An update on Yoggie GPL compliance
An update on Yoggie GPL compliance
Posted Jul 11, 2007 14:02 UTC (Wed) by charlieb (guest, #23340)In reply to: An update on Yoggie GPL compliance by utoddl
Parent article: An update on Yoggie GPL compliance
> Yoggie isn't obligated to make their modified GPL source available
> to me and (probably) you, or even to the iptables maintainers.
Please re-read the GPL. If they do not ship source *with* their product, then they are in fact required to make their GPL source available to me and you. And "any third party".
Posted Jul 11, 2007 15:27 UTC (Wed)
by utoddl (guest, #1232)
[Link]
Posted Jul 12, 2007 1:34 UTC (Thu)
by JesseW (subscriber, #41816)
[Link] (6 responses)
Hm. AFAIK, the FSF has always been intentionally leery of requiring public distribution in the GPL. They are insistent that no-one with object code is ever unable to get the source, but I think they try to avoid requiring unlimited distribution.
Let's look at the relevant text from GPLv2:
"You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following"
"a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, "
"b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,"
"c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)"
That's all the options in version 2 of the GPL. As I hope I showed above, none of them require public distribution. It's about the freedom -- including the freedom to refuse to distribute. (as long as you don't try and give people software they can't use in freedom).
Now, in version 3 of the GPL, things are (slightly) different. There's two new options, for one thing.
"You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:" "a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange." "b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge." Other changes from v2 include the extension of the validity period -- if you keep supporting a product, the offers automatically stay valid, and the option to offer download instead of directly providing a copy. Note that "access to copy" does not need to be given to anyone, just to someone who you have to distribute to under this paragraph.
"c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b." "d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements." "e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d." And that's all the options listed in version 3 of the GPL. Again, no requirement of public or upstream distribution. Please read more carefully before making such claims again.
(This comment also published at my website)
Posted Jul 12, 2007 2:57 UTC (Thu)
by sepreece (guest, #19270)
[Link] (3 responses)
Given the ambiguity, I'm pretty sure most corporate lawyers would avoid risk by assuming the broader reading...
Posted Jul 12, 2007 3:23 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
this would imply that as the upstream provider you aren't required to provide source to people who get the binaries from someone else, that someone else must provide them.
if you are going to be picky about the requirements then you need to be evenly picky otherwise you're just reading it to favor your point of view.
Posted Jul 12, 2007 8:21 UTC (Thu)
by dark (guest, #8483)
[Link]
For example, if you redistribute binaries from the Debian archives, then
That's different from the case under discussion, where the distributor is
Posted Jul 12, 2007 5:52 UTC (Thu)
by JesseW (subscriber, #41816)
[Link]
Does the GPL require that source code of modified versions be posted to the public? says: "But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL." supporting the "users-only" view.
And, If I know someone has a copy of a GPL-covered program, can I demand he give me a copy? says: "No. The GPL gives him permission to make and redistribute copies of the program if he chooses to do so. He also has the right not to redistribute the program, if that is what he chooses." (italics in original) which firmly squashes any claims of required public distribution if there are no object code issues.
But, What does this "written offer valid for any third party" mean? Does that mean everyone in the world can get the source to any GPL'ed program no matter what? says: "If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it." which clearly supports the "public distribution" view. Fuzz.
Then there's My friend got a GPL-covered binary with an offer to supply source, and made a copy for me. Can I use the offer myself to obtain the source? which says: "Yes, you can. The offer must be open to everyone who has a copy of the binary that it accompanies." which sounds like it supports the "users-only" view, but isn't conclusive, since maybe "the offer" actually has to be even wider (as the previous question seems to imply).
The question I just found out that a company has a copy of a GPL'ed program, and it costs money to get it. Aren't they violating the GPL by not making it available on the Internet? lays out the FSF's position, but it's a bit vague in a critical area. It says: "It also does not require anyone in particular to redistribute the program. And (outside of one special case), even if someone does decide to redistribute the program sometimes, the GPL doesn't say he has to distribute a copy to you in particular, or any other person in particular." What's the special case? The "written offer"? Or something else?
In total, I agree with you, the GPL FAQ is quite ambiguous and unsure about whether the "written offer" must only apply to people with a copy of it, or to anyone, with or without a copy of it. But a number of things seem to imply the FSF intends the former. Hopefully some FSF staffer is reading this, and can update the FAQ to clarify it.
Posted Jul 12, 2007 8:54 UTC (Thu)
by dark (guest, #8483)
[Link] (1 responses)
The GPLv3 is too new for me to comment on, since I haven't studied it
thoroughly, but I'd like to focus on the wording of clause 3(b) of the
GPLv2:
Accompany it with a written offer [...] to give any third
party ...
Notice that it's not just an offer that is valid for any third
party.
It must be an offer to supply the source to any third party. If I
get such
an offer, and then they refuse to supply the source to any third party,
then they didn't honor the offer they made to me.
As a reminder, I'd like to point out that such an offer doesn't have to
be a
physical token. It must be "written", but it could be written on a web
page or inside an iso9660 image. This is
illlustrated by clause 3(c),
which says:
Accompany it with the information you received as to the
offer ...
So, it doesn't talk about passing on the offer or making copies of the
offer. Information
about the offer is sufficient. This makes sense if the original
offer was already to supply source to any third party. Then knowing about
the offer is just as good as having a "copy", whatever that means exactly.
One detail that's always amused me is that the GPLv2 does not actually say
that you have to honor these offers :) It's not clear to me who would have
standing to sue if you don't.
Posted Jul 12, 2007 15:44 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link]
The copyright holder has standing because you didn't obey the terms of the license to their copyrighted work.
You can say "I don't accept your license", but that means you're admitting to copyright infringement, which is usually a criminal offense, and certainly enough reason for the court to order you to cease distribution.
The immediate recipient of the offer probably has standing because the GPL terms are an implicit component of any contract between you and them for the supply of this software. In particular if money changed hands then I feel pretty sure they'd have standing.
If a third party is trying to use the offer, they probably have standing but they'll need a really good lawyer because they need to make it perfectly clear why this obligation exists between two parties that have no direct relationship. It's definitely possible, there are famous cases where this sort of argument was made, but it's a lot harder than the copyright holder example.
In summary, probably lots of people have standing to sue.
I did re-read it, and you are right. I stand corrected.An update on Yoggie GPL compliance
object code distribution requirements in GPLv2 and GPLv3
OK, so these are the ways you have to distribute source code...
This certainly doesn't require distribution to anyone but customers, i.e. not the public, not upstream.
Now, this is the tricky one. Clearly, this requires distribution to anyone with a copy of the offer (while it is valid). The question is, does it require distribution to someone who does not have a copy of the offer? Effectively, is the offer just an announcement that source is available, or is it proof of eligibility for access to the source? In my view, because of the use of the term "offer", rather than, say, "announcement", having a copy of the offer is required. So, while the distribution mandated by this option is wider than the previous one (since copies of the offer are still valid (see below) the total required distribution is theoretically unlimited), it still doesn't require distribution to the public, or to upstream.
This is the "cheap shortcut" option. It doesn't require any distribution of source code by the Licensee, only that the Licensee distribute copies of the offer they got, so it certainly doesn't require public or upstream distribution.
Slightly different phrasing, but the intent and effect is the same.
This is more specific than in v2; it only applies if you actually sell or give away a physical object (like a disk, or in Yoggie's case, a USB key); but the distribution effect is the same -- the requirement only applies to customers.
This is helpfully much more explicit; it states who the Licensee has to distribute to right there: "anyone who possesses the object code". Not anyone at all, but only anyone who already has the object code. This nicely sidesteps around the ambiguity (which is still present) about whether a copy of the "offer" is required in order for distribution to be mandated. Even if the view is taken that the "offer" is really just an announcement, unlimited distribution is still not required.
This is identical in intent and effect to this option in version 2.
This is one of the two new options, the "download" option. Note that it specifically leaves open the choice of charging for access to the server. No distribution is required, only making sure that the source remains available, and it only needs to be available to the people who download the object code via Licensee's server(s). No public or upstream distribution required here!
This option, while it doesn't directly require the Licensee to provide free public access to the source, cannot be used unless somebody is providing such access. But such access is not required of the Licensee.
I believe the previous notes were reading the ambiguous option (b) of GPLv2 the other way than you did. The wording in GPLv3 suggests that the FSF probably intended your reading (I wouldn't have expected them to make the requirement narrower). Curiously, though, the FSF's GPL FAQ question on this point (which is still based on the GPLv2 text) disagrees and says it means you have to provide source to anyone (though it never discusses the question of whether you can require proof of possession of the written offer). However, to add a little further fuzz, that answer also cites the rationale as being to make sure the source is available to people who got the binaries indirectly, which implies the condition from GPLv3.object code distribution requirements in GPLv2 and GPLv3
according to the FSF if you provide GPL software to a third party that you got from someone else, _you_ are the one responsible for providing the source code, you can't just point at the upstream provider.object code distribution requirements in GPLv2 and GPLv3
Do you have a reference to where the FSF said that? I suspect they're object code distribution requirements in GPLv2 and GPLv3
talking about something else, namely that you cannot pass along a 3(b)
offer if you didn't get one in the first place.
you cannot simply tell people they can get the sources from the Debian
archives themselves, because Debian is using option 3(a) and it never made
any promise to keep the sources there for 3 years.
using option 3(b) to distribute binaries without accompanying source code.
Thanks for bringing up the GPL FAQ. It certainly does have it's share of ambiguities and fuzz.
GPL FAQ
object code distribution requirements in GPLv2 and GPLv3
The word 'offer' is a technical term in law, a contract has two phases, offer and acceptance. "I'll take you to Dover for forty quid", "Here's forty quid" is the formation of a trivial contract. If you choose clause 3(b) of the GNU GPL you must make an offer to everyone. Anyone in the world might accept it. That's such a dangerous thing (think Carbolic smoke ball) to do that I'm surprised any company chooses 3(b) now that 3(a) is so cheap to comply with. object code distribution requirements in GPLv2 and GPLv3