
A referendum on GPL enforcement

By Jonathan Corbet
December 2, 2015
One of the key provisions of the GNU General Public License (GPL) is that derivative products must also be released under the GPL. A great many companies rigorously follow the terms of the license, while others avoid GPL-licensed software altogether because they are unwilling to follow those terms. Some companies, though, seem to feel that the terms of the GPL do not apply to them, presenting the copyright holder with two alternatives: find a way to get those companies to change their behavior, or allow the terms of the license to be flouted. In recent times, little effort has gone into the first option; depending on the results of an ongoing fundraising campaign, that effort may drop to nearly zero. We would appear to be at a decision point with regard to how (and whether) we would like to see GPL enforcement done within our community.

When software is distributed in ways that violate the GPL, the first order of business is always to open a discussion with the person or company doing the distribution in the hope of effecting a change. Should that discussion fail, though, the only alternative may well be the court system. One has to look long and hard to find examples of the GPL being enforced through legal action, though. The Germany-based gpl-violations.org project has posted some notable successes over the years, but the project has been dormant for some time (it's worth noting, though, that the news page says that enforcement activity should restart in 2016). One hears murmurings about a specific kernel developer launching quiet suits as a revenue-generation activity, but there is no public record of — and little public support for — that work. About the only other group doing GPL enforcement is the Software Freedom Conservancy (SFC), which is based in the US.

The SFC is, of course, supporting the ongoing suit against VMware. Beyond that, the group does a fair amount of quiet enforcement activity that does not end up in court. The SFC has found itself in a tight financial position, though, as the result of a loss of corporate funding. In response, it has launched a fundraising campaign aimed at building a new financial base consisting of individual supporters. Some 750 supporters ($90,000/year) are needed to keep "basic community services" running, and 2,500 ($300,000/year) to support the GPL enforcement operation (beyond the VMware suit, which has separate funding). These are daunting amounts of money to raise, but, as anybody who has run an organization of any size knows, the SFC is not asking for a lot.

Your editor has heard people claim that the SFC's problems are self-made. The aggressive BusyBox enforcement actions of a few years back are seen by many as having scared many companies away while having brought about the release of little, if any, interesting source. The use of BusyBox as a lever to force compliance for other projects (such as the kernel) that were not a party to the action was also disturbing to some. SFC president Bradley Kuhn is not as diplomatic an interface to the organization as some might like; even others working in the GPL enforcement area have had significant disagreements with him.

Whatever the reasons may be, the simple fact is that the SFC is in a bit of a lonely position. To an extent, that loneliness may be an inherent part of a GPL enforcer's role. Without a willingness to litigate, GPL enforcement lacks teeth, but a willingness to litigate may necessarily bring with it a reputation for litigiousness.

None of that changes the fact that, for now, only the SFC seems willing to take on this lonely role. Companies have made it clear that they do not wish to take an active role in GPL enforcement; even the companies that are the most enthusiastic code contributors and the most meticulous about observing the GPL in their own activities seem unwilling to work to ensure that others do the same. Perhaps the only significant case of a company asserting the GPL was when IBM raised GPL-violation charges against the SCO Group more than ten years ago; even then, IBM had to come under significant attack itself before employing the GPL in its own defense.

For those who care about the GPL, enforcement is important. It seems safe to say that, if the GPL is not enforced, its provisions will eventually come to have no meaning. Companies that expend the (often considerable) resources to stay in compliance will be at a disadvantage relative to those that don't bother; eventually the list of companies that don't bother will surely grow. A world in which the GPL is not enforced is a world where the GPL loses its force and becomes much like the BSD license in actual effect. If ignoring the provisions of the GPL becomes the norm, we may find ourselves without an effective copyleft license for software.

Some might welcome that development; to them, the GPL is an overly complex holdover from the past that is not necessary in today's world. But it can be argued that the GPL deserves a lot of credit for the success of Linux relative to other free operating systems. Its source-release requirements helped to prevent forks and made it safe for companies to contribute in the knowledge that their competitors could not take undue advantage of their work. A world without the GPL could be a world with more fragmentation — and more proprietary software.

It seems clear that the GPL must be respected if it is to remain a viable license. That said, there may be room for people to differ on how that respect should be ensured. Those who think that the SFC is not going about things in the right way would do well to propose alternatives. There must certainly be some good ideas circulating for other ways to increase GPL compliance.

For those who do appreciate the role the SFC plays in the GPL-enforcement area, this would probably be a good time to think about how that work is funded. It seems safe to say that corporations cannot be counted on to ensure that GPL enforcement happens. The SFC has chosen not to pursue GPL-enforcement lawsuits as a revenue-generation technique, saying, probably rightly, that it would compromise the real goal: bringing companies into compliance. So it is up to the individuals who care enough about this activity to support it going forward.

As Bradley put it in this posting, the current fundraising campaign is a sort of referendum on whether the community likes the work the SFC is doing and wants it to continue. It is possible that the answer is "no," but, regardless of the outcome, this seems like a question that deserves serious consideration; the consequences of the answer, either way, could be felt for years into the future.



This Is Absurd.

Posted Dec 3, 2015 3:19 UTC (Thu) by ncm (guest, #165) [Link] (27 responses)

SFC should be able to extract more than enough revenue from violators to fund all its operations. If some corporate sponsors don't like that, let those sponsors drop support; conditional corporate support is *much* worse than useless. SFC can replace all such support with income from violators, and should.

Why should compliant people and organizations even further subsidize violators? Violators would be getting off easy paying many times SFC's current budget. SFC should go farther and offer a bounty to those license holders who lend their weight to SFC's efforts by inviting SFC's help enforcing their rights. SFC could and should provide many code authors a good living.

Maybe enforcement could be relaxed when "the Capitalist State withers away" on its own. I don't see that happening anytime soon, nor do I see any value in pretending it's imminent, or likely ever to happen. Violators are extracting huge revenues through their abuse, have no reasonable expectation to be allowed to continue it, and can easily afford both to comply and to pay continuing damages for past willful abuse.

There was a time when Free Software had a shaky position in the world, and needed all the goodwill it could muster. That time is long in the past. Today few can afford to compete without distributing Free Software because full compliance (even while paying damages, even in perpetuity) is much, much cheaper than the alternatives. Our sympathy should be reserved for the compliant, and for the authors.

There will never be any shortage of violators, or of potential revenue from violators, however many come into compliance. SFC is in a position to sponsor new development, directly subsidizing authors' choice to release their work under an enforceably copyleft license. Too many authors and maintainers suffer for their efforts to contribute, many unnecessarily.

This Is Absurd.

Posted Dec 3, 2015 6:52 UTC (Thu) by ssmith32 (subscriber, #72404) [Link] (25 responses)

IANAL, but I believe it's much easier to win a GPL case with the goal of bringing the violator into compliance (by releasing code), than it is to make the case they owe the SFC damages - I do not think that is a viable revenue model, let alone a desirable one...

This Is Absurd.

Posted Dec 3, 2015 7:29 UTC (Thu) by ncm (guest, #165) [Link] (1 responses)

Legally, the case is the same: violation is a pretty simple matter of fact -- either they complied or didn't. The difference is how easy it is to get them to settle without going to court, or how nasty they will be in fighting the case. Some judges may be confused about the notion of "damages" as if it were a contract, not a copyright case, but the law is pretty clear about penalty amounts for willful violations. In any case, the right to make somebody stop distributing their product because they have lost their license can be a pretty big stick. Letting them continue shipping after coming into compliance is a choice, not an obligation.

This Is Absurd.

Posted Dec 3, 2015 8:33 UTC (Thu) by philh (subscriber, #14797) [Link]

> Legally, the case is the same: violation is a pretty simple matter of fact

Have you noticed how "simple" the facts were to establish in e.g. the SCO case, or the current VMware case?

> but the law is pretty clear about penalty amounts for willful violations.

AFAIK "willful" is a concept that is meaningful only to US courts, where (in some cases) it is a reason to triple damages, but for that to provide any clarity one would need to have some expectation of the damages before they were to be tripled. Some courts seem to have been befuddled by the fact that Free Software does not have a per-copy fee, and so have been unable to come up with sensible damages.

It is generally considered better for all involved if violators learn to comply, as that means that their future products might continue to comply. Setting up a perverse incentive for the SFC to do a less constructive thing in order to gain income hardly seems like a good idea.

Anyway, I've already voted with my wallet ... please do likewise.

This Is Absurd.

Posted Dec 3, 2015 9:00 UTC (Thu) by mjthayer (guest, #39183) [Link] (21 responses)

Am I wrong in thinking that these cases are more often resolved (often amicably) out of court than in? Perhaps the SFC should develop its competencies in politely (for obvious reasons that requires good diplomatic skills) asking for a contribution to cover its expenses as part of that agreement. Of course, I am sure that if there is no reason why that doesn't work they will have thought of it too, so I am ready to hear about the problems.

This Is Absurd.

Posted Dec 3, 2015 9:39 UTC (Thu) by pabs (subscriber, #43278) [Link]

You are correct that the aim is to resolve out of court:

https://sfconservancy.org/copyleft-compliance/principles....

IIRC the latest FaiF explains that they do ask for expenses but don't insist if the company comes into compliance and doesn't end up paying.

http://faif.us/cast/2015/nov/24/0x57/

On reimbursement of costs for enforcement actions

Posted Dec 3, 2015 18:09 UTC (Thu) by bkuhn (subscriber, #58642) [Link] (19 responses)

We always ask politely for reimbursement of Conservancy's costs after compliance is achieved in enforcement matters. Rarely do companies pay, and if they do pay, they often pay less than our costs. The only other option to force them to pay is to refuse to permit them to distribute the copyrighted software again, even though they are in compliance. That tactic is not fitting with community principles, in our view. Karen Sandler and I have spent decades developing these competencies, BTW. It's just a very difficult thing to do, no matter how skilled one is, especially when the other side knows you're a non-profit charity with limited resources.

— Bradley M. Kuhn, Distinguished Technologist, Software Freedom Conservancy

On reimbursement of costs for enforcement actions

Posted Dec 3, 2015 21:54 UTC (Thu) by Felix (guest, #36445) [Link] (18 responses)

I'm honestly a bit baffled by that. I always believed that the infringer *of course* has to cover all costs even if you're settling out of court. Otherwise you just provide them with free legal/tech consulting. Also it should be cheaper to ship a compliant product in the first place than to violate the GPL and fix things up later.

On top I wished each infringing company would have to pay enough extra so you could fund 1-2 future cases so you can go to court if necessary (might be waived in case the infringer makes a binding promise to get their changes upstream in case of new drivers and the like). However I recognize that this might be just wishful thinking.

While I'm happy to donate for the SFC in general I'm not sure I want to keep paying for GPL enforcement forever if this can be a self-funding endeavor.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 4, 2015 2:32 UTC (Fri) by bkuhn (subscriber, #58642) [Link] (16 responses)

Replying to Felix, who noted:
> Otherwise you just provide them with free legal/tech consulting.

Frankly, that's often what we do, from our point of view. Ironically, from the violator's point of view, they are paying a lot for the whole process already, because the first thing they do (these days) is hire high-priced outside attorneys who advise them to fight us. After a GPL enforcement matter gets a year or two into the usual clock, the other side has probably paid many tens of thousands to their counsel advising them to introduce delay and refuse to even acknowledge that they were out of compliance; sunk cost fallacy likely kicks in at that point. By then, the company has paid so much money to their lawyers that they are fed up with the whole process and we're lucky to get them into compliance without a lawsuit, let alone recover our costs.

Felix noted further:

> it should be cheaper to ship a compliant product in the first place than to violate the GPL and fix things up later.

I agree that it should be true, but sadly, it's not; violators play the odds. I often point out that Conservancy is aware of hundreds and possibly thousands of GPL violations ongoing, just on Linux, at any given moment. Most products with Linux have a life cycle of 18 months or less. Violators realize that the odds are forever in their favor: for any given product, the odds that we can get to them before the product hits end of life are very low. Plus, when companies have outside vendors who are ultimately responsible for the firmware (and are the primary violator) it's more valuable to the OEM to preserve those relationships than to insist on compliance. Factor that into the (small but nontrivial) cost of complying up front, and you have a corporate decision-making recipe that always says to violate first and comply later (if we ever even have to). Few companies are committed to doing the right thing and not playing those odds. I'm glad some do, but they're rare.

You might reasonably ask why we don't go after the upstream firmware/board manufacturers directly. We rarely have enough evidence of a board-maker's violation that is sufficient for enforcement action. From the point of view of us and everyone who bought the product, the OEM is the violator, not their firmware vendor. If the OEM protects their upstream vendor at all costs (which they do, since the vendors have a lot of power in the relationship once it's in place), the OEM refuses to even say the vendor was the primary violator. We thus don't have any evidence to pursue the original violator. Not until there is a strong set of Court cases that show such violations won't be tolerated will this behavior change, IMO.

Felix finally noted, quite reasonably:
> While I'm happy to donate for [Conservancy] in general I'm not sure I want to keep paying for GPL enforcement forever if this can be a self-funding endeavor.

Conservancy chose to fund the VMware suit (and set its money aside separately — the funding for VMware is already collected and not at issue in Conservancy's current fundraiser —) as part of a careful strategic plan to maximize the value of the enforcement we can afford to do. We cannot guarantee our donors that GPL enforcement will become self-funding, but we constantly consider ways to make it so, provided that we not compromise the moral principles of GPL enforcement. Personally, I've seen too many cases where well-intentioned people got involved in enforcement and then began to value revenue over compliance — Jon Corbet made reference to one such situation in his main article. For my part, I'm constantly vigilant to ensure any time funds are involved in an enforcement settlement that we are not even close to trading failures in compliance for money. Even doing that a little bit begins the path to corruption.

This fundraising campaign is the culmination of many years of thinking and seeking a formula that generates sustainable self-funding revenue for ethical GPL enforcement. During those years, I have personally been offered high paying jobs if I'd just stop doing GPL enforcement, and some companies have offered funding to Conservancy if we'd just “remove enforcement work from [our] roster”. I suspect that many who care about the GPL but don't work regularly in the enforcement/compliance community will be flabbergasted to learn that powerful for-profit interests seek to curtail enforcement of copyleft. Given this political climate, Karen and I both feel that Conservancy needs a mandate from the public to continue this work. Jon Corbet's phrase for this, a referendum on GPL enforcement, is thus apt.

Meanwhile, I know that Karen and I sometimes may sound dismissive when people come forward with suggestions on better ways to do enforcement. It's because we've tried as many suggestions as we can that don't compromise our enforcement principles — in fact, we've tried most of them at least twice in different time periods; we've done a lot of “well, that didn't work before, but maybe things have changed and it'll work now”. Yet, the situation doesn't get any better. In fact, violation counts increase. In particular, over the last two years, we've seen a rise in companies who are what I call “savvy” violators: companies that knew about the GPL and its requirements but sought specific methods to avoid compliance. GPL violations stopped being just a series of innocent mistakes by n00bs a long time ago.

I realize that's a long winded answer to your point, Felix, but I hope it illuminates that we did not come to this decision to launch this fundraiser lightly. I realize it's frustrating to be asked for an annual donation to do the seemingly simple job of asking other people to follow the rules, and I don't blame you for feeling some donor fatigue, particularly when the wheels of justice move so slowly. (We'd hoped for a decision in the VMware case by now, but it may be a long way away!) The best I can promise you is we're always committed to looking for creative solutions to the problem, and that we operate as transparently as we possibly can (which is why Karen and I are spending time late into the night answering queries on LWN ;)

Finally, I'm glad LWN readers had the opportunity to read about this and ask these questions.

— Bradley M. Kuhn, Distinguished Technologist, Software Freedom Conservancy

On reimbursement of costs for enforcement actions & related issues

Posted Dec 4, 2015 8:06 UTC (Fri) by kleptog (subscriber, #1183) [Link] (1 responses)

FWIW, you've convinced me. Also, thank you for allowing me to choose the commitment level.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 4, 2015 16:57 UTC (Fri) by rghetta (subscriber, #39444) [Link]

+1 Having to fund for gpl compliance makes me sad, however

On reimbursement of costs for enforcement actions & related issues

Posted Dec 4, 2015 20:09 UTC (Fri) by HenrikH (subscriber, #31152) [Link] (5 responses)

Would it be possible to extract money the BSA way? I.e. to keep the whole affair a secret but if they don't pay the BSA appointed fee then their violation is made public. Or are these companies not afraid to be publicly known as GPL violators?

On reimbursement of costs for enforcement actions & related issues

Posted Dec 4, 2015 22:13 UTC (Fri) by bkuhn (subscriber, #58642) [Link] (4 responses)

HenrikH asks:
> Would it be possible to extract money the BSA way?

Well, first of all, the BSA tactics, behaviors, and overall strategy have always been abysmal, specifically because they target users. The BSA strategy of GPL enforcement would be to find everyone who bought a GPL infringing product and somehow go after them aggressively. No one should ever do that, IMO. Ethical GPL enforcement, by contrast, fights for rights of users who got that product — to make sure they can recompile and reinstall the GPL'd software they got, and that all the source code for that software is present. Blaming a user who bought an infringing product is akin to blaming the victim of a crime.

> Or are these companies not afraid to be publicly known as GPL violators?

Regarding your more general question about public shaming, Erik Andersen of the BusyBox project was a fan of this strategy for a while. It has some benefits, but it ceased working for him, which is why he asked me personally (and later Conservancy as a whole) to help him enforce the GPL on his copyrights.

Certainly, Karen and I talk regularly with our enforcement coalitions of copyright holders about using public shaming as a tactic. It certainly is cheaper, and if it was sure to work, we'd use it more often. But, when I see perennial GPL violators constantly mentioned in threads like this, whom Conservancy knows about but whom we've been unable to convince to comply, I conclude that public shaming is not going to work, even though it might have in the past.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 5, 2015 23:51 UTC (Sat) by HenrikH (subscriber, #31152) [Link] (3 responses)

Thanks for your reply!

Regarding the public shaming I wasn't talking about that being a tactic but as a tool for money just like the BSA does. I.e if the case is settled out of court then the #1 priority of the settlement would of course be to make the violator GPL compliant but then they could also get asked to pay a sum of money or else they will be put on your public list of GPL violators and also be part of a press release.

I.e. it's not hush money per se and never ever an alternative to being GPL compliant. However I'm sure that you and the Conservancy that works with these issues all day already have thought long and hard on issues like these, it's easy for someone like me to play armchair lawyer :-) so once again thanks for your insightful replies!

Btw, please note that I'm in no way promoting BSA tactics, I once worked for a company that was hit hard by them (we had an employee who was responsible for licensing and when he got mad at the management he simply stopped buying licenses and reported the company to BSA and thus not only brought harm to the company but also got a finder's fee from the BSA. What I however got out of that whole affair was the notion that the BSA gives you a costly option of avoiding being named in their press release and apparently a lot of companies pay that money [and that sum was bigger than the "license penalty"]).

On reimbursement of costs for enforcement actions & related issues

Posted Dec 6, 2015 3:18 UTC (Sun) by bkuhn (subscriber, #58642) [Link] (2 responses)

> make the violator GPL compliant but then they could also get asked to pay a sum of money or else they will be put on your public list of GPL violators and also be part of a press release.

It's an interesting idea, and I don't find it morally wrong on its face, but I also don't see how it's particularly helpful. If the public shaming comes after they've come into compliance, what shame is there? Everyone makes mistakes, and coming into compliance is the way you correct it. I don't think there is actually anything shameful in making a mistake and then correcting it.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 8, 2015 6:08 UTC (Tue) by pabs (subscriber, #43278) [Link] (1 responses)

How about the opposite? If they contribute funds to future enforcement actions you could celebrate their new-found compliance and contributions.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 11, 2015 8:50 UTC (Fri) by jospoortvliet (guest, #33164) [Link]

Both, I'd say. Celebrate those who come in compliance and pay (if they wish) and condemn those who don't pay.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 5, 2015 2:45 UTC (Sat) by lukeshu (guest, #105612) [Link] (2 responses)

> Most products with Linux have a life cycle of 18 months or less. Violators realize that the odds are forever in their favor: for any given product, the odds that we can get to them before the product hits end of life are very low.

Doesn't the GPLv2 terminate upon violation; if product A violates, and they therefore lose the license, shouldn't that also terminate their license for product B? That is, even if you can't get them before the product hits EOL, aren't they still affected?

As a side question from that: If you, representing a stakeholder in the kernel, show that an organization committed a GPLv2 violation, bring them in to compliance, and (on behalf of the single stakeholder) reinstate the license, isn't the license from every other stakeholder still implicitly revoked (per §4)?

On reimbursement of costs for enforcement actions & related issues

Posted Dec 6, 2015 3:10 UTC (Sun) by bkuhn (subscriber, #58642) [Link] (1 responses)

lukeshu asked:
> Doesn't the GPLv2 terminate upon violation; That is, even if you can't get them before the product hits EOL, aren't they still affected?

I find myself inspired to quote Futurama: You are technically correct! The best kind of correct!. Yes, indeed, under GPLv2§4, the violator will lose their distribution rights (read more in Copyleft Guide), and that termination relates to any copyrights infringed in the original product. Thus, indeed, if those copyrights are redistributed in a later product, their rights have already been terminated.

But, this is where I again have to say that the GPL isn't magic pixie dust that just works. If the violator doesn't wish to comply, we have to compel them somehow. Termination of rights works the same way as it did in the first product, and has the same tools available. Namely, we can go into court, and seek an injunction; just like we'd have needed to for the first product. The fact that the rights terminated long ago in a past product might help us convince the judge to grant an injunction more quickly, and/or show the judge the company acted in bad faith. But, the enforcement process is the same, and note that one way to come into compliance is to stop distributing. Therefore, with regard to the old violation, the company is now in compliance. We're unlikely to therefore get a judge to compel a source release for the old product, since distribution has ceased.

> If you, representing a stakeholder in the kernel, show that an organization committed a GPLv2 violation, bring them in to compliance, and (on behalf of the single stakeholder) reinstate the license, isn't the license from every other stakeholder still implicitly revoked?

First, it's worth noting that Conservancy doesn't just represent a coalition of stakeholders (although we do that too), but Conservancy is also a copyright holder in Linux as well, as some stakeholders have outright assigned Linux copyrights to Conservancy. But, that wasn't your question. To answer your question: Yes, you're quite correct about how rights restoration works (at least in the USA and most other jurisdictions I'm familiar with). The negotiation point that both FSF and Conservancy use in that enforcement scenario is simply to tell violators that once compliance is achieved, we're on their side and prepared to be an expert witness or otherwise help the former violator oppose any copyright holders knocking at the door for huge settlements. Such copyright holders who came to demand pay-outs after compliance was achieved of course wouldn't be acting under the principles of ethical GPL enforcement anyway.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 6, 2015 4:10 UTC (Sun) by lukeshu (guest, #105612) [Link]

Thanks for the reply!

It's been my experience that corporate lawyers tend to be very afraid of "technically correct", which is why I asked.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 6, 2015 6:45 UTC (Sun) by ncm (guest, #165) [Link] (4 responses)

The evidence is by now super-abundant that SFC's "enforcement principles", as formulated, are a failure. This is not to say no morally defensible principles are possible. Rather, out of the universe of possible morally defensible principles, this choice has been amply demonstrated to be poor enough to merit reformulating. There is no shame in admitting the truth. It is not as if the results of all the failed attempts were predictable. They had to be tried, but having been tried, now we know, and can act on what we now know.

The solution may be to start another organization, e.g. The Coding Liberty Cooperative, with more effective principles, sign up authors, and go into competition, maybe pursuing repeat offenders who have been let off too easily by SFC.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 8, 2015 2:58 UTC (Tue) by lutchann (subscriber, #8872) [Link] (3 responses)

Yeah. If SFC is casually tossing around the term "savvy violators", it's clear that whatever they're doing is ineffective. Maybe "our primary goal in GPL enforcement is to bring about GPL compliance" should be replaced with "our primary goal in GPL enforcement is to seek large monetary damages as a punitive measure to make violators think twice about doing it again in the future." I'd donate money to get that kind of thing going.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 8, 2015 21:22 UTC (Tue) by bkuhn (subscriber, #58642) [Link] (2 responses)

There are practical reasons to follow our principles, not just moral ones. I think people here are a bit confused what types of damages are even possible in copyright infringement cases. The damages are decided by a judge and/or a jury, and are unpredictable, and you don't find out what they are until you're at the end of the case. And, if you lose the case, you often have to pay the other side's attorney's fees in many jurisdictions.

Even if avarice was maximized in these enforcement cases, the proceeds wouldn't be seen for a very long time.

Anyway, the only logistical way to get large amounts of money quickly and easily is to take pay-offs to look the other way when compliance isn't achieved. There are people making money doing that, which Jon made reference to in the original article. I denounce that as immoral, even if it would be a way to get money easily.

You can see on Conservancy's Form 990s that we did receive money in the BusyBox enforcement, which funded more enforcement. But enforcement where compliance is the paramount goal is only partially self-funding. I hope people will donate to bridge the gap.

On reimbursement of costs for enforcement actions & related issues

Posted Dec 10, 2015 10:46 UTC (Thu) by linuxrocks123 (subscriber, #34648) [Link]

US statutory damages are $750 per work, minimum. On a judgment of infringement, the court has to grant at least that, and may grant more. If the violator distributed 100,000 products, that's $75 million.

Oh, but, if the violator proves (burden on the violator) that they really didn't know, and shouldn't have known, the court can reduce damages to $200 per work. So then you only get $20 million.

That's still $20 million, in the absolute worst case, for what I would imagine to be a fairly low-volume product. What am I missing here?

On reimbursement of costs for enforcement actions & related issues

Posted Jul 20, 2016 21:14 UTC (Wed) by paulj (subscriber, #341) [Link]

The moral and practical imperative must be to ensure that GPL compliance is more attractive than not, by taking stern action against at least some violators. The best way to make sure action can be taken is for that action to be self-sustaining - paying for the action taken at least, ideally also punitive costs that can then be used to pre-pay for the next action. Anything less would surely be doing a _disservice_ to the viability of the GPL?

See also: https://paul.jakma.org/2009/12/21/killing-free-software-w...

The one cautionary bit is that such actions mustn't put off more people from going with GPL software than are attracted to it.

On reimbursement of costs for enforcement actions

Posted Jul 20, 2016 21:06 UTC (Wed) by paulj (subscriber, #341) [Link]

+1 to this. If violating the GPL is cheaper than complying, if violating the GPL could even get you free consulting on compliance from experienced free software people, well then it makes obvious business sense to violate the GPL.

This Is Absurd.

Posted Dec 1, 2016 20:54 UTC (Thu) by Hi-Angel (guest, #110915) [Link]

Your comment got a funny number as a link

This Is Absurd.

Posted Dec 3, 2015 11:24 UTC (Thu) by zack (subscriber, #7062) [Link]

> SFC should be able to extract more than enough revenue from violators to fund all its operations. If some corporate sponsors don't like that, let those sponsors drop support; conditional corporate support is *much* worse than useless. SFC can replace all such support with income from violators, and should

FWIW this part is answered in the article and by SFC already:

> The SFC has chosen not to pursue GPL-enforcement lawsuits as a revenue-generation technique, saying, probably rightly, that it would compromise the real goal: bringing companies into compliance.

A referendum on GPL enforcement

Posted Dec 3, 2015 4:00 UTC (Thu) by jra (subscriber, #55261) [Link] (1 responses)

Thank you Jon. This is such a timely and well written article. It's work like this that makes LWN a vital resource for our community, and keeps me asking my employer to keep buying subscriptions for employees (although to be honest I'd subscribe on my own without that :-).

The only comment I'd like to add is that the goal of source code releases for things like Busybox isn't necessarily to get new and interesting source code. The goal for releases of sources we already have is to help create a community of hackers around a product. Remember, from GPLv2:

"The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."

It's that last part that makes the difference, and allows projects like dd-wrt and http://www.samygo.tv/ to exist at all. I think the community would be poorer without them.

Article communicates points Conservancy has tried to express to companies

Posted Dec 3, 2015 22:45 UTC (Thu) by KarenSandler (subscriber, #105592) [Link]

"Companies that expend the (often considerable) resources to stay in compliance will be at a disadvantage relative to those that don't bother; eventually the list of companies that don't bother will surely grow."

Thanks, Jon, that quoted text does a good job explaining what I've tried to communicate to companies who comply. I find that it's hard to explain this point effectively to them, but the movement you describe toward more companies ignoring compliance, or focusing on trivial aspects of compliance while ignoring bigger issues, has been evident for some time. I think this is why so many developers who were lukewarm on enforcement 5 years ago now see that it's essential.

A referendum on GPL enforcement

Posted Dec 3, 2015 8:08 UTC (Thu) by pabs (subscriber, #43278) [Link] (5 responses)

I'd like to see the Linux Foundation take on the role of GPL enforcement for Linux. They have a lot of members paying a lot of fees that could fund a lot of enforcement work.

I'd like to see FLOSS license compliance on the list of membership requirements for FLOSS trade associations like the Linux Foundation, Linaro, OpenStack etc.

A referendum on GPL enforcement

Posted Dec 3, 2015 8:45 UTC (Thu) by amacater (subscriber, #790) [Link] (1 responses)

Sadly, the Linux Foundation seems to be a "Foundation-creating" foundation primarily - at least at the moment.

Enforcement of the GPL - FSF, Conservancy or, just possibly, the Linux distributions on behalf of their contributors. Debian, for example, is working with Conservancy at the moment to establish a framework for Debian developers to work together to assign copyrights, enforce licences etc as a larger body.

As someone else pointed out: a lot of this work depends on a very small number of skilled people in a small number of places.

It is also quite possible that the Linux Foundation might contain infringers among its members :(

A referendum on GPL enforcement

Posted Dec 3, 2015 20:43 UTC (Thu) by rknight (subscriber, #26792) [Link]

> It is also quite possible that the Linux Foundation might contain infringers among its members :(

More like a certainty as VMware and Allwinner are both listed as Silver members. There are also a number of members who appear to do a good job with current and new products, but have failed to bring older no longer produced products into compliance.

A referendum on GPL enforcement

Posted Dec 3, 2015 11:08 UTC (Thu) by dunlapg (guest, #57764) [Link]

> I'd like to see the Linux Foundation take on the role of GPL enforcement for Linux. They have a lot of members paying a lot of fees that could fund a lot of enforcement work.

Indeed, the Linux Foundation used to be a supporter of the SFC, but is no longer, and that seems to be in large part because of the VMware trial. Do note that VMware is a member of the Linux Foundation.

I think that it is companies that benefit from the GPL that primarily ought to be funding enforcement activities, not private individuals.

A referendum on GPL enforcement

Posted Dec 3, 2015 16:20 UTC (Thu) by spender (guest, #23067) [Link] (1 responses)

The Linux Foundation cares only about the profits of its members. GPL violators are part of its member list and the company violating our trademark is one of their members as well. We should be making a much bigger deal of their action of dropping support of the SFC; it fully demonstrates their respect for the community and the software its members use.

Has Linus commented publicly on the VMware case? Many other kernel developers have, though I don't know of any who have who receive their funding from the Linux Foundation. I wonder what areas of their integrity they were forced to sign away for their paychecks. I had previously mailed Linus and others about another company using GPL shims to link with proprietary obviously derivative blobs that did little more than act as a license time-bomb for the software. The shims provided getters/setters for many internal Linux structures, with the proprietary code being developed solely for the Linux kernel. None of the people mailed replied or have discussed it publicly. I am very concerned about the blind eye being given to these acts, when Linus and others would be an important voice.

I would like to see more litigation like the VMware case, so there's more case law demonstrating what is acceptable and what is not. When cases are settled out of court, there's nothing for us developers to point to to say "what you're doing is what this other company did, which a judge had this to say about." I think the attempt to be overly-amicable has perpetuated the problem, and reaffirmed the hubris of some companies that they can do whatever they want without consequences, that copyright law is only a tool to be used by the rich and powerful companies, not for the developers whose work is exploited endlessly for profit. I really see little at this point between the GPL and BSD, and the inaction effectively punishes companies who do play by the rules.

It's ridiculous that the problems with VMware have been going on since 2007: http://www.theregister.co.uk/2007/08/16/vmware_derived_fr...
That it took 8 years to take this to court is just crazy to me. I also would have liked to see this tried in US courts with damages, but it's convenient for the Linux Foundation I guess that they pulled funding to essentially guarantee any future cases in US courts will be impossible. This whole situation is incredibly depressing.

Just my armchair thoughts on the matter.

-Brad

A referendum on GPL enforcement

Posted Dec 4, 2015 5:05 UTC (Fri) by pabs (subscriber, #43278) [Link]

I got interested in LF's money so I went looking for the LF tax forms. I noticed that in 2013, LF membership fees contributed $7,192,649 (30%) of LF revenues. After expenses, LF made $3,473,482 in 2013, or 11 times what SFC is asking to be able to continue enforcement efforts! Not only that but the LF could fund SFC enforcement efforts solely from Jim Zemlin's salary and bonuses and have plenty of change left over. The LF revenue and profits appear to be going up over time too. The form doesn't indicate how much the alleged LGPL/GPL violators contributed to the LF revenues, but VMware and Allwinner are both silver members, which means (based on employee numbers from Wikipedia) VMware contributed $20,000 and Allwinner $15,000, or in total about 40% of what SFC is asking to be able to continue basic community services. I can't find out how much funding LF was previously contributing to SFC though.

I would encourage people to ask Linus about GPL/LF/SFC/VMware in one of the public Q&A sessions he regularly holds at conferences.

https://www.charitynavigator.org/index.cfm?bay=search.pro...
http://990finder.foundationcenter.org/990results.aspx?990...
http://990s.foundationcenter.org/990_pdf_archive/460/4605...
http://www.linuxfoundation.org/about/members
http://www.linuxfoundation.org/about/join/corporate
http://www.linuxfoundation.org/about/bylaws
https://en.wikipedia.org/wiki/Allwinner
https://en.wikipedia.org/wiki/VMware
https://sfconservancy.org/docs/conservancy_Form-990_fy-20...

Response from Conservancy on this article

Posted Dec 3, 2015 17:51 UTC (Thu) by bkuhn (subscriber, #58642) [Link] (9 responses)

A lot of the comments on this thread go immediately to some common confusions about GPL enforcement. For example, ssmith32 claims: "it's much easier to win a GPL case with the goal of bringing the violator into compliance (by releasing code), than it is to make the case they owe [Conservancy] damages." Ironically, it's the opposite. If Conservancy were inspired only by avarice, as for-profit GPL enforcers are, we could seek huge damages and not care whether the software was in compliance. The expensive time investment comes essentially from putting compliance above all else. Per our enforcement principles (which were co-published with the FSF, and which were co-drafted with OSI's president Allison Randal, and were subsequently endorsed by the OSI), Conservancy will never put money above compliance. This is why GPL enforcement is not self-funding. Unlike for-profit GPL enforcers, we refuse to take payoffs from violators to look the other way while they're out of compliance. We must, and should, wait until the bitter end and 100% full compliance with all FLOSS licenses before accepting money.

Meanwhile, Corbet includes a paragraph of rumor-fueled speculations about me personally. I'm surprised that Jon, who usually has impeccable journalistic integrity, would include rumors as if they were fact. (BTW, anyone who engages in controversial social justice work will have all sorts of false and exaggerated rumors spread about them.) I'd note, in particular, that my primary historical enforcement disagreement was with Harald Welte, and that disagreement was that I personally delayed a coalition of developers from bringing a lawsuit in the original Linksys GPL violation in 2002. That delay was part of the impetus that led Harald to start gpl-violations.org; Harald wanted to be litigious when I was still skeptical of whether litigation should be part of GPL enforcement. In the end, Harald convinced me that he was right about that. So, this reference to “disagreements” likely refers to something very different than it seems in the main text. (Harald has also endorsed Conservancy's current work, BTW, and he's asked people to donate to Conservancy.)

More importantly, the main article seems to indicate that I'm the primary leader of Conservancy. Actually, I stepped down from that role when Conservancy had the amazing opportunity almost two years ago to hire Karen Sandler as our Executive Director. Karen is an excellent communicator and is widely heralded as a wonderful person to interact with, including by Linux Foundation's General Counsel, Karen F. Copenhaver. I notice that this article is not the only one that has basically ignored Karen's role as the primary leader of our organization. I am left wondering whether some subtle sexism has sneaked into the reporting on Conservancy.

Finally, this thread has some comments about who has withdrawn funding from Conservancy. Others have already linked to a previous lwn thread about that, and I point specifically at my comment there from Monday. I have no further comment on that issue at this time.

— Bradley M. Kuhn, Distinguished Technologist, Software Freedom Conservancy

Response from Conservancy on this article

Posted Dec 4, 2015 10:39 UTC (Fri) by johannbg (guest, #65743) [Link] (2 responses)

"I am left wondering whether some subtle sexism has sneaked into the reporting on Conservancy."

Extreme feminists strike again in the world of political correctness where women demand being allowed to wear anything they want without being objectified but at the same time have individuals like Matt Taylor, who btw landed a spacecraft on a comet, apologize for a shirt he was wearing during an interview in the hours leading to the contact [1].

I'm going to raise my hand and applaud to people like you and say wow just wow and thank you for reminding me how much progress remains yet to be accomplished here on Earth.

More likely the confusion is due to your own actions where you yourself [2] are running around the internet signing your responses as the president of the software freedom conservancy than Jon being sexist...

"— Bradley M. Kuhn, President, Software Freedom Conservancy"

1. https://www.youtube.com/watch?v=NSv6ZBZtzRA
2. https://lwn.net/Articles/666085/

Response from Conservancy on this article

Posted Dec 4, 2015 12:47 UTC (Fri) by cstanhop (subscriber, #4740) [Link] (1 responses)

Your first paragraph is needlessly off topic, but you're right there could be some confusion about roles. From what I can tell Bradley's role is President, but Karen's is Executive Director. However, SFC's officers page, as of this morning, still had Karen's role prominently listed as Secretary in a heading. The paragraph under her heading lists her role correctly, but at a glance it would be confusing.

https://web.archive.org/web/20151204123552/https://sfconservancy.org/about/officers/

Response from Conservancy on this article

Posted Dec 4, 2015 16:06 UTC (Fri) by bkuhn (subscriber, #58642) [Link]

Charles, you might want to read Conservancy's by-laws (on our filings page), to understand the corporate officer roles. Most non-profits have these corporate officer roles separate from day-to-day management and execution of regular daily activities of the org. At most non-profits, the Executive Director doesn't report to the President, rather, the Executive Director reports to the Board as a whole.

Response from Conservancy on this article

Posted Dec 4, 2015 17:00 UTC (Fri) by bkuhn (subscriber, #58642) [Link] (5 responses)

BTW, I would like to apologize to Jon for questioning him in that previous post; my original comment on this subthread was poorly drafted. My original post indicates that Jon's reporting is at fault, but it is not. My concern is actually with those who make statements and claim disagreements with me and Conservancy but don't make them public. In fact, Jon is providing a service by making public that such criticisms exist. In particular, we're sure Jon would have quoted those sources by name if they'd agree to go on record. They didn't, that's surely why he said things like “Some have said”.

In that light, Karen and I call on those someones to have a public debate -- maybe moderated by Jon Corbet :) -- to discuss what policy disagreements they have with Conservancy about how we do enforcement. We welcome that debate and if folks want to get in touch with me and Karen soon, we may even be able to have that debate in the Legal and Policy Issues DevRoom in FOSDEM this February.

Finally, thanks to Jon for reporting on this story.

Response from Conservancy on this article

Posted Dec 6, 2015 2:30 UTC (Sun) by happylemur (subscriber, #95669) [Link] (2 responses)

My interpretation was that Jonathan was trying to note that disagreements exist while trying to avoid provoking personality conflicts in the comments by naming names. One example <http://lwn.net/Articles/657851/> immediately came to mind upon reading that paragraph; I don't know if there are others.

Vance

Response from Conservancy on this article

Posted Dec 6, 2015 3:12 UTC (Sun) by bkuhn (subscriber, #58642) [Link] (1 responses)

The reference you give shows me disagreeing with someone who opposes copyleft and its enforcement, so it's not an example of any disagreement with other GPL enforcers.

Response from Conservancy on this article

Posted Dec 6, 2015 4:20 UTC (Sun) by happylemur (subscriber, #95669) [Link]

Ah, I see; my comment was referring to the second sentence of that paragraph, which looks to those involved in past enforcement activities. I'm not personally aware of any examples involving people currently involved in GPL enforcement.

Vance

Response from Conservancy on this article

Posted Dec 6, 2015 18:59 UTC (Sun) by ncm (guest, #165) [Link] (1 responses)

I would welcome a public debate about the merits of the SFC's "enforcement principles", as formulated, and their interpretation, as regards the ability to achieve actual, you know, enforcement. I also applaud the suggestion of Jon as moderator, in this and in practically any other dispute. (Given the admiration he inspires among all of us who have known him longest, moderating disagreements could even become a new and honorable revenue source to further support his other admirable activities.)

I see the emphasis on the most immediate goal of "achieving compliance" as self-defeating. Compliance, or not, is a consequence of the ecosystem. Each individual case is an opportunity *not* to achieve one instance of compliance, it's one opportunity to both push the ecosystem in a desirable direction, and collect the resources to push it a little farther. To be worth pursuing at all, a series of N cases, cumulatively, should affect not just those N vendors, but the perceptions of all vendors.

Quiet resolutions are actually harmful to the cause, because they make it seem (correctly!) that suffering any consequences at all for violating the license is extremely unlikely, and that the cost of any such consequences, where there are any, is extremely small. We in Free Software get no benefit from people using Free Software out of license in their products. We *do* benefit, in many ways, when people who use Free Software under license in their products have a competitive advantage over those who do not use it. People using Free Software in products out of license directly undermine those benefits, not just because we cannot reprogram our devices, but because it eliminates the competitive advantage for the compliant. Releasing their code to violators puts them at a positive disadvantage, making compliance an absolute loss.

As long as any significant downside to ignoring the license is so trivial, no one inclined to ethical behavior can justify it to their management. We are failing not only the people who spend the money to comply, we are failing everyone who would like their employer to behave ethically, and who would like to work for ethical employers. We are failing all the people who would like to purchase products from ethical suppliers. And, of course, we are failing all the people who would like to alter the software in the products they are able to buy.

Response from Conservancy on this article

Posted Dec 10, 2015 16:12 UTC (Thu) by pboddie (guest, #50784) [Link]

Your last paragraph is worth repeating...

> We are failing not only the people who spend the money to comply, we are failing everyone who would like their employer to behave ethically, and who would like to work for ethical employers. We are failing all the people who would like to purchase products from ethical suppliers. And, of course, we are failing all the people who would like to alter the software in the products they are able [to] buy.

It's like the story of the modern age: "doing the right thing will cost us something, so let's not bother". And once people stop bothering, nobody does the right thing any more, and the right thing becomes socially unfashionable or even objectionable.

I think the term "referendum" is inappropriate, really, although it was maybe coined in haste. What we have here is a survey of people who care enough about copyleft licence compliance that they will give their own money to make sure that random corporations (who are making tidy sums) will comply with Free Software licences applying to code that many of those contributors did not write. In other words, it is not just those people who can afford to defend their own direct interests, but also those who wish to defend their indirect interests (because they may also have written code that is copyleft-licensed), and in some cases those who wish to defend the interests of a cause they merely care about.

It is hard not to feel exploited, not by the Conservancy who is doing a fine job of making sure that licences are being upheld (and who is also being exploited here by showing such generosity in the face of such brazen wrongdoing), but by corporate interests who are no longer merely getting stuff for free: they are effectively being paid while they misuse other people's work.

It would be good if once in a while, those profiting from this industrial-scale copyright infringement were served with injunctions halting sales and distribution of the illicit products concerned. Then, everyone involved (and their apologists) might appreciate how nice and forgiving the Conservancy folk seem to be.

general response to this thread

Posted Dec 3, 2015 17:53 UTC (Thu) by faramir (subscriber, #2327) [Link] (3 responses)

Rather than commenting individually to the article or comments, I'm going to do a single response:

1. Re: good ideas out there
I've suggested multiple ideas to people at the SFC and in general have been informed why they won't/can't work. In any case, an idea isn't enough and it seems clear that there aren't many people and/or money out there to do anything related to GPL enforcement.

2. Re: making the violators pay to prosecute themselves
The people at the SFC seem philosophically opposed to this. Since they are the ones doing all the work, it seems petty to fault them for this. I've also been told that the SFC has deliberately not taken money from companies who refuse to come into compliance for all GPLed software. i.e. Yes, you can have the busybox code, but no we won't give you our kernel modifications. Should they take the money anyway?

In any case, nothing is stopping copyright holders from doing any type of enforcement action they want. The VMware case involves the SFC funding a developer's case as the SFC owns no copyrights and therefore has no right to take action on its own. Personally, I would be happy to help crowdfund targeted GPL enforcement efforts brought by developers. But legal work in the USA is expensive, so the community is going to have to pony up the resources somewhere.

3. Re: lack of new code releases due to GPL enforcement
While lots of new functionality would be nice, when I put on my end user hat; just being in the position to make minor changes to the GPL based firmware in the products that I purchase would be great. The incomplete source code releases that companies typically put out make this extremely difficult. Who hasn't found a firmware based product that almost met your requirements?

4. Re: GPL using companies should voluntarily fund enforcement
While this would be nice, it is rare for any company to spend money on something that doesn't benefit them economically in the relatively short term. It's not clear how RedHat (for example) would benefit from me being able to modify the firmware on my home router. And it would probably actively hurt their efforts to make sure that VMware and RedHat software worked well together to have funded the current VMware enforcement case.

5. Re: why do these cases take so long
Companies stall and for both practical (costs) and philosophical (educate/not litigate) reasons, the SFC isn't in a position to hurry things along.

6. Re: other SFC work and their funding issues
It should also be noted that the SFC's primary activities involve providing support services for a myriad of small and large free software development projects. It seems that SFC's GPL enforcement efforts have resulted in a drastic reduction in corporate funding. This isn't just going to hurt the only organization actively enforcing GPL, it is also going to cause problems for projects like SAMBA, Mercurial, Git, QEMU and others. Even if you are ambivalent about GPL enforcement, there are any number of other reasons to support SFC.

general response to this thread

Posted Dec 4, 2015 7:47 UTC (Fri) by alison (subscriber, #63752) [Link] (2 responses)

faramir comments:
> This isn't just going to hurt the only organization actively enforcing GPL, it is also going to cause problems for projects like SAMBA, Mercurial, Git, QEMU and others.

That aspect worries me, too. I wonder if having a separate organization supporting SFC member projects would not be a good idea? The current situation encourages organizations like LF to argue, "We signed up to support Git and Jquery and Samba, not GPL enforcement." There is some merit to such an argument given that enforcement is (AFAIK) a new activity for SFC. I support both SFC's older mission and GPL enforcement, but can see how there may have been donors to SFC who were surprised to learn that they were underwriting enforcement and wondering about further 'mission creep.'

general response to this thread

Posted Dec 4, 2015 15:58 UTC (Fri) by bkuhn (subscriber, #58642) [Link]

Conservancy member projects always have the right to leave Conservancy to form their own org, or switch to another non-profit organization.

As for characterizing licensing compliance as a "new activity", that, actually, is inaccurate. Conservancy has done license compliance activity for its member projects since about 6 months after its founding (which was nearly a decade ago). Indeed, all the projects named at the beginning of this subthread have received some form of license compliance activity from Conservancy. Samba, for example, has a long history even before Conservancy of caring deeply about license compliance.

Ensuring license compliance really is a key service that Conservancy provides to our member projects. The point of Conservancy was to provide key services that other organizations don't provide, including license compliance. Our member projects would have picked other fiscal sponsors if they didn't want these additional services.

general response to this thread

Posted Dec 4, 2015 16:37 UTC (Fri) by jra (subscriber, #55261) [Link]

Alison, enforcement isn't new for Conservancy. They've been doing this for Samba ever since we joined. It was one of the benefits of being in Conservancy that persuaded us to become a part of it.

A referendum on GPL enforcement

Posted Dec 11, 2015 2:15 UTC (Fri) by njs (subscriber, #40338) [Link]

Clearly the solution is for Linux contributors to start assigning their copyrights to patent trolls.


Copyright © 2015, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds