SFC expands license compliance efforts [LWN.net]

By Jake Edge
May 31, 2012

To a large extent, BusyBox has been the "poster child" for GPL enforcement, at least in the US. That may now be changing with the announcement that the Software Freedom Conservancy (SFC) has signed up multiple Linux kernel and Samba developers whose copyrights can be used in license compliance efforts. That expands the scope of license enforcement activities while also removing the need to use the controversial GPLv2 death penalty threat to ensure compliance with the kernel's license—SFC should be able to go directly at kernel enforcement now.

Copyright holders step up

There are three parts to the announcement. First off, the Samba project, which is an SFC member project, has moved its existing compliance efforts over to SFC. Secondly, a new "GPL Compliance Project for Linux Developers" has been created for Linux kernel copyright holders to allow their contributions to be used in enforcing the GPL on that code. So far, seven copyright holders have joined the project. Lastly, several other SFC member projects (Evergreen, Inkscape, Mercurial, Sugar Labs, and Wine) have requested that the organization handle any compliance issues for their code.

The kernel copyright holders that have joined the project are—somewhat curiously—not listed, other than Matthew Garrett, who was the first. In an email exchange with SFC executive director Bradley M. Kuhn, he said that he asked Garrett to "officially speak on behalf of this program", but that the others are welcome to speak up if they wish. Essentially, Kuhn is shielding those developers from having to handle questions if they don't want to, which is part of the mission of SFC: "we take care of boring work for Free Software projects so the developers can focus on the developing the code".

Furthermore, Kuhn recognizes that GPL compliance activities are sometimes controversial in the community. So, he is happy to deflect any criticism in his direction:

I'm aware this issue can be divisive for some (I don't really understand why myself, but I see it's there), so I don't want developers to feel they all have to stand up and take the influx of FUD on this issue. That's my job to do on their behalf.

Similarly, Kuhn asked Jeremy Allison to be the contact person for the Samba copyright holders, who were also unnamed. There were nine of those before the announcement, but Kuhn said that another stepped forward after it went out. Part of the idea behind the announcement is to do just that: attract more copyright holders, particularly kernel copyright holders, to the compliance efforts. Kuhn also expects that some of the copyright holders may make themselves known in "comment threads, blogs and the like".

Copyright coverage

One question that arises when only a subset of the copyrights in a body of code are being used is whether those copyrights are sufficient to be used for compliance purposes. For Samba, there is little question in Kuhn's mind that Allison's contributions would be sufficient by themselves: "Jeremy's copyrights *alone* are so extensively spread across the many Samba codebases for multiple decades that it's probably impossible to have a working Samba binary without including very substantial portions of Jeremy's copyright works". But he is happy to have other Samba developers on board "to show their solidarity and so that they could give input into the process of the compliance activity".

On the kernel side, Garrett himself noted that his copyrights might not be useful for enforcement activities: "Most of the past work I've done is in bits of the kernel that are rarely present in infringing devices, and most of my recent work is owned by my employer rather than me." But that was an off-the-cuff blog comment that Kuhn said "painted a substantially bleaker outlook than the reality" once SFC started investigating Garrett's copyrights. Beyond that, Kuhn said, the addition of the other copyright holders has further strengthened SFC's hand:

Conservancy is confident that those developers who signed up for compliance activity on their Linux copyrights hold enough copyright that the code can't, for example, be trivially written out of Linux by someone who wants to avoid working with Conservancy on a compliance matter related to Linux.

Kuhn said that SFC is now going through the laborious process of registering the copyrights of all of those involved. The basic methodology is "going through git logs, finding commits by a particular developer, verifying their copyright claim to that commit, and then preparing the source code in a form that the copyright office can grok", he said. That will take some time, but, once it's done, those registrations will be searchable by those interested at the US copyright office.

But seven copyright holders is only a tiny fraction of the thousands of contributors to the Linux kernel over the years. To understand the scope of the copyrights that can be enforced, we would need to know just who has signed up with SFC. Until the copyright registration process is completed—or a lawsuit filed—we won't really have a good feel for that it seems.

Compliance, not litigation

When asked about any litigation on the horizon, both Kuhn and Allison were quick to point out that SFC only uses lawsuits as a last resort. The policy has always been to file suit only "when a company simply refuses to respond to repeated requests from Conservancy about compliance problems", Kuhn said, while Allison called lawsuits "a 'LISTEN TO ME !!!!' action" for those who are non-responsive.

In fact, Kuhn said, "the average is less than one lawsuit every three years", though SFC has been accused of being "overly litigious" by some. By way of contrast, SFC deals with more than a hundred minor compliance issues (e.g. some kind of compliance question) each year. In addition, situations that "required complex negotiation" number in the twenties each year, he said. There is also a certain amount of educational work that SFC does, including Kuhn speaking publicly about the issue at various conferences "which (hopefully) reaches a wide audience and (again, hopefully) raises the level of understanding" about compliance for companies beyond those SFC interacts with directly.

The announcement essentially puts companies on warning that there are "cops on the beat", Allison said:

They are low-key cops, who would rather give you a stern talking to and get you to fix your driving on the quiet than drag you publicly into court, but it does mean that if you're using the code in these projects you do have to at least *think* about compliance. You can't just ignore it, there are consequences.

Plans

SFC will be consulting with the copyright holders to determine the compliance steps that are to be taken. The organization is not looking to go its own way, but rather to work with the stakeholders to find a path that is acceptable to all. As the announcement put it:

Conservancy's new effort will be run in a collaborative manner with the project developers. All copyright holders involved will have the opportunity to give input and guidance on Conservancy's strategy in dealing with compliance issues. Thus, all Conservancy's compliance matters will have full support of relevant copyright holders.

That attitude may be helpful in bringing in other developers that might be leery of just appointing SFC as their copyright agent. By making it clear that they will be consulted and are able to help define the strategy and tactics, SFC is clearly trying to alleviate fears in the hopes of bringing in more copyright holders.

The addition of kernel and Samba copyrights (and, likely to a lesser degree, those of the other SFC member projects) will clearly expand the number and kinds of license compliance offenders the organization can target. But Kuhn does not see SFC spending any more time on compliance than it has in the past. It is third on the list of SFC activities as reported in its 2010 Form 990 [PDF], and Kuhn does not see that changing as SFC "doesn't want license compliance to be our sole or even primary focus".

That said, there are a number of things that need to be done. Kuhn said that SFC will be giving the non-responsive companies in its queue "another go-around" in hopes that the announcement will spur them to start engaging. That queue, which numbers around 250 violations, will also need to be re-prioritized based on product age and availability, he said.

Compliance is an important issue for our communities. It is not just that some are completely ignoring the—pretty minimal in the grand scheme—requirements that we put on our freely available code, but also that violators are getting an advantage on their compliant competitors. As Allison put it: "The people who do think about compliance are subsidising their competitors who don't. I think that's unfair."

With this announcement, SFC now has more weapons in its arsenal so that it can reduce that problem, while still working within the community it serves. Compliance may be controversial in some circles, but choosing a license that places restrictions on distribution—as the GPL does—doesn't really make sense unless it is enforced. Those who would rather not see SFC (or others) push compliance on companies might be best served by more permissive licenses.

SFC expands license compliance efforts

Posted Jun 3, 2012 4:12 UTC (Sun) by rahvin (guest, #16953) [Link] (5 responses)

So Sony's plan of a BSD licensed BusyBox clone to avoid the SFC enforcement on all GPL code using the Busybox copyrights just lost it's entire purpose. This is exactly what numerous people said was going to happen after the publicity of the BSD Busybox effort, in that developers from key other projects have stepped forward and giving SFC enforcement rights. So not only is the Kernel in the game but we have Samba, Wine and several others that are key players and used extensively in the commercial Linux ecosystem.

You have to wonder how the people that were complaining about SFC's efforts feel now, given that the Kernel is now available for enforcement as well and there are likely to be far more devices in trouble with the Kernel's GPL requirements than there were with BusyBox.

SFC expands license compliance efforts

Posted Jun 3, 2012 10:01 UTC (Sun) by armijn (subscriber, #3653) [Link] (1 responses)

A few things. First, please stop the Sony FUD as it is simply not true. It has been stated multiple times by both Tim Bird and Rob Landley that Toybox (which is, like BusyBox, a reimplementation of standard Unix and Linux tools) did not come from Sony. Ask Rob, ask Tim, they are both very approachable about this.

Second, Samba has been enforced in the past (as the SFC announcement says), they are just offloading the work onto SFC, so this is not exactly new. Sure, I expect that there will be more enforcement work being done for Samba (and it is badly needed).

Third, Wine is not used as much as you think. I have seen it only a few times in the last 7 years in some management software for wireless devices. Calling them a "key player" in a commercial Linux ecosystem is a bit far fetched. It would be very interesting to see enforcement being done for Wine though.

Fourth, the Linux kernel has already been enforced many times (in Europe). So it is not that it 'is now available'. That would be denying 8 years of enforcement work being done by gpl-violations.org and other copyright holders in the kernel.

You are mixing issues

Posted Jun 7, 2012 19:45 UTC (Thu) by khim (subscriber, #9252) [Link]

First, please stop the Sony FUD as it is simply not true. It has been stated multiple times by both Tim Bird and Rob Landley that Toybox (which is, like BusyBox, a reimplementation of standard Unix and Linux tools) did not come from Sony.

You are mixing issues. It's similar to FSF vs OSI difference. While they support many projects they are not identical and the goals are different.

Tim Bird's Busybox replacement project is now pointless. In fact situation for the potential infringers is even worse then it was before.

Rob Landley's Toybox which was explicitly revived with the goal "to become the default command line implementation of Android systems everywhere" is alive and well.

Fourth, the Linux kernel has already been enforced many times (in Europe). So it is not that it 'is now available'. That would be denying 8 years of enforcement work being done by gpl-violations.org and other copyright holders in the kernel.

Again, you are mixing issues. This is not about enforcement in general. This is about enforcement efforts of SFC. Tim Bird quite explicitly said that he started the projects with the goal to make SFC toothless (the very first message says that) - and this plot failed. Now SFC will just enforce Linux kernel copyright directly without using busybox as a crutch. I'm pretty sure this will stop expected massive rush of busybox/toybox switchers: it makes no sense anymore. In this sense SONY's cynical plot failed. But of course replacement may be better in other senses besides the ability to circumvent SFC's encforcers. This means it'll be used by some new projects.

SFC expands license compliance efforts

Posted Jun 7, 2012 20:26 UTC (Thu) by landley (guest, #6789) [Link] (2 responses)

> So Sony's plan of a BSD licensed BusyBox clone to avoid the SFC
> enforcement on all GPL code using the Busybox copyrights just lost it's
> entire purpose.

That's an impressive number of ways to be wrong in a single sentence.

1) Sony's never been behind toybox, they just considered using it. A few of the more clueless armchair lawyers in the FSF's orbit couldn't quite fit the idea in their head that the guy who _started_ all these license enforcement actions now thinks they're a bad idea, so they picked a random corporation to scapegoat.

2) I'm still working on toybox (8 commits to the repository this week). I should cut another release for checkpoint purposes.

3) Binary-only modules; still legal according to Linus. A Legal action could easily _confirm_ that, given that Alsup just ruled that API/ABIs aren't copyrightable in the Oracle case.

4) People speculate about my financial motives for doing toybox (I'd love it if I _was_ paid to work on it, but I'm not and never was) but nobody goes "Bradley's day job is at the conservancy, and this is drumming up business for his employer"...

5) Android's still got a "no GPL in userspace" policy, so Samba changes nothing. I really hope the kernel stuff doesn't drive Google to do a BSD kernel version (which the iPhone and iPad already showed is quite viable here) the way they rewrote the whole of userspace.

> This is exactly what numerous people said was going to happen after the
> publicity of the BSD Busybox effort, in that developers from key other
> projects have stepped forward and giving SFC enforcement rights.

Because "free software" becoming synonymous with "threat of lawsuit" is really going to improve matters. (Nothing says "hobbyist" like "enforced compliance".)

> So not only is the Kernel in the game but we have Samba, Wine and several
> others that are key players and used extensively in the commercial Linux
> ecosystem.

Covered that. No GPL in userspace isn't new.

Linux on the desktop remains somewhere around 1% market share after 30 years of development, even Vista didn't give us a boost. (On the server we displaced AIX, Sun Microsystems, and the DEC Alpha. Woo.) Linux is mainstream interesting because of Android, because smartphones are displacing the PC the way it replaced the minicomputer and mainframe before it and a fork of Linux is #2 there. Note that Linux itself isn't, the _fork_ is. From the same people that rewrote Java from scratch, and whose defense from the Oracle lawsuit is "we're not using your version". And whose main competitor (which makes 3/4 of the profits from this space, ala http://news.cnet.com/8301-13579_3-57427811-37/apple-samsu... ) is using a BSD kernel to do so.

And you want to sue them? Really? This is your idea of a smart strategic move?

> You have to wonder how the people that were complaining about SFC's
> efforts feel now, given that the Kernel is now available for enforcement
> as well and there are likely to be far more devices in trouble with the
> Kernel's GPL requirements than there were with BusyBox.

Sad, and _really_ hoping this doesn't drive Android to rebase on a BSD kernel.

Rob

SFC expands license compliance efforts

Posted Jun 7, 2012 22:21 UTC (Thu) by corbet (editor, #1) [Link]

Out of curiosity, where did #3 come from? Linus's position is rather more nuanced than you suggest, see here, for example.

The module interface is also somewhat removed from a published API.

SFC expands license compliance efforts

Posted Jun 14, 2012 19:54 UTC (Thu) by oldtomas (guest, #72579) [Link]

> Because "free software" becoming synonymous with "threat of lawsuit" is
> really going to improve matters. (Nothing says "hobbyist" like "enforced
> compliance".)

Now, now. This smells a bit like FUD. Which is better, litigation-wise: GPL or proprietary? BSA anyone?

Please. Let's keep cool.

> And you want to sue them? Really? This is your idea of a smart strategic
> move?

Read again about the SFC's approach: suing is seen as abolute "ultima ratio".

> Sad, and _really_ hoping this doesn't drive Android to rebase on a BSD
> kernel.

Look. BSD is a fine kernel. It's a perfectly reasonable decision to base one's product on that. If you do embedded Windows, you'd have to abide by Microsoft's conditions, if you do Linux, it's GPL V2 (which is way less burdensome, I assume you'd agree), if you do BSD, then it's the BSD license. Where's the problem?