BusyBox settles another lawsuit

This should not be a problem... people can verify if your binaries are built this way from the
sources, by modifying the sources to hard code the  dates you have in your binaries... 

What Rob posted were what he cares about as a rights holder. Anyone providing the information
he asked for should be trivially able to satisfy the letter of the license if anyone actually
asked them to do so. [I'd say that anyone capable of realistically doing anything useful with
the source would also be able to satisfy her needs with that information.]

The license terms are what they are. Most rights holders seem content with one or another
thing equivalent to the license terms. Offering downloads, for instance, does not satisfy the
license, but does satisfy most rights holders [and, I imagine, most people who want the
sources.]

However, you're right that anyone shipping GPLed code needs to be aware of the actual terms,
needs to meet at least the notification requirements, and needs to be prepared to provide
source if requested.

> Rob, Erik, this is really really scary.

I'm not speaking for Erik, nor for the SFLC either.  Never said I was.

I'm saying that a lot of people go into "deer caught in headlights" mode 
when the subject of GPLv2 compliance comes up because they think the 
source code being publicly available is sufficient, when they haven't 
identified it specifically enough for us to have a clue what they used 
(nor have they even _checked_ to see if their developers modified it).

If you understand a developer's motivations for approaching you, it's 
easier to satisfy them.  The core of GPLv2 is "show me the code".  How you 
go about this is details.

> You guys talk enforcement but seem intent on shooting yourselves in the
> foot.

*shrug*  Once you actually wind up in court, the full requirements of 
GPLv2 get enforced, including little details like clause 3c only applying 
to non-commercial distribution.  I'm talking about staying _out_ of court.  
My previous message is really about how far a small developer like the one 
who started this thread can usually stretch 3c before it breaks.

Many people just assume "the source is already on the web, that means I'm 
covered", which isn't quite sufficient and there are _reasons_ it isn't 
sufficient, which I attempted to explain.

> When starting the uClinux project where a lot of these things
> (uClibc etc) came from I did so so that people could benefit, not be
> afraid of what they need to do because of license uncertainty!

Obviously a full reading of the GPLv2 can tell you more about how to 
comply with that license than I can, and thus you're free to ignore 
anything I have to say about it.  Although who said "medium customarily 
used for software interchange" (a phrase from section 3a which predates 
the escape of web servers from CERN) does _not_ include "base tarball plus 
patch file"?  Isn't that what you customarily find in source RPMs?

Technically, GPLv2 probably still allows you to mail out a 9 track tape 
containing the source (since that's what was customarily used when the 
license was drafted in 1991, and what the FSF itself did for many years).  
Certainly you could charge people $5 to burn a CD and mail it to them 
under section 3b.  Heck, materials plus postage plus amortized 
depreciation on your equipment plus 15 minutes at your hourly consulting 
rate, you can probably get away with charging $50 or more.  Thus your 
written offer could include "mail a check to this address" as a 
precondition, and GPLv2 explicitly allows it.

Do you see any text in the license that _requires_ you to put up a web 
mirror?

Yes, I have actually thought about this before.  There are ways to not 
play nice while complying with the letter of GPLv2, and there are ways to 
not play nice while trying to enforce GPLv2.  I prefer to play nice.

> Threatening "SFLC will sue [if you don't]" but posting misunderstandings
> like above is exactly the opposite of what is needed here.

I'm not threatening anything.  (License complaints go straight to the SFLC 
these days via gpl@busybox.net.  I don't even see 'em until after the SFLC 
has investigated the issue, contacted the company, and already decided 
they're unable to resolve it out of court.  Thus I don't see most of 'em, 
which _are_ dealt with out of court, and if somebody does contact me 
directly I forward them to the laywers.  The exception is when I volunteer 
to analyze the resulting code they get to confirm that it's complete and 
corresponding, of which I have a half dozen backlogged that I haven't had 
time to look at properly yet.)

All I'm pointing out is that if you haven't identified a specific version, 
and identified your changes against that version (including explicitly 
stating "there were no changes" if that is indeed the case) sufficiently 
for us to reproduce what you did, then there's no way any GPLv2 project's 
developers can really be satisfied with your license compliance.  Not even 
under section 3c.  And that this is what motivates copyright holders (or 
their designated representatives) to take enforcement action in the first 
place.

No, I didn't go into "what constitutes complete and corresponding source 
code" and whether that includes your config files (which is a case by case 
judgement call as far as I'm concerned).

I'm also aware that the FSF browbeat Mepis (a tiny garage operation) into 
buying a high bandwidth web mirror for packages that were already in the 
Ubuntu repository, despite Mepis having partnered with Ubuntu (with a 
press release quoting Mark Shuttleworth and everything).  How Mepis can 
delegate an ISP to mirror the packages for them when they couldn't 
delegate Ubuntu to do it, I have no idea.  (What really seems to have 
happend is that Mepis didn't have the time/energy/expertise/money to 
defend itself in court when the FSF came trolling, but then I wasn't a 
party to any of that so I don't really know.  And I'll concede that a real 
troll could probably do a sco-style lawsuit and keep things tied up in 
court for a while as long as they had money to pay lawyers, but that's not 
specific to any particular license, and the FSF itself doesn't seem to 
care about GPLv2 anymore now that v3 is out.)

Is that what you wanted me to tell a developer who's already publishing a 
public SVN repository before we even _asked_?  "Be afraid of frivolous 
lawsuits, despite your existing show of good faith?"  Or maybe "beware the 
FSF trying to make an example of you?"  "Here's every fiddly corner case 
of copyright law that you may ever have to worry about if you ever use 
anybody else's code?"

Doesn't seem useful in this context.  "Here's how you can avoid motivating 
most developers to take action against you."  That seemed useful.

> FWIW, I used to work for a company that used some GPL and other free software in its
product. We found the easiest way to comply was to simply build the tarballs from our CVS and
include them on the product CD. The customer thus got the version we were using, including any
mods. This, of course, assumes you're not trying to hide the fact that you're using free
software.

My employer does something similar, though we aren't in the end-user business.  Instead, we
actually ship to our customers a full source tree. One of the targets of the build system
takes all of the GPL'd components and emits a nice tarball of the exact source used to build a
binary image.

"It seems like some training in copyright should be increasingly viewed as necessary
background for professional software developers."

What they need to do is simplify copyright law so that people can get it a little better
without needing a degree in it.

Furthermore, musicians and others have the same problems. Good luck with that.

all the best,

drew
http://zotzbro.blogspot.com/