Though Harald Welte's contributions to the free software community are
many, the work he is best known for may well be the gpl-violations.org
pursuing those who ship his code (and that of others he represents) without
complying with the source requirements of the GPL, Harald has secured the
release of much code into the community, established a precedent upholding
the GPL in German court, and greatly increased the respect many companies
have for the GPL. Thanks to Harald, the GPL has some teeth.
Back in February, Harald complained that
the number of non-compliant products on the market was exploding, and that
he did not have the time to deal with them all. He suggested that the
time was right to incorporate gpl-violations.org into a nonprofit
organization which could pursue violators while allowing Harald to get back
to hacking. Those plans are moving forward, with the possibility that this
new organization could be created by August, and operating by the end of
the year. We were recently able to talk with Harald about this effort; so,
without further ado...
LWN: How many GPL violations have you found over the last year? How
many of those have been brought to some sort of resolution?
There were 158 reports during the last 12 months, of which about 100
were real violations, about 50 have been addressed, and 40 of them
resolved, others are still going on.
The difference between 'reported real violations' and 'addressed
violations' is due to:
- lack of time
- bad enforcement prospect due to difficult jurisdiction and no sale
in EU countries
Up to today, since the project was started, there was not a single
legally unsuccessful enforcement. By legally unsuccessful I want to
say that legally those formerly infringing companies are now clear.
However, a small number (about 3) have decided to withdraw the product
from the market rather than releasing source code. So those cases,
while legally successful, haven't been successful with regard to the
ideas of Free Software.
You seem to be unique in carrying out this effort. Do you know of
others who have been digging out GPL violations (in the kernel or
There are two 'others' that I'm aware of: The FSF in the US, where
David Turner from the FSF compliance lab is enforcing the GPL
(out-of-court) for software that the FSF holds copyright.
The other one is MySQL, which only enforces the GPL on their DB
software in order to motivate people to buy alternative licenses. It
still is GPL enforcement, though ;)
The FSF has a "GPL Compliance Lab" which only rarely draws attention
to itself. Rather than incorporating a separate nonprofit, might
there be an advantage in folding this effort into the work the FSF
does? Why, or why not?
There are a number of reasons. First, the FSF only enforces (and can
only enforce) the GPL on software which they hold copyright on. So
joining efforts with the FSF GPL Compliance Lab would also mean that
I (and other copyright holders that I represent) would have to transfer
their rights to the FSF.
Secondly, the FSF has a quite different enforcement strategy. They are
doing enforcement in a "softer" way, meaning that they don't pull as
many legal strings as gpl-violations.org does. This difference is
partly due to a difference in the US / German legal system and legal
culture, but also intentional. My whole reason for starting
gpl-violations.org was that I think a different strategy is more helpful
in the end, since publicizing GPL violations will actually prevent new
Third, the FSF is based in the US, whereas gpl-violations.org is based
in Germany. There are many legal differences in copyright law, and also
many differences in the kind of companies we can take action against in
our local jurisdiction.
Having said that, I can assure you that there is a very friendly
cooperation between the FSF GPL Compliance Lab and gpl-violations.org.
We're passing on cases between each other, sometimes get active
independently in the same violation and share information, etc.
Would you be seeking funding to get this operation off the ground?
What sort of individual or company, do you think, might be interested
in funding this effort?
Obviously some initial funding would help to get moving more quickly.
However, I don't think it will be required for making it work.
As for your second question, I think a lot of individuals, both
developers and users within the Free Software community, are very
sympathetic to what gpl-violations.org does. I think some of them were
willing to show their support by donating. However, I've discouraged
them from doing it so far, since they would basically donate 'to me',
and I would have to treat it like regular income, i.e. pay taxes on it,
etc. Also, since there is no separate legal entity yet, there is no
public accountability, i.e. you cannot audit the books, verify that your
donation has only been spent in "the right way", etc.
As for companies, there also are companies supporting the work we do at
the project. I'm not sure whether I would be able to name them here,
but let's say companies who do oblige to the GPL and take it seriously,
and who think their competitors are gaining an illegal competitive
advantage by using GPL licensed software but not following the GPL.
Would you anticipate this effort being self-funding in the long term?
Yes, not only in the long-term. Looking at the rate of new violations
that we now have consistently for a number of years in the embedded
market, it should very much be possible to make it self-funding.
gpl-violations.org has been able to obtain various donations to
charitable organizations such as EDRi, FoeBuD, CCC, FSF Europe, Bridge
Foundation, ... during enforcement. Those donations are usually part of
a settlement that allows the respective vendor to sell already-produced
products (without a GPL license text or written offer) during a grace
So the idea is to redirect those donations (or at least part of it) to
the newly established gpl-violations.org organization. This way we can
hire somebody to take care of the administrative and paper work.
If that kind of self-funding stops for some time, then apparently we
don't have as many GPL violations anymore, and the purpose of
gpl-violations.org does no longer exist. That's the ideal case, and we
can suspend or even dissolve the organization :)
What do you think are the prospects of expanding the GPL compliance
work beyond Germany?
We're actually doing GPL enforcement outside Germany already. We have
been able to obtain declarations to cease and desist from a number of
formerly-violating companies in Taiwan and Korea, for example.
To the casual observer, it looks like the rate of GPL violations is
not decreasing - if anything, the opposite is happening. So far, the
community has been quite accommodating to those who violate the GPL,
being (for the most part) satisfied if the company involved brings
itself into compliance. Might it be that the risk involved with
violating the GPL is simply not high enough to deter people? Should
the community start seeking damages against GPL violators?
The absolute rate is definitely increasing. But you have to set this
in relation with the overall massive growth of the Linux embedded
market. I don't have any figures on this (and I doubt anyone can have
good figures), but I think that the percentage of Linux-using embedded
devices that ship out of compliance is decreasing, or at most: steady.
There are people suggesting that the penalty should be higher, and we
should seek damages. I think for 95% of all cases this would be the
wrong decision. The vast majority of GPL violations happens because
some Taiwanese or Korean OEM/ODM does something (sometimes even in clear
violation with the contract to their customer!) that the Vendor that
we're approaching isn't really aware of.
Also, most of the companies who once had a GPL problem actually have a
good record ever since. Yes, there are occasional "problem companies",
such as D-Link or Sitecom. But in general, I have the feeling they take
gpl-violations.org quite seriously.
If we start asking for huge amounts of damages and try to raise the bar,
then we will frighten vendors from using/buying embedded Linux at all.
I am definitely not in favor of Linux adoption without GPL compliance.
But we have to carefully draw the line between legally indicating that
we don't accept GPL compliance, and on the other hand not frightening
people who fear to make a mistake at some time from using Linux / GPL
licensed software at all.
Also, when you ask for (and actually get) damages, you have the problem
of what to do with it. Distributing it between all the authors is
virtually impossible, because in most cases the transaction fees will be
higher than whatever the individual developer will get. Donating it to
some organization? To which? Who decides on that? ...
As a summary: I think for now, gpl-violations.org draws that line at a
reasonable position. In the mid-term future that might be different,
and for individual cases I might share the view that higher penalties
are justified. But not in general.
Anything else you think a clueless LWN writer should know about this
What is most interesting about having some organization backing this
project, is that we can actually do "more interesting" legal action than
I can do now. So far, we've only enforced very clear cases, from a legal
point of view. Until now, gpl-violations.org has not helped to
produce any legal precedents on important questions such as derivative
works or binary-only kernel modules. However, after funding the
organization later this year, and thus the legal risk landing on that
organization rather than me personally, I could very much imagine that
we would look into getting some court decisions on that area, too. So
stay tuned, there is probably an exciting time ahead in the next couple
of years ;)
I would like to thank Armijn Hemel who is basically doing almost as much
work in gpl-violations.org than me these days, and I would like to thank
JBB Rechtsaenwaelte, the Law firm that has so far helped us win all the
cases we did :)
So do you anticipate taking an action based specifically on binary-only
I'm not planning anything concretely. But I expect sooner or later we
will face such an issue. And I think that matter needs clarification -
whether or not we (as in the Free Software enthusiasts) will like the
results. At least afterwards, there is some precedent either way, and a
much more clean situation for anybody doing software development in
mixed Free / proprietary environments.
Many thanks are due to Harald for taking the time to answer all of these
to post comments)