BusyBox settles another lawsuit

> Rob, Erik, this is really really scary.

I'm not speaking for Erik, nor for the SFLC either.  Never said I was.

I'm saying that a lot of people go into "deer caught in headlights" mode 
when the subject of GPLv2 compliance comes up because they think the 
source code being publicly available is sufficient, when they haven't 
identified it specifically enough for us to have a clue what they used 
(nor have they even _checked_ to see if their developers modified it).

If you understand a developer's motivations for approaching you, it's 
easier to satisfy them.  The core of GPLv2 is "show me the code".  How you 
go about this is details.

> You guys talk enforcement but seem intent on shooting yourselves in the
> foot.

*shrug*  Once you actually wind up in court, the full requirements of 
GPLv2 get enforced, including little details like clause 3c only applying 
to non-commercial distribution.  I'm talking about staying _out_ of court.  
My previous message is really about how far a small developer like the one 
who started this thread can usually stretch 3c before it breaks.

Many people just assume "the source is already on the web, that means I'm 
covered", which isn't quite sufficient and there are _reasons_ it isn't 
sufficient, which I attempted to explain.

> When starting the uClinux project where a lot of these things
> (uClibc etc) came from I did so so that people could benefit, not be
> afraid of what they need to do because of license uncertainty!

Obviously a full reading of the GPLv2 can tell you more about how to 
comply with that license than I can, and thus you're free to ignore 
anything I have to say about it.  Although who said "medium customarily 
used for software interchange" (a phrase from section 3a which predates 
the escape of web servers from CERN) does _not_ include "base tarball plus 
patch file"?  Isn't that what you customarily find in source RPMs?

Technically, GPLv2 probably still allows you to mail out a 9 track tape 
containing the source (since that's what was customarily used when the 
license was drafted in 1991, and what the FSF itself did for many years).  
Certainly you could charge people $5 to burn a CD and mail it to them 
under section 3b.  Heck, materials plus postage plus amortized 
depreciation on your equipment plus 15 minutes at your hourly consulting 
rate, you can probably get away with charging $50 or more.  Thus your 
written offer could include "mail a check to this address" as a 
precondition, and GPLv2 explicitly allows it.

Do you see any text in the license that _requires_ you to put up a web 
mirror?

Yes, I have actually thought about this before.  There are ways to not 
play nice while complying with the letter of GPLv2, and there are ways to 
not play nice while trying to enforce GPLv2.  I prefer to play nice.

> Threatening "SFLC will sue [if you don't]" but posting misunderstandings
> like above is exactly the opposite of what is needed here.

I'm not threatening anything.  (License complaints go straight to the SFLC 
these days via gpl@busybox.net.  I don't even see 'em until after the SFLC 
has investigated the issue, contacted the company, and already decided 
they're unable to resolve it out of court.  Thus I don't see most of 'em, 
which _are_ dealt with out of court, and if somebody does contact me 
directly I forward them to the laywers.  The exception is when I volunteer 
to analyze the resulting code they get to confirm that it's complete and 
corresponding, of which I have a half dozen backlogged that I haven't had 
time to look at properly yet.)

All I'm pointing out is that if you haven't identified a specific version, 
and identified your changes against that version (including explicitly 
stating "there were no changes" if that is indeed the case) sufficiently 
for us to reproduce what you did, then there's no way any GPLv2 project's 
developers can really be satisfied with your license compliance.  Not even 
under section 3c.  And that this is what motivates copyright holders (or 
their designated representatives) to take enforcement action in the first 
place.

No, I didn't go into "what constitutes complete and corresponding source 
code" and whether that includes your config files (which is a case by case 
judgement call as far as I'm concerned).

I'm also aware that the FSF browbeat Mepis (a tiny garage operation) into 
buying a high bandwidth web mirror for packages that were already in the 
Ubuntu repository, despite Mepis having partnered with Ubuntu (with a 
press release quoting Mark Shuttleworth and everything).  How Mepis can 
delegate an ISP to mirror the packages for them when they couldn't 
delegate Ubuntu to do it, I have no idea.  (What really seems to have 
happend is that Mepis didn't have the time/energy/expertise/money to 
defend itself in court when the FSF came trolling, but then I wasn't a 
party to any of that so I don't really know.  And I'll concede that a real 
troll could probably do a sco-style lawsuit and keep things tied up in 
court for a while as long as they had money to pay lawyers, but that's not 
specific to any particular license, and the FSF itself doesn't seem to 
care about GPLv2 anymore now that v3 is out.)

Is that what you wanted me to tell a developer who's already publishing a 
public SVN repository before we even _asked_?  "Be afraid of frivolous 
lawsuits, despite your existing show of good faith?"  Or maybe "beware the 
FSF trying to make an example of you?"  "Here's every fiddly corner case 
of copyright law that you may ever have to worry about if you ever use 
anybody else's code?"

Doesn't seem useful in this context.  "Here's how you can avoid motivating 
most developers to take action against you."  That seemed useful.