GPL

GPL compliance – Is it important?

Posted on Posted in GPL

Open Source Software Licensing Principles

GPL is one of numerous Open Source Software (OSS) licences available today. These licences generally fall into one of two categories, Permissive licences which allow the software to be reused in any project as long as obligations of the licences are met or Copyleft Licences which require derivative works of the software to be licensed on the same terms.

There are a number of Copyleft licences but the primary Copyleft licence is the GNU General Public License (GPL).  The GPL has various versions and editions such as GPLv2, GPLv3, LGP and AGPL. The aim of Copyleft licensing is to provide a framework that allows ongoing sharing of a published work with clear permissions that grant and defend its users’ freedoms. These freedoms are:

  • The freedom to run the program, for any purpose.
  • The freedom to study how the program works, and modify it.
  • The freedom to redistribute copies.
  • The freedom to distribute copies of modified versions to others.

Copyleft is a strategy to leverage copyright law to ensure these freedoms are maintained even in derivative works. Copyleft enables licensors to achieve legal protection for free sharing. So Copyleft enables licensors to defend, uphold and propagate software freedom.

Open Source Software Compliance

Open Source Software is being broadly adopted in organisations via many routes such as internally developed code (many companies are creating their own apps), reused/third party code from sites such as Github and Nuget, and outsourced code. The rate of adoption of OSS is being driven by technology benefits and business’ processes for managing business risk lags behind.

Organisations that are risk averse and/or regulated industries such as finance and health will have Open Source policies in place to manage licence compliance of Open Source Software

However many organisations particularly from a business level perspective either are oblivious to the licence compliance risks of OSS or decide the cost of managing the OSS is disproportionate to actual risk therefore deem OSS compliance management as an unnecessary or low priority investment. It is quite common to hear the statement “well who will enforce compliance”

Two organisations today that lead efforts globally to ensure compliance with the GPL family of licences, they are the Free Software Foundation (FSF) and Software Freedom Conservancy The FSF began copyleft enforcement in the 1980s, and The Software Freedom Conservancy has enforced the GPL for many of its member projects since its founding nearly a decade ago. An example case would be the suit against Cisco more details of which can be found here.

FSF holds the copyright of many GNU packages and although they can only enforce the licences on works to which they hold the copyright they can and do assist with enforcement elsewhere. In the world of proprietary software copyright holders seek monetary damages when their licence is violated for example the work undertaken by the Business Software Alliance . Whereas the goal of the Free Software Foundation is a desire for violators to become compliant and repair any harm to the free software community.

The FSF receive numerous violation reports each month via license-violation@gnu.org . The FSF Licensing Compliance Lab will the follow a process to resolve the situation:

  1. Investigate and validate a violation has happened.
  2. Inform the violating party they are in violation of the GPL and they have lost their right to distribute the software in question.
  3. Enter into a discussion to resolve the issue – Generally the issue is down to a lack of knowledge or understanding and are easily resolved.
  4. If it is not a straightforward resolution the FSF has access to legal counsel and resources from the Software Freedom Law Center.

Naturally however straightforward the issue is, having to be reactive will be disruptive, time consuming and potentially costly to an organisation.

New GPL Compliance Issues

In recent years there have been an increase in legal challenges to organisations related to GPL enforcement. One example of this is an Linux kernel developer who worked on netfilter. Patrick is going against community enforcement principles and monetising GPL compliance.

The Software Freedom Conservancy were moved to make a public statement about this work  which can be found at link…

In summary:

  • Patrick McHardy – Linux Kernel developer, IP troll
  • Seeks monetary gain
  • Estimated 50+ approaches – retailers, telcos, producers, importers

Another example is  Harald Welte announcement of an OSS Compliance Company gpl-violations.org link….

  • Enforcement of the GPL
  • European geographic focus
  • Civil charges in Germany
  • Cease and desist notices
  • Damages for lost revenue

With the increased adoption of open source software the need to manage compliance will become even more imperative and needs to be taken seriously.

 

How to manage Open Source GPL Compliance

To help guide end users, organisations, modifiers and redistributors of Open Source Software on software compliance issues and to help ensure enforcement work is undertaken in a community oriented fashion the FSF and Free Software Conservancy have issued a statement of principles which summarised below

The primary goal in GPL enforcement is to bring about GPL compliance

Copyleft’s overarching policy goal is to make respect of users’ freedoms the norm. The FSF designed the GNU GPL’s text towards this end.

Enforcement done in this spirit focuses on stopping incorrect distribution, encouraging corrected distribution, and addressing damage done to the community and users by the past violation.

Addressing past damage often includes steps to notify those who have already received the software how they can also obtain its source code, and to explain the scope of their related rights.

No other ancillary goals should supersede full compliance with the GPL and respect for users’ freedoms to copy, share, modify and redistribute the software.

Legal action is a last resort.

Most GPL violations occur by mistake, without ill will. Copyleft enforcement should assist these distributors to become helpful participants in the free software projects on which they rely.

Occasionally, violations are intentional or the result of severe negligence, and there is no duty to be empathetic in those cases. Even then, a lawsuit is a last resort; mutually agreed terms that fix (or at least cease) further distribution and address damage already done are much better than a battle in court.

Confidentiality can increase receptiveness and responsiveness

Supporters of software freedom rightly view confidentiality agreements with distrust, and prefer public discussions. However, in compliance work, initiating and continuing discussions in private demonstrates good faith, provides an opportunity to teach compliance without fear of public reprisal, and offers a chance to fix honest mistakes.

Enforcement actions that begin with public accusations are much more likely to end in costly and lengthy lawsuits, and less likely to achieve the primary goal of coming into compliance. Accordingly, enforcers should, even if reluctantly, offer confidentiality as a term of settlement.

If it becomes apparent that the company is misusing good faith confidentiality to cover inaction and unresponsiveness, the problems may be publicized, after ample warning.

Community-oriented enforcement must never prioritise financial gain

Financial penalties are a legitimate tool to achieve compliance when used judiciously. Logically, if the only penalty for violation is simply compliance with the original rules, bad actors will just wait for an enforcement action before even reading the GPL.

That social model for copyleft and its enforcement is untenable and unsustainable. An enforcement system without a financial penalty favours bad actors over good ones, since the latter bear the minimal (but non-trivial) staffing cost of compliant distribution while the former avoid it.

Copyright holders (or their designated agent) therefore are reasonable to request compensation for the cost of their time providing the compliance education that accompanies any constructive enforcement action.

Nevertheless, pursuing damages to the full extent allowed by copyright law is usually unnecessary, and can in some cases work against the purpose of copyleft.

Community-oriented compliance work does not request nor accept payment to overlook problems

Community-oriented enforcement cannot accept payments in exchange for ignoring a violation or accepting incomplete solutions to identified compliance problems.

Ideally, copyright holders should refuse any payment entirely until the distributor repairs the past violation and commits formally (in writing) to plans for future compliance.

Community-oriented compliance work starts with carefully verifying violations and finishes only after a comprehensive analysis

The implications of this are the need to fully check reports and confirming violations before accusing an entity of violating the GPL.

Then, all of the relevant software should be examined to ensure any compliance problems, beyond those identified in initial reports and those relating to any clauses of the relevant licenses, are raised and fixed.

This is important so that the dialogue ends with reasonable assurance for both sides that additional violations are not waiting to be discovered. (Good examples of compliance already exist to help distributors understand their obligations.)

Community-oriented compliance processes should extend the benefit of GPLv3-like termination, even for GPLv2-only works

GPLv2 terminates all copyright permissions at the moment of violation, and that termination is permanent.

GPLv3’s termination provision allows first-time violators automatic restoration of distribution rights when they correct the violation promptly, and gives the violator a precise list of copyright holders whose forgiveness it needs. GPLv3’s collaborative spirit regarding termination reflects a commitment to and hope for future cooperation and collaboration.

It is a good idea to follow this approach in compliance situations stemming from honest mistakes, even when the violations are on works under GPLv2.

Conclusion

Organisations should take seriously and fully understand the business risk associated with licence compliance of free and Open Source Software.

If organisations are unclear of what if any Open Source Software is in their organisation then undertake a software review. This should include in house developed software, third party developed applications and packaged applications from independent software vendors which unclear licensing and maintenance terms.

Once there is clarity of the use of Open Source Software then organisations should define an Open Source Policy which should be implemented through a combination of education and enforcement within the organisation. The ultimate goal should be a systems of continuous compliance program.

Further Reading

 

The Principles of Community-Oriented EnforcementSoftware Freedom Conservancy

Free Software Foundation Licensing & Compliance TeamFree Software Foundation

How to choose a license for your own workGNU Operating System

Checklist on how to report a Genera Public License violationGNU Operating System

Statement in support of Software Freedom Conservancy and Christoph Hellwig, General Public License enforcement lawsuitFree Software Foundation

Free Software Foundation Settles Suit Against CiscoFree Software Foundation

Originally published 20th October 2015

Update 26th May 2017

4 thoughts on “GPL compliance – Is it important?

  1. “Thanks Martin. The community I run is at http://www.limsforum.com. It focuses on LIMS (laboratory information management system) and Laboratory Informatics in general. There is a shortage of good Open Source software for this industry and I have sponsored a number of FOSS

  2. “Handy summary, thanks Martin. The other area to look at is IP clauses in cloud services provision. It may not affect decisions, but where there is a non-assert clause, then companies need to know what they are trading away.”

Leave a Reply

Your email address will not be published.