File diff 8b4497c6dbfb → 746eff5786b2
compliance-guide.tex
Show inline comments
...
 
@@ -1116,201 +1116,201 @@ your own, you must still seek a reinstatement of rights from the copyright
 
holders whose licenses you violated, lest you remain liable for
 
infringement for even compliant distributions made subsequent to the
 
initial violation.
 

	
 
GPLv3 is more lenient.  If you have distributed only v3-licensed programs,
 
you may be eligible under v3~\S~8 for automatic reinstatement of rights.
 
You are eligible for automatic reinstatement when:
 
\begin{itemize}
 
\item you correct the violation and are not contacted by a copyright
 
  holder about the violation within sixty days after the correction, or
 

	
 
\item you receive, from a copyright holder, your first-ever contact
 
  regarding a GPL violation, and you correct that violation within thirty
 
  days of receipt of copyright holder's notice.
 
\end{itemize}
 

	
 
In addition to these permanent reinstatements provided under v3, violators
 
who voluntarily correct their violation also receive provisional
 
permission to continue distributing until they receive contact from the
 
copyright holder.  If sixty days pass without contact, that reinstatement
 
becomes permanent.  Nonetheless, you should be prepared to cease
 
distribution during those initial sixty days should you receive a
 
termination notice from the copyright holder.
 

	
 
Given that much discussion of v3 has focused on its so-called more
 
complicated requirements, it should be noted that v3 is, in this regard,
 
more favorable to violators than v2.
 

	
 
However, note that most Linux-based systems typically include some software
 
licensed under GPLv2-only, and thus the copyright holders have withheld
 
permission to redistribute under terms of GPLv3.  In larger aggregate
 
distributions which include GPLv2-only works (such as the kernel named
 
Linux), redistributors must operate as if termination is immediate and
 
permanent, since the technological remove of GPLv2-only works from the larger
 
distribution requires much more engineering work than the negotiation
 
required to seek restoration of rights for distribution under GPLv2-only
 
after permanent termination.
 

	
 
\chapter{Standard Requests}
 

	
 
As we noted above, different copyright holders have different requirements
 
for reinstating a violator's distribution rights.  Upon violation, you no
 
longer have a license under the GPL\@.  Copyright holders can therefore
 
set their own requirements outside the license before reinstatement of
 
rights.  We have collected below a list of reinstatement demands that
 
copyright holders often require.
 

	
 
\begin{itemize}
 

	
 
\item {\bf Compliance on all Free Software copyrights}.  Copyright holders of Free Software
 
  often want a company to demonstrate compliance for all GPL'd software in
 
  a distribution, not just their own.  A copyright holder may refuse to
 
  reinstate your right to distribute one program unless and until you
 
  comply with the licenses of all Free Software in your distribution.
 
 
 
\item {\bf Notification to past recipients}.  Users to whom you previously
 
  distributed non-compliant software should receive a communication
 
  (email, letter, bill insert, etc.) indicating the violation, describing
 
  their rights under the GPL, and informing them how to obtain a gratis source
 
  distribution.  If a customer list does not exist (such as in reseller
 
  situations), an alternative form of notice may be required (such as a
 
  magazine advertisement).
 

	
 
\item {\bf Appointment of a GPL Compliance Officer.}  The software freedom community
 
  values personal accountability when things go wrong.  Copyright holders
 
  often require that you name someone within the violating company
 
  officially responsible for Free Software license compliance, and that this
 
  individual serve as the key public contact for the community when
 
  compliance concerns arise.
 

	
 
\item {\bf Periodic Compliance Reports.}  Many copyright holders wish to
 
  monitor future compliance for some period of time after the violation.
 
  For some period, your company may be required to send regular reports on
 
  how many distributions of binary and source have occurred.
 
\end{itemize}
 

	
 
These are just a few possible requirements for reinstatement.  In the
 
context of a GPL violation, and particularly under v2's termination
 
provision, the copyright holder may have a range of requests in exchange
 
for reinstatement of rights.  These software developers are talented
 
professionals from whose work your company has benefited.  Indeed, you are
 
unlikely to find a better value or more generous license terms for similar
 
software elsewhere.  Treat the copyright holders with the same respect you
 
treat your corporate partners and collaborators.
 

	
 
\chapter{Special Topics in Compliance}
 

	
 
There are several other issues that are less common, but also relevant in
 
a GPL compliance situation.  To those who face them, they tend to be of
 
particular interest.
 

	
 
\section{LGPL Compliance}
 
\label{lgpl}
 

	
 
GPL compliance and LGPL compliance mostly involve the same issues.  As we
 
discussed in \S~\ref{derivative-works}, questions of modified versions of
 
software are highly fact-dependant and cannot be easily addressed in any
 
software are highly fact-dependent and cannot be easily addressed in any
 
overview document.  The LGPL adds some additional complexity to the
 
analysis.  Namely, the various LGPL versions permit proprietary licensing
 
of certain types of modified versions.  These issues are well beyond the
 
scope of this document, but as a rule of thumb, once you have determined
 
of certain types of modified versions.  These issues are discussed in greater
 
detail in Chapter~\ref{LGPLv2} and~\ref{LGPLv3}.  However, as a rule of thumb, once you have determined
 
(in accordance with LGPLv3) what part of the work is the ``Application''
 
and what portions of the source are ``Minimal Corresponding Source'', then
 
you can usually proceed to follow the GPL compliance rules that we
 
discussed, replacing our discussion of ``Corresponding Source'' with
 
you can usually proceed to follow the GPL compliance rules that
 
discussed above, replacing our discussion of ``Corresponding Source'' with
 
``Minimal Corresponding Source''.
 

	
 
LGPL also requires that you provide a mechanism to combine the Application
 
with a modified version of the library, and outlines some options for
 
this.  Also, the license of the whole work must permit ``reverse
 
engineering for debugging such modifications'' to the library.  Therefore,
 
you should take care that the EULA used for the Application does not
 
contradict this permission.
 

	
 
%FIXME-URGENT: integrate
 

	
 
Under the terms of LGPL, they must also refrain from license terms on works
 
based on the licensed work that prohibit replacement of the licensed
 
components of the larger non-LGPL’d work, or prohibit decompilation or
 
reverse engineering in order to enhance or fix bugs in the LGPL’d components.
 

	
 
Section 2(a) states that if a licensed work is a software library (defined in
 
\S0 as ``a collection of software functions and/or data prepared so as to be
 
conveniently linked with application programs (which use some of those
 
functions and data) to form executables'') permission is given to distribute
 
modified versions only if those versions are themselves libraries. LGPLv2.1
 
code can therefore not be compliantly taken from its context in a library and
 
placed in a non-library modified version or work based on the work. Section 6
 
does not provide an exception for this rule: a combination may be made of a
 
modified version of an LGPL’d library with other code, but the LGPL’d code
 
must continue to be structured as a library, and to that library the terms of
 
the license continue to apply.
 

	
 
%FIXME-URGENT: END
 

	
 
\section{Upstream Providers}
 
\label{upstream}
 

	
 
With ever-increasing frequency, software development (particularly for
 
embedded devices) is outsourced to third parties.  If you rely on an
 
upstream provider for your software, note that you \emph{cannot ignore
 
  your GPL compliance requirements} simply because someone else packaged
 
the software that you distribute.  If you redistribute GPL'd software
 
(which you do, whenever you ship a device with your upstream's software in
 
it), you are bound by the terms of the GPL\@.  No distribution (including
 
redistribution) is permissible absent adherence to the license terms.
 

	
 
Therefore, you should introduce a due diligence process into your software
 
acquisition plans.  This is much like the software-oriented
 
recommendations we make in \S~\ref{best-practices}.  Implementing
 
practices to ensure that you are aware of what software is in your devices
 
can only improve your general business processes.  You should ask a clear
 
list of questions of all your upstream providers and make sure the answers
 
are complete and accurate.  The following are examples of questions you
 
should ask:
 
\begin{itemize}
 

	
 
\item What are all the licenses that cover the software in this device?
 

	
 
\item From which upstream vendors, be they companies or individuals, did
 
  \emph{you} receive your software before distributing it to us?
 

	
 
\item What are your GPL compliance procedures?
 

	
 
\item If there is GPL'd software in your distribution, we will be
 
  redistributors of this GPL'd software.  What mechanisms do you have in
 
  place to aid us with compliance?
 

	
 
\item If we follow your recommended compliance procedures, will you
 
  formally indemnify us in case we are nonetheless found to be in
 
  violation of the GPL?
 

	
 
\end{itemize}
 

	
 
This last point is particularly important.  Many GPL enforcements are
 
escalated because of petty finger-pointing between the distributor and its
 
upstream.  In our experience, agreements regarding GPL compliance issues
 
and procedures are rarely negotiated up front.  However, when they are,
 
violations are resolved much more smoothly (at least from the point of
 
view of the redistributor).
 

	
 
Consider the cost of potential violations in your acquisition process.
 
Using Free Software allows software vendors to reduce costs significantly, but be
 
wary of vendors who have done so without regard for the licenses.  If your
 
vendor's costs seem ``too good to be true,'' you may ultimately bear the
 
burden of the vendor's inattention to GPL compliance.  Ask the right
 
questions, demand an account of your vendors' compliance procedures, and
 
seek indemnity from them.
 

	
 
% FIXME-URGENT: integrate
 

	
 
In such instances it is advisable that you exercise your own rights as a user
 
to request C\&CS for all the GPL programs that your suppliers provided to you,
 
preferably in an automated process. Once you receive such C\&CS, passing it
 
along with your product will ensure your compliance with the license.
 

	
 
% FIXME-URGENT: Needs a new section
 
% \section{Mergers and Acquisitions}
 

	
 
[GPLv3] Section 10 also clarifies that in business acquisitions, whether by
 
sale of assets or transfers of control, the acquiring party is downstream