{% extends "base_compliance.html" %}

{% block subtitle %}Copyleft Compliance Projects - {% endblock %}

{% block submenuselection %}AboutCompliance{% endblock %}

{% block content %}

<h1>Conservancy's Copyleft Compliance Projects</h1>

<p>Free and open source software is

        everywhere and in everything; yet our software freedom is constantly

        eroded.  With the help of its volunteers, <a href="/members/current/">member projects</a>, and <a href="/about/staff/">staff</a>,

  Conservancy stands up for users' software freedom via its copyleft compliance work.</p>

<p>Conservancy engages in copyleft compliance work in two different ways: by acting directly

on behalf of <a href="/projects/">Conservancy's Member Projects</a> who request

Free and Open Source License compliance efforts, and for

specific, targeted member projects for communities of developers.</p>

<p>Conservancy's Copyleft Compliance Projects are run in a collaborative manner with

the project developers.  All copyright holders involved have the opportunity

to give input and guidance on Conservancy's strategy in dealing with

compliance issues.  Thus, all Conservancy's compliance matter have full

  support of relevant copyright holders.</p>

<p>In addition to taking feedback internally from those who participate as

  part of the coalitions described below, Conservancy also welcomes feedback

  and discussion with the general public about our copyleft compliance

  efforts.  This discussion happens on

  Conservancy's <a href="https://lists.sfconservancy.org/mailman/listinfo/principles-discuss">principles-discuss</a>

  mailing list, which is named

  for <a href="/copyleft-compliance/principles.html">Principles of

  Community-Oriented GPL Enforcement</a> which Conservancy follows in all our

  copyleft compliance.</p>

<h2>Compliance Project For Our Fiscally Sponsored Projects</h2>

<p>Historically, Conservancy was well-known for its ongoing license

compliance efforts on behalf of its BusyBox member project.  Today, Conservancy

does semi-regular compliance work for its BusyBox, Evergreen, Git, Inkscape, Mercurial,

Samba, Sugar Labs, QEMU and Wine member projects.  If you are a copyright holder

in any member project of Conservancy, please contact the project's leadership committtee,

via <a href="mailto:PROJECTNAME@sfconservancy.org">&lt;PROJECTNAME@sfconservancy.org&gt;</a>

for more information on getting involved in compliance efforts in that project.

</p>

<h2 id="linux">GPL Compliance Project For Linux Developers</h2>

<p>In May

2012, <a href="/news/2012/may/29/compliance/">Conservancy

launched</a> the <cite>GPL

Compliance Project for Linux Developers</cite>, which handles compliance and

enforcement activities on behalf of more than a dozen Linux copyright

holders.</p>

<p>The GPL Compliance Project for Linux Developers is comprised of copyright

holders in the kernel, Linux, who have contributed to Linux under its

license, <a href="http://www.gnu.org/licenses/gpl-2.0.html">the

GPLv2</a>. These copyright holders have formally asked Conservancy to engage

in compliance efforts for their copyrights in the Linux kernel.  In addition,

some developers have directly assigned their copyrights on Linux to Conservancy,

so Conservancy also enforces the GPL on Linux via its own copyrights in Linux.</p>

<p>Linux copyright holders who wish to assign copyright to or sign an enforcement agreement with

Conservancy should

  contact <a href="mailto:linux-services@sfconservancy.org">&lt;linux-services@sfconservancy.org&gt;</a>.

  In 2016,

  Conservancy <a href="/news/2016/nov/03/linux-compliance-agreements/">made

    public the template agreements used as part of this project</a>; both the

  <a href="/docs/blank_linux-enforcement-agreement.pdf">non-anonymous</a> and

  <a href="/docs/blank_anonymous-linux-enforcement-agreement.pdf">anonymous</a>

  versions are available.  However, please <strong>do not</strong> sign these

  unilaterally without contacting and discussing

  with <a href="mailto:linux-services@sfconservancy.org">&lt;linux-services@sfconservancy.org&gt;</a>

  first.</p>

<h2>The Debian Copyright Aggregation Project</h2>

<p>In August 2015, <a href="/news/2015/aug/17/debian/">Conservancy announced the Debian Copyright Aggregation

Project</a>.  This project allows Debian contributors to assign copyrights to

Conservancy, or sign enforcement agreements allowing Conservancy to enforce

Free and Open Source (FOSS) licenses on their behalf.  Many Debian contributors

have chosen each of these options already, and more continue to join.</p>

<p>Debian contributors who wish to assign copyright to or sign an enforcement agreement with

Conservancy should contact <a href="mailto:debian-services@sfconservancy.org">&lt;debian-services@sfconservancy.org&gt;</a>.</p>

<h2>Conservancy's Commitment to Copyleft License Compliance</h2>

<p>Conservancy is dedicated to encouraging all users of software to comply

  with Free Software licenses. Toward this goal, in its compliance efforts,

  Conservancy helps distributors of Free Software in a friendly spirit of

  cooperation and participation.  In this spirit, Conservancy has co-published,

  follow in their compliance efforts</a>.

  Also in collaboration with the FSF, Conservancy also sponsors

  the <a href="https://copyleft.org/guide/"><cite>Copyleft and the GNU

  General Public License:A Comprehensive Tutorial and Guide</cite></a>,

  which <a href="/news/2014/nov/07/copyleft-org/">formally

  launched in fall 2014</a>.  The Guide includes tutorial materials about

  copyleft and compliance with copyleft licenses,

  including <a href="https://copyleft.org/guide/comprehensive-gpl-guidepa2.html"><cite>A

  Practical Guide to GPL Compliance</cite></a>.  The materials

  on <a href="https://copyleft.org/">copyleft.org</a> have been developed and

  improved since 2002, and are themselves copylefted, and developed

  collaboratively in public.</p>

<p>However, the Guide is admittedly a large document, so for those who are

  interested in a short summary of describing how Conservancy handles GPL

  enforcement and compliance

  work, <a href="https://sfconservancy.org/blog/2012/feb/01/gpl-enforcement/">this

  blog post outlining the compliance process</a> is likely the best source.</p>

<h2>Reporting GPL Violations To Us</h2>

<p>If you are aware of a license violation or compliance issue regarding

  Debian, Linux, or

  any <a href="https://sfconservancy.org/members/current/">Conservancy member

  project</a> (&mdash; in particular BusyBox, Evergreen, Inkscape, Mercurial,

  Samba, Sugar Labs, or Wine),

  please <a href="mailto:compliance@sfconservancy.org">contact us by email at

    &lt;compliance@sfconservancy.org&gt;</a>.</p>

<p>If you think you've found a GPL violation, we encourage you to

   read <a href="http://ebb.org/bkuhn/blog/2009/11/08/gpl-enforcement.html">this

   personal blog post by our Distinguished Technologist, Bradley M. Kuhn</a>,

   about good practices in discovering and reporting GPL violations.  (We'd

   also like someone to convert the text of that blog post into a patch for

   <a href="http://compliance.guide">The Compliance Guide on

   copyleft.org</a>; submit it

   via <a href="https://k.copyleft.org/guide/">k.copyleft.org</a>.)</p>

<h2>Donate to Support This Work</h2>

<p>Finally, Conservancy welcomes <a href="#donate-box"

  class="donate-now">donations</a> in support of our GPL Compliance Projects,

  and we encourage you to become a <a href="/supporter/">an official

  Supporter of Software Freedom Conservancy</a>. </p>

</div>

{% endblock %}

<li><strong>Our primary goal in GPL enforcement is to bring about GPL

compliance.</strong>  Copyleft's overarching policy

goal is to make  respect of users' freedoms the norm.

The FSF designed the GNU GPL's text towards this end.

Copyleft enforcement done in this spirit focuses on stopping

incorrect distribution, encouraging corrected distribution, and

addressing damage done to the community and users by the past

violation. Addressing past damage often includes steps to notify those

who have already received the software how they can also obtain its

source code, and to explain the scope of their related rights. No

other ancillary goals should supersede full compliance

with the GPL and respect for users' freedoms to copy, share, modify

and redistribute the software.

</li>

<li><strong>Legal action is a last resort. Compliance actions are primarily

education and assistance processes to aid those who are not following the

license.</strong>

Most GPL violations occur by mistake, without ill will.

Copyleft enforcement should assist these distributors to

become helpful participants in the free software

projects on which they rely. Occasionally, violations are intentional

or the result of severe negligence, and there is no duty to be

empathetic in those cases.  Even then, a lawsuit is a

last resort; mutually agreed terms that fix (or at least cease)

further distribution and address damage already done are much better than a battle in court.

</li>

<li><strong>Confidentiality can increase receptiveness and

responsiveness.</strong> Supporters of software

freedom rightly view confidentiality agreements with

distrust, and prefer public discussions.  However, in compliance

work, initiating and continuing discussions in private demonstrates

good faith, provides an opportunity to teach compliance without fear

of public reprisal, and offers a chance to fix honest mistakes.

Enforcement actions that begin with public accusations are much more

likely to end in costly and lengthy lawsuits, and less likely to achieve the

primary goal of coming into compliance. Accordingly, enforcers should,

even if reluctantly, offer confidentiality as a term of settlement. If

it becomes apparent that the company is misusing good faith

confidentiality to cover inaction and unresponsiveness, the problems

may be publicized, after ample warning.</li>

<li><strong>Community-oriented enforcement must never prioritize

financial gain.</strong>

Financial penalties are a legitimate tool to achieve compliance when

used judiciously. Logically, if the only penalty for violation is

simply compliance with the original rules, bad actors will just wait

for an enforcement action before even reading the GPL. That social

model for copyleft and its enforcement is untenable and unsustainable.

An enforcement system without a financial penalty favors bad actors

over good ones, since the latter bear the minimal (but non-trivial)

staffing cost of compliant distribution while the former avoid it.

Copyright holders (or their designated agent) therefore are reasonable

to request compensation for the cost of their time providing the

compliance education that accompanies any constructive enforcement

action. Nevertheless, pursuing damages to the full extent allowed by

copyright law is usually unnecessary, and can in some cases work against

the purpose of copyleft. </li>

<li><strong>Community-oriented compliance work does not request nor accept payment

to overlook problems.</strong>

Community-oriented enforcement cannot accept payments in exchange for

ignoring a violation or accepting incomplete solutions to identified

compliance problems. Ideally, copyright holders should refuse any

payment entirely until the distributor repairs the past violation and

commits formally (in writing) to plans for future compliance.</li>

<li><strong>Community-oriented compliance work starts with carefully

verifying violations and finishes only after a comprehensive

analysis.</strong>

This means fully checking reports and confirming violations before accusing

an entity of violating the GPL. Then, all of the relevant

software should be examined to ensure any compliance problems, beyond

those identified in initial reports and those relating to any clauses of the

relevant licenses, are raised and fixed. This is important so that

the dialogue ends with reasonable assurance for both sides that additional

violations are not waiting to be discovered.

(<a href="http://gpl.guide/pristine-example">Good examples of

compliance</a> already exist to help distributors understand their

obligations.)</li>

<li><strong>Community-oriented compliance processes should extend the

benefit of GPLv3-like termination, even for GPLv2-only

works. </strong> GPLv2 terminates all copyright permissions at the

moment of violation, and that termination is permanent. GPLv3's

termination provision allows first-time violators automatic

restoration of distribution rights when they correct the violation

promptly, and gives the violator a precise list of copyright holders

whose forgiveness it needs. GPLv3's collaborative spirit regarding

termination reflects a commitment to and hope for future cooperation

and collaboration. It's a good idea to follow this approach in

compliance situations stemming from honest mistakes, even when the

violations are on works under GPLv2.</li>

</ul>

<p>These principles are not intended as a strict set of rules.

Achieving compliance requires an understanding of the violator's

situation, not so as to excuse the violation, but so as to see how

to bring that violator into compliance.  Copyleft licenses do not

state specific enforcement methodologies (other than license termination itself)

in part because the real world situation of GPL violations varies;

rigidity impedes success. </p>

<p>In particular, this list of principles purposely does not seek to

create strict criteria and/or “escalation and mediation

rules” for enforcement action. Efforts to do that limit the

ability of copyright holders to use copyleft licenses for their

intended effect: to stand up for the rights of users to copy, modify,

and redistribute free software.</p>

<p>The GPL,

enforced when necessary according to these principles, provides a

foundation for respectful, egalitarian, software-sharing

communities.

</p>

<div class="doc-footer">

  <p>This document is also published on <a href="https://fsf.org/licensing/enforcement-principles">FSF's site</a>.</p>

  <p>We revise these principles from time to time based on community feedback.  Please <a href="https://lists.sfconservancy.org/mailman/listinfo/principles-discuss">subscribe to our principles-discuss list</a> to follow the discussion and share your thoughts with us.</p>

</div>

<p>Copyright &copy; 2015, Free Software Foundation, Inc., Software Freedom Conservancy, Inc., Bradley M. Kuhn, Allison Randal, Karen M. Sandler.

<br/>Licensed under the <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0">Creative Commons Attribution-ShareAlike 4.0 International License</a>.

<a href="https://fsf.org/licensing/enforcement-principles">[2]</a>) are preserved in modified and/or redistributed versions.</p>

{% endblock %}

및

&ldquo;<a href="https://copyleft.org/guide/comprehensive-gpl-guidepa3.html#x26-152000III">GPL

시행 관련 사례 연구(Case Studies in GPL Enforcement)</a>&rdquo; (FSF 및

컨서번시 블로그에서 요약 설명본을 확인할 수 있다)와 같은 섹션이 포함되어

있다.  커뮤니티의 자유를 위해 노력하는 성실한 일꾼으로서, 우리는 기업이

사용자의 카피레프트 소프트웨어 카피, 공유, 변경 및/혹은 재배포를 방해하는

경우, 사용자의 대리인으로서의 역할을 수행한다. 모든 사용자의 자유를 보호하고,

사용자 자유를 존중하는 기업을 지원하며, 동시에 악행 기업들을 저지시키고

처벌하기 위해 모든 배포자가 GPL 을 준수하도록 요구하고 있다.</p>

<p>카피레프트는 저작권(copyright)을 기준으로 한다: 사용자의 프로그램 변경 및

재배포를 제한하기보다는 변경하고 재배포할 수 있는 자유를 보호하기 위해

저작권의 권한을 활용한다. 전통적인 저작권 라이선스는 작업물을 허가 없이

타인에게 전달하는 경우 위반으로 간주한다: 하지만, 카피레프트 라이선스는

타인에 의한 추후 재배포를 예방 하기 위해 규제를 가하는 것을 위반으로

본다. 그럼에도 불구하고, 저작권법에 근거를 두고 있는 카피레프트 라이선스는

다른 저작권 라이선스와 동일한 언어와 프로세스를 사용하는 등 동일한 메커니즘을

통해 시행된다. 카피레프트 시행에 있어 우리는 카피레프트의 궁극적인 자유를

확보하는 것 즉, 카피레프트의 목적을 널리 확산시키되 지나치거나 처벌적인

접근법에 초점을 맞추거나 저작권 시스템에 내재된 불공정한 측면을 합법화하는

쪽으로 기울지않도록 노력해야 한다. 따라서 컨서번시와 FSF 는 2001 년 FSF 가

처음 마련한 커뮤니티 중심의 원칙에 따른 시행을 추구한다.</p>

<h4>커뮤니티 중심의 GPL 시행 지침 원칙</h4>

<ul>

<li><strong>GPL 시행에 있어 우리의 주요 목적은 GPL 컴플라이언스를 실현하는 것이다.</strong>

카피레프트의 가장 중요한 정책적 목표는 사용자의 자유를 존중하는 일을 규범으로

만드는 일이다. FSF 는 이러한 취지로 GNU GPL 의 규정을 마련했다. 이러한 정신에

의거한 카피레프트 시행은 부정확한 배포를 중단시키고, 올바른 배포가

이루어지도록 하며 과거의 위반 사례로 손해를 입은 커뮤니티와 사용자 문제를

해결하는 것에 초점을 두고 있다. 과거의 피해를 해결하는 작업에는 이미

소프트웨어를 받은 이들에게 관련 소스코드를 받을 수 있는 방법을 알려주고 관련된

권리 범위를 설명하기 위한 절차를 따르는 일 등이 포함된다. 기타 부수적인 목적이

GPL 에 대한 전적인 컴플라이언스 및 사용자가 소프트웨어를 카피, 공유, 변경,

재배포할 수 있는 자유를 존중하는 일보다 우선시 되어서는 안 된다.</li>

<li><strong>법적 조치는 최후의 수단이다. 컴플라이언스 관련 조치는 주로

라이선스를 따르지 않는 사람을 돕기 위한 교육과 지원 프로세스를

의미한다.</strong> 대부분의 GPL 위반 사례는 악의가 아닌 실수로

발생한다. 카피레프트의 시행은 이러한 배포자가 그들이 의지할 수 있는 자유

소프트웨어 프로젝트에 있어 유용한 참여자가 되도록 지원하는 방향에서

이루어져야 한다. 때때로, 고의로 혹은 심각한 부주의로 인해 위반 사례가

발생하기도 하는데 그러한 사례에 대해서는 인정을 베풀 필요가 없다. 하지만

그러한 경우라도, 소송은 마지막 수단이며, 추가적인 배포를 해결(혹은 최소한

중단하는)하고자 하는 양측의 합의 및 이미 발생한 피해를 해결하는 것이 소송으로

인한 분쟁보다 훨씬 낫다.</li>

<li><strong>비밀유지(confidentiality)는 수용도와 반응성을 높일 수

    있다.</strong>  소프트웨어 자유

지지자들은 당연히 비밀유지 협약을 불신하며 공개 논의를 선호한다. 하지만

컴플라이언스 작업에서는 개인적인 논의를 시작하고 지속시키는 것이 선의를

드러내고 공개적 보복의 두려움 없이 컴플라이언스를 설파하며 고의가 아닌

실수(honest mistake)를 바로잡을 기회를 제공한다. 공개 비난으로 시작된

컴플라이언스 조치는 많은 시간과 비용이 소요되는 법적 소송으로 끝날 가능성이

매우 크고, 컴플라이언스 실행이라는 주목적을 실현할 가능성이 작다. 따라서

집행자는 그리 내키지는 않더라도 기밀유지를 합의 조건으로 제안해야 한다. 만약,

해당 기업이 선의의 기밀유지 제안을 무대책(inaction)과

무반응(unresponsiveness)을 은폐하기 위한 수단으로 오용하는 것이 분명해진 경우,

충분한 경고 후, 해당 문제를 공론화할 수 있다.</li>

<li><strong>

커뮤니티 중심의 시행이 재정적 이익을 우선시해서는 안 된다.</strong> 분별력 있는 벌금의

활용은 컴플라이언스를 달성하기 위한 하나의 적법한 수단이 될 수 있다. 위반에

대한 유일한 처벌이 원래 규정을 준수하는 것이라면, GPL 을 읽어보지도 않고 시행

조치가 내려질 때까지 기다리는 파렴치한들이 생길지도 모른다. 카피레프트와

관련한 사회적 모델과 이에 대한 시행은 불안정하고 지속 불가능하다. 벌금이 없는

 시행 체제는 시행을 따르는 선의의 실천자보다 이를 따르지 않는 악의를 지닌

자들에게 더 유리하다. 전자의 경우 컴플라이언스에 의한 배포를 위해

최소한의(미미한 비용은 아님) 인력 활용 비용을 부담해야 하는 반면, 후자는 이에

대한 비용을 부담하지 않기 때문이다. 따라서 저작권 소유자(혹은 그들의 지정

대리인)는 건설적인 시행 조치를 동반하는 컴플라이언스 교육을 제공하는데 소요된

시간 비용에 대한 보상을 요구하는 것이 당연하다. 그럼에도 불구하고, 저작권법에

의해 허용된 모든 범위에 대한 보상을 요구하는 것은 보통 불필요한 것으로

간주되며 어떤 경우에는 그것이 카피레프트의 목적에 어긋나게 작용할 수도 있다.</li>

<li><strong>커뮤니티 중심의 컴플라이언스 노력 중 문제를 눈감아주기 위해 돈을

요청하거나 받지 않는다.</strong> 커뮤니티 중심의 시행에 있어 위반 행위를

간과하거나 확인된 컴플라이언스 문제에 대한 불완전한 해결책을 수용하는 대가로

비용을 받아서는 안 된다. 이상적으로는, 저작권 소유자들이 배포자가 과거의 위반

행위를 바로잡고 차후 컴플라이언스를 위해 공식적으로 계획을 수립하겠다는

약속(서면으로)을 받기 전까지는 어떠한 보상도 지급 받지 않아야 한다.</li>

<li><strong>커뮤니티 중심의 컴플라이언스 노력은 위반 사례에 대한 세심한 확인 작업을

시작으로 하고, 포괄적인 분석을 실시한 후에만 종료한다.</strong> 이는 어떤 기관이 GPL 을

위반했다고 비난하기 전에 관련 보고와 위반 내용을 완전히 확인해야 함을 의미한다.

그리고 나서 초기 보고에서 확인된 것과 관련 라이선스의 조항과 관련한 문제 외

컴플라이언스 문제를 파악하고 바로잡기 위해 모든 관련 소프트웨어를 살펴보아야

한다. 이는 양측의 합리적인 조치로 대화를 마무리하여 차후 부가적인 위반 사항이

발견되지 않도록 하기 위해 중요하다 (배포자들이 그들의 의무를 이해할 수 있도록

도와줄 <a href="http://gpl.guide/pristine-example">컴플라이언스 예시</a>가

  이미 마련되어 있다).</li>

<li><strong>커뮤니티 중심의 컴플라이언스 프로세스에 GPLv3 의 권한 박탈 조항의 혜택을 확대

적용 시키고, GPLv2 에 기반한 작업에도 이를 적용시켜야 한다.</strong> GPLv2 는 위반 시

모든 저작권 승인을 영구적으로 박탈시킨다. GPLv3 의 권한 박탈(termination)

조항은 최초 위반자일 경우 위법 사항을 즉시 시정 시 배포권을 자동적으로

복원시키고 선처를 요청할 저작권 소유자의 명확한 명단을 해당 위반자에게

제공한다. 권한 박탈과 관련한 GPLv3 의 협업 정신은 향후 협력과 협업에 대한

약속과 희망을 반영하고 있다. 정직한 실수에 근거한 컴플라이언스 상황에 이러한

접근방법을 적용시키는 것은 좋은 아이디어이며 위반 사례가 GPLv2 의 의거한

  작업일 경우에도 마찬가지이다.</li>

</ul>

<p>이 원칙은 엄격한 규정으로써 이를 적용하기 위함이 아니다. 컴플라이언스를

달성하기 위해서는 위반자의 상황에 대한 이해가 요구되며 이는 위반에 대한 핑계를

찾기 위함이 아니라 해당 위법자를 컴플라이언스 이행으로 이끌 수 있는 방법을

파악하기 위함이다. 카피레프트 라이선스는(라이선스 권한 박탈 그 자체는 제외)

구체적인 시행 방법을 기술하고 있지 않는데 실제 GPL 위반 상황이 매우 다양하고,

  너무 혹독한 규제가 오히려 성공을 저해하기 때문이다.</p>

<p>특히, 본 원칙 목록은 엄격한 기준 및/혹은 시행 조치 관련 “상정 및 중재

규칙” 등을 수립하지 않고 있다. 이를 위한 노력이 오히려 소프트웨어를 카피,

변형, 재배포할 수 있는 사용자 권리를 옹호하고자 하는 저작권자들의 카피레프트

라이선스를 사용 능력을 저해할 수 있다.</p>

<p>GPL 은 필요시 이러한 원칙에 의거 시행되었을 때 존경받는, 평등한 소프트웨어

공유 커뮤니티 형성을 위한 기반을 제공한다.</p>

<p></em>[ 본 문서는 <a href="https://fsf.org/licensing/enforcement-principles">FSF

    사이트</a> 에서도 확인할 수 있습니다. ]</em></p>

<p>Copyright &copy; 2015, Free Software Foundation, Inc., Software Freedom Conservancy, Inc., Bradley M. Kuhn, Allison Randal, Karen M. Sandler.

<br/>Licensed under the <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0">Creative Commons Attribution-ShareAlike 4.0 International License</a>.

<br/>에 의거

허가됨. 해당 라이선스의 제 3 조제(a)항제(1)호제(A)목제(i)단 및

제 3 조제(a)항제(1)호제(A)목제(v)단에 의거하여 본 문서의 저작권자는 본 문서의

<a href="https://fsf.org/licensing/enforcement-principles">[2]</a>)

유지되기를 요청하는 바입니다.<br/>

이 번역자료는 한국저작권위원회(www.copyright.or.kr)의 지원으로 번역, 배포 되었습니다.<br/>

This content has been translated and distributed by <a href="http://www.copyright.or.kr">Korean Copyright Commission</a>.</p>

{% endblock %}

{% extends "base_compliance.html" %}

{% block subtitle %}Copyleft Compliance Projects - {% endblock %}

{% block submenuselection %}VMwareLawsuitAppeal{% endblock %}

{% block content %}

<h2>The time has come to stand up for the GPL.</h2>

<p><em>In March 2015, Conservancy <a href="/news/2015/mar/05/vmware-lawsuit/">announced Christoph Hellwig's

    lawsuit against VMware in Germany</a>.  In July 2016,

    we <a href="/news/2016/aug/09/vmware-appeal/">announced that Christoph

    would appeal the lower court's ruling</a>.</p>

    Support Conservancy's and Christoph's efforts in this area

    by <a href="https://sfconservancy.org/supporter/">becoming a Conservancy

    supporter</a> or <a href="#donate-box" class="donate-now">donating via

    the link on the right</a>.</em></p>

<p>We were told to ask nicely and repeatedly, so we did.</p>

<p>We asked allies to help us make contact in friendly and professional

  ways.</p>

<p>Everyone asked us to give companies as many chances as possible and as

  much help as possible to comply with copyleft, so we did.</p>

<p>We've worked for years to help VMware comply with the GPL, but they

refuse. Negotiations broke down for the last time when they insisted on an 

NDA just to discuss settlement terms!</p>

<p>Christoph is among the most active developers of Linux.  As of Feburary 

19, 2015, Christoph has contributed 279,653 lines of code to the Linux kernel, 

and ranks 20th among the 1,340 developers involved in the latest 3.19 kernel 

release.  Christoph also

ranks 4th among those who have reviewed third-party source code, tirelessly

corrected and commented on other developers' contributions.  Christoph

licenses his code to the public under the terms of the GPL for practical and

ideological reasons.  VMware, a company with net revenue of over $1 billion

and over 14,000 employees, ignored Christoph's choice.  They took Christoph's

code from Linux and modified it to work with their own kernel without releasing

source code of the resulting complete work.  This is precisely the kind of

activity Christoph and other kernel developers seek to prevent by choosing

the GPL.  The GPL was written to prevent this specific scenario!</p>

<h3>This is a matter of principle.</h3>

<p>Free and open source software is everywhere and in everything; yet our

  software freedom is constantly eroded.</p>

<p>We want companies to incorporate our software into new products, but there

are a few simple rules.  Copylefted free software is so prevalent because

there's no way a company can compete without using a significant amount of

free software to bring products to market in reasonable time. They get so

much benefit from our work.  Allowing the whole community to review, use,

improve and work with the code seems very little to ask in return.  Copyleft

also ensures competitors cannot undercut those who contribute.  Without active enforcement, the GPL is

effectively no different from a non-copyleft license.</p>

<p>What point is there for companies to make sure that they're compliant if

there are no consequences when the GPL is violated? Many will continue to

ignore the rules without enforcement.  We know that there are so many

companies that willingly comply and embrace GPL as part of their business.

Some are temporarily out of compliance and need to be brought up to speed,

but willingly comply once they realize there is an issue.  Sadly, VMware sits

in the rare but infamous class of perpetually non-compliant companies. VMware

has been aware of their noncompliance for years but actively refuses to do

the right thing.  Help us do right by those who take the code in the spirit

it was given and comply with copyleft, and stop those don't.</p>

<p>We know that copyleft isn't a favorite licensing strategy for some in our

community.  Even so, this case will help bring clarity on the question of

combined and derivative works, and is essential to the future of all software

freedom.  This case deserves support from copyleft and non-copyleft free

software communities alike.</p>

<h3>Show you care</h3>

<p>Bad actors have become complacent because they think you don't care.  A

  strong show of public support for Conservancy and Christoph's position will

  help our legal case and demonstrate the interpretive context for it.

  Please <a href="#donate-box" class="donate-now">donate</a> to our campaign to enforce the GPL.  Help Conservancy

  increase its number of individual donors, so we have clear evidence to show

  bad actors that the GPL matters to the individuals in our community.

  After you <a href="#donate-box" class="donate-now">donate</a>, go and tell the world: &ldquo;Play by the rules, @VMware. I defend the #GPL with Christoph &amp; @Conservancy. #DTRTvmware  Help at https://sfconservancy.org/supporter/ &rdquo; on your blog or microblog.

  </p>

<h3>Isn't the combined works and/or derivative works question a legal grey area?</h3>

<p>We don't think so, but this case will let the court to decide that question.

Either way, it's beneficial to our entire community to find out what the

information</a>.)</p>

<p>Help us pay for this expensive lawsuit and to generally defend software

  freedom and the GPL.  Help us show the world that copyleft matters.  We are excited 

  to announce that we already reached an anonymous match for this campaign, where every dollar donated 

  was matched up to $50,000. However, that $100,000 is just an initial step

  and there is so much GPL enforcement work to do.  So, please

  donate now: by becoming <a href="/supporter/">a Conservancy Supporter</a> or

  via <a href="#donate-box" class="donate-now">donate link on the right</a>.</p>

<h3>Want To Know More?</h3>

<p>Watch the video below of Conservancy Executive Director, Karen Sandler,

  <a href="/news/2015/mar/31/libreplanet/">delivering a keynote on this topic

  at

    LibrePlanet 2015</a>:</p>

<p>

 <video controls

         preload="auto" class="video-js vjs-default-skin"

         data-setup='{"height": 276,

                      "width": 640 }'>

    <source src="https://media.libreplanet.org/mgoblin_media/media_entries/113/karen-sandler-keynote-2015.medium.webm"

              type="video/webm; codecs="vp8, vorbis""

             />

 </video>

</p>

    the lawsuit</a>.</p>

{% endblock %}

{% extends "base_compliance.html" %}

{% block subtitle %}Copyleft Compliance Projects - {% endblock %}

{% block submenuselection %}VMwareLawsuitFAQ{% endblock %}

{% block content %}

<h1>Frequently Asked Questions about Christoph Hellwig's VMware Lawsuit</h1>

<p>Conservancy maintains this

  <abbr title="Frequently Asked Questions">FAQ</abbr> list regarding

  <a href="/news/2015/mar/05/vmware-lawsuit/">Christoph Hellwig's lawsuit against VMware

  in Germany over alleged GPL violations on Linux</a> as a service to the

  Free Software community, and in particular, the copyleft community.  Conservancy

  realizes this lawsuit generates many questions and interest

  from the community.  Legal counsel (both Conservancy's own, and

  Christoph's lawyer, Till Jaeger) correctly advise us to limit our public

  comments regarding specific details of the case while litigation remains

  pending in court.  Nevertheless, Conservancy, as a

  non-profit charity serving the public good, seeks to be as transparent as

  possible.  If you have additional questions you'd like to see answered

  here, please <a href="mailto:info@sfconservancy.org">email

  &lt;info@sfconservancy.org&gt;</a>, but understand that we may often need

  to answer: <q>We cannot comment on this while litigation is pending</q>.</p>

<dl>

  <dt>Who is the Plaintiff in the lawsuit?</dt>

  <dd>Christoph is one of most active developers of the Linux kernel. He has

   contributed 279,653 lines of code to the latest Linux 3.19 kernel, and

   thus ranks 20th among the 1,340 developers involved in that release.

   Christoph also ranks 4th among those who have reviewed third-party source

   code, and he has tirelessly corrected and commented on other developers'

   contributions.</dd>

  <dt id="court-documents">Are the court documents released?</dt>

  <dd>Not currently.  Court proceedings are not public by default in Germany

  (unlike in the USA).  Conservancy will continue to update this FAQ with

  information that Conservancy knows about the case.  We would all also

  welcome an agreement with VMware whereby both sides would agree to publish

  all Court documents.  Unfortunately, VMware has explicitly asked for the

  filings not to be published.   Accordingly, Conservancy itself has not

  even been able to review VMware's statement of defense nor Christoph's

  response to that statement of defense.</dd>

  <dt id="funding">Who's funding this lawsuit?</dt>

  <dd>Conservancy has engaged in a grant agreement with Christoph Hellwig for

  the purposes of pursuing this specific legal action in Germany.

  Conservancy is funding this legal action specifically as part of

  Conservancy's program activity in

  Project for Linux Developers</a>.</dd>

  <dt id="combined-and-derivative-works">Is this the Great Test Case of Combined / Derivative Works?</dt>

  <dd>This case is specifically regarding a combined work that VMware

  allegedly created by combining their own code (“vmkernel”) with

  portions of Linux's code, which was licensed only under GPLv2.  As such,

  this, to our knowledge, marks the first time an enforcement case is

  exclusively focused on this type of legal question relating to GPL.

  However, there are so many different ways to make combined and/or

  derivative works that are covered by GPL that no single case could possibly

  include all such issues. </dd>

  <dt id="why-lawsuit">Why must you file a lawsuit?  Isn't there any other way to convince

    VMware to comply with GPL?</dt>

  <dd><p>Neither Conservancy nor Christoph takes this action lightly nor without

  exhausting every other possible alternative first.  This lawsuit is the

    outgrowth of years of effort to convince VMware to comply with GPL.</p>

    <p>In October 2011, Conservancy received a GPL violation report on

  BusyBox for VMware's ESXi products.  Conservancy opened the matter in its

  usual, friendly, and non-confrontational way.  Nevertheless, VMware

  immediately referred Conservancy to VMware's outside legal counsel in the

  USA, and Conservancy negotiated with VMware's legal counsel throughout

  late 2011, 2012 and 2013.  We exchanged and reviewed

  <a title="Complete, Corresponding Source" href="https://copyleft.org/guide/comprehensive-gpl-guidech6.html#x9-470005.2.1">CCS</a> candidates, and

  admittedly, VMware made substantial and good efforts toward compliance on

  BusyBox.  However, VMware still refused to fix a few minor and one major

  compliance problem that we discovered during the process.  Namely, there

  was a major violation regarding Linux itself that ultimately became

  Christoph's key complaint in this lawsuit.</p>

 <p>Meanwhile, when Conservancy realized in late 2012 there might be a major

 Linux violation still present in VMware's ESXi products, Conservancy

 representatives sought every industry contact we had for assistance,

 including those from trade associations, companies (both competitors and

 collaborators with VMware), and everyone else we could think of who might be

 able to help us proceed with friendly negotiations that would achieve

 compliance.  While we cannot name publicly the people we asked for help

 to convince VMware to comply, they include some of the most notable

 executives, diplomats, and engineering managers in the Linux community.  No

 one was able to assist Conservancy in convincing VMware to comply with the

 GPL.  Then, in early 2014, VMware's outside legal counsel in the USA finally

 took a clear and hard line with Conservancy stating that they would not

 comply with the GPL on Linux and argued (in our view, incorrectly) that they

 were already in compliance.</p>

 <p>Conservancy in parallel informed Christoph fully of the details of the

   Linux violation on Christoph's copyrights, and based on Conservancy's

   findings, Christoph began his own investigation and confirmed

   Conservancy's compliance conclusions.  Christoph then began his own

   enforcement effort with legal representation from Till Jaeger.  Christoph has

   been unable to achieve compliance, either, through his negotiations in

   2014.  VMware's last offer was a proposal for a settlement agreement that VMware would

   only provide if Christoph signed an NDA, and Christoph chose (quite

   reasonably) not to sign an NDA merely to look at the settlement offer.</p>

 <p>Thus, this lawsuit comes after years of negotiations by Conservancy to

 achieve compliance — negotiations that ended in an outright refusal by

 VMware's lawyers to comply.  Those events were then followed by a year of

   work by Christoph and Till to achieve compliance in a separate action.</p>

 <p>Simply put, Conservancy and Christoph fully exhausted every possible

 non-litigation strategy and tactic to convince VMware to do the right thing

 before filing this litigation.</p>

  </dd>    

  <dt>What are VMware's primary defenses for their alleged copyright

    infringement?</dt>

  <dd>With the guidance of counsel, Christoph was able to provide Conservancy

  with a high-level summary of VMware's statement of defense, which we share

  in this FAQ.  Specifically, VMware's statement of defense primarily focuses

  on two issues.  First, VMware questions Christoph's copyright interest in

  the Linux kernel and his right to bring this action.  Second, VMware claims

  vmklinux is an “interoperability module” which communicates

  through a stable interface called VMK API.</dd>

  <dt>How did Christoph respond to VMware's statement of defense?</dt>

  <dd>Christoph's response discusses his extensive contributions to the Linux

  kernel and disputes the technical merits of VMware's assertions. The

  response points out that vmklinux is <strong>not</strong> an

  interoperability module, but rather an arbitrary separation of the Linux

  derived module from vmkernel.   Specifically, vmklinux is nonfunctional

  with any non-ESX OS, and vmklinux is tied intimately to a specific version

  of ESXi.  Vmklinux does not allow reuse of unmodified Linux drivers in

  binary or source form.  Christoph further points out that if the Court

  allows proprietarization of an arbitrary split portion of GPL'd computer

  programs, it could allow redistributors to trivially bypass the strong

  copyleft terms found in the GPL.  Finally, the response explains that

  vmkernel and vmklinux don't “communicate over an interface”,

  rather they run in the same process as a single computer program.  Thus,

  VMK API, as used by vmklinux, is not an “interface” as set

  forth in

  the <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32009L0024&from=EN">EU

      Directive 2009/24/EC</a>.</dd>

  <dt id="tech">Can you explain further how VMware incorporated code from Linux into

  their kernel?</dt>

  <dd>

  <p id="diagram">

    Conservancy prepared this diagram to show the technical situation as we

    understand it.  The diagram compares the technical architecture of a full,

    running Linux kernel with a full, running VMware kernel:

    <p>

    </p>

    <p>If you want to download the diagram, it's available

    (German)</a>.</p>

  </dd>

  <dt>Can you explain further in words (rather than a picture) about the central

  component in ESXi that the lawsuit alleges violates the GPL?</dt>

<dd>

    <p>The GPL violation at issue involves VMware's ESXi product.

    Conservancy independently reviewed ESXi 5.5 and its incomplete

      <abbr title="complete, corresponding source">CCS</abbr>

    release as part of our GPL enforcement efforts described above.</p>

    <p>Conservancy's preliminary investigation indicated that the operating

    system kernel of VMware ESXi product consists of three key components:

        <ul>

          <li> the proprietary component &ldquo;vmkernel&rdquo;, which is

            released in binary form only,</li>

            <li>the kernel module &ldquo;vmklinux&rdquo;, which contains modified Linux

Code, and for which (at least some) source code is provided.

            <li>other kernel modules with device drivers, most of which are

            modified Linux drivers, and for which (at least some) source code

              is provided.</li>

        </ul>

    <p>Conservancy examined the incomplete CCS alongside the

           binary “vmkernel” component.  Such examination indicates that functions

           in “vmkernel” do make function calls to Linux's kernel code

      in the usual way for a single program written in C.</p></dd>

    <dt>Doesn't VMware's &ldquo;shim layer&rdquo; insulate them from GPL

    obligations and allow them to keep certain code in their kernel

    proprietary?</dt>

    <dd>

    <p>Many in the media have talked about the possibility that VMware might

    use some so-called “shim layer” between Linux code and

    VMware's proprietary code.  While, for decades, there has been much talk of

    various mechanisms of GPL obligation avoidance, Conservancy believes that

    merely modifying technical details of a combination's construction

    does not typically influence the legal analysis in a combined or

    derivative work scenario.</p>

    <p>Furthermore, the technical details of VMware's alleged GPL violation

    do not even mirror the typical scenarios that have usually been called

    “shim layers”.  Conservancy's analysis of VMware's ESXi

    product, in fact, indicates that VMware rather flagrantly combined Linux

    code in their own kernel, and evidence seems to indicate the work as a

    whole was developed by modifying Linux code in tandem with

    modifications to &ldquo;vmkernel&rdquo; in a tightly coupled manner.</p>

    </dd>

   <dt id="shim-meaningless">Is Conservancy proposing a &ldquo;shim

      layer&rdquo; as a viable solution for GPL compliance?</dt>

    <dd>No, in fact, as we say above, Conservancy doesn't think the phrase

        “shim layer” has any meaning, despite regular use of that

        phrase in the media.  Conservancy generally doubts there is any

        technological manipulation that changes the outcome of a

        combined/derivative work analysis.</dd>

    <dt id="example">Can you give a <em>specific</em> example, with code, showing how

    VMware combined Linux source code with their binary-only components?</dt>

     <dd><p>There are numerous examples available that show this.  The

       details of alleged infringement specifically relating to Hellwig's

       contributions to Linux are of course the main matter of the

       allegations in the litigation, and Conservancy

       released <a href="#diagram">the diagram above</a> to exemplify that

       issue.  Conservancy continues to <a href="#court-documents">hope VMware will

       agree to make public all court documents</a> as a matter of public

       good, since the court documents discuss the specifics of alleged

         infringement on Hellwig's copyrights.</p>

       <p>However, Conservancy examined VMware's ESXi 5.5 product in detail

       even before Hellwig's enforcement action began.  Below is one example

       among many where VMware's CCS was incomplete per GPLv2§2(c) and

       GPLv2§3(a).  (One can verify these results by

       <a href="#verify">downloading and installing the binary and source

       packages for VMware's ESXi 5.5 Update 2</a>.)  Note that this

       example below is not necessarily regarding

       Hellwig's copyrights; VMware incorporated Linux code copyrighted by

       many others as well into their kernel.</p>

       <h3>Example of &ldquo;vmkernel&rdquo;'s combination with Linux code</h3>

       <p>Our example begins with examination of the file

           called <code>vmkdrivers/src_92/vmklinux_92/vmware/linux_pci.c</code>,

           which can be found in the “Open Source” release for

           ESXi 5.5.0 Update 2 (5.5U2).  A small excerpt from that file, found in the

           function <code>LinuxPCIDeviceRemoved()</code>, reads as follows:</p>

<pre>

#include <linux/pci.h>

[...]

/*

 * This function [...] is modelled after pci_remove_device, the function which would

 * be called in a linux system.

 */

static void

LinuxPCIDeviceRemoved(vmk_PCIDevice vmkDev)

{

   LinuxPCIDevExt *pciDevExt;

   struct pci_dev *linuxDev;

[...]

  if (unlikely(

    vmk_PCIGetDeviceName(vmkDev, vmkDevName, sizeof(vmkDevName)-1) != VMK_OK))

  {

      vmkDevName[0] = 0;

  }

[...]

VMKAPI_MODULE_CALL_VOID(pciDevExt->moduleID,

                        linuxDev->driver->remove,

                        linuxDev);

</pre>        

<h4>Combination of &ldquo;vmkernel&rdquo; code with &ldquo;vmkdrivers&rdquo;</h4>

<p>The function, <code>vmk_PCIGetDeviceName()</code> must be defined, with an

      implementation, for this code above to work, or even compile.

      Inside <code>BLD/build/HEADERS/vmkapi-current-all-public/vmkernel64/release/device/vmkapi_pci_incompat.h</code>,

      found in the <code>vmkdrivers</code> package of ESXi 5.5U2, shows a

      function header definition for <code>vmk_PCIGetDeviceName()</code>.

      However, the source of its implementation is not provided there or

      anywhere in the source release.</p>

<p>Further evidence that the implementation of this function occurs elsewhere

  can by found by running <code>objdump -x</code> on the un-vmtar'ed

  <code>vmklinux_9</code> module.  Note the following output in the &ldquo;SYMBOL

  TABLE&rdquo; section:</p>

<pre>

       &mdash; namely the code derived from <code>tg3.c</code>

       and <code>pci.h</code>.  Thus, the single running binary may be

       distributed in binary form only under permissions provided under GPLv2

       — in

       particular <a href="https://gnu.org/licenses/gpl-2.0.html#section2">GPLv2&sect;2</a>

       and <a href="https://gnu.org/licenses/gpl-2.0.html#section3">GPLv2&sect;3</a>.</li>

      <li>GPLv2&sect;3(a&ndash;b) requires that <q>complete corresponding

          machine-readable source code</q> must accompany binary

          distributions such as these.  GPLv2§3 further states

          that <q>for an executable work, complete source code means all the

          source code for all modules it contains</q>.</li>

      <li>The binary work in question contains modules from <code>k.b00</code>,

        <code>vmlinux_9</code> and <code>tg3</code>.</li>

      <li>VMware did not provide source code for any modules found in

        <code>k.b00</code>.</li>

      <li>Therefore, VMware failed to comply with the GPLv2, as such

      compliance requires source code (or an offer therefor) for the material

        in <code>k.b00</code>.</li>

    </ul>

<p>The above is but one piece of evidence among many, but hopefully it helps

  to explain some of the “combined work” violations found in