resellers copylefted sublicenses GPLv unmanaged MySQL
 %%  LocalWords:  misassessments licensor COGEOs COGEO LGPLv CCS Requestors
 %%  LocalWords:  codebase Yocto distributees COGEO's Coreboot ERP reseller
 %%  LocalWords:  redistributor reinstatements decompilation acquired's grey
 %%  LocalWords:  upgradable unmodifiable Relicensing relicensing

enforcement-case-studies.tex

➞

Show inline comments

 %      Tutorial Text for the Detailed Study and Analysis of GPL and LGPL course
 % License: CC-By-SA-4.0
 % The copyright holders hereby grant the freedom to copy, modify, convey,
 % Adapt, and/or redistribute this work under the terms of the Creative
 % Commons Attribution Share Alike 4.0 International License.
 % This text is distributed in the hope that it will be useful, but
 % WITHOUT ANY WARRANTY; without even the implied warranty of
 % MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 % You should have received a copy of the license with this document in
 % a file called 'CC-By-SA-4.0.txt'.  If not, please visit
 % https://creativecommons.org/licenses/by-sa/4.0/legalcode to receive
 % the license text.
 \part{Case Studies in GPL Enforcement}
 {\parindent 0in
 This part is: \\
 \begin{tabbing}
 Copyright \= \copyright{} 2003, 2004, 2014 \hspace{1mm} \= \hspace{1.mm} \=  \kill
 Copyright \> \copyright{} 2014 \>  Bradley M. Kuhn. \\
 Copyright \> \copyright{} 2014 \>  Denver Gingerich \\
 Copyright \> \copyright{} 2003, 2004, 2014 \> Free Software Foundation, Inc. \\
 \end{tabbing}
 \vspace{.2in}
 \begin{center}
 The copyright holders hereby grant the freedom to copy, modify, convey,
 Adapt, and/or redistribute this work under the terms of the Creative Commons
 Attribution Share Alike 4.0 International License.  A copy of that license is
 available at \url{https://creativecommons.org/licenses/by-sa/4.0/legalcode}.
 \end{center}
 \vfill
 This part includes material from many sources, including the following
+This part includes material from many sources, including some material from the following
 CC-By-SA-licensed published works: \\
 \begin{itemize}
 \item \textit{Enforcement Case Studies}, written by Bradley M. Kuhn and published by the Free
   Software Foundation for its CLE courses  on 2004-01-20, 2004-08-24, and 2014-03-24.
 \end{itemize}
 However, this work is primarily composed of the many contributions it
 receives as a public, collaborative project.  Please
 \href{https://gitorious.org/copyleft-org/tutorial/history/master:enforcement-case-studies.tex}{review
   its Git logs} for full documentation of all contributions.
+}
 % =====================================================================
 % START OF SECOND DAY SEMINAR SECTION
 % =====================================================================
 \chapter*{Preface}
 This one-day course presents the details of five different GPL
 compliance cases handled by FSF's GPL Compliance Laboratory. Each case
 offers unique insights into problems that can arise when the terms of
 the GPL are not properly followed, and how diplomatic negotiation between
 the violator and the copyright holder can yield positive results for
 both parties.
 Attendees should have successfully completely the course, a ``Detailed
 Study and Analysis of the GPL and LGPL,'' as the material from that
 course forms the building blocks for this material.
 This course is of most interest to lawyers who have clients or
 employers that deal with Free Software on a regular basis. However,
 technical managers and executives whose businesses use or distribute
 Free Software will also find the course very helpful.
 \bigskip
 These course materials are merely a summary of the highlights of the
 course presented. Please be aware that during the actual GPL course, class
 discussion supplements this printed curriculum. Simply reading it is
 not equivalent to attending the course.
 %FIXME-LATER: write these
 %\chapter{Not All GPL Enforcement is Created Equal}
 %\section{For-Profit Enforcement}
 %\section{Community and Non-Profit Enforcement}
 \chapter{Overview of Community Enforcement}
 The GPL is a Free Software license with legal teeth. Unlike licenses like
 the X11-style or various BSD licenses, the GPL (and by extension, the LGPL) is
 designed to defend as well as grant freedom. We saw in the last course
 that the GPL uses copyright law as a mechanism to grant all the key freedoms
 essential in Free Software, but also to ensure that those freedoms
 propagate throughout the distribution chain of the software.
 \section{Termination Begins Enforcement}
 As we have learned, the assurance that Free Software under the GPL remains
 Free Software is accomplished through various terms of the GPL: \S 3 ensures
 that binaries are always accompanied with source; \S 2 ensures that the
 sources are adequate, complete and usable; \S 6 and \S 7 ensure that the
 license of the software is always the GPL for everyone, and that no other
 legal agreements or licenses trump the GPL. It is \S 4, however, that ensures
 that the GPL can be enforced.
 Thus, \S 4 is where we begin our discussion of GPL enforcement. This
 clause is where the legal teeth of the license are rooted. As a copyright
 license, the GPL governs only the activities governed by copyright law ---
 copying, modifying and redistributing computer software. Unlike most
 copyright licenses, the GPL gives wide grants of permission for engaging with
 these activities. Such permissions continue, and all parties may exercise
 them until such time as one party violates the terms of the GPL\@. At the
 moment of such a violation (i.e., the engaging of copying, modifying or
 redistributing in ways not permitted by the GPL) \S 4 is invoked. While other
 parties may continue to operate under the GPL, the violating party loses their
 rights.
 Specifically, \S 4 terminates the violators' rights to continue
 engaging in the permissions that are otherwise granted by the GPL\@.
 Effectively, their rights revert to the copyright defaults ---
 no permission is granted to copy, modify, nor redistribute the work.
 Meanwhile, \S 5 points out that if the violator has no rights under
 the GPL, they are prohibited by copyright law from engaging in the
 activities of copying, modifying and distributing. They have lost
 these rights because they have violated the GPL, and no other license
 gives them permission to engage in these activities governed by copyright law.
 \section{Ongoing Violations}
 In conjunction with \S 4's termination of violators' rights, there is
 one final industry fact added to the mix: rarely does one engage in a
 single, solitary act of copying, distributing or modifying software.
 Almost always, a violator will have legitimately acquired a copy of a
 GPL'd program, either making modifications or not, and then begun
 distributing that work. For example, the violator may have put the
 software in boxes and sold them at stores. Or perhaps the software
 was put up for download on the Internet. Regardless of the delivery
 mechanism, violators almost always are engaged in {\em ongoing\/}
 violation of the GPL\@.
 In fact, when we discover a GPL violation that occurred only once --- for
 example, a user group who distributed copies of a GNU/Linux system without
 source at one meeting --- we rarely pursue it with a high degree of
 tenacity. In our minds, such a violation is an educational problem, and
 unless the user group becomes a repeat offender (as it turns out, they
 never do), we simply forward along a FAQ entry that best explains how user
 groups can most easily comply with the GPL, and send them on their merry way.
 It is only the cases of {\em ongoing\/} GPL violation that warrant our
 active attention. We vehemently pursue those cases where dozens, hundreds
 or thousands of customers are receiving software that is out of
 compliance, and where the company continually offers for sale (or
 distributes gratis as a demo) software distributions that include GPL'd
 components out of compliance. Our goal is to maximize the impact of
 enforcement and educate industries who are making such a mistake on a
 large scale.
 In addition, such ongoing violation shows that a particular company is
 committed to a GPL'd product line. We are thrilled to learn that someone
 is benefiting from Free Software, and we understand that sometimes they
 become confused about the rules of the road. Rather than merely
 giving us a postmortem to perform on a past mistake, an ongoing violation
 gives us an active opportunity to educate a new contributor to the GPL'd
 commons about proper procedures to contribute to the community.
 Our central goal is not, in fact, to merely clear up a particular violation.
 In fact, over time, we hope that our compliance lab will be out of
 business. We seek to educate the businesses that engage in commerce
 related to GPL'd software to obey the rules of the road and allow them to
 operate freely under them. Just as a traffic officer would not revel in
 reminding people which side of the road to drive on, so we do not revel in
 violations. By contrast, we revel in the successes of educating an
 ongoing violator about the GPL so that GPL compliance becomes a second-nature
 matter, allowing that company to join the GPL ecosystem as a contributor.
 \section{How are Violations Discovered?}
 Our enforcement of the GPL is not a fund-raising effort; in fact, FSF's GPL
 Compliance Lab runs at a loss (in other words, it is subsided by our
 donors). Our violation reports come from volunteers, who have encountered,
 in their business or personal life, a device or software product that
 appears to contain GPL'd software. These reports are almost always sent
 via email to $<$license-violation@fsf.org$>$.
 Our first order of business, upon receiving such a report, is to seek
 independent confirmation. When possible, we get a copy of the software
 product. For example, if it is an offering that is downloadable from a
 Web site, we download it and investigate ourselves. When it is not
 possible for us to actually get a copy of the software, we ask the
 reporter to go through the same process we would use in examining the
 software.
 By rough estimation, about 95\% of violations at this stage can be
 confirmed by simple commands. Almost all violators have merely made an
 error and have no nefarious intentions. They have made no attempt to
 remove our copyright notices from the software. Thus, given the
 third-party binary, {\tt tpb}, usually, a simple command (on a GNU/Linux
 system) such as the following will find a Free Software copyright notice
 and GPL reference:
 \begin{quotation}
 {\tt strings tpb | grep Copyright}
 \end{quotation}
 In other words, it is usually more than trivial to confirm that GPL'd
 software is included.
 Once we have confirmed that a violation has indeed occurred, we must then
 determine whose copyright has been violated. Contrary to popular belief,
 FSF does not have the power to enforce the GPL in all cases. Since the GPL
 operates under copyright law, the powers of enforcement --- to seek
 redress once \S 4 has been invoked --- lie with the copyright holder of
 the software. FSF is one of the largest copyright holders in the world of
 GPL'd software, but we are by no means the only one. Thus, we sometimes
 discover that while GPL'd code is present in the software, there is no
 software copyrighted by FSF present.
 In cases where FSF does not hold copyright interest in the software, but
 we have confirmed a violation, we contact the copyright holders of the
 software, and encourage them to enforce the GPL\@. We offer our good offices
 to help negotiate compliance on their behalf, and many times, we help as a
 third party to settle such GPL violations. However, what we will describe
 primarily in this course is FSF's first-hand experience enforcing its own
 copyrights and the GPL\@.
 \section{First Contact}
 The Free Software community is built on a structure of voluntary
 cooperation and mutual help. Our community has learned that cooperation
 works best when you assume the best of others, and only change policy,
 procedures and attitudes when some specific event or occurrence indicates
 that a change is necessary. We treat the process of GPL enforcement in
 the same way. Our goal is to encourage violators to join the cooperative
 community of software sharing, so we want to open our hand in friendship.
 Therefore, once we have confirmed a violation, our first assumption is
 that the violation is an oversight or otherwise a mistake due to confusion
 about the terms of the license. We reach out to the violator and ask them
 to work with us in a collaborative way to bring the product into
 compliance. We have received the gamut of possible reactions to such
 requests, and in this course, we examine four specific examples of such
 compliance work.
 % FIXME: make this section properly TeX-formatted
 \chapter{ThinkPenguin Wireless Router: Excellent CCS}
 \label{pristine-example}
 Too often, case studies examine failure and mistakes.  Indeed, most of the
 chapters that follow herein will consider the myriad difficulties discovered
 in community-oriented GPL enforcement for the last two decades.  However, to
 begin, this is a case study in how copyleft compliance can indeed be done correctly.
 This example is, in fact, more than ten years in the making.  Since almost
 the inception of for-profit corporate adoption of Free Software, companies
 have requested a clear example of a model citizen to emulate.  Sadly, while
 community-oriented enforcers have vetted uncounted thousands of ``Complete,
 Corresponding Source'' (CCS) candidates from hundreds of companies, this
 particular CCS release described herein is the first ever declared a ``pristine
 example''.
 % FIXME (above): link to a further discussion of CCS in the compliance guide
 % when a good spot exists, then (below) link to a ``CCS iteration''
 % discussion in compliance-guide.tex when one exists.  (the ``iteration
 % process'' is discussed in~\ref{} of this guide)
 Of course, most CCS examined for the last decade has (eventually) complied
 with the GPL, perhaps after many iterations of review by the enforcer.
 However, in the experience of the two primary community-oriented enforcers
 (Conservancy and the FSF), such CCS results routinely
 ``barely comply with GPL's requirements''.  To use an academic analogy:
 while a ``C'' is certainly a passing grade, any instructor prefers to
 disseminate to the class an exemplar sample that earned an ``A''.
 Fortunately, thanks in large part to the FSF's
 ``Respects Your Freedom'' (RYF) certification campaign\footnote{\href{http://www.fsf.org/resources/hw/endorsement/respects-your-freedom}{RYF is
     a campaign by FSF to certify products that truly meet the principles of
     software freedom}.  Products must meet
   \href{http://www.fsf.org/resources/hw/endorsement/criteria}{strict
     standards for RYF certification}, and among them is a pristine example of
   CCS\@.}, a few electronics products on the market meet
 a higher standard of copyleft compliance.  As such, for the first
 time in the history of copyleft, CCS experts have pristine examples to study
 and present as exemplars worthy of emulation.
 This case study therefore examines the entire life-cycle of a GPL compliance
 investigation: from product purchase, to source request, to CCS review, and concluding
 in a final compliance determination.
 Specifically, this chapter discusses the purchase, CCS provision, and a
 step-by-step build and installation analysis of a specific, physical,
 embedded electronics product:
 \href{https://www.thinkpenguin.com/gnu-linux/free-software-wireless-n-broadband-router-gnu-linux-tpe-nwifirouter}{the
   ``TPE-NWIFIROUTER'' wireless router by ThinkPenguin}.\footnote{The FSF of
   course performed a thorough CCS check as part of its certification process.
   The analysis discussed herein was independently performed by Software
   Freedom Conservancy without reviewing the FSF's findings.  Thus, this
   analysis is ``true to form'', and explains the typical procedures Conservancy
   uses when investigating a potential GPL violation.  In this case, obviously, no
   violation was uncovered.}
 \section{Consumer Purchase and Unboxing}
 The process for copyleft compliance investigation, when properly conducted,
 determines whether users inclined to exercise their rights under a copyleft
 license will be successful in their attempt.  Therefore, at every stage, the
 investigator seeks to take actions that reasonably technically knowledgeable
 users would during the ordinary course of their acquisition and use of
 copyleft-covered products.  As such, the investigator typically purchases the device on the
 open market to verify that distribution of the copylefted software therein
 complies with binary distribution requirements (such as those
 \tutorialpartsplit{discussed in \textit{Detailed Analysis of the GNU GPL and
     Related Licenses}}{discussed earlier in \S~\ref{GPLv2s3} and
   \S~\ref{GPLv3s6}}).
 % FIXME: Above is my only use of \tutorialpartsplit in this chapter.  I just
 % got lazy and that should be fixed by someone.
 \label{thinkpenguin-included-ccs}
 Therefore, the investigator first purchased the TPE-NWIFIROUTER through an
 online order, and when the package arrived, examined the contents of the box.
 The investigator immediately discovered that ThinkPenguin had taken advice
 from \S~\ref{offer-for-source}, and exercised
 \hyperref[GPLv2s3a]{GPLv2\S3(a)} and \hyperref[GPLv3s6]{GPLv3\S6}, rather than
 using the \hyperref[offer-for-source]{problematic offer for source
   provisions}.  This choice not only accelerated the investigation (since there
 was no CCS offer to ``test''), but also simplified the compliance requirements for
 ThinkPenguin.
 \section{Root Filesystem and Kernel Compilation}
 The CD found in the box was labeled ``libreCMC v1.2.1 source code'', and
 contained 407 megabytes of data.  The investigator copied this ISO to a
 desktop GNU/Linux system and
 examined its contents.  Upon doing so, the investigator immediately found a
 file called ``README'' at the top-level directory:
 \lstset{tabsize=2}
 \begin{lstlisting}[language=bash]
 $ dd if=/dev/cdrom of=libreCMC_v1.2.1_SRC.iso
 $ mkdir libCMC
 $ sudo mount -o loop ./libreCMC_v1.2.1_SRC.iso libCMC
 mount: block device /path/to/libreCMC_v1.2.1_SRC.iso
        is write-protected, mounting read-only
 $ ls -1 libCMC
 bin
 librecmc-u-boot.tar.bz2
 librecmc-v1.2.1.tar.bz2
 README
 u-boot_reflash
 $ cat libCMC/README
 ...
 \end{lstlisting}
 \label{thinkpenguin-toplevel-readme}
 The investigator therefore knew immediately to begin the CCS check should
 begin with a study of the contents of ``README''.  Indeed, that file contained the appropriate
 details to start the build:
 \begin{quotation}
 In order to build firmware images for your router, the following needs to be
 installed:
 gcc, binutils, bzip2, flex, python, perl, make, find, grep, diff, unzip,
 gawk, getopt, libz-dev and libc headers.
 Please use ``make menuconfig'' to configure your appreciated configuration
 for the toolchain and firmware. Please note that the default configuration is
 what was used to build the firmware image for your router. It is advised that
 you use this configuration.
 Simply running ``make'' will build your firmware.  The build system will
 download all sources, build the cross-compile toolchain, the kernel and all
 chosen applications.
 To build your own firmware you need to have access to a GNU/Linux system
 (case-sensitive filesystem required).
 \end{quotation}
 In other words, the first ``script'' that investigator ``ran'' was the above.
 This was not a software script, rather the processor for the script was the investigator's own
 brain --- like a script of a play.  Less glibly stated: instructions written in
 English are usually necessary for the build and installation operations
 that demand actual intelligence.
 In this case, the investigator ascertained the host system requirements
 for construction of this embedded firmware.
 GPL does not give specific guidance on the form or location of
 ``scripts used to control compilation and installation of the executable''
 and/or ``Installation Information''.  Community-oriented GPL enforcers apply a
 ``reasonableness standard'' to evaluate such instructions.  If an investigator of
 average skill in embedded firmware construction can surmise the proper
 procedures to build and install a replacement firmware, the instructions are
 likely sufficient to meet GPL's requirements.  Fortunately, in this case, the
 instructions are more abundant and give extra detail.
 Nevertheless, these instructions offer more options than the reader
 typically sees in other CCS candidates.  More typically, top-level build
 instructions name an exact host distribution to use, such as
 ``Debian 7 installed on an amd64 system with the following packages
 installed''.  Of course, if the build will fail on any other system,
 instructions \textit{should} include such details.  However, this CCS builds
 on a wide range of distributions, and thus it was appropriate (and preferred)
 that the build instructions do not  specify a specific distribution.
 \label{thinkpenguin-specific-host-system}
 In this specific case, the developers of the libreCMC project (a Free
 Software project that forms the base system for the TPE-NWIFIROUTER) have
 clearly made an effort to ensure the CCS builds on a variety of host systems.
 The investigator was in fact dubious upon seeing these instructions, since
 finicky embedded build processes usually require a very specific host system.
 Fortunately, it seems such doubts were generally unfounded (although the
 investigator did find
 \hyperref[thinkpenguin-glibc-214-issue]{a minor annoyance that could be
   resolved with more detailed instructions}).
 Anyway, since these instructions did not specify a specific host system, the
 investigator simply used his own amd64 Debian GNU/Linux 6 desktop system.  Before
 beginning, the investigator used the following command:
 \lstset{tabsize=2}
 \begin{lstlisting}[language=bash]
 $ dpkg --list | egrep '^iii' | less
 \end{lstlisting}
 to verify that the required packages listed in the README were
 installed\footnote{The ``dpkg'' command is a Debian-specific way of
   finding installed packages.}.
 Next, the investigator then extracted the primary source package with the
 following command:
 \lstset{tabsize=2}
 \begin{lstlisting}[language=bash]
 $ tar --posix -jxpf libCMC/librecmc-v1.2.1.tar.bz2
 \end{lstlisting}
 The investigator did notice an additional source release, entitled
 ``librecmc-u-boot.tar.bz2''.  The investigator concluded upon simple
 inspection that the instructions found in ``u-boot\verb0_0reflash'' were
 specific instructions for that part of the CCS\@.  This was a minor
 annoyance, and ideally the ``README'' would so-state, but the CCS filesystem
 layout met the reasonableness standard; the skilled investigator determine the correct
 course of action with a few moments of study.
 The investigator then noted the additional step offered by the ``README'',
 which read:
 \begin{quotation}
 Please use ``make menuconfig'' to configure your appreciated configuration
 for the toolchain and firmware. Please note that the default configuration is
 what was used to build the firmware image for your router. It is advised that
 you use this configuration.
 \end{quotation}
 This instruction actually exceeds GPL's requirements.
 Specifically, the instruction guides users in their first step toward
 exercising the freedom to modify the software.  While the GPL does contain
 requirements that facilitate the freedom to modify (such as ensuring the CCS is
 in the ``preferred form \ldots for making modifications to it''), GPL
 does not require specific instructions explaining how to undertake
 modifications.  This specific instruction therefore exemplifies
 the exceptional quality of this particular CCS\@.
 %FIXME: add a \hyperref to some ``preferred for for modification'' stuff above.
 However, for purposes of the CCS verification process, typically the
 investigator avoids any unnecessary changes to the source code during the
 build process, lest the investigator err and cause the build to fail through
 his own modification, and thus incorrectly identify the CCS as inadequate.
 Therefore, the investigator proceeded to simply run:
 \lstset{tabsize=2}
 \begin{lstlisting}[language=bash]
 $ cd libCMC
 $ make
 \end{lstlisting}
 and waited approximately 40 minutes for the build to complete\footnote{Build
   times will likely vary widely on various host systems.}.  The investigator
 kept a
 \href{https://gitorious.org/copyleft-org/tutorial/source/master:enforcement-case-studies_log-output/thinkpenguin_librecmc-complete.log}{full
   log of the build}, which is not included herein due its size (approximately
 .2K of text).
 \label{thinkpenguin-main-build}
 Upon completion of the ``make'' process, the investigator immediately found
 (almost to his surprise) several large firmware files in the ``bin/ar71xx''
 directory.  Typically, this step in the CCS verification process is
 harrowing.  In most cases, the ``make'' step will fail due to a missing
 package or because toolchain paths are not setup correctly.
 In light of such experiences, the investigator speculated that ThinkPenguin's engineers did
 the most important step in self-CCS verification: test one's own instructions
 on a clean system.  Ideally, an employee with similar skills but
 unfamiliar with the specific product can most easily verify CCS  and identify
 problems before a violation occurs.
 % FIXME: Is there stuff about the above in the compliance guide?  If so, link
 % to it.  If not, write it, then link to it. :)
 However, upon completing the ``make'', the investigator was unclear which
 filesystem and kernel images to install on the TPE-NWIFIROUTER hardware.
 Ideally, the original ``README'' would indicate which image is appropriate
 for the included hardware.  However, this was ultimately an annoyance rather
 than a compliance issue.  Fortunately,
 the web UI (see next section) on the TPE-NWIFIROUTER performs firmware image
 installation.  Additionally, the router's version number was specified on the
 bottom of the device, which indicated which of the differently-versioned images
 we should install.  The investigator would prefer instructions such as
 those found at
 \url{http://librecmc.org/librecmc/wiki?name=Tp+MR3020}{instructions similar
   to these} in the README itself; however, application of the reasonableness
 standard here again indicates compliance, since a knowledgeable user can easily
 determine the proper course of action.
 \section{U-Boot Compilation}
 %FIXME: link to u-boot reflash, maybe put it in log-output dir?
 The investigator then turned his attention to the file,
 ``u-boot\verb0_0reflash''.  These instructions explained how to
 build and install the bootloader for the device.
 The investigator followed the instructions for compiling U-Boot, and found
 them quite straight-forward.  The investigator discovered two minor
 annoyances, however, while building U-Boot:
 \begin{itemize}
  \item The variable \verb0$U-BOOT_SRC0 was used as a placeholder for the name
    of the extracted source directory.  This was easy to surmise and was not a
    compliance issue (per the reasonableness standard), but explicitly stating
    that fact at the top of the instructions would be helpful.
 \label{thinkpenguin-glibc-214-issue}
 \item Toolchain binaries were included and used by default by the build
   process.  These binaries were not the appropriate ones for the
   investigator's host system, and the build failed with the following error:
 \lstset{tabsize=2}
 \begin{lstlisting}
 mips-librecmc-linux-uclibc-gcc.bin: /lib/libc.so.6:
    version `GLIBC`_2.14' not found
    (required by mips-librecmc-linux-uclibc-gcc.bin)
 \end{lstlisting}
    (The
 \href{https://gitorious.org/copyleft-org/tutorial/source/master:enforcement-case-studies_log-output/thinkpenguin_u-boot-build_fail.log}{complete
   log output from the failure} is too lengthy to include herein.)
    This issue is an annoyance, not a compliance problem.  It was clear from
    context that these binaries were simply for a different host architecture, and
    the investigator simply removed ``toolchain/bin'' and created a symlink to
    utilize the toolchain already built earlier (during the compilation
    discussed in \S~\ref{thinkpenguin-main-build}):
 \lstset{tabsize=2}
 \begin{lstlisting}
 $ ln -s \
   ../../staging_dir/toolchain-mips_34kc_gcc-4.6-linaro_uClibc-0.9.33.2/bin \
   toolchain/bin
 \end{lstlisting}
    After this change, the U-Boot build completed successfully.
 \end{itemize}
 The
 \href{https://gitorious.org/copyleft-org/tutorial/source/master:enforcement-case-studies_log-output/thinkpenguin_u-boot-finish_build.log}{full
   log of the build} is not included herein due its size (approximately 3.8K
 of text).  After that, the investigator found a new U-Boot image in the
 ``bin'' directory.
 \section{Root Filesystem and Kernel Installation}
 The investigator next tested installation of the firmware.  In particular,
 the investigator connected the TPE-NWIFIROUTER to a local network, and
 visited \url{http://192.168.10.1/}, logged in, and chose the option sequence:
 ``System $\Rightarrow$ Backup / Flash Firmware''.
 From there, the investigator chose the ``Flash new firmware image'' section
 and selected the
 ``librecmc-ar71xx-generic-tl-wr841n-v8-squashfs-sysupgrade.bin'' image from
 the ``bin/ar71xx'' directory.  The investigator chose the ``v8'' image upon
 verifying the physical router read ``v8.2'' on its bottom.  The investigator
 chose the ``sysupgrade'' version of the image because this was clearly a
 system upgrade (as a firmware already came preinstalled on the
 TPE-NWIFIROUTER).
 Upon clicking ``Flash image\ldots'', the web interface prompted the
 investigator to confirm the MD5 hash of the image to flash.  The investigator
 did so, and then clicked ``Proceed'' to flash the image.  The process took
 about one minute, at which point the web page refreshed to the login screen.
 Upon logging in, the investigator was able to confirm in the ``Kernel Log''
 section of the web interface that the newly built copy of Linux had indeed been
 installed.
 The investigator confirmed that a new version of ``busybox'' had also been
 installed by using SSH to connect to the router and ran the command
 ``busybox'', which showed the newly-compiled version (via its date of
 compilation).
 %FIXME: dg: can you get me  a screen shot for the Kernel Log above, and paste
 %in the output of running busybox ?
 %FIXME: bkuhn: the screen shot for the Kernel Log is in the log output dir at
 %thinkpenguin_librecmc-built-kernel_log.png and the BusyBox output is in the
 %same directory at thinkpenguin_librecmc-built-busybox_output.log - you may want
 %to only use part of the BusyBox output (maybe even just the login) for brevity
 \section{U-Boot Installation}
 The U-Boot installation process is substantially more complicated than the
 firmware update.  The investigator purchased the optional serial cable
 along with the TPE-NWIFIROUTER, in order to complete the U-Boot installation
 per the instructions in ``u-boot\verb0_0reflash'' in its section ``Installing
 u-boot to your router'', which reads:
 \begin{quotation}
   \begin{enumerate}
     \item Install and configure any TFTP server on your PC (tftp-hpa).
        Set a fixed IP address on your PC \ldots and connect it to the router,
        using RJ45 network cable \ldots
  \item Connect USB to UART adapter to the router and start any application to
    communicate with it, like PuTTY. \ldots
    \item Power on the router, wait for a line like one of the following and
      interrupt the process of loading a kernel:
 \begin{verbatim}
  Autobooting in 1 seconds
       (for most TP-Link routers, you should enter tpl at this point)
 Hit ESC key to stop autoboot: 1 (for 8devices Carambola 2, use ESC key)
  Hit any key to stop autoboot: 1 (for D-Link DIR-505, use any key)
 \end{verbatim}
 \item   Set ipaddr and serverip environment variables:
 \lstset{tabsize=2}
 \begin{lstlisting}
     hornet> setenv ipaddr 192.168.1.1
     hornet> setenv serverip 192.168.1.2
 \end{lstlisting}
   \end{enumerate}
 \end{quotation}
 %FIXME: image of the serial cable available anywhere to put here:
 %  https://www.adafruit.com/images/970x728/954-02.jpg
 The investigator used the purchased serial cable, which was a USB serial
 adapter with a male USB type A connector to 4 female jumper wires.  The
 female jumper wires were red, black, white, and green.
 The instructions here were slightly incomplete, since they did not specify
 how to connect the wires to the router.  However, the investigator found
 general information available online at
 \url{http://wiki.openwrt.org/toh/tp-link/tl-wr841nd#serial.console} which
 described the proper procedure.  While the ``power'' and ``ground'' cables
 were obvious, some trial and error was necessary to find the RX and TX
 cables, but this was easily determined since miswiring TX and RX yields no
 I/O and proper wiring yields the output as expected.  Using the pin gender
 changer included with the adapter, the investigator was able to stably wire
 the pins for use once the proper RX and TX connections were determined.
 The investigator then used the recommended 115200 8N1 for serial console
 settings, leaving all flow control off, and tested both with the
 \verb0minicom0 and \verb0screen0 commands.  The investigator found that if
 all 4 wires were connected on the USB serial adapter that the router would
 start without additional power and the console would receive the startup
 messages.  The investigator could replicate the same behavior by omitting the
 power cable from the USB serial adapter (red wire) and connecting the main
 power adapter to the router instead.
 At this point, the on-screen messages as described in the installation
 instructions appeared, but the investigator found that no key events sent via
 the serial port appeared to reach the U-Boot console.  In other words, while
 the investigator saw both U-Boot and kernel boot messages in the serial
 console, the investigator was unable to interrupt the boot process as
 instructed by ``u-boot\verb0_0reflash''.  Hitting a key simply did
 \textit{not} interrupt the boot process and yield the \verb0hornet>0 prompt.
 After additional trial and error over a period of hours, the investigator had
 finally to consider this question for the first time during the process:
 ``Has ThinkPenguin violated the GPL?'' More specifically, the immediate
 question was: ``Given this failure, has the distributor met
 \hyperref[GPLv2s3-build-scripts]{the requirements for `scripts used to
   control \ldots installation of the executable' (GPLv2)} and
 \hyperref[GPLv3-installation-information]{necessary `Installation
   Information' (GPLv3)}?''
 The appropriate answer to the question (at this specific stage) is ``possibly,
 but more information is needed''.  Embedded installation and configuration is
 a tricky and complex technical process.  While the GPL requires documentation
 and clear instructions for this process, the investigator did not immediately blame the distributor
 for what may be an honest, correctable mistake, or an issue legitimately explained by
 feasible alternative theories.
 In this case, upon remembering the issues of wiring, the investigator wonder
 if perhaps the power pin was accidentally connected for a moment to the RX
 pin while live.  Such action could easily fry the RX pin, and yield the
 observed behavior.  Since the investigator could not rule out the possibility
 of accidental connection of power to the RX pin mentioned, the investigator
 had to assume the instructions would work properly if he had not made that
 error.
 That conclusion, while correct, also left the investigator with only two
 option to complete the final verification of the CCS:
 \begin{itemize}
    \item Purchase a new router and cable anew, and reattempt the installation
      process while taking extra care not to miswire any cables.
    \item Seek assistance from the libreCMC community to find an alternative
      method of installation.
 \end{itemize}
 The investigator chose the latter and then contacted a libreCMC developer
 familiar with the product.  That developer, who  agreed the the RX pin was
 likely ruined, described an alternative method for console access using the
 {\tt netcat}.  The libreCMC developer described the process as follows:
 \begin{quotation}
   \begin{itemize}
   \item Change the IP address of the router to 192.168.1.1.
   \item Change the IP address of a desktop GNU/Linux system to 192.168.1.2.
   \item Power on the router while holding the reset button for 7 seconds.
   \item Use the {\tt netcat} command (as below) on the desktop, and press
     enter to receive U-Boot's prompt:
 \lstset{tabsize=2}
 \begin{lstlisting}[language=bash]
 $ nc -u -p 6666 192.168.1.1 6666
 uboot>
 \end{lstlisting}
   \end{itemize}
 \end{quotation}
 Upon following this procedure, the investigator was able to confirm the
 (original) shipped version of U-Boot was still installed:
 \begin{lstlisting}[language=bash]
 $ nc -u -p 6666 192.168.1.1 6666
 uboot> version
 U-Boot 1.1.4 (Jul 28 2014)
 \end{lstlisting}
 Thereafter, the investigator followed the instructions from
 ``u-boot\verb0_0reflash''.  Specifically, the investigator configured a TFTP server
 and placed the newly built firmware into \texttt{/srv/tftp}.  The investigator
 also followed the remaining instructions in ``u-boot\verb0_0reflash'', but
 used the \texttt{netcat} console rather than the serial console, and
 used U-Boot's \texttt{reset} command to reboot the router.
 Upon reboot, the serial console (still connect with working output) showed
 the message \texttt{U-Boot 1.1.4  (Oct 17 2014)}, and thus confirmed a
 successful reflash of the U-Boot image built by the investigator.
 \section{Firmware Comparison}
 Next, to ensure the CCS did indeed correspond to the firmware original
 installed on the TPE-NWIFIROUTER, the investigator compared the built
 firmware image with the filesystem originally found on the device itself.
 The comparison steps were as follows:
 \begin{enumerate}
 \item Extract the filesystem from the image we built by running
   \href{https://gitorious.org/copyleft-org/gpl-compliance-scripts/source/master:find-firmware.pl}{find-firmware.pl}
   on ``bin/ar71xx/librecmc-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin''
   and then running
   \href{http://www.binaryanalysis.org/en/content/show/download}{bat-extratools}'
   ``squashfs4.2/squashfs-tools/bat-unsquashfs42'' on the resulting
   morx0.squash, using the filesystem in the new squashfs-root directory for
   comparison.
 \item Login to the router's web interface (at \url{http://192.168.10.1/ }) from a computer
   connected to the router.
 \item Set a password using the provided link at the top (since the router's
   UI warns that no password is set and asks the user to change it).
 \item Logged into the router via SSH, using the root user with the
   aforementioned password.
 \item Compared representative directory listings and binaries to ensure the set of
   included files (on the router) is similar to those found in the firmware
   image that the investigator created (whose contents are now in the local squashfs-root directory).  In
   particular, the investigator did the following comparisons:
   \begin{enumerate}
   \item Listed the /bin folder (``ls -l /bin'') and confirm the list of files is the same
     and that the file sizes are similar.
   \item Checked the ``strings'' output of ``/bin/busybox'' to confirm it is similar in both
    places (similar number of lines and content of lines).  (One cannot directly
    compare the binaries because the slight compilation variations will cause
    some bits to be different.)
  \item Repeated the above two steps for ``/lib/modules'', ``/usr/bin'', and other directories with
    a significant number of binaries.
  \item Checked that the kernel was sufficiently similar.  The investigator
    compared the ``dmesg'' output both before and after flashing the new
    firmware.  As the investigator expected, the kernel version string was
    similar, but had a different build date and user@host indicator.  (The
    kernel binary itself is not easily accessible from an SSH login, but was
    retrievable using the U-Boot console (the start address of the kernel in
    flash appears to be 0x9F020000, based on the boot messages seen in the
    serial console).
   \end{enumerate}
 \end{enumerate}
 \section{Minor Annoyances}
 As discussed in detail above, there were a few minor annoyances, none of
 which were GPL violations.  Rather, the annoyances briefly impeded the
 build and installation.  However, the investigator, as a reasonably skilled
 build engineer for embedded devices, was able to complete the process with
 the instructions provided.
 To summarize, no GPL compliance issues were found, and the CCS release was
 one of the best ever reviewed by any investigator at any community-oriented
 enforcement organization.  However, the following annoyances were discovered:
 \begin{itemize}
 \item Failure to explain how to extract the source tarball and then where to run the
   ``make'' command.
 \item Failure to explain how to install the kernel and root filesystem on the
   device; the user must assume the web UI must be used.
 \item Including pre-built toolchain binaries that don't work on all systems,
   and failure to copy and/or symlink built toolchain binaries in the right location.
 \item Failure to include information in the U-Boot installation instructions for
   wiring the serial cable.
 \item Ideally, the U-Boot installation instructions would also include the
   {\tt netcat} method of installation.
 \item Finally, the instructions should note that the new U-Boot firmware
   should be placed into \texttt{/srv/tftp} when using TFTP on most GNU/Linux
   desktops.
 \end{itemize}
 Thus, no CCS is absolutely perfect, but GPL violation investigators always
 give the distributors the benefit of any doubts and seek to work with the
 vendors and improve their CCS for the betterment of their users, customers,
 and the entire software freedom community.
 \section{Lessons Learned}
 Companies that seek to redistribute copylefted software can benefit greatly
 from ThinkPenguin's example.  Here are just a few of the many lessons that
 can be learned here:
 \begin{enumerate}
 \item Even though copyleft licenses have them,
   \hyperref[thinkpenguin-included-ccs]{\bf avoid the offer-for-source
     provisions}.  Not only does including the CCS alongside binary
   distribution make violation investigation and compliance confirmation
   substantially easier, but also (and more importantly) doing so
   \hyperref[offer-for-source]{completes the distributor's CCS compliance
     obligations at the time of distribution} (provided, of course, that the
   distributor is otherwise in compliance with the relevant copyleft license).
 \item {\bf Include top-level build instructions in a natural language (such
   as English) in a \hyperref[thinkpenguin-toplevel-readme]{clear and
     conspicuous place}.}  Copyleft licenses require that someone reasonably
   skilled in the art can reproduce the build and installation.  Typically,
   instructions written in English are necessary, and often easier than writing
   programmed scripts.  The ``script'' included can
   certainly be more like the script of a play and less like a Bash script.
 \item {\bf Write build/install instructions to the appropriate level of
   specificity}.  The upstream engineers
   in this case study \hyperref[thinkpenguin-specific-host-system]{clearly did
     additional work to ensure functionality on a wide variety of host build
     systems}; this is quite rare.  When in doubt, include the maximum level
   of detail build engineers can provide with the CCS instructions, but also
   double-check to investigate if a more generalized solution (such as other
   host systems) work just as well for the build.
 \item {\bf Seek to adhere to the spirit of copyleft, not just the letter of
   the license}.  Encouragement of users to improve and
   make their devices better is one of ThinkPenguin's commercial differentiators.  Copyleft advocates
   that other companies have undervalued the large and lucrative
   market of
   users who seek hackable devices.  By going beyond the
   mere minimal requirements of GPL, companies can immediately reap the
   benefits in that target market.
   \item Community-oriented enforcement organizations do not play ``gotcha''\footnote{For lack of a better
     phrase.} with distributors regarding GPL
     violations.  The goal in the GPL enforcement process is to achieve
     compliance and correct mistakes and annoyances.  Such organizations
     therefore take an ``innocent until proven guilty $\rightarrow$ assume guilty
     due to honest error rather than malicious action '' approach.  The goal
     is compliance (in direct contrast with
     the \hyperref[Proprietary Relicensing]{discussion in \S~\ref*{Proprietary Relicensing} about the
       proprietary relicensing} business model).
 \end{enumerate}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Bortez: Modified GCC SDK}
 In our first case study, we will consider Bortez, a company that
 produces software and hardware toolkits to assist OEM vendors, makers
 of consumer electronic devices.
 \section{Facts}
 One of Bortez's key products is a Software Development Kit (``SDK'')
 designed to assist developers building software for a specific class of
 consumer electronics devices.
 FSF received a report that the SDK may be based on the GNU Compiler
 Collection (which is an FSF-copyrighted collection of tools for software
 development in C, C++ and other popular languages). FSF investigated the
 claim, but was unable to confirm the violation. The violation reporter
 was unresponsive to follow-up requests for more information.
 Since FSF was unable to confirm the violation, we did not pursue it any
 further. Bogus reports do happen, and we do not want to burden companies
 with specious GPL violation complaints. FSF shelved the matter until
 more evidence was discovered.
 FSF was later able to confirm the violation when two additional reports
 surfaced from other violation reporters, both of whom had used the SDK
 professionally and noticed clear similarities to FSF's GNU GCC\@. FSF's
 Compliance Engineer asked the reporters to run standard tests to confirm
 the violation, and it was confirmed that Bortez's SDK was indeed a
 modified version of GCC\@. Bortez had ported to Windows and added a number
 of features, including support for a specific consumer device chipset and
 additional features to aid in the linking process (``LP'') for those
 specific devices. FSF explained the rights that the GPL afforded these
 customers and pointed out, for example, that Bortez only needed to provide
 source to those in possession of the binaries, and that the users may need
 to request that source (if \S 3(b) was exercised). The violators
 confirmed that such requests were not answered.
 FSF brought the matter to the attention of Bortez, who immediately
 escalated the matter to their attorneys. After a long negotiation,
 Bortez acknowledged that their SDK was indeed a modified version of
 GCC\@. Bortez released most of the source, but some disagreement
 occurred over whether LP was also derivative of GCC\@. After repeated
 FSF inquiries, Bortez reaudited the source to discover that FSF's
 analysis was correct. Bortez determined that LP included a number of
 source files copied from the GCC code-base.
 \label{davrik-build-problems}
 Once the full software release was made available, FSF asked the violation
 reporters if it addressed the problem. Reports came back that the source
 did not properly build. FSF asked Bortez to provide better build
 instructions with the software, and such build instructions were
 incorporated into the next software release.
 At FSF's request as well, Bortez informed customers who had previously
 purchased the product that the source was now available by announcing
 the availability on its Web site and via a customer newsletter.
 Bortez did have some concerns regarding patents. They wished to include a
 statement with the software release that made sure they were not granting
 any patent permission other than what was absolutely required by the GPL\@.
 They understood that their patent assertions could not trump any rights
 granted by the GPL\@. The following language was negotiated into the release:
 \begin{quotation}
 Subject to the qualifications stated below, Bortez, on behalf of itself
 and its Subsidiaries, agrees not to assert the Claims against you for your
 making, use, offer for sale, sale, or importation of the Bortez's GNU
 Utilities or derivative works of the Bortez's GNU Utilities
 (``Derivatives''), but only to the extent that any such Derivatives are
 licensed by you under the terms of the GNU General Public License. The
 Claims are the claims of patents that Bortez or its Subsidiaries have
 standing to enforce that are directly infringed by the making, use, or
 sale of an Bortez Distributed GNU Utilities in the form it was distributed
 by Bortez and that do not include any limitation that reads on hardware;
 the Claims do not include any additional patent claims held by Bortez that
 cover any modifications of, derivative works based on or combinations with
 the Bortez's GNU Utilities, even if such a claim is disclosed in the same
 patent as a Claim. Subsidiaries are entities that are wholly owned by
 Bortez.
 This statement does not negate, limit or restrict any rights you already
 have under the GNU General Public License version 2.
 \end{quotation}
 This quelled Bortez's concerns about other patent licensing they sought to
 do outside of the GPL'd software, and satisfied FSF's concerns that Bortez
 give proper permissions to exercise teachings of patents that were
 exercised in their GPL'd software release.
 Finally, a GPL Compliance Officer inside Bortez was appointed to take
 responsibility for all matters of GPL compliance inside the company.
 Bortez is responsible for informing FSF if the position is given to
 someone else inside the company, and making sure that FSF has direct
 contact with Bortez's Compliance Officer.
 \section{Lessons}
 This case introduces a number of concepts regarding GPL enforcement.
 \begin{enumerate}
 \item {\bf Enforcement should not begin until the evidence is confirmed.}
   Most companies that distribute GPL'd software do so in compliance, and at
   times, violation reports are mistaken. Even with extensive efforts in
   GPL education, many users do not fully understand their rights and the
   obligations that companies have. By working through the investigation
   with reporters, the violation can be properly confirmed, and {\bf the
     user of the software can be educated about what to expect with GPL'd
     software}. When users and customers of GPL'd products know their
   rights, what to expect, and how to properly exercise their rights
   (particularly under \S 3(b)), it reduces the chances for user
   frustration and inappropriate community outcry about an alleged GPL
   violation.
 \item {\bf GPL compliance requires friendly negotiation and cooperation.}
   Often, attorneys and managers are legitimately surprised to find out
   GPL'd software is included in their company's products. Engineers
   sometimes include GPL'd software without understanding the requirements.
   This does not excuse companies from their obligations under the license,
   but it does mean that care and patience are essential for reaching GPL
   compliance. We want companies to understand that participating and
   benefiting from a collaborative Free Software community is not a burden,
   so we strive to make the process of coming into compliance as smooth as
   possible.
 \item {\bf Confirming compliance is a community effort.}  The whole point
   of making sure that software distributors respect the terms of the GPL is to
   allow a thriving software sharing community to benefit and improve the
   work. FSF is not the expert on how a compiler for consumer electronic
   devices should work. We therefore inform the community who originally
   brought the violation to our attention and ask them to assist in
   evaluation and confirmation of the product's compliance. Of course, FSF
   coordinates and oversees the process, but we do not want compliance for
   compliance's sake; rather, we wish to foster a cooperating community of
   development around the Free Software in question, and encourage the
   once-violator to begin participating in that community.
 \item {\bf Informing the harmed community is part of compliance.} FSF asks
   violators to make some attempt --- such as via newsletters and the
   company's Web site --- to inform those who already have the products as
   to their rights under the GPL\@. One of the key thrusts of the GPL's \S 1 and
   \S 3 is to {\em make sure the user knows she has these rights\/}. If a
   product was received out of compliance by a customer, she may never
   actually discover that she has such rights. Informing customers, in a
   way that is not burdensome but has a high probability of successfully
   reaching those who would seek to exercise their freedoms, is essential
   to properly remedy the mistake.
 \item {\bf Lines between various copyright, patent, and other legal
   mechanisms must be precisely defined and considered.}  The most
   difficult negotiation point of the Bortez case was drafting language
   that simultaneously protected Bortez's patent rights outside of the
   GPL'd source, but was consistent with the implicit patent grant in
   the GPL\@. As we discussed in the first course of this series, there is
   indeed an implicit patent grant with the GPL, thanks to \S 6 and \S 7.
   However, many companies become nervous and wish to make the grant
   explicit to assure themselves that the grant is sufficiently narrow for
   their needs. We understand that there is no reasonable way to determine
   what patent claims read on a company's GPL holdings and which do not, so
   we do not object to general language that explicitly narrows the patent
   grant to only those patents that were, in fact, exercised by the GPL'd
   software as released by the company.
 \end{enumerate}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Bracken: a Minor Violation in a GNU/Linux Distribution}
 In this case study, we consider a minor violation made by a company whose
 knowledge of the Free Software community and its functions is deep.
 \section{The Facts}
 Bracken produces a GNU/Linux operating system product that is sold
 primarily to OEM vendors to be placed in appliance devices used for a
 single purpose, such as an Internet-browsing-only device. The product
 is almost 100\% Free Software, mostly licensed under the GPL and related
 Free Software licenses.
 FSF found out about this violation through a report first posted on a
   Slashdot\footnote{Slashdot is a popular news and discussion site for
   technical readers.} comment, and then it was brought to our attention again
   by another Free Software copyright holder who had discovered the
   same violation.
 Bracken's GNU/Linux product is delivered directly from their Web site.
 This allowed FSF engineers to directly download and confirm the
 violation quickly. Two primary problems were discovered with the
 online distribution:
 \begin{itemize}
 \item No source code nor offer for source code was provided for a number
   of components for the distributed GNU/Linux system; only binaries were
   available
 \item An End User License Agreement (``EULA'') was included that
   contradicted the permissions granted by the GPL\@
 \end{itemize}
 FSF contacted Bracken and gave them the details of the violation. Bracken
 immediately ceased distribution of the product temporarily and set forth
 a plan to bring themselves back into compliance. This plan included the
 following steps:
 \begin{itemize}
 \item Bracken attorneys would rewrite the EULA to comply with the GPL and
   would vet the new EULA through FSF before use
 \item Bracken engineers would provide source side-by-side with the
   binaries for the GNU/Linux distribution on the site (and on CD's, if
   ever they distributed that way)
 \item Bracken attorneys would run an internal seminar for its engineers
   regarding proper GPL compliance to help ensure that such oversights
   regarding source releases would not occur in the future
 \item Bracken would resume distribution of the product only after FSF
   formally restored Bracken's distribution rights
 \end{itemize}
 This case was completed in about a month. FSF approved the new EULA
 text. The key portion in the EULA relating to the GPL read as follows:
 \begin{quotation}
 Many of the Software Programs included in Bracken Software are distributed
 under the terms of agreements with Third Parties (``Third Party
 Agreements'') which may expand or limit the Licensee's rights to use
 certain Software Programs as set forth in [this EULA]. Certain Software
 Programs may be licensed (or sublicensed) to Licensee under the GNU
 General Public License and other similar license agreements listed in part
 in this section which, among other rights, permit the Licensee to copy,
 modify and redistribute certain Software Programs, or portions thereof,
 and have access to the source code of certain Software Programs, or
 portions thereof. In addition, certain Software Programs, or portions
 thereof, may be licensed (or sublicensed) to Licensee under terms stricter
 than those set forth in [this EULA]. The Licensee must review the
 electronic documentation that accompanies certain Software Programs, or
 portions thereof, for the applicable Third Party Agreements. To the
 extent any Third Party Agreements require that Bracken provide rights to
 use, copy or modify a Software Program that are broader than the rights
 granted to the Licensee in [this EULA], then such rights shall take
 precedence over the rights and restrictions granted in this Agreement
 solely for such Software Programs.
 \end{quotation}
 FSF restored Bracken's distribution rights shortly after the work was
 completed as described.
 \section{Lessons Learned}
 This case was probably the most quickly and easily resolved of all GPL
 violations in the history of FSF's Compliance Lab. The ease with which
 the problem was resolved shows a number of cultural factors that play a
 role in GPL compliance.
 \begin{enumerate}
 \item {\bf Companies that understand Free Software culture better have an
   easier time with compliance.}  Bracken's products were designed and
   built around the GNU/Linux system and Free Software components. Their
   engineers were deeply familiar with the Free Software ecosystem, and
   their lawyers had seen and reviewed the GPL before. The violation was
   completely an honest mistake. Since the culture inside the company had
   already adapted to the cooperative style of resolution in the Free
   Software world, there was very little work for either party to bring the
   product into compliance.
 \item {\bf When people in key positions understand the Free Software
   nature of their software products, compliance concerns are as
   mundane as minor software bugs.}  Even the most functional system or
   structure has its problems, and successful business often depends on
   agile response to the problems that do come up; avoiding problems
   altogether is a pipe dream. Minor GPL violations can and do happen
   even with well-informed redistributors. However, resolution is
   reached quickly when the company --- and in particular, the lawyers,
   managers, and engineers working on the Free Software product lines
   --- have adapted to Free Software culture that the lower-level
   engineer already understood
 \item {\bf Legally, distribution must stop when a violation is
   identified.}  In our opinion, Bracken went above and beyond the call of
   duty by ceasing distribution while the violation was being resolved.
   Under GPL \S 4, the redistributor loses the right to distribute the
   software, and thus they are in ongoing violation of copyright law if
   they distribute before rights are restored. It is FSF's policy to
   temporarily allow distribution while compliance negotiations are ongoing
   and only in the most extreme cases (where the other party appears to be
   negotiating in bad faith) does FSF even threaten an injunction on
   copyright grounds. However, Bracken --- as a good Free Software citizen
   --- chose to be on the safe side and do the legally correct thing while
   the violation case was pending. From start to finish, it took less
   than a month to resolve. This lapse in distribution did not, to FSF's
   knowledge, impact Bracken's business in any way.
 \item {\bf EULAs are a common area for GPL problems.}  Often, EULAs
   are drafted from boilerplate text that a company uses for all its
   products. Even the most diligent attorneys forget or simply do not
   know that a product contains software licensed under the GPL and other
   Free Software licenses. Drafting a EULA that accounts for such
   licenses is straightforward; the text quoted above works just fine.
   The EULA must be designed so that it does not trump rights and
   permissions already granted by the GPL\@. The EULA must clearly state
   that if there is a conflict between it and the GPL, with regard to GPL'd
   code, the GPL is the overriding license.
 \item {\bf Compliance Officers are rarely necessary when companies are
   educated about GPL compliance.}  As we saw in the Bortez case, FSF asks
   that a formal ``GPL Compliance Officer'' be appointed inside a
   previously violating organization to shepherd the organization to a
   cooperative approach to GPL compliance. However, when FSF
   sees that an organization already has such an approach, there is no
   need to request that such an officer be appointed.
 \end{enumerate}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Vigorien: Security, Export Controls, and GPL Compliance}
 This case study introduces how concerns of ``security through obscurity''
 and regulatory problems can impact GPL compliance matters.
 \section{The Facts}
 Vigorien distributes a back-up solution product that allows system
 administrators to create encrypted backups of file-systems on
 Unix-like computers. The product is based on GNU tar, a backup utility
 that replaces the standard Unix utility simply called tar, but has
 additional features.
 Vigorien's backup solution added cryptographic features to GNU tar, and
 included a suite of utilities and graphical user interfaces surrounding
 GNU tar to make backups convenient.
 FSF discovered the violation from a user report, and determined that the
 cryptographic features were the only part of the product that constituted
 a derivative work of GNU tar; the extraneous utilities merely made
 shell calls out to GNU tar. FSF requested that Vigorien come into
 compliance with the GPL by releasing the source of GNU tar, with the
 cryptographic modifications, to its customers.
 Vigorien released the original GNU tar sources, but kept the cryptographic
 modifications proprietary. They argued that the security of their system
 depending on keeping the software proprietary and that regardless, USA
 export restrictions on cryptographic software prohibited such a release.
 FSF disputed the first claim, pointing out that Vigorien had only one
 option if they did not want to release the source: they would have to
 remove GNU tar from the software and not distribute it further. Vigorien
 rejected this suggestion, since GNU tar was an integral part of the
 product, and the security changes were useless without GNU tar.
 Regarding the export control claims, FSF proposed a number of options,
 including release of the source from one of Vigorien's divisions overseas
 where no such restrictions occurred, but Vigorien argued that the problem
 was insoluble because they operated primarily in the USA\@.
 The deadlock on the second issue was resolved when those cryptographic
 export restrictions were lifted shortly thereafter, and FSF again raised
 the matter with Vigorien. At that point, they dropped the first claim and
 agreed to release the remaining source module to their customers. They
 did so, and the violation was resolved.
 \section{Lessons Learned}
 \begin{enumerate}
 \item {\bf Removing the GPL'd portion of the product is always an
   option.}  Many violators' first response is to simply refuse to
   release the source code as the GPL requires. FSF offers the option to
   simply remove the GPL'd portions from the product and continue along
   without them. Every case where this has been suggested has led to
   the same conclusion. Like Vigorien, the violator argues that the
   product cannot function without the GPL'd components, and they
   cannot effectively replace them.
   Such an outcome is simply further evidence that the combined work in
   question is indeed a modified version of the original GPL'd component.
   If the other components cannot stand on their own and be useful without
   the GPL'd portions, then one cannot effectively argue that the work as a
   whole is not a based on the GPL'd portions.
 \item {\bf The whole product is not always covered.}  In this case,
   Vigorien had additional works aggregated. The backup system was a suite
   of utilities, some of which were the GPL and some of which were not. While
   the cryptographic routines were tightly coupled with GNU tar and clearly
   made a whole new combined work of both components, the various GUI utilities were separate and
   independent works merely aggregated with the distribution of the
   GNU-tar-based product.
 \item {\bf ``Security'' concerns do not exonerate a distributor from GPL
   obligations, and ``security through obscurity'' does not work anyway.}
   The argument that ``this is security software, so it cannot be released
   in source form'' is not a valid defense for explaining why the terms of
   the GPL are ignored. If companies do not want to release source code
   for some reason, then they should not base the work on GPL'd software.
   No external argument for noncompliance can hold weight if the work as
   a whole is indeed a modified version of a GPL'd program.
   The ``security concerns'' argument is often floated as a reason to keep
   software proprietary, but the computer security community has on
   numerous occasions confirmed that such arguments are entirely specious.
   Security experts have found --- since the beginnings of the field of
   cryptography in the ancient world --- that sharing results about systems
   and having such systems withstand peer review and scrutiny builds the
   most secure systems. While full disclosure may help some who wish to
   compromise security, it helps those who want to fix problems even more
   by identifying them early.
 \item {\bf External regulatory problems can be difficult to resolve.}
   The GPL, though grounded in copyright law, does not have the power to trump
   regulations like export controls. While Vigorien's ``security
   concerns'' were specious, their export control concerns were not. It is
   indeed a difficult problem that FSF acknowledges. We want compliance
   with the GPL and respect for users' freedoms, but we certainly do not expect
   companies to commit criminal offenses for the sake of compliance. We
   will see more about this issue in our next case study.
 \end{enumerate}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices}
 This case study considers an ongoing (at the time of writing) violation
 that has occurred. By the end of the investigation period, three
 companies were involved and many complex issues arose.
 \section{The Facts}
 Haxil produced a consumer electronics device which included a mini
 GNU/Linux distribution to control the device. The device was of interest
 to many technically-minded consumers, who purchased the device and very
 quickly discovered that Free Software was included without source.
 Mailing lists throughout the Free Software community erupted with
 complaints about the problem, and FSF quickly investigated.
 FSF confirmed that FSF-copyrighted GPL'd software was included. In
 addition, the whole distribution included GPL'd works from hundreds of
 individual copyright holders, many of whom were, at this point, up in
 arms about the violation.
 Meanwhile, Haxil was in the midst of being acquired by Polgara. Polgara
 was as surprised as everyone else to discover the product was based on
 GPL'd software; this fact had not been part of the disclosures made during
 acquisition. FSF contacted Haxil, Polgara, and the product managers
 who had transitioned into the ``Haxil division'' of the newly-merged
 Polgara company. Polgara's General Counsel's office worked with FSF on
 the matter.
 FSF formed a coalition with the other primary copyright holders
 to pursue the enforcement effort on their behalf. FSF communicated
 directly with Polgara's representatives to begin working through the
 issues on behalf of itself and the Free Software community at large.
 Polgara pointed out that the software distribution they used was mostly
 contributed by an upstream provider, Thesulac, and Haxil's changes to that
 code base were minimal. Polgara negotiated with Thesulac to obtain the
 source, although the issue moved very slowly in the channels between
 Polgara and Thesulac.
 FSF encouraged a round-table meeting so that high bandwidth communication
 could occur between FSF, Polgara and Thesulac. Polgara and Thesulac
 agreed, and that discussion began. Thesulac provided nearly complete
 sources to Polgara, and Polgara made a full software release on their
 Web site. At the time of writing, that software still has some build
 problems (similar to those that occurred with Bortez, as described in
 Section~\ref{davrik-build-problems}). FSF continues to negotiate with
 Polgara and Thesulac to resolve these problems, which have a clear path to
 a solution and are expected to resolve.
 Similar to the Vigorien case, Thesulac has regulatory concerns. In this
 case, it is not export controls --- an issue that has since been resolved
 --- but radio spectrum regulation. Since this consumer electronic device
 contains a software-programmable radio transmitter, regulations in (at
 least) the USA and Japan prohibit release of those portions of the code
 that operate the device. Since this is a low-level programming issue, the
 changes to operate the device form a single combined work with the kernel named
 Linux.  A decade later, this situation remains largely unresolved.
 \section{Lessons Learned}
 \begin{enumerate}
 \item {\bf Community outrage, while justified, can often make negotiation
   more difficult.}  FSF has a strong policy never to publicize names of
   GPL violators if they are negotiating in a friendly way and operating in
   good faith toward compliance. Most violations are honest mistakes, and
   FSF sees no reason to publicly admonish violators who genuinely want to
   come into compliance with the GPL and to work hard staying in compliance.
   This case was so public in the Free Software community that both Haxil's
   and Polgara's representatives were nearly shell-shocked by the time FSF
   began negotiations. There was much work required to diffuse the
   situation. We empathize with our community and their outrage about GPL
   violations, but we also want to follow a path that leads expediently
   to compliance. In our experience, public outcry works best as a last
   resort, not the first.
 \item {\bf For software companies, GPL compliance belongs on a corporate
   acquisition checklist. }  Polgara was truly amazed that Haxil had used
   GPL'd software in a major new product line but never informed Polgara
   during the acquisition process. While GPL compliance is not a
   particularly difficult matter, it is an additional obligation that comes
   along with the product line. When planning mergers and joint ventures,
   one should include lists of GPL'd components contained in the products
   discussed.
 \item {\bf Compliance problems of upstream providers do not excuse a
   violation for the downstream distributor.}  To paraphrase \S 6, upstream
   providers are not responsible for enforcing compliance of their
   downstream, nor are downstream distributors responsible for compliance
   problems of upstream providers. However, engaging in distribution of
   GPL'd works out of compliance is still just that: a compliance problem.
   When FSF carries out enforcement, we are patient and sympathetic when
   the problem appears to be upstream. In fact, we urge the violator to
   point us to the upstream provider so we may talk to them directly. In
   this case, we were happy to begin negotiations with Thesulac. However,
   Polgara still has an obligation to bring their product into compliance,
   regardless of Thesulac's response.
 \item {\bf It behooves upstream providers to advise downstream
   distributors about compliance matters.}  FSF has encouraged Thesulac to
   distribute a ``good practices for GPL compliance'' document with their
   product. Polgara added various software components to Thesulac's
   product, and it is conceivable that such additions can introduce
   compliance. In FSF's opinion, Thesulac is in no way legally responsible
   for such a violation introduced by their customer, but it behooves them
   from a marketing standpoint to educate their customers about using the
   product. We can argue whether or not it is your coffee vendor's fault
   if you burn yourself with their product, but (likely) no one on either
   side would dispute the prudence of placing a ``caution: hot'' label on
   the cup.
 \item {\bf FSF enforcement often avoids redundant enforcement cases from
   many parties.}  Most Free Software systems have hundreds of copyright
   holders. Some have thousands. FSF is in a unique position as one of
   the largest single copyright holders on GPL'd software and as a
   respected umpire in the community, neutrally enforcing the rules of the
   GPL road. FSF works hard in the community to convince copyright
   holders that consolidating GPL claims through FSF is better for them,
   and more likely to yield positive compliance results.
   A few copyright holders engage in the ``proprietary relicensing''
   business, so they use GPL enforcement as a sales channel for that
   business. FSF, as a community-oriented, not-for-profit organization,
   seeks only to preserve the freedom of Free Software in its enforcement
   efforts. As it turns out, most of the community of copyright holders
   of Free Software want the same thing. Share and share alike is a
   simple rule to follow, and following that rule to FSF's satisfaction
   usually means you are following it to the satisfaction of the entire
   Free Software community.
 \end{enumerate}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 % COMMENT OUT THIS CHAPTER.
 % FIXME: is this material moot now that we include the compliance guide?
 % Either way, it should be merged into compliance guide.
 %\chapter{Good Practices for Compliance}
 Generally, from the experience of GPL enforcement, we glean the following
 general practices that can help in GPL compliance for organizations that
 distribute products based on GPL'd software:
 \begin{itemize}
 \item Talk to your software engineers and ask them where they got the
   components they use in the products they build. Find out if GPL'd
   components are present.
 \item Teach your engineering staff to pay attention to license documents.
   Give them easy-to-follow policies to get approval for using a Free
   Software component.
 \item Build a ``Free Software Licensing'' committee that handles requests
   and questions about the GPL and other Free Software licenses.
 \item Add ``What parts of your products are under the GPL or other Free
   Software licenses?'' to your checklist of questions to ask when you
   consider mergers, acquisitions, or joint ventures.
 \item Encourage your engineers to participate collaboratively with GPL'd
   software development. The more knowledge about the Free Software world
   your organization has, the better equipped it is to deal with this
   rapidly changing field.
 \item When someone points out a potential GPL violation in one of your
   products, do not assume the product line is doomed. The GPL is not a virus;
   merely having GPL'd code in one part of a product does not necessarily
   mean that every related product must also be GPL'd. And, even if some
   software needs to be released that was not before, the product will
   surely survive. In FSF's enforcement efforts, we have not yet
   seen a product line die because source was released to customers in
   compliance with the GPL.
 \end{itemize}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 % LocalWords:  proprietarize redistributors sublicense yyyy Gnomovision EULAs
 % LocalWords:  Yoyodyne FrontPage improvers Berne copyrightable Stallman's GPLs
 % LocalWords:  Lessig Lessig's UCITA pre PDAs CDs reshifts GPL's Gentoo glibc
 % LocalWords:  TrollTech administrivia LGPL's MontaVista OpenTV Mitek Arce DVD
 % LocalWords:  unprotectable protectable Unfreedonia chipset CodeSourcery Iqtel
 % LocalWords:  impermissibly Bateman faire minimis Borland uncopyrightable Mgmt
 % LocalWords:  franca downloadable Bortez Bortez's Gingerich Michlmayr LGPL
 % LocalWords:  Slashdot sublicensed Vigorien Vigorien's Haxil Polgara GPL'd
 % LocalWords:  Thesulac Polgara's Haxil's Thesulac's SDK CD's tpb CCS RYF cd
 %%  LocalWords:  ThinkPenguin TPE NWIFIROUTER Unboxing copylefted GPLv mkdir
 %%  LocalWords:  Filesystem libreCMC README tabsize libCMC sudo reflash gcc
 %%  LocalWords:  binutils bzip perl getopt libz dev libc menuconfig amd dpkg
 %%  LocalWords:  toolchain filesystem thinkpenguin egrep posix jxpf ar UI ln
 %%  LocalWords:  ThinkPenguin's versioned bootloader SRC mips librecmc linux
 %%  LocalWords:  uclibc symlink tl wr squashfs sysupgrade preinstalled TFTP
 %%  LocalWords:  busybox tftp hpa IP RJ UART PuTTY ipaddr serverip setenv nc
 %%  LocalWords:  miswiring minicom startup miswire netcat uboot extratools
 %%  LocalWords:  morx Login dmesg login ccs toplevel readme differentiators
 %%  LocalWords:  hackable Relicensing relicensing toolkits OEM reaudited
 %%  LocalWords:  redistributor cryptographic

gpl-lgpl.tex

➞

Show inline comments

 % gpl-lgpl.tex                                                  -*- LaTeX -*-
 %      Tutorial Text for the Detailed Study and Analysis of GPL and LGPL course
+%
 % License: CC-By-SA-4.0
 % The copyright holders hereby grant the freedom to copy, modify, convey,
 % Adapt, and/or redistribute this work under the terms of the Creative
 % Commons Attribution Share Alike 4.0 International License.
 % This text is distributed in the hope that it will be useful, but
 % WITHOUT ANY WARRANTY; without even the implied warranty of
 % MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 % You should have received a copy of the license with this document in
 % a file called 'CC-By-SA-4.0.txt'.  If not, please visit
 % https://creativecommons.org/licenses/by-sa/4.0/legalcode to receive
 % the license text.
 % FIXME-LATER: I should make a macro like the Texinfo @xref stuff for places
 %      where I'm saying ``see section X in this tutorial'', so that the extra
 %      verbiage isn't there in the HTML versions that I'll eventually do.
 %      Maybe something like that already exists?  In the worst case, I could
 %      adapt @xref from texinfo.texi for it.
 \newcommand{\defn}[1]{\emph{#1}}
 \part{Detailed Analysis of the GNU GPL and Related Licenses}
 \label{gpl-lgpl-part}
 {\parindent 0in
 \tutorialpartsplit{``Detailed Analysis of the GNU GPL and Related Licenses''}{This part} is: \\
 \begin{tabbing}
 Copyright \= \copyright{} 2003--2007, 2014 \hspace{.1mm} \=  \kill
 Copyright \> \copyright{} 2014 \> Bradley M. Kuhn \\
 Copyright \> \copyright{} 2014 \>  Anthony K. Sebro, Jr. \\
 Copyright \> \copyright{} 2003--2007, 2014 \>  Free Software Foundation, Inc. \\
 Copyright \> \copyright{} 2014 \>  Software Freedom Law Center.
 \end{tabbing}
 \vspace{.2in}
 \begin{center}
 The copyright holders of \tutorialpartsplit{``Detailed Analysis of the GNU GPL and Related Licenses''}{this part} hereby grant the freedom to copy, modify,
 convey, Adapt, and/or redistribute this work under the terms of the Creative
 Commons Attribution Share Alike 4.0 International License.  A copy of that
 license is available at
 \verb=https://creativecommons.org/licenses/by-sa/4.0/legalcode=.
 \end{center}
 \vfill
 This part includes material from many sources, including the following
+This part includes material from many sources, including some material from the following
 CC-By-SA-licensed published works: \\
 \begin{itemize}
 \item \textit{Detailed Analysis of the GNU GPL and Related Licenses}, written by
 Bradley M. Kuhn, Daniel B.~Ravicher, and John Sullivan and published by the Free Software Foundation for its CLE courses on 2004-01-20,
 -08-24, and 2014-03-24.
 \item \hrefnofollow{http://gplv3.fsf.org/gpl-rationale-2006-01-16.html}{\textit{GPLv3 First Discussion Draft Rationale}}, written and published by the Free
   Software Foundation on 2006-01-16.
 \item \hrefnofollow{http://gplv3.fsf.org/opinions-draft-2.html}{\textit{GPLv3 Second Discussion Draft Rationale}}, written and published by the Free
   Software Foundation circa 2006-07.
 \item \hrefnofollow{http://gplv3.fsf.org/gpl3-dd3-guide}{\textit{GPLv3 Third Discussion Draft Rationale}}, written and published by the Free
   Software Foundation on   2007-03-28.
 \item \hrefnofollow{http://gplv3.fsf.org/dd3-faq}{\textit{GPLv3  Discussion Draft 3 FAQ}}, written and published by the Free1 Software Foundation on   2007-03-28.
 \item \hrefnofollow{http://gplv3.fsf.org/gpl3-dd4-guide.html}{\textit{GPLv3 Final Discussion Draft Rationale}} written and published by the Free
   Software Foundation onon 2007-05-31.
 \item \hrefnofollow{http://www.gnu.org/licences/gpl3-final-rationale.pdf}{\textit{GPLv3 Final Rationale}}, written and published by the Free
   Software Foundation on 2007-06-29.
 \end{itemize}
 However, this work is primarily composed of the many contributions it
 receives as a public, collaborative project.  Please
 \href{https://gitorious.org/copyleft-org/tutorial/history/master:gpl-lgpl.tex}{review
   its Git logs} for full documentation of all contributions.
+}
 \pagebreak
 \tutorialpartsplit{This tutorial}{This part of the tutorial} gives a
 comprehensive explanation of the most popular Free Software copyright
 license, the GNU General Public License (``GNU GPL'', or sometimes just
 ``GPL'') -- both version 2 (``GPLv2'') and version 3 (``GPLv3'') -- and
 teaches lawyers, software developers, managers and business people how to use
 the GPL (and GPL'd software) successfully both as a community-building
 ``Constitution'' for a software project, and to incorporate copylefted
 software into a new Free Software business and in existing, successful
 enterprises.
 To benefit from this part of the tutorial, readers should
 have a general familiarity with software development processes.  A basic
 understanding of how copyright law applies to software is also helpful.  The
 tutorial is of most interest to lawyers, software developers and managers who
 run or advise software businesses that modify and/or redistribute software
 under the terms of the GNU GPL (or who wish to do so in the future), and those
 who wish to make use of existing GPL'd software in their enterprise.
 Upon completion of this part of the tutorial, readers can expect
 to have learned the following:
 \begin{itemize}
   \item The freedom-defending purpose of various terms in the GNU GPLv2 and GPLv3.
   \item The differences between GPLv2 and GPLv3.
   \item The redistribution options under the GPLv2 and GPLv3.
   \item The obligations when modifying GPLv2'd or GPLv3'd software.
   \item How to build a plan for proper and successful compliance with the GPL.
   \item The business advantages that the GPL provides.
   \item The most common business models used in conjunction with the GPL.
   \item How existing GPL'd software can be used in existing enterprises.
   \item The basics of LGPLv2.1 and LGPLv3, and how they
     differ from the GPLv2 and GPLv3, respectively.
   \item The basics to begin understanding the complexities regarding
     derivative and combined works of software.
 \end{itemize}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 % END OF ABSTRACTS SECTION
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 % START OF DAY ONE COURSE
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{What Is Software Freedom?}
 Study of the GNU General Public License (herein, abbreviated as \defn{GNU
   GPL} or just \defn{GPL}) must begin by first considering the broader world
 of software freedom. The GPL was not created in a vacuum. Rather, it was
 created to embody and defend a set of principles that were set forth at the
 founding of the GNU project and the Free Software Foundation (FSF) -- the
 preeminent organization that upholds, defends and promotes the philosophy of software
 freedom. A prerequisite for understanding both of the popular versions
 of the GPL
 (GPLv2 and GPLv3) and their terms and conditions is a basic understanding of
 the principles behind them.  The GPL family of licenses are unlike nearly all
 other software licenses in that they are designed to defend and uphold these
 principles.
 \section{The Free Software Definition}
 \label{Free Software Definition}
 The Free Software Definition is set forth in full on FSF's website at
 \verb0http://fsf.org/0 \verb0philosophy/free-sw.html0. This section presents
 an abbreviated version that will focus on the parts that are most pertinent
 to the GPL\@.
 A particular user has software freedom with respect to a particular program if that
 user has the following freedoms:
 \begin{itemize}
 \item The freedom to run the program, for any purpose.
 \item The freedom to study how the program works, and modify it
 \item The freedom to redistribute copies.
 \item The freedom to distribute copies of  modified versions to others.
 \end{itemize}
 The focus on ``a particular user'' is particularly pertinent here.  It is not
 uncommon for a subset of a specific program's user base to have these freedoms, while other
 users of the same version the program have none or only some of these freedoms.
 Section~\ref{Proprietary Relicensing} talks in detail about how
 this can unfortunately happen even if a program is released under the GPL\@.
 Many people refer to software with these freedoms as ``Open Source.''
 Besides having a different political focus than those who call it Free
 Software,\footnote{The political differences between the Free Software
   Movement and the Open Source Movement are documented on FSF's Web site at
   \url{http://www.fsf.org/licensing/essays/free-software-for-freedom.html}.}
 Those who call the software ``Open Source'' are often focused on a side
 issue.  Specifically, user access to the source code of a program is a
 prerequisite to make use of the freedom to modify.  However, the important
 issue is what freedoms are granted in the license of that source code.
 Software freedom is only complete when no restrictions are imposed on how
 these freedoms are exercised.  Specifically, users and programmers can
 exercise these freedoms noncommercially or commercially.  Licenses that grant
 these freedoms for noncommercial activities but prohibit them for commercial
 activities are considered non-free.  Even the Open Source Initiative
 (\defn{OSI}) (the arbiter of what is considered ``Open Source'') also rules
 such licenses not in fitting with its ``Open Source Definition''.
 In general, software for which any of these freedoms are
 restricted in any way is called ``non-Free Software.''  Typically, the
 term ``proprietary software'' is used more or less interchangeably with
 ``non-Free Software.''  Personally, I tend to use the term ``non-Free
 Software'' to refer to noncommercial software that restricts freedom
 (such as ``shareware'') and ``proprietary software'' to refer to
 commercial software that restricts freedom (such as nearly all of
 Microsoft's and Oracle's offerings).
 Keep in mind that none of the terms ``software freedom'', ``open source''
 and ``free software'' are known to be trademarked or otherwise legally
 restricted by any organization in
 any jurisdiction.  As such, it's quite common that these terms are abused and
 misused by parties who wish to bank on the popularity of software freedom.
 When one considers using, modifying or redistributing a software package that
 purports to be Open Source or Free Software, one \textbf{must} verify that
 the license grants software freedom.
 Furthermore, throughout this text, we generally prefer the term ``software
 freedom'', as this is the least ambiguous term available to describe software
 that meets the Free Software Definition.  For example, it is well known and
 often discussed that the adjective ``free'' has two unrelated meanings in
 English: ``free as in freedom'' and ``free as in price''.  Meanwhile, the
 term ``open source'' is even more confusing, because it appears to refer only to the
 ``freedom to study'', which is merely a subset of one of the four freedoms.
 The remainder of this section considers each of each component of software
 freedom in detail.
 \subsection{The Freedom to Run}
 \label{freedom-to-run}
 The first tenet of software freedom is the user's fully unfettered right to
 run the program.  The software's license must permit any conceivable use of
 the software.  Perhaps, for example, the user has discovered an innovative
 use for a particular program, one that the programmer never could have
 predicted.  Such a use must not be restricted.
 It was once rare that this freedom was restricted by even proprietary
 software; but such is quite common today. Most End User License Agreements
 (EULAs) that cover most proprietary software typically restrict some types of
 uses.  Such restrictions of any kind are an unacceptable restriction on
 software freedom.
 \subsection{The Freedom to Change and Modify}
 Perhaps the most useful right of software freedom is the users' right to
 change, modify and adapt the software to suit their needs.  Access to the
 source code and related build and installation scripts are an essential part
 of this freedom.  Without the source code, and the ability to build and
 install the binary applications from that source, users cannot effectively
 exercise this freedom.
 Programmers directly benefit from this freedom.  However, this freedom
 remains important to users who are not programmers.  While it may seem
 counterintuitive at first, non-programmer users often exercise this freedom
 indirectly in both commercial and noncommercial settings.  For example, users
 often seek noncommercial help with the software on email lists and in user
 groups.  To make use of such help they must either have the freedom to
 recruit programmers who might altruistically assist them to modify their
 software, or to at least follow rote instructions to make basic modifications
 themselves.
 More commonly, users also exercise this freedom commercially.  Each user, or
 group of users, may hire anyone they wish in a competitive free market to
 modify and change the software.  This means that companies have a right to
 hire anyone they wish to modify their Free Software.  Additionally, such
 companies may contract with other companies to commission software
 modifications.
 \subsection{The Freedom to Copy and Share}
 Users share Free Software in a variety of ways. Software freedom advocates
 work to eliminate a fundamental ethical dilemma of the software age: choosing
 between obeying a software license and friendship (by giving away a copy of a
 program to your friend who likes the software you are using). Licenses that
 respect software freedom, therefore, permit altruistic sharing of software
 among friends.
 The commercial environment also benefits from this freedom.  Commercial sharing
 includes selling copies of Free Software: that is, Free Software can
 be distributed for any monetary
 price to anyone.  Those who redistribute Free Software commercially also have
 the freedom to selectively distribute (i.e., you can pick your customers) and
 to set prices at any level that redistributor sees fit.
 Of course, most people get copies of Free Software very cheaply (and
 sometimes without charge).  The competitive free market of Free Software
 tends to keep prices low and reasonable.  However, if someone is willing to
 pay billions of dollars for one copy of the GNU Compiler Collection, such a
 sale is completely permitted.
 Another common instance of commercial sharing is service-oriented
 distribution.  For example, some distribution vendors provide immediate
 security and upgrade distribution via a special network service.  Such
 distribution is not necessarily contradictory with software freedom.
 (Section~\ref{Business Models} of this tutorial talks in detail about some
 common Free Software business models that take advantage of the freedom to
 share commercially.)
 \subsection{The Freedom to Share Improvements}
 The freedom to modify and improve is somewhat empty without the freedom to
 share those improvements.  The software freedom community is built on the
 pillar of altruistic sharing of improved Free Software. Historically
 it was typical for a
 Free Software project to sprout a mailing list where improvements
 would be shared
 freely among members of the development community.\footnote{This is still
 commonly the case, though today there are additional ways of
 sharing Free Software.}  Such noncommercial
 sharing is the primary reason that Free Software thrives.
 Commercial sharing of modified Free Software is equally important.
 For commercial support to exist in a competitive free market, all
 developers -- from single-person contractors to large software
 companies -- must have the freedom to market their services as
 augmenters of Free Software.  All forms of such service marketing must
 be equally available to all.
 For example, selling support services for Free Software is fully
 permitted. Companies and individuals can offer themselves as ``the place
 to call'' when software fails or does not function properly.  For such a
 service to be meaningful, the entity offering that service needs the
 right to modify and improve the software for the customer to correct any
 problems that are beyond mere user error.
 Software freedom licenses also permit any entity to distribute modified
 versions of Free Software.  Most Free Software programs have a ``standard
 version'' that is made available from the primary developers of the software.
 However, all who have the software have the ``freedom to fork'' -- that is,
 make available nontrivial modified versions of the software on a permanent or
 semi-permanent basis.  Such freedom is central to vibrant developer and user
 interaction.
 Companies and individuals have the right to make true value-added versions
 of Free Software.  They may use freedom to share improvements to
 distribute distinct versions of Free Software with different functionality
 and features.  Furthermore, this freedom can be exercised to serve a
 disenfranchised subset of the user community.  If the developers of the
 standard version refuse to serve the needs of some of the software's
 users, other entities have the right to create a long- or short-lived fork
 to serve that sub-community.
 \section{How Does Software Become Free?}
 The previous section set forth key freedoms and rights that are referred to
 as ``software freedom''.  This section discusses the licensing mechanisms
 used to enable software freedom.  These licensing mechanisms were ultimately
 created as a community-oriented ``answer'' to the existing proprietary
 software licensing mechanisms.  Thus, first, consider carefully why
 proprietary software exists in the first place.
 \label{explaining-copyright}
 The primary legal regime that applies to software is copyright law.
 Proprietary software exists at all only because copyright law governs
 software.\footnote{This statement is admittedly an oversimplification. Patents and
   trade secrets can cover software and make it effectively non-Free, and one
   can contract away their rights and freedoms regarding software, or source
   code can be practically obscured in binary-only distribution without
   reliance on any legal system.  However, the primary control mechanism for
   software is copyright, and therefore this section focuses on how copyright
   restrictions make software proprietary.} Copyright law, with respect to
 software, typically governs copying, modifying, and redistributing that
 software (For details of this in the USA, see
 \href{http://www.copyright.gov/title17/92chap1.html#106}{\S~106} and
 \href{http://www.copyright.gov/title17/92chap1.html#117}{\S~117} of
 \href{http://www.law.cornell.edu/uscode/text/17}{Title 17} of the
 \textit{United States Code}).\footnote{Copyright law in general also governs
   ``public performance'' of copyrighted works. There is no generally agreed
   definition for public performance of software and both GPLv2 and GPLv3 do
   not restrict public performance.} By law (in the USA and in most other
 jurisdictions), the copyright holder (most typically, the author) of the work controls
 how others may copy, modify and/or distribute the work. For proprietary
 software, these controls are used to prohibit these activities. In addition,
 proprietary software distributors further impede modification in a practical
 sense by distributing only binary code and keeping the source code of the
 software secret.
 Copyright is not a natural state, it is a legal construction. In the USA, the
 Constitution permits, but does not require, the creation of copyright law as
 federal legislation.  Software, since it is an ``original work of authorship
 fixed in any tangible medium of expression ...  from which they can be
 perceived, reproduced, or otherwise communicated, either directly or with the
 aid of a machine or device'' (as stated in
 \href{http://www.law.cornell.edu/uscode/text/17/102}{17 USC \S~102}), is thus
 covered by the statute, and is copyrighted by default.
 However, software, in its natural state without copyright, is Free
 Software. In an imaginary world with no copyright, the rules would be
 different. In this world, when you received a copy of a program's source
 code, there would be no default legal system to restrict you from sharing it
 with others, making modifications, or redistributing those modified
 versions.\footnote{Note that this is again an oversimplification; the
   complexities with this argument are discussed in
   Section~\ref{software-and-non-copyright}.}
 Software in the real world is copyrighted by default and is automatically
 covered by that legal system.  However, it is possible to move software out
 of the domain of the copyright system.  A copyright holder can often
 \defn{disclaim} their copyright. (For example, under USA copyright law
 it is possible for a copyright holder to engage in conduct resulting
 in abandonment of copyright.)  If copyright is disclaimed, the software is
 effectively no longer restricted by copyright law.   Software not restricted by copyright is in the
 ``public domain.''
 \subsection{Public Domain Software}
 In the USA and other countries that
 are parties to the Berne Convention on Copyright, software is copyrighted
 automatically by the author when she fixes the software in a tangible
 medium.  In the software world, this usually means typing the source code
 of the software into a file.
 Imagine if authors could truly disclaim those default controls of copyright
 law.  If so, the software is in the public domain --- no longer covered by
 copyright.  Since copyright law is the construction allowing for most
 restrictions on software (i.e., prohibition of copying, modification, and
 redistribution), removing the software from the copyright system usually
 yields software freedom for its users.
 Carefully note that software truly in the public domain is \emph{not} licensed
 in any way.  It is confusing to say software is ``licensed for the
 public domain,'' or any phrase that implies the copyright holder gave
 express permission to take actions governed by copyright law.
 Copyright holders who state that they are releasing their code into
 the public domain are effectively renouncing copyright controls on
 the work.  The law gave the copyright holders exclusive controls over the
 work, and they chose to waive those controls.  Software that is, in
 this sense, in the public domain
 is conceptualized by the developer as having no copyright and thus no license. The software freedoms discussed in
 Section~\ref{Free Software Definition} are all granted because there is no
 legal system in play to take them away.
 Admittedly, a discussion of public domain software is an oversimplified
 example.
 Because copyright controls are usually automatically granted and because, in
 some jurisdictions, some copyright controls cannot be waived (see
 Section~\ref{non-usa-copyright} for further discussion), many copyright
 holders sometimes incorrectly believe a work has been placed in the public
 domain.  Second, due to aggressive lobbying by the entertainment industry,
 the ``exclusive Right'' of copyright, that was supposed to only exist for
 ``Limited Times'' according to the USA Constitution, appears to be infinite:
 simply purchased on the installment plan rather than in whole.  Thus, we must
 assume no works of software will fall into the public domain merely due to
 the passage of time.
 Nevertheless, under USA law it is likely that the typical
 disclaimers of copyright or public domain dedications we see in the
 Free Software world would be interpreted by courts as copyright
 abandonment, leading to a situation in which the user effectively receives a
 maximum grant of copyright freedoms, similar to a maximally-permissive
 Free Software license.
 The best example of software known to truly be in the public domain is software
 that is published by the USA government.  Under
 \href{http://www.law.cornell.edu/uscode/text/17/105}{17 USC 101 \S~105}, all
 works published by the USA Government are not copyrightable in the USA.
 \subsection{Why Copyright Free Software?}
 If simply disclaiming copyright on software yields Free Software, then it
 stands to reason that putting software into the public domain is the
 easiest and most straightforward way to produce Free Software. Indeed,
 some major Free Software projects have chosen this method for making their
 software Free. However, most of the Free Software in existence \emph{is}
 copyrighted. In most cases (particularly in those of FSF and the GNU
 Project), this was done due to very careful planning.
 Software released into the public domain does grant freedom to those users
 who receive the standard versions on which the original author disclaimed
 copyright. However, since the work is not copyrighted, any nontrivial
 modification made to the work is fully copyrightable.
 Free Software released into the public domain initially is Free, and
 perhaps some who modify the software choose to place their work into the
 public domain as well. However, over time, some entities will choose to
 proprietarize their modified versions. The public domain body of software
 feeds the proprietary software. The public commons disappears, because
 fewer and fewer entities have an incentive to contribute back to the
 commons. They know that any of their competitors can proprietarize their
 enhancements. Over time, almost no interesting work is left in the public
 domain, because nearly all new work is done by proprietarization.
 A legal mechanism is needed to redress this problem. FSF was in fact
 originally created primarily as a legal entity to defend software freedom,
 and that work of defending software freedom is a substantial part of
 its work today. Specifically because of this ``embrace, proprietarize and
 extend'' cycle, FSF made a conscious choice to copyright its Free Software,
 and then license it under ``copyleft'' terms. Many, including the
 developers of the kernel named Linux, have chosen to follow this paradigm.
 \label{copyleft-definition}
 Copyleft is a strategy of utilizing copyright law to pursue the policy goal
 of fostering and encouraging the equal and inalienable right to copy, share,
 modify and improve creative works of authorship.  Copyleft (as a general
 term) describes any method that utilizes the copyright system to achieve the
 aforementioned goal.  Copyleft as a concept is usually implemented in the
 details of a specific copyright license, such as the
 \hyperref[GPLv3-full-text]{GNU General Public License (GPL)} and the Creative
 Commons Attribution Share Alike License (the latter of which is the license
 of this work itself).  Copyright holders of creative work can unilaterally
 implement these licenses for their own works to build communities that
 collaboratively share and improve those copylefted creative works.
 Copyleft uses functional parts of the copyright system to achieve an unusual
 result (legal protection for free sharing). Copyleft modifies, or ``hacks''
 copyright law, which is usually employed to strengthen the rights of authors
 or publishers, to strengthen instead the rights of users.  Thus, Copyleft is
 a legal strategy and mechanism to defend, uphold and propagate software
 freedom. The basic technique of copyleft is as follows: copyright the
 software, license it under terms that give all the software freedoms, but use
 the copyright law controls to ensure that all who receive a copy of the
 software have equal rights and freedom. In essence, copyleft grants freedom,
 but forbids others to forbid that freedom to anyone else along the
 distribution and modification chains.
 Copyleft's ``reciprocity'' or ``share and share alike'' rule protects both
 developers, who avoid facing a ``prioritized'' competitor of their project,
 and users, who can be sure that they will have all four software freedoms ---
 not only in the present version of the program they use, but in all its
 future improved versions.
 Copyleft is a general concept. Much like ideas for what a computer might
 do must be \emph{implemented} by a program that actually does the job, so
 too must copyleft be implemented in some concrete legal structure.
 ``Share and share alike'' is a phrase that is used often enough to explain the
 concept behind copyleft, but to actually make it work in the real world, a
 true implementation in legal text must exist, written as a ``copyright
 license''.  The GPL implements the concept of copyleft for software-oriented
 and other functional works of a technical nature.  The ``CC BY SA'' license
 implements copyleft for works of textual, musical and visual authorship, such
 as this tutorial.
 Copyleft advocates often distinguish between the concept of a ``strong
 copyleft'' or a ``weak copyleft''.  However, ``strong vs. weak'' copyleft is
 not a dichotomy, it's a spectrum.  The strongest copylefts strive to the
 exclusive rights that copyright  grants to authors as extensively as possible
 to maximize software freedom.  As a copyleft gets ``weaker'', the copyleft
 license typically makes ``trade offs'' that might impede software freedom,
 but reach other tactic goals for the community of users and developers of the
 work.
 In other words, strong copyleft licenses place the more requirements on how
 ``the work'' is licensed.  The unit of copyright law is ``the work''.  In
 that sense, the ``work'' referenced by the licenses is anything that can be
 copyrighted or will be subject to the terms of copyright law.  Strong
 copyleft licenses exercise their scope fully.  Anything which is ``a work''
 or a ``work based on a work'' licensed under a strong copyleft is subject to
 its requirements, including the requirement of complete, corresponding source
 code\footnote{Copyleft communities' use of the term ``strong copyleft'' is
   undoubtedly imprecise.  For example, most will call the GNU GPL a ``strong
   copyleft'' license, even though the GPL itself has various exceptions, such
   as the \hyperref[GPLv3-system-library-exception]{GPLv3's system library
     exception} written into the text of the license itself.  Furthermore, the
   copyleft community continues to debate where the a license cross the line
   from ``strong copyleft'' to ``license that fails to respect software
   freedom'', although ultimately these debates are actually regarding whether
   the license fits \hyperref[Free Software Definition]{Free Software
     definition} at all.}.  Thus, copyleft licenses, particularly strong ones,
 seek to ensure the same license covers every version of ``work based on the
 work'', as recognized by local copyright law, and thereby achieve the
 specific strategic policy aim of ensuring software freedom for all users,
 developers, authors, and readers who encounter the copylefted work.
 \subsection{Software and Non-Copyright Legal Regimes}
 \label{software-and-non-copyright}
 The use, modification and distribution of software, like many endeavors,
 simultaneously interacts with multiple different legal regimes.  As was noted
 early via footnotes, copyright is merely the \textit{most common way} to
 restrict users' rights to copy, share, modify and/or redistribute software.
 However, proprietary software licenses typically use every mechanism
 available to subjugate users.  For example:
 \begin{itemize}
 \item Unfortunately, despite much effort by many in the software freedom
   community to end patents that read on software (i.e., patents on
   computational ideas), they still exist.  As such, a software
   program might otherwise seem to be unrestricted, but a patent might read on
   the software and ruin everything for its users.\footnote{See
   \S\S~\ref{gpl-implied-patent-grant},~\ref{GPLv2s7},~\ref{GPLv3s11} for more
   discussion on how the patent system interacts with copyleft, and read
   Richard M.~Stallman's essay,
   \href{http://www.wired.com/opinion/2012/11/richard-stallman-software-patents/}{\textit{Let's
       Limit the Effect of Software Patents, Since We Can't Eliminate Them}}
   for more information on the problems these patents present to society.}
 \item Digital Restrictions Management (usually called \defn{DRM}) is often
   used to impose technological restrictions on users' ability to exercise
   software freedom that they might otherwise be granted.\footnote{See
     \S~\ref{GPLv3-drm} for more information on how GPL deals with this issue.}
   The simplest (and perhaps oldest) form of DRM, of course, is separating
   software source code (read by humans), from their compiled binaries (read
   only by computers).  Furthermore,
   \href{http://www.law.cornell.edu/uscode/text/17/1201}{17 USC~\S1201} often
   prohibits users legally from circumventing some of these DRM systems.
 \item Most EULAs also include a contractual agreement that bind users further
   by forcing them to agree to a contractual, prohibitive software license
   before ever even using the software.
 \end{itemize}
 Thus, most proprietary software restricts users via multiple interlocking
 legal and technological means.  Any license that truly respect the software
 freedom of all users must not only grant appropriate copyright permissions,
 but also \textit{prevent} restrictions from other legal and technological
 means like those listed above.
 \subsection{Non-USA Copyright Regimes}
 \label{non-usa-copyright}
 Generally speaking, copyright law operates similarly enough in countries that
 have signed the Berne Convention on Copyright, and software freedom licenses
 have generally taken advantage of this international standardization of
 copyright law.  However, copyright law does differ from country to country,
 and commonly, software freedom licenses like the GPL must be considered under the
 copyright law in the jurisdiction where any licensing dispute occurs.
 Those who are most familiar with the USA's system of copyright often are
 surprised to learn that there are certain copyright controls that cannot be
 waived nor disclaimed.  Specifically, many copyright regimes outside the USA
 recognize a concept of moral rights of authors.  Typically, moral rights are
 fully compatible with respecting software freedom, as they are usually
 centered around controls that software freedom licenses generally respect,
 such as the right of an authors to require proper attribution for their work.
 \section{A Community of Equality}
 The previous section described the principles of software freedom, a brief
 introduction to mechanisms that typically block these freedoms, and the
 simplest ways that copyright holders might grant those freedoms to their
 users for their copyrighted works of software.  The previous section also
 introduced the idea of \textit{copyleft}: a licensing mechanism to use
 copyright to not only grant software freedom to users, but also to uphold
 those rights against those who might seek to curtail them.
 Copyleft, as defined in \S~\ref{copyleft-definition}, is a general term for this
 mechanism.  The remainder of this text will discuss details of various
 real-world implementations of copyleft -- most notably, the GPL\@.
 This discussion begins first with some general explanation of what the GPL is
 able to do in software development communities.  After that brief discussion
 in this section, deeper discussion of how GPL accomplishes this in practice
 follows in the next chapter.
 Simply put, though, the GPL ultimately creates a community of equality for
 both business and noncommercial users.
 \subsection{The Noncommercial Community}
 A GPL'd code base becomes a center of a vibrant development and user
 community.  Traditionally, volunteers, operating noncommercially out of
 keen interest or ``scratch an itch'' motivations, produce initial versions
 of a GPL'd system.  Because of the efficient distribution channels of the
 Internet, any useful GPL'd system is adopted quickly by noncommercial
 users.
 Fundamentally, the early release and quick distribution of the software
 gives birth to a thriving noncommercial community.  Users and developers
 begin sharing bug reports and bug fixes across a shared intellectual
 commons.  Users can trust the developers, because they know that if the
 developers fail to address their needs or abandon the project, the GPL
 ensures that someone else has the right to pick up development.
 Developers know that the users cannot redistribute their software without
 passing along the rights granted by the GPL, so they are assured that every
 one of their users is treated equally.
 Because of the symmetry and fairness inherent in GPL'd distribution,
 nearly every GPL'd package in existence has a vibrant noncommercial user
 and developer base.
 \subsection{The Commercial Community}
 By the same token, nearly all established GPL'd software systems have a
 vibrant commercial community.  Nearly every GPL'd system that has gained
 wide adoption from noncommercial users and developers eventually begins
 to fuel a commercial system around that software.
 For example, consider the Samba file server system that allows Unix-like
 systems (including GNU/Linux) to serve files to Microsoft Windows systems.
 Two graduate students originally developed Samba in their spare time and
 it was deployed noncommercially in academic environments.\footnote{See
   \href{http://turtle.ee.ncku.edu.tw/docs/samba/history}{Andrew Tridgell's
     ``A bit of history and a bit of fun''}}  However, very
 soon for-profit companies discovered that the software could work for them
 as well, and their system administrators began to use it in place of
 Microsoft Windows NT file-servers.  This served to lower the cost of
 running such servers by orders of magnitude. There was suddenly room in
 Windows file-server budgets to hire contractors to improve Samba.  Some of
 the first people hired to do such work were those same two graduate
 students who originally developed the software.
 The noncommercial users, however, were not concerned when these two
 fellows began collecting paychecks off of their GPL'd work.  They knew
 that because of the nature of the GPL that improvements that were
 distributed in the commercial environment could easily be folded back into
 the standard version.  Companies are not permitted to proprietarize
 Samba, so the noncommercial users, and even other commercial users are
 safe in the knowledge that the software freedom ensured by the GPL will remain
 protected.
 Commercial developers also work in concert with noncommercial
 developers.  Those two now-long-since graduated students continue to
 contribute to Samba altruistically, but also get paid work doing it.
 Priorities change when a client is in the mix, but all the code is
 contributed back to the standard version.  Meanwhile, many other
 individuals have gotten involved noncommercially as developers,
 because they want to ``cut their teeth on Free Software,'' or because
 the problems interest them.  When they get good at it, perhaps they
 will move on to another project, or perhaps they will become
 commercial developers of the software themselves.
 No party is a threat to another in the GPL software scenario because
 everyone is on equal ground.  The GPL protects rights of the commercial
 and noncommercial contributors and users equally. The GPL creates trust,
 because it is a level playing field for all.
 \subsection{Law Analogy}
 In his introduction to Stallman's \emph{Free Software, Free Society},
 Lawrence Lessig draws an interesting analogy between the law and Free
 Software. He argues that the laws of a free society must be protected
 much like the GPL protects software.  So that I might do true justice to
 Lessig's argument, I quote it verbatim:
 \begin{quotation}
 A ``free society'' is regulated by law. But there are limits that any free
 society places on this regulation through law: No society that kept its
 laws secret could ever be called free.  No government that hid its
 regulations from the regulated could ever stand in our tradition. Law
 controls.  But it does so justly only when visibly.  And law is visible
 only when its terms are knowable and controllable by those it regulates,
 or by the agents of those it regulates (lawyers, legislatures).
 This condition on law extends beyond the work of a legislature.  Think
 about the practice of law in American courts.  Lawyers are hired by their
 clients to advance their clients' interests.  Sometimes that interest is
 advanced through litigation. In the course of this litigation, lawyers
 write briefs. These briefs in turn affect opinions written by judges.
 These opinions decide who wins a particular case, or whether a certain law
 can stand consistently with a constitution.
 All the material in this process is free in the sense that Stallman means.
 Legal briefs are open and free for others to use.  The arguments are
 transparent (which is different from saying they are good), and the
 reasoning can be taken without the permission of the original lawyers.
 The opinions they produce can be quoted in later briefs.  They can be
 copied and integrated into another brief or opinion.  The ``source code''
 for American law is by design, and by principle, open and free for anyone
 to take. And take lawyers do---for it is a measure of a great brief that
 it achieves its creativity through the reuse of what happened before.  The
 source is free; creativity and an economy is built upon it.
 This economy of free code (and here I mean free legal code) doesn't starve
 lawyers.  Law firms have enough incentive to produce great briefs even
 though the stuff they build can be taken and copied by anyone else.  The
 lawyer is a craftsman; his or her product is public.  Yet the crafting is
 not charity. Lawyers get paid; the public doesn't demand such work
 without price.  Instead this economy flourishes, with later work added to
 the earlier.
 We could imagine a legal practice that was different --- briefs and
 arguments that were kept secret; rulings that announced a result but not
 the reasoning. Laws that were kept by the police but published to no one
 else. Regulation that operated without explaining its rule.
 We could imagine this society, but we could not imagine calling it
 ``free.''  Whether or not the incentives in such a society would be better
 or more efficiently allocated, such a society could not be known as free.
 The ideals of freedom, of life within a free society, demand more than
 efficient application.  Instead, openness and transparency are the
 constraints within which a legal system gets built, not options to be
 added if convenient to the leaders.  Life governed by software code should
 be no less.
 Code writing is not litigation.  It is better, richer, more
 productive.  But the law is an obvious instance of how creativity and
 incentives do not depend upon perfect control over the products
 created.  Like jazz, or novels, or architecture, the law gets built
 upon the work that went before. This adding and changing is what
 creativity always is.  And a free society is one that assures that its
 most important resources remain free in just this sense.\footnote{This
 quotation is Copyright \copyright{} 2002, Lawrence Lessig. It is
 licensed under the terms of
 \href{http://creativecommons.org/licenses/by/1.0/}{the ``Attribution
 License'' version 1.0} or any later version as published by Creative
 Commons.}
 \end{quotation}
 In essence, lawyers are paid to service the shared commons of legal
 infrastructure.  Few citizens defend themselves in court or write their
 own briefs (even though they are legally permitted to do so) because
 everyone would prefer to have an expert do that job.
 The Free Software economy is a market ripe for experts.  It
 functions similarly to other well established professional fields like the
 law. The GPL, in turn, serves as the legal scaffolding that permits the
 creation of this vibrant commercial and noncommercial Free Software
 economy.
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{A Tale of Two Copyleft Licenses}
 \label{tale-of-two-copylefts}
 While determining the proper methodology and criteria to yield an accurate
 count remains difficult, the GPL is generally considered one of the most
 widely used Free Software licenses.  For most of its history --- for 16 years
 from June 1991 to June 2007 --- there was really only one version of the GPL,
 version 2.
 However, the GPL had both earlier versions before version 2, and, more well
 known, a revision to version 3.
 \section{Historical Motivations for the General Public License}
 The earliest license to grant software freedom was likely the Berkeley
 Software Distribution (``BSD'') license.  This license is typical of what are
 often called lax, highly permissive licenses.  Not unlike software in the
 public domain, these non-copyleft licenses (usually) grant software freedom
 to users, but they do not go to any effort to uphold that software freedom
 for users.  The so-called ``downstream'' (those who receive the software and
 then build new things based on that software) can restrict the software and
 distribute further.
 The GNU's Not Unix (``GNU'') project, which Richard M.~Stallman (``RMS'')
 founded in 1984 to make a complete Unix-compatible operating system
 implementation that assured software freedom for all.  However, RMS saw that
 using a license that gave but did not assure software freedom would be
 counter to the goals of the GNU project.  RMS invented ``copyleft'' as an
 answer to that problem, and began using various copyleft licenses for the
 early GNU project programs.\footnote{RMS writes more fully about this topic in
   his essay entitled simply
   \href{http://www.gnu.org/gnu/thegnuproject.html}{\textit{The GNU Project}}.
     For those who want to hear the story in his own voice,
     \href{http://audio-video.gnu.org/audio/}{speech recordings} of his talk,
     \textit{The Free Software Movement and the GNU/Linux Operating System}
     are also widely available}
 \section{Proto-GPLs And Their Impact}
 %FIXME-LATER: bad line break:
 %\href{http://www.free-soft.org/gpl_history/emacs_gpl.html}{The Emacs
 %  General Public License}
 The earliest copyleft licenses were specific to various GNU programs.  For
 example,  The Emacs
 General Public License was likely the first copyleft license ever
 published.  Interesting to note that even this earliest copyleft license
 contains a version of the well-known GPL copyleft clause:
 \begin{quotation}
 You may modify your copy or copies of GNU Emacs \ldots provided that you also
 \ldots cause the whole of any work that you distribute or publish, that in
 whole or in part contains or is a derivative of GNU Emacs or any part
 thereof, to be licensed at no charge to all third parties on terms identical
 to those contained in this License Agreement.
 \end{quotation}
 This simply stated clause is the fundamental innovation of copyleft.
 Specifically, copyleft \textit{uses} the copyright holders' controls on
 permission to modify the work to add a conditional requirement.  Namely,
 downstream users may only have permission to modify  the work if they pass
 along the same permissions on the modified version that came originally to
 them.
 These original program-specific proto-GPLs give an interesting window into
 the central ideas and development of copyleft.  In particular, reviewing them
 shows how the text of the GPL we know has evolved to address more of the
 issues discussed earlier in \S~\ref{software-and-non-copyright}.
 \section{The GNU General Public License, Version 1}
 \label{GPLv1}
 In January 1989, the FSF announced that the GPL had been converted into a
 ``subroutine'' that could be reused not just for all FSF-copyrighted
 programs, but also by anyone else.  As the FSF claimed in its announcement of
 the GPLv1:\footnote{The announcement of GPLv1 was published in the
   \href{http://www.gnu.org/bulletins/bull6.html\#SEC8}{GNU's Bulletin, vol 1,
     number 6 dated January 1989}.  (Thanks very much to Andy Tai for his
   \href{http://www.free-soft.org/gpl_history/}{consolidation of research on
     the history of the pre-v1 GPL's}.)}
 \begin{quotation}
 To make it easier to copyleft programs, we have been improving on the
 legalbol architecture of the General Public License to produce a new version
 that serves as a general-purpose subroutine: it can apply to any program
 without modification, no matter who is publishing it.
 \end{quotation}
 This, like many inventive ideas, seems somewhat obvious in retrospect.  But,
 the FSF had some bright people and access to good lawyers when it started.
 It took almost five years from the first copyleft licenses to get to a
 generalized, reusable GPLv1.  In the context and mindset of the 1980s, this
 is not surprising.  The idea of reusable licensing infrastructure was not
 only uncommon, it was virtually nonexistent!  Even the early BSD licenses
 were simply copied and rewritten slightly for each new use.\footnote{It
   remains an interesting accident of history that the early BSD problematic
   ``advertising clause'' (discussion of which is somewhat beyond the scope of
   this tutorial) lives on into current day, simply because while the
   University of California at Berkeley gave unilateral permission to remove
   the clause from \textit{its} copyrighted works, others who adapted the BSD
   license with their own names in place of UC-Berkeley's never have.}  The
 GPLv1's innovation of reusable licensing infrastructure, an obvious fact
 today, was indeed a novel invention for its day.\footnote{We're all just
   grateful that the FSF also opposes business method patents, since the FSF's
   patent on a ``method for reusable licensing infrastructure'' would have
   not expired until 2006!}
 \section{The GNU General Public License, Version 2}
 The GPLv2 was released two and a half years after GPLv1, and over the
 following sixteen years, it became the standard for copyleft licensing until
 the release of GPLv3 in 2007 (discussed in more detail in the next section).
 While this tutorial does not discuss the terms of GPLv1 in detail, it is
 worth noting below the three key changes that GPLv2 brought:
 \begin{itemize}
 \item Software patents and their danger are explicitly mentioned, inspiring
   (in part) the addition of GPLv2~\S\S5--7.  (These sections are discussed in
   detail in \S~\ref{GPLv2s5}, \S~\ref{GPLv2s6} and \S~\ref{GPLv2s7} of this
   tutorial.)
 \item GPLv2~\S2's copyleft terms are expanded to more explicitly discuss the
   issue of combined works.  (GPLv2~\S2 is discussed in detail in
   \S~\ref{GPLv2s2} in this tutorial).
 \item GPLv2~\S3 includes more detailed requirements, including the phrase
  ``the scripts used to control compilation and installation of the
   executable'', which is a central component of current GPLv2 enforcement.
   (GPLv2~\S3 is discussed in detail in
   \S~\ref{GPLv2s3} in this tutorial).
 \end{itemize}
 The next chapter discusses GPLv2 in full detail, and readers who wish to dive
 into the section-by-section discussion of the GPL should jump ahead now to
 that chapter.  However, the most interesting fact to note here is how GPLv2
 was published with little fanfare and limited commentary.  This contrasts
 greatly with the creation of GPLv3.
 \section{The GNU General Public License, Version 3}
 RMS began drafting GPLv2.2 in mid-2002, and FSF ran a few discussion groups
 during that era about new text of that license.  However, rampant violations
 of the GPL required more immediate attention of FSF's licensing staff, and as
 such, much of the early 2000's was spent doing GPL enforcement
 work.\footnote{More on GPL enforcement is discussed in \tutorialpartsplit{a
     companion tutorial, \textit{A Practical Guide to GPL
       Compliance}}{Part~\ref{gpl-compliance-guide} of this tutorial}.}  In
 , FSF began in earnest drafting work for GPLv3.
 The GPLv3 process began in earnest in January 2006.  It became clear that
 many provisions of the GPL could benefit from modification to fit new
 circumstances and to reflect what the entire community learned from
 experience with version 2.  Given the scale of revision it seems proper to
 approach the work through public discussion in a transparent and accessible
 manner.
 The GPLv3 process continued through June 2007, culminating in publication of
 GPLv3 and LGPLv3 on 29 June 2007, AGPLv3 on 19 November 2007, and the GCC
 Runtime Library Exception on 27 January 2009.
 All told, four discussion drafts of GPLv3, two discussion drafts of LGPLv3
 and two discussion drafts of AGPLv3 were published and discussed.
 Ultimately, FSF remained the final arbiter and publisher of the licenses, and
 RMS himself their primary author, but input was sought from many parties, and
 these licenses do admittedly look and read more like legislation as a result.
 Nevertheless, all of the ``v3'' group are substantially better and improved
 licenses.
 GPLv3 and its terms are discussed in detail in Chapter~\ref{GPLv3}.
 \section{The Innovation of Optional ``Or Any Later'' Version}
 An interesting fact of all GPL licenses is that there are ultimately multiple
 choices for use of the license.  The FSF is the primary steward of GPL (as
 discussed later in \S~\ref{GPLv2s9} and \S~\ref{GPLv3s14}).  However, those
 who wish to license works under GPL are not required to automatically accept
 changes made by the FSF for their own copyrighted works.
 Each licensor may chose three different methods of licensing, as follows:
 \begin{itemize}
 \item explicitly name a single version of GPL for their work (usually
   indicated in shorthand by saying the license is ``GPLv$X$-only''), or
 \item name no version of the GPL, thus they allow their downstream recipients
   to select any version of the GPL they choose (usually indicated in shorthand
   by saying the license is simply ``GPL''), or
 \item name a specific version of GPL and give downstream recipients the
   option to choose that version ``or any later version as published by the
   FSF'' (usually indicated by saying the license is
   ``GPLv$X$-or-later'')\footnote{The shorthand of ``GPL$X+$'' is also popular
     for this situation.  The authors of this tutorial prefer ``-or-later''
     syntax, because it (a) mirrors the words ``or'' and ``later from the
     licensing statement, (b) the $X+$ doesn't make it abundantly clear that
     $X$ is clearly included as a license option and (c) the $+$ symbol has
     other uses in computing (such as with regular expressions) that mean
     something different.}
 \end{itemize}
 \label{license-compatibility-first-mentioned}
 Oddly, this flexibility has received (in the opinion of the authors, undue)
 criticism, primarily because of the complex and oft-debated notion of
 ``license compatibility'' (which is explained in detail in
 \S~\ref{license-compatibility}).  Copyleft licenses are generally
 incompatible with each other, because the details of how they implement
 copyleft differs.  Specifically, copyleft works only because of its
 requirement that downstream licensors use the \textit{same} license for
 combined and modified works.  As such, software licensed under the terms of
 ``GPLv2-only'' cannot be combined with works licensed ``GPLv3-or-later''.
 This is admittedly a frustrating outcome.
 Other copyleft licenses that appeared after GPL, such as the Creative Commons
 ``Attribution-Share Alike'' licenses, the Eclipse Public License and the
 Mozilla Public License \textbf{require} all copyright holders choosing
 to use any version of those licenses to automatically allow use of their
 copyrighted works under new versions.\footnote{CC-BY-SA-2.0 and greater only
 permit licensing of adaptations under future versions; 1.0 did not have
 any accomodation for future version compatibility.}  Of course, Creative
 Commons, the Eclipse Foundation, and the Mozilla Foundation (like the FSF)
 have generally served as excellent stewards of their licenses.  Copyright
 holders using those licenses seems to find it acceptable to fully delegate
 all future licensing decisions for their copyrights to these organizations
 without a second thought.
 However, note that FSF gives herein the control of copyright holders to
 decide whether or not to implicitly trust the FSF in its work of drafting
 future GPL versions.  The FSF, for its part, does encourage copyright holders
 to chose by default ``GPLv$X$-or-later'' (where $X$ is the most recent
 version of the GPL published by the FSF).  However, the FSF \textbf{does not
   mandate} that a choice to use any GPL requires a copyright holder ceding
 its authority for future licensing decisions to the FSF.  In fact, the FSF
 considered this possibility for GPLv3 and chose not to do so, instead opting
 for the third-party steward designation clause discussed in
 Section~\ref{GPLv3s14}.
 \section{Complexities of Two Simultaneously Popular Copylefts}
 Obviously most GPL advocates would prefer widespread migration to GPLv3, and
 many newly formed projects who seek a copyleft license tend to choose a
 GPLv3-based license.  However, many existing copylefted projects continue
 with GPLv2-only or GPLv2-or-later as their default license.
 While GPLv3 introduces many improvements --- many of which were designed to
 increase adoption by for-profit companies --- GPLv2 remains a widely used and
 extremely popular license.  The GPLv2 is, no doubt, a good and useful
 license.
 However, unlike GPLv1 before it,
 GPLv2 remains an integral part of the copyleft licensing infrastructure.  As such, those who seek to have expertise in current
 topics of copyleft licensing need to study both the GPLv2 and GPLv3 family of
 licenses.
 Furthermore, GPLv3 is more easily understood by first studying GPLv2.
 This is not only because of their chronological order, but also because much
 of the discussion material available for GPLv3 tends to talk about GPLv3 in
 contrast to GPLv2.  As such, a strong understanding of GPLv2 helps in
 understanding most of the third-party material found regarding GPLv3.  Thus,
 the following chapter begins a deep discussion of GPLv2.
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Running Software and Verbatim Copying}
 \label{run-and-verbatim}
 This chapter begins the deep discussion of the details of the terms of
 GPLv2\@. In this chapter, we consider the first two sections: GPLv2 \S\S
 --2. These are the straightforward sections of the GPL that define the
 simplest rights that the user receives.
 \section{GPLv2~\S0: Freedom to Run}
 \label{GPLv2s0}
 GPLv2~\S0, the opening section of GPLv2, sets forth that copyright law governs
 the work.  It specifically points out that it is the ``copyright
 holder'' who decides if a work is licensed under its terms and explains
 how the copyright holder might indicate this fact.
 A bit more subtly, GPLv2~\S0 makes an inference that copyright law is the only
 system that can restrict the software.  Specifically, it states:
 \begin{quote}
 Activities other than copying, distribution and modification are not
 covered by this License; they are outside its scope.
 \end{quote}
 In essence, the license governs \emph{only} those activities, and all other
 activities are unrestricted, provided that no other agreements trump GPLv2
 (which they cannot; see Sections~\ref{GPLv2s6} and~\ref{GPLv2s7}).  This is
 very important, because the Free Software community heavily supports
 users' rights to ``fair use'' and ``unregulated use'' of copyrighted
 material.  GPLv2 asserts through this clause that it supports users' rights
 to fair and unregulated uses.
 Fair use (called ``fair dealing'' in some jurisdictions) of copyrighted
 material is an established legal doctrine that permits certain activities
 regardless of whether copyright law would otherwise restrict those activities.
 Discussion of the various types of fair use activity are beyond the scope of
 this tutorial.  However, one important example of fair use is the right to
 quote portions of the text in a larger work so as to criticize or suggest
 changes.  This fair use right is commonly used on mailing lists when
 discussing potential improvements or changes to Free Software.
 Fair use is a doctrine established by the courts or by statute.  By
 contrast, unregulated uses are those that are not covered by the statue
 nor determined by a court to be covered, but are common and enjoyed by
 many users.  An example of unregulated use is reading a printout of the
 program's source code like an instruction book for the purpose of learning
 how to be a better programmer.  The right to read something that you have
 access to is and should remain unregulated and unrestricted.
 \medskip
 Thus, the GPLv2 protects users' fair and unregulated use rights precisely by
 not attempting to cover them.  Furthermore, the GPLv2 ensures the freedom
 to run specifically by stating the following:
 \begin{quote}
 ''The act of running the Program is not restricted.''
 \end{quote}
 Thus, users are explicitly given the freedom to run by GPLv2~\S0.
 \medskip
 The bulk of GPLv2~\S0 not yet discussed gives definitions for other terms used
 throughout.  The only one worth discussing in detail is ``work based on
 the Program''.  The reason this definition is particularly interesting is
 not for the definition itself, which is rather straightforward, but
 because it clears up a common misconception about the GPL\@.
 The GPL is often mistakenly criticized because it fails to give a
 definition of ``derivative work'' or ``combined work''.  In fact, it would be incorrect and
 problematic if the GPL attempted to define these terms.  A copyright license, in
 fact, has no control over the rules of copyright themselves.  Such rules are
 the domain of copyright law and the courts --- not the licenses that utilize
 those systems.
 Copyright law as a whole does not propose clear and straightforward guidelines
 for identifying the derivative and/or combined works of software.  However,
 no copyright license --- not even the GNU GPL --- can be blamed for this.
 Legislators and court opinions must give us guidance in borderline cases.
 Meanwhile, lawyers will likely based their conclusions on the application of rules
 made in the context of literary or artistic copyright to the different
 context of computer programming and by analyzing the (somewhat limited) case
 law and guidance available from various sources.
 (Chapter~\ref{derivative-works} discusses this issue in depth.)
 \section{GPLv2~\S1: Verbatim Copying}
 \label{GPLv2s1}
 GPLv2~\S1 covers the matter of redistributing the source code of a program
 exactly as it was received. This section is quite straightforward.
 However, there are a few details worth noting here.
 The phrase ``in any medium'' is important.  This, for example, gives the
 freedom to publish a book that is the printed copy of the program's source
 code.  It also allows for changes in the medium of distribution.  Some
 vendors may ship Free Software on a CD, but others may place it right on
 the hard drive of a pre-installed computer.  Any such redistribution media
 is allowed.
 Preservation of copyright notice and license notifications are mentioned
 specifically in GPLv2~\S1.  These are in some ways the most important part of
 the redistribution, which is why they are mentioned by name.  GPL
 always strives to make it abundantly clear to anyone who receives the
 software what its license is.  The goal is to make sure users know their
 rights and freedoms under GPL, and to leave no reason that users might be
 surprised the software is GPL'd. Thus
 throughout the GPL, there are specific references to the importance of
 notifying others down the distribution chain that they have rights under
 GPL.
 Also mentioned by name is the warranty disclaimer. Most people today do
 not believe that software comes with any warranty.  Notwithstanding
 \href{http://mlis.state.md.us/2000rs/billfile/hb0019.htm}{Maryland's} and \href{http://leg1.state.va.us/cgi-bin/legp504.exe?001+ful+SB372ER}{Virginia's} UCITA bills, there are few or no implied warranties with software.
 However, just to be on the safe side, GPL clearly disclaims them, and the
 GPL requires re-distributors to keep the disclaimer very visible. (See
 Sections~\ref{GPLv2s11} and~\ref{GPLv2s12} of this tutorial for more on GPL's
 warranty disclaimers.)
 Note finally that GPLv2~\S1 creates groundwork for the important defense of
 commercial freedom.  GPLv2~\S1 clearly states that in the case of verbatim
 copies, one may make money.  Re-distributors are fully permitted to charge
 for the re-distribution of copies of Free Software. In addition, they may
 provide the warranty protection that the GPL disclaims as an additional
 service for a fee. (See Section~\ref{Business Models} for more discussion
 on making a profit from Free Software redistribution.)
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Derivative Works: Statute and Case Law}
 \label{derivative-works}
 As described in the \hyperref[copyleft-definition]{earlier general discussion
   of copyleft}, strong copyleft licenses such as the GPL seek to uphold
 software freedom via the copyright system.  This principle often causes
 theoretical or speculative dispute among lawyers, because ``the work'' ---
 the primary unit of consideration under most copyright rules -- is not a unit
 of computer programming. In order to determine whether a ``routine'' an
 ``object'', a ``function'', a ``library'' or any other unit of software is
 part of one ``work'' when combined with other GPL'd code, we must ask a
 question that copyright law will not directly answer in the same technical
 terms.
 Therefore, this chapter digresses from  discussion of GPL's exact text to
 consider the matter of combined and/or derivative works --- a concept that we must
 understand fully before considering GPLv2~\S\S2--3\@.  At least under USA
 copyright law, The GPL, and Free
 Software licensing in general, relies critically on the concept of
 ``derivative work'' since software that is ``independent,'' (i.e., not
 ``derivative'') of Free Software need not abide by the terms of the
 applicable Free Software license. As much is required by \S~106 of the
 Copyright Act, 17 U.S.C. \S~106 (2002), and admitted by Free Software
 licenses, such as the GPL, which (as we have seen) states in GPLv2~\S0 that ``a
 `work based on the Program' means either the Program or any derivative
 work under copyright law.'' It is being a derivative work of Free Software
 that triggers the necessity to comply with the terms of the Free Software
 license under which the original work is distributed. Therefore, one is
 left to ask, just what is a ``derivative work''? The answer to that
 question differs depending on which court is being asked.
 The analysis in this chapter sets forth the differing definitions of
 derivative work by the circuit courts. The broadest and most
 established definition of derivative work for software is the
 abstraction, filtration, and comparison test (``the AFC test'') as
 created and developed by the Second Circuit. Some circuits, including
 the Ninth Circuit and the First Circuit, have either adopted narrower
 versions of the AFC test or have expressly rejected the AFC test in
 favor of a narrower standard. Further, several other circuits have yet
 to adopt any definition of derivative work for software.
 As an introductory matter, it is important to note that literal copying of
 a significant portion of source code is not always sufficient to establish
 that a second work is a derivative work of an original
 program. Conversely, a second work can be a derivative work of an original
 program even though absolutely no copying of the literal source code of
 the original program has been made. This is the case because copyright
 protection does not always extend to all portions of a program's code,
 while, at the same time, it can extend beyond the literal code of a
 program to its non-literal aspects, such as its architecture, structure,
 sequence, organization, operational modules, and computer-user interface.
 \section{The Copyright Act}
 The copyright act is of little, if any, help in determining the definition
 of a derivative work of software. However, the applicable provisions do
 provide some, albeit quite cursory, guidance. Section 101 of the Copyright
 Act sets forth the following definitions:
 \begin{quotation}
 A ``computer program'' is a set of statements or instructions to be used
 directly or indirectly in a computer in order to bring about a certain
 result.
 A ``derivative work'' is a work based upon one or more preexisting works,
 such as a translation, musical arrangement, dramatization,
 fictionalization, motion picture version, sound recording, art
 reproduction, abridgment, condensation, or any other form in which a work
 may be recast, transformed, or adapted. A work consisting of editorial
 revisions, annotations, elaborations, or other modifications which, as a
 whole, represent an original work of authorship, is a ``derivative work.''
 \end{quotation}
 These are the only provisions in the Copyright Act relevant to the
 determination of what constitutes a derivative work of a computer
 program. Another provision of the Copyright Act that is also relevant to
 the definition of derivative work is \S~102(b), which reads as follows:
 \begin{quotation}
 In no case does copyright protection for an original work of authorship
 extend to any idea, procedure, process, system, method of operation,
 concept, principle, or discovery, regardless of the form in which it is
 described, explained, illustrated, or embodied in such work.
 \end{quotation}
 Therefore, before a court can ask whether one program is a derivative work
 of another program, it must be careful not to extend copyright protection
 to any ideas, procedures, processes, systems, methods of operation,
 concepts, principles, or discoveries contained in the original program. It
 is the implementation of this requirement to ``strip out'' unprotectable
 elements that serves as the most frequent issue over which courts
 disagree.
 \section{Abstraction, Filtration, Comparison Test}
 As mentioned above, the AFC test for determining whether a computer
 program is a derivative work of an earlier program was created by the
 Second Circuit and has since been adopted in the Fifth, Tenth, and
 Eleventh Circuits. Computer Associates Intl., Inc. v. Altai, Inc., 982
 F.2d 693 (2nd Cir. 1992); Engineering Dynamics, Inc. v. Structural
 Software, Inc., 26 F.3d 1335 (5th Cir. 1994); Kepner-Tregoe,
 Inc. v. Leadership Software, Inc., 12 F.3d 527 (5th Cir. 1994); Gates
 Rubber Co. v. Bando Chem. Indust., Ltd., 9 F.3d 823 (10th Cir. 1993);
 Mitel, Inc. v. Iqtel, Inc., 124 F.3d 1366 (10th Cir. 1997); Bateman
 v. Mnemonics, Inc., 79 F.3d 1532 (11th Cir. 1996); and, Mitek Holdings,
 Inc. v. Arce Engineering Co., Inc., 89 F.3d 1548 (11th Cir. 1996).
 Under the AFC test, a court first abstracts from the original program its
 constituent structural parts. Then, the court filters from those
 structural parts all unprotectable portions, including incorporated ideas,
 expression that is necessarily incidental to those ideas, and elements
 that are taken from the public domain. Finally, the court compares any and
 all remaining kernels of creative expression to the structure of the
 second program to determine whether the software programs at issue are
 substantially similar so as to warrant a finding that one is the
 derivative work of the other.
 Often, the courts that apply the AFC test will perform a quick initial
 comparison between the entirety of the two programs at issue in order to
 help determine whether one is a derivative work of the other. Such a
 holistic comparison, although not a substitute for the full application of
 the AFC test, sometimes reveals a pattern of copying that is not otherwise
 obvious from the application of the AFC test when, as discussed below,
 only certain components of the original program are compared to the second
 program. If such a pattern is revealed by the quick initial comparison,
 the court is more likely to conclude that the second work is indeed a
 derivative of the original.
 \subsection{Abstraction}
 The first step courts perform under the AFC test is separation of the
 work's ideas from its expression. In a process akin to reverse
 engineering, the courts dissect the original program to isolate each level
 of abstraction contained within it. Courts have stated that the
 abstractions step is particularly well suited for computer programs
 because it breaks down software in a way that mirrors the way it is
 typically created. However, the courts have also indicated that this step
 of the AFC test requires substantial guidance from experts, because it is
 extremely fact and situation specific.
 By way of example, one set of abstraction levels is, in descending order
 of generality, as follows: the main purpose, system architecture, abstract
 data types, algorithms and data structures, source code, and object
 code. As this set of abstraction levels shows, during the abstraction step
 of the AFC test, the literal elements of the computer program, namely the
 source and object code, are defined as particular levels of
 abstraction. Further, the source and object code elements of a program are
 not the only elements capable of forming the basis for a finding that a
 second work is a derivative of the program. In some cases, in order to
 avoid a lengthy factual inquiry by the court, the owner of the copyright in
 the original work will submit its own list of what it believes to be the
 protected elements of the original program. In those situations, the court
 will forgo performing its own abstraction, and proceed to the second step of
 the AFC test.
 \subsection{Filtration}
 The most difficult and controversial part of the AFC test is the second
 step, which entails the filtration of protectable expression contained in
 the original program from any unprotectable elements nestled therein. In
 determining which elements of a program are unprotectable, courts employ a
 myriad of rules and procedures to sift from a program all the portions
 that are not eligible for copyright protection.
 First, as set forth in \S~102(b) of the Copyright Act, any and all ideas
 embodied in the program are to be denied copyright protection. However,
 implementing this rule is not as easy as it first appears. The courts
 readily recognize the intrinsic difficulty in distinguishing between ideas
 and expression and that, given the varying nature of computer programs,
 doing so will be done on an ad hoc basis. The first step of the AFC test,
 the abstraction, exists precisely to assist in this endeavor by helping
 the court separate out all the individual elements of the program so that
 they can be independently analyzed for their expressive nature.
 A second rule applied by the courts in performing the filtration step of
 the AFC test is the doctrine of merger, which denies copyright protection
 to expression necessarily incidental to the idea being expressed. The
 reasoning behind this doctrine is that when there is only one way to
 express an idea, the idea and the expression merge, meaning that the
 expression cannot receive copyright protection due to the bar on copyright
 protection extending to ideas. In applying this doctrine, a court will ask
 whether the program's use of particular code or structure is necessary for
 the efficient implementation of a certain function or process. If so, then
 that particular code or structure is not protected by copyright and, as a
 result, it is filtered away from the remaining protectable expression.
 A third rule applied by the courts in performing the filtration step of
 the AFC test is the doctrine of scenes a faire, which denies copyright
 protection to elements of a computer program that are dictated by external
 factors. Such external factors can include:
 \begin{itemize}
   \item The mechanical
 specifications of the computer on which a particular program is intended
 to operate
   \item Compatibility requirements of other programs with which a
 program is designed to operate in conjunction
   \item Computer manufacturers'
 design standards
   \item Demands of the industry being serviced, and widely accepted programming practices within the computer industry
 \end{itemize}
 Any code or structure of a program that was shaped predominantly in
 response to these factors is filtered out and not protected by
 copyright. Lastly, elements of a computer program are also to be filtered
 out if they were taken from the public domain or fail to have sufficient
 originality to merit copyright protection.
 Portions of the source or object code of a computer program are rarely
 filtered out as unprotectable elements. However, some distinct parts of
 source and object code have been found unprotectable. For example,
 constants, the invariable integers comprising part of formulas used to
 perform calculations in a program, are unprotectable. Further, although
 common errors found in two programs can provide strong evidence of
 copying, they are not afforded any copyright protection over and above the
 protection given to the expression containing them.
 \subsection{Comparison}
 The third and final step of the AFC test entails a comparison of the
 original program's remaining protectable expression to a second
 program. The issue will be whether any of the protected expression is
 copied in the second program and, if so, what relative importance the
 copied portion has with respect to the original program overall. The
 ultimate inquiry is whether there is ``substantial'' similarity between
 the protected elements of the original program and the potentially
 derivative work. The courts admit that this process is primarily
 qualitative rather than quantitative and is performed on a case-by-case
 basis. In essence, the comparison is an ad hoc determination of whether
 the protectable elements of the original program that are contained in the
 second work are significant or important parts of the original program. If
 so, then the second work is a derivative work of the first. If, however,
 the amount of protectable elements copied in the second work are so small
 as to be de minimis, then the second work is not a derivative work of the
 original.
 \section{Analytic Dissection Test}
 The Ninth Circuit has adopted the analytic dissection test to determine
 whether one program is a derivative work of another. Apple Computer,
 Inc. v. Microsoft Corp., 35 F.3d 1435 (9th Cir. 1994). The analytic
 dissection test first considers whether there are substantial similarities
 in both the ideas and expressions of the two works at issue. Once the
 similar features are identified, analytic dissection is used to determine
 whether any of those similar features are protected by copyright. This
 step is the same as the filtration step in the AFC test. After identifying
 the copyrightable similar features of the works, the court then decides
 whether those features are entitled to ``broad'' or ``thin''
 protection. ``Thin'' protection is given to non-copyrightable facts or
 ideas that are combined in a way that affords copyright protection only
 from their alignment and presentation, while ``broad'' protection is given
 to copyrightable expression itself. Depending on the degree of protection
 afforded, the court then sets the appropriate standard for a subjective
 comparison of the works to determine whether, as a whole, they are
 sufficiently similar to support a finding that one is a derivative work of
 the other. ``Thin'' protection requires the second work be virtually
 identical in order to be held a derivative work of an original, while
 ``broad'' protection requires only a ``substantial similarity.''
 \section{No Protection for ``Methods of Operation''}
 The First Circuit has taken the position that the AFC test is inapplicable
 when the works in question relate to unprotectable elements set forth in
 \S~102(b).  Their approach results in a much narrower definition
 of derivative work for software in comparison to other circuits. Specifically,
 the
 First Circuit holds that ``method of operation,'' as used in \S~102(b) of
 the Copyright Act, refers to the means by which users operate
 computers. Lotus Development Corp. v. Borland Int'l., Inc., 49 F.3d 807
 (1st Cir. 1995).  In Lotus, the court held that a menu command
 hierarchy for a computer program was uncopyrightable because it did not
 merely explain and present the program's functional capabilities to the
 user, but also served as a method by which the program was operated and
 controlled. As a result, under the First Circuit's test, literal copying
 of a menu command hierarchy, or any other ``method of operation,'' cannot
 form the basis for a determination that one work is a derivative of
 another.  As a result, courts in the First Circuit that apply the AFC test
 do so only after applying a broad interpretation of \S~102(b) to filter out
 unprotected elements. E.g., Real View, LLC v. 20-20 Technologies, Inc.,
 F. Supp.2d 147, 154 (D. Mass. 2010).
 \section{No Test Yet Adopted}
 Several circuits, most notably the Fourth and Seventh, have yet to
 declare their definition of derivative work and whether or not the
 AFC, Analytic Dissection, or some other test best fits their
 interpretation of copyright law. Therefore, uncertainty exists with
 respect to determining the extent to which a software program is a
 derivative work of another in those circuits. However, one may presume
 that they would give deference to the AFC test since it is by far the
 majority rule among those circuits that have a standard for defining
 a software derivative work.
 \section{Cases Applying Software Derivative Work Analysis}
 In the preeminent case regarding the definition of a derivative work for
 software, Computer Associates v. Altai, the plaintiff alleged that its
 program, Adapter, which was used to handle the differences in operating
 system calls and services, was infringed by the defendant's competitive
 program, Oscar. About 30\% of Oscar was literally the same code as
 that in Adapter. After the suit began, the defendant rewrote those
 portions of Oscar that contained Adapter code in order to produce a new
 version of Oscar that was functionally competitive with Adapter, without
 having any literal copies of its code. Feeling slighted still, the
 plaintiff alleged that even the second version of Oscar, despite having no
 literally copied code, also infringed its copyrights. In addressing that
 question, the Second Circuit promulgated the AFC test.
 In abstracting the various levels of the program, the court noted a
 similarity between the two programs' parameter lists and macros. However,
 following the filtration step of the AFC test, only a handful of the lists
 and macros were protectable under copyright law because they were either
 in the public domain or required by functional demands on the
 program. With respect to the handful of parameter lists and macros that
 did qualify for copyright protection, after performing the comparison step
 of the AFC test, it was reasonable for the district court to conclude that
 they did not warrant a finding of infringement given their relatively minor
 contribution to the program as a whole. Likewise, the similarity between
 the organizational charts of the two programs was not substantial enough
 to support a finding of infringement because they were too simple and
 obvious to contain any original expression.
 In the case of Oracle America v. Google, 872 F. Supp.2d 974 (N.D. Cal. 2012),
 the Northern District of California District Court examined the question of
 whether the application program interfaces (APIs) associated with the Java
 programming language are entitled to copyright protection.  While the
 court expressly declined to rule whether all APIs are free to use without
 license (872 F. Supp.2d 974 at 1002), the court held that the command
 structure and taxonomy of the APIs were not protectable under copyright law.
 Specifically, the court characterized the command structure and taxonomy as
 both a ``method of operation'' (using an approach not dissimilar to the
 First Circuit's analysis in Lotus) and a ``functional requirement for
 compatibility'' (using Sega v. Accolade, 977 F.2d 1510 (9th Cir. 1992) and
 Sony Computer Ent. v. Connectix, 203 F.3d 596 (9th Cir. 2000) as analogies),
 and thus unprotectable subject matter under \S~102(b).
 Perhaps not surprisingly, there have been few other cases involving a highly
 detailed software derivative work analysis. Most often, cases involve
 clearer basis for decision, including frequent bad faith on the part of
 the defendant or over-aggressiveness on the part of the plaintiff.
 \section{How Much Do Derivative Works Matter?}
 It is certainly true that GPL intends for any work that is determined a
 ``derivative work'' under copyright law must be licensed as a whole under
 GPL\@, as will be discussed in the following chapter.  However, as we finish
 up our discussion derivative works, we must note that preparation of a
 derivative work is by far not the only way to create a new work covered by
 GPL\@.
 In fact, while derivative work preparation is perhaps the most exciting area
 of legal issues to consider, the more mundane ways to create a new work
 covered by GPL are much more common.  For example, copyright statutes
 generally require permission from the copyright holder to grant explicit
 permission to modify a work in any manner.  As discussed in the next chapter,
 the GPL {\em does} grant such permission, but requires the modified work must
 also be licensed under the terms of the GPL (and only GPL:
 see\S~\label{GPLv2s6} in this tutorial).  Determining whether software was
 modified is a substantially easier analysis than the derivative work
 discussions and considerations in this chapter.
 The question of derivative works, when and how they are made, is undoubtedly
 an essential discussion in the interpretation and consideration of copyleft.
 That is why this chapter was included in this tutorial.  However, as we
 return from this digression and resume discussion of the detailed text of the
 GPLv2, we must gain a sense of perspective: most GPL questions center around
 questions of modification and distribution, not preparation of derivative
 works.  Derivative work preparation is ultimately a small subset of the types
 of modified versions of the software a developer might create, thus, while an
 excessive focus on derivative works indulges us in the more exciting areas of
 copyleft, we must keep a sense of perspective regarding their relative
 importance.
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \chapter{Modified Source and Binary Distribution}
 \label{source-and-binary}
 In this chapter, we discuss the two core sections that define the rights
 and obligations for those who modify, improve, and/or redistribute GPL'd
 software. These sections, GPLv2~\S\S2--3, define the central core rights and
 requirements of GPLv2\@.
 \section{GPLv2~\S2: Share and Share Alike}
 \label{GPLv2s2}
 For many, this is where the ``magic'' happens that defends software
 freedom upon redistribution.  GPLv2~\S2 is the only place in GPLv2
 that governs the modification controls of copyright law.  If users

0 comments (0 inline, 0 general)