
Garrett: The ongoing fight against GPL enforcement

Posted Feb 1, 2012 6:52 UTC (Wed) by tbird20d (subscriber, #1901)
In reply to: Garrett: The ongoing fight against GPL enforcement by shmget
Parent article: Garrett: The ongoing fight against GPL enforcement

No. You misunderstand what "unrelated products" means. It means all the TV sets and digital cameras, which we properly release GPL source for. What I don't want is for some trivial mistake by GPL amateurs at some ODM supplier to some obscure product group to result in SFC having review and veto authority over our major Linux-based product lines. This is simply unacceptable.

What I'm saying is that the legal risk far outweighs the value of busybox.



Garrett: The ongoing fight against GPL enforcement

Posted Feb 1, 2012 7:37 UTC (Wed) by nim-nim (subscriber, #34454) [Link] (8 responses)

So you write that companies like Sony think auditing their products before release to check they're in compliance with free software licences (and risk being forced to do it systematically) is intolerable?

And at the same time, the very same companies engage in mobile patent wars (sometimes ridiculous design patents) and seize or block each other's products in warehouses to force their opposition into settling. And they find this perfectly reasonable and normal cost of doing business.

Colour me unimpressed.

The only reason they find SFC and GPLvx intolerable is that they're used by little guys that dare to assert legal rights against big corps. And that they cannot buy them out. Why should we help them have their ego trip?

Garrett: The ongoing fight against GPL enforcement

Posted Feb 1, 2012 17:55 UTC (Wed) by tbird20d (subscriber, #1901) [Link] (7 responses)

> So you write that companies like Sony think auditing their products before release to check they're in compliance with free software licences (and risk being forced to do it systematically) is intolerable?

No. I never wrote that. We do audit our products before release to check that they're in compliance, and I would argue we do it as well as anyone in the industry. But Sony is a large place with a lot of different independent product groups. I can attest that, for every product my team works on (which includes set-top boxes, TV sets and cameras, among other things), we are fully compliant and we have no supplier issues or source code release issues.

What I can't be sure of is whether this is true for every Sony product. People keep asserting that it's trivial to perform compliance. It is, for a single group. Sony has standards in place that product teams are supposed to follow for GPL compliance. Unfortunately, I can't be sure that every team is following them, or won't make a mistake. In particular, I can't be sure of this for sub-contractors. Sub-contractors may claim they have given you corresponding source, but have not. It happens.

What is intolerable is having a 3rd party hold your entire product line hostage, based on some issue with an unrelated product.

Garrett: The ongoing fight against GPL enforcement

Posted Feb 1, 2012 18:34 UTC (Wed) by raven667 (subscriber, #5198) [Link] (6 responses)

> What is intolerable is having a 3rd party hold your entire product line hostage, based on some issue with an unrelated product.

That seems like an irrational fear, I can't imagine the copyright owner getting an injunction against or even pursuing code that you can trivially show the provenance and licensing for. The issue is that, for an organization that is ignorantly shipping code in violation of copyright, the problem is likely not just one software on one product but probably all software on all products and instituting comprehensive license compliance is the simple and efficient option.

Would it be any different if the problem was, for example, the copying of images off of websites for product art rather than properly licensing images from iStockphoto? Just because you can download something off the Internet doesn't mean you can ignore copyright, which is a common misconception for many businesses.

Garrett: The ongoing fight against GPL enforcement

Posted Feb 1, 2012 19:31 UTC (Wed) by tbird20d (subscriber, #1901) [Link] (5 responses)

    That seems like an irrational fear, I can't imagine the copyright owner getting an injunction against or even pursuing code that you can trivially show the provenance and licensing for.

Well, since the SFC requests audit rights for all of a company's products that include GPL, I don't think the fear is irrational.

    The issue is that, for an organization that is ignorantly shipping code in violation of copyright, the problem is likely not just one software on one product but probably all software on all products and instituting comprehensive license compliance is the simple and efficient option.

I keep hearing this suggestion. Sony HAS a comprehensive license compliance policy, and a compliance committee (which includes me!), and to my knowledge all of our products are compliant. See my mayor metaphor on the other thread for why this is not enough to address the risk.

Garrett: The ongoing fight against GPL enforcement

Posted Feb 1, 2012 20:01 UTC (Wed) by raven667 (subscriber, #5198) [Link] (4 responses)

Which is why your position is even harder to understand because your company is already doing everything that would be requested of it by the SFC as part of a voluntary settlement. If there was a new accidental copyright violation, which in a big company it is always possible for something to fall through the cracks, then fixing that one issue and moving on would seem trivial considering all the infrastructure for doing so is already in place. What do you think is actually going to happen if some random product your company makes were to be found in violation of copyright?

If you think that the SFC would start arbitrarily trying to shut down products, and that a court would enforce those actions, well I think that's nonsense. Based on the written statements by the SFC I don't see them as a bunch of moustache twirlers who are itching to screw companies over using their compliance agreements as a lever, and I don't see any reasonable court enforcing injunctions against unrelated copyright (see RightHaven for how well this would go down in court).

In fact, judging by the SFC's written statements, their whole goal is to work themselves out of existence by getting compliance programs instituted at manufacturers and pushed up the supply chain so that these kinds of casual violations don't happen because everyone knows the rules. The problem is that many people think that just because you can download something off the Internet that copyright doesn't exist, convincing your supply chain that this is not the case can fix the problem.

And about your Mayor Metaphor, you can plainly see from the SFC's tax documents that they are not asking for million dollar fines. If we presume this is just a convenient round number for the sake of argument then I guess I don't understand what the complaint is, that spending a thousand dollars on compliance efforts as in your example is somehow a bad thing relative to ignorance until you are caught.

Garrett: The ongoing fight against GPL enforcement

Posted Feb 1, 2012 20:30 UTC (Wed) by tbird20d (subscriber, #1901) [Link] (3 responses)

    What do you think is actually going to happen if some random product your company makes were to be found in violation of copyright?

In the case of a busybox violation, I don't know. The information I have seems to indicate that the SFC will want to audit all of my products, going on a fishing expedition for GPL violations. I'm willing to expend resources to avoid finding out if that's the case.

    And about your Mayor Metaphor, you can plainly see from the SFC's tax documents that they are not asking for million dollar fines.

That's not what they ask for, but if you total up all the tangible and intangible costs (product delays), that's what a big company hears. That's a simple ballpark placeholder for engaging in any litigation at this level.

    that spending a thousand dollars on compliance efforts as in your example

I should have clarified that the $1000 dollars is not spent on compliance - that's already being covered by our compliance policies. That money in the metaphor refers to the amount we'd spend on re-implementing busybox with a BSD license. It's not insurance in the traditional sense. It's more like a payment to someone else, to make the person requesting a million dollars go away permanently. And no, I don't think we can reimplement busybox for $1000. But 10 companies could implement something usable for $10,000 apiece.

I think this really comes down to the fact that you trust the SFC to behave reasonably, and I don't.

Garrett: The ongoing fight against GPL enforcement

Posted Feb 1, 2012 20:50 UTC (Wed) by raven667 (subscriber, #5198) [Link]

> I think this really comes down to the fact that you trust the SFC to behave reasonably, and I don't.

Yes, I think that is part of our disagreement, also I have the (maybe unfounded) belief that they really don't have the ability to enforce unreasonable actions. If they tried to veto software in bad faith for example then I would ignore their request and punt it to the courts to sort out. It seems likely that the SFC would lose badly if they tried anything in bad faith such as ignoring evidence of license compliance. I don't really have any reason to believe they would try something in bad faith though as it would be all cost and no upside for them.

I guess I don't think there is a need to "trust" the SFC to not turn into a copyright troll and the courts have been showing very little patience with copyright trolls recently.

Garrett: The ongoing fight against GPL enforcement

Posted Feb 3, 2012 12:13 UTC (Fri) by dwmw2 (subscriber, #2063) [Link] (1 responses)

"What do you think is actually going to happen if some random product your company makes were to be found in violation of copyright?"

"In the case of a busybox violation, I don't know. The information I have seems to indicate that the SFC will want to audit all of my products, going on a fishing expedition for GPL violations. I'm willing to expend resources to avoid finding out if that's the case."

I'd be very interested in how you came about this "information", and just what lengths you've been going to already to avoid finding out whether it's accurate.

Have you avoided attending any of Bradley Kuhn's presentations in the last year, and reading his description of the things that SFC actually does request?

"I think this really comes down to the fact that you trust the SFC to behave reasonably, and I don't."

I do. But I also have the option to withdraw their authority to act on my behalf, if they violate that trust. If all the unfounded hyperbole about the SFC's behaviour did turn out true, I would do so.

As it is, though, this hand-wringing just seems like a crude manipulating tactic to discourage copyright holders in other projects from joining with SFC, so that the cynical approach of silencing busybox developers actually does achieve the overall goal of letting GPL violations go completely unpunished.

Garrett: The ongoing fight against GPL enforcement

Posted Feb 3, 2012 19:05 UTC (Fri) by raven667 (subscriber, #5198) [Link]

> I also have the option to withdraw their authority to act on my behalf, if they violate that trust.

I think something that could make understanding this difference of opinion clearer is that they _did_ withdraw support from SFC for enforcing their copyrights on Busybox but SFC has other authors who continue to consent to SFC enforcement and so were unable to stop the enforcements after they lost trust.

