On the boundaries of GPL enforcement [LWN.net]

By Jake Edge
July 20, 2016

Last October, the Software Freedom Conservancy (SFC) and Free Software Foundation (FSF) jointly published "The Principles of Community-Oriented GPL Enforcement". That document described what those organizations believe the goal of enforcement efforts should be and how those efforts should be carried out. Several other organizations endorsed the principles, including the netfilter project earlier this month. It was, perhaps, a bit puzzling that the project would make that endorsement at that time, but a July 19 SFC blog post sheds some light on the matter.

There have been rumblings for some time about a kernel developer doing enforcement in Germany that might not be particularly "community-oriented", but public information was scarce. Based on the blog post by Bradley Kuhn and Karen Sandler, though, it would seem that Patrick McHardy, who worked on netfilter, is the kernel developer in question. McHardy has also recently been suspended from the netfilter core team pending his reply to "severe allegations" with regard to "the style of his license enforcement activities".

The SFC post is a bit more specific about what McHardy has been accused of:

There are few public facts on Patrick's enforcement actions, though there are many rumors. That his enforcement work exists is indisputable, but its true nature, intent, and practice remains somewhat veiled. The most common criticism that we hear from those who have been approached by Patrick is an accusation that he violates one specific Principle: prioritizing financial gain over compliance.

There is, it seems, a subculture of GPL enforcement out there that is effectively doing enforcement for profit:

Specifically, we remain aware of multiple non-community-oriented GPL enforcement efforts, where none of those engaged in these efforts have endorsed our principles nor pledged to abide by them. These "GPL monetizers", who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years.

It is not clear whether McHardy is among the GPL monetizers or not, though there is seemingly no evidence that his efforts have led to any code being released. In addition, repeated attempts by both SFC and the netfilter team to discuss his enforcement efforts have not been answered—or even acknowledged. According to the blog post, the SFC invited McHardy to join in the drafting of the principles. That invitation went unanswered, as did another to endorse the principles after they were published. Amid the accusations from companies about his actions, some kind of response to SFC or the netfilter team would seem to make sense. The absence of that response speaks volumes, at least to some.

In fact, if McHardy disagrees with some parts of the principles, the SFC has invited him (or others who are enforcing the GPL) to "publicly propose updates or modifications to the Principles". There is a new mailing list available to host those kinds of discussions.

But if, in fact, the enforcement actions taken by McHardy are being done as a for-profit exercise, it is hard to see what response he could make. He is under no real obligation to work with others who are also enforcing the license. If he disagrees with the principles, engaging with the community about his objections would certainly be welcome, but it is apparently not a priority for him.

It is a topic that should be discussed in our communities, however, and the release of the principles was partly meant to foster that discussion. What should the primary goal of enforcement be? Should companies be "punished" for violating the GPL and, if so, how? If compliance is the goal, how should enforcement activities be funded? And so on.

When the SFC began a fundraising campaign to support its GPL enforcement efforts late last year, some were incredulous that enforcement was not self-sustaining. But prioritizing sustainability has dangers of its own, from taking money to overlook compliance problems to holding up settlements even after the company has come into compliance over monetary issues. If the goal is to get the software released, as the philosophical underpinnings of the GPL imply, then compliance should clearly be the overarching consideration.

There are elements that would like to see the GPL not be enforced at all, of course. In effect, that turns the GPL into the BSD license, which has plenty of implications of its own. There is no real way to know how much the GPL has helped in the rise of Linux versus its non-copylefted alternatives, but it would be hard to argue that the license played no role whatsoever.

If enforcement were to stop, at least in the community-oriented sense, what would be the effect on the companies that work hard (and spend lots of money) to ensure their compliance with the license? They would largely be safe from any for-profit shakedown enforcement efforts, but those with deep pockets are generally already safe from those tactics.

As with many things in open-source communities, there are lots of different—sometimes conflicting—opinions about license enforcement, its benefits and drawbacks, and so forth. There is room for trying multiple approaches, but enforcement, at least under the principles that have been defined so far, is not an inexpensive proposition. That suggests that either some of the deep-pocketed organizations in our communities step up or that we continue muddling along on the current path.

The lack of any real consensus on license enforcement, especially within the commercial side of the community, does leave room for some to abuse the process. Some of that is already happening, but success in GPL shakedowns could lead to more participants. There is a risk of a huge wave of copyright trolls using the GPL to extract money from companies, which would not be a pleasant outcome.

In the end, license enforcement is up to the collective copyright holders; if most of those are happy with the current state of affairs, it is hard to see how things will change. The GPL is meant to level the playing field, so that all participants have the same rights—and responsibilities—to the code. But if that playing field is seen as "level enough", even while GPL violations abound, enforcement may well be seen by major players as more trouble than it is worth.

to post comments

On the efficacy of coyright trolls & testing copyleft in the Courts

Posted Jul 21, 2016 3:44 UTC (Thu) by bkuhn (subscriber, #58642) [Link]

I think this article quite fairly explains the various sides of the issue. I obviously disagree with some parts of it, but I'm a known partisan on this issue, so that's no surprise. :)

The only part I'm inclined to comment on in detail is that I don't think there is any ongoing risk of successful “GPL copyright trolls”. One of the reasons Karen and I wrote Conservancy's blog post is to create an easily net-findable article for newcomer violators, who perpetrated (easily resolvable) infractions of the GPL and have been approached by a “would-be GPL copyright troll”. In my experience, which I've verified by talking to a lot of company representatives, the trolling behavior only works when the violators targeted can't easily find accurate information about the GPL and how to repair violations quickly.

Furthermore, so-called “GPL copyright trolling” only works against companies that fail to come into compliance. Even under GPLv2, German lawyers don't consider termination permanent. In the USA, where consensus is that termination is permanent, judges are unlikely to award huge damages for past violations that only exist due to termination (i.e., if compliance is almost achieved such that only GPLv2§4 remains violated due to past violations). GPL enforcement experts like myself generally believe that you can expect to get your costs back of enforcing the GPL, but huge monetary awards beyond that are really unlikely. (Conservancy's litigation experience has also confirmed that hypothesis.) Any early successes of troll-like behavior is thus short-lived and evaporates as soon as new Linux adopters learn to adapt quickly with compliant behaviors.

Meanwhile, I think the big idea that Jake hints is absolutely correct: GPL as a strategy is at a complicated crossroads. We have a lot of work to do to adjudicate copyleft and verify that the strategy works. Linux has become GPL's ultimate test case. That's because — and even as an old-school GNU fan, I will admit this — Linux is the most important, useful and interesting GPL'd codebase ever created. Thus, it's no surprise that Linux became GPL's true testing ground.

Finally, while discussions about GPL and its derivative/combined works requirements are basically “old hat” to our community, the discussion is completely new to the Courts. We'll have to bring the question to a lot of Courts in a lot of different ways to get clarity. But, once we do that, then we'll know, and everyone can proceed with more certainty.

Are there any "GPL enforcement trolls"?

Posted Jul 25, 2016 17:25 UTC (Mon) by pauly (subscriber, #8132) [Link] (3 responses)

Yes, there are. The university I am working with (and several others) got a cease and desist letter last year.
A German lawfirm who has also been working for Harald Welte
had got themselves the Dutch company SecureW2 BV as a client.
Their claim was about SecureW2, an 802.1X supplicant for use with windows (and later, Android).
Originally started around 2000 as an open source project by the Dutch startup Alfa & Ariss,
it enabled the supplicant shipping with Windows XP to do EAP-TTLS-PAP instead of PEAP for 802.1X authentication.
The software was available for some year, as was the source code. To the best of my knowledge,
the last versions of this software (then called EAPsuite) were distributed binary only although they
were still _supposed_ to be GPL.
In 2007, we dropped it altogether and found a way to support PEAP directly, thus making life easier for
Windows users. But we continued to offer that software for download (binary, of course).
Little surprising, download numbers were tiny after that.

In the mean time, SecureW2 BV had taken over the copyright of that software from Alfa & Ariss.
Their claim was that we distributed their GPL'd software without supplying the source code. Given
the historic lack of source availability on their own part, that claim was weak, of course.
What's more, educational use in Germany almost precludes any commercial use, a German
university is much more similar to a state-run authority than to any commercial entity.

After our legal department had made clear that we would not easily give way, the whole thing fizzled out.
It looks like the unclear state of that software had opened up a niche for dubious (or resourceful, as you like)
lawyers where they could at least try to "enforce" and monetize a Pseudo GPL copyright, contradicting
everything that GPL had been created for. To me, this is dangerous grounds.

Cheers, Martin

Are there any "GPL enforcement trolls"?

Posted Jul 26, 2016 4:08 UTC (Tue) by bkuhn (subscriber, #58642) [Link]

If you're ever in that situation again, just ask them if they are willing to follow the Principles or not. If not, please do in touch with me, or my colleagues at Conservancy or the FSF, about it.

Are there any "GPL enforcement trolls"?

Posted Jul 26, 2016 16:58 UTC (Tue) by pauly (subscriber, #8132) [Link] (1 responses)

This story continues. Quite number of German universities had got that sort of cease and desist letter.
At least two cases went to court, and the universities both lost in first instance (before different local courts).
Currently, I only have this German article as a reference:
https://www.dfn.de/fileadmin/3Beratung/Recht/1infobriefea...
It basically states that SecureW2's claims were fully acknowledged by the first instance courts --
despite the fact that there is accepted evidence that SecureW2 themselves failed to provide the
source code along with the binary files for the last couple of sub-versions of their software.
I have no information on the payments that the rulings would enforce.

At least the more recent case of the two will see an appeal trial.

Martin

Are there any "GPL enforcement trolls"?

Posted Jul 29, 2016 15:12 UTC (Fri) by Wol (subscriber, #4433) [Link]

> accepted evidence that SecureW2 themselves failed to provide the
source code along with the binary files

Can't you argue that, if you distribute the program AS RECEIVED FROM THE COPYRIGHT HOLDER, then this is pretty much automatic GPL compliance?

Either that, or it's entrapment. The copyright holder is distributing an allegedly GPL'd program that cannot be further distributed at all ...

Cheers,
Wol

On the boundaries of GPL enforcement

Posted Jul 28, 2016 5:16 UTC (Thu) by gwg (guest, #20811) [Link] (7 responses)

What isn't addressed by such "community" views on GPL enforcement, is the reality that many individuals and companies making GPL software available also need to be able to make a living. The dual licensing model is a semi-viable way attempting that. Companies have a simple and clear choice - comply with the GPL, or take up a commercial license. Allowing them to prevaricate by "negotiating" compliance with a party that is bending over backwards to get them just to release source code, doesn't compensate for the financial advantage they have enjoyed by not taking up a commercial license in the first place. Not all who make GPL software available are employed to do so, or are able to create substantial software purely in their spare time - and it's hard to write software when you don't have somewhere to live, can't pay for power, or don't have a computer because you are busy giving all your work away and getting little in return financially. Without support for dual licensing, there will be less GPL software available, and part of that support is an effort to enforce the GPL in a way that compensates financially.

[ And I think it is all a little weird anyway - there is no "community" you have to join to make your software available with a GPL - the license is between you and whoever agrees to it by making use of your software. There is no third party to answer to, or who's GPL enforcement rules you have agreed to. ]

On the boundaries of GPL enforcement

Posted Jul 28, 2016 12:16 UTC (Thu) by pizza (subscriber, #46) [Link]

> [ And I think it is all a little weird anyway - there is no "community" you have to join to make your software available with a GPL - the license is between you and whoever agrees to it by making use of your software. There is no third party to answer to, or who's GPL enforcement rules you have agreed to. ]

s/you/everyone who's contributed code/.

One can't unilaterally allow dual-licensing (after the fact) unless one also completely owns everything outright. That's pretty rare unless some sort of contribution agreement is utilized.

proprietary relicensing & software freedom morality in revenue-generation

Posted Jul 28, 2016 19:27 UTC (Thu) by bkuhn (subscriber, #58642) [Link] (5 responses)

Even tough it is possible to generate revenue a particular way does not mean that method of revenue generation has a positive impact. Often, it has a negative impact. There are plenty of examples outside of software (fracking comes to mind).

As long as proprietary software is legally permissible, which it admittedly is, there will be proprietary business models, and people who use them. The danger in proprietary relicensing is it is designed as a trick to convince people to rely on copylefted software, and actually hope that they fail to follow copyleft terms and gouge them.

I deeply dislike Gitlab's business model, but it nevertheless honest and fair, and gives no special powers to Gitlab. Gitlab is not copylefted, and anyone who wants to can take their community edition and make the same business model Gitlab does. It's fair.

Using copyleft for proprietary relicensing takes a tool designed to advance software freedom, and warps it in a nefarious way to turn it into a scare tactic and nearly a shareware-like system. The usage is by default unequal, because it has one of the same flaws that proprietary licensing: certain entities have more rights and powers that other entities do not. This is why I criticize proprietary relicensing almost as harshly as I criticize “mundane”proprietary licensing.

As to your point about how much extra copylefted code is generated as part of the process, I'm not sure that's inherently good, if the tool of copyleft is actually being used to promote proprietary software adoption and creation instead. I don't believe copyleft is a moral good unto itself; it's a tool that can often be utilized to advance software freedom, but any tool can be used for a purpose not within its original intent. I believe the usage of copyleft for proprietary relicensing usually does just that.

Finally, we're past the business model discussion: it's clear that one can earn a living doing only Free Software, but because proprietary software is still permitted, it's really difficult to do so — proprietary software has an unfair advantage over Free Software. Copyleft is a tool to help mitigate that problem, but it's not a perfect tool (as we're discussing). As such, making a living with only Free Software means you probably will be paid less for your work, but I know plenty of people who make a true living wage doing so. It's a question of commitment and values.

proprietary relicensing & software freedom morality in revenue-generation

Posted Jul 28, 2016 21:19 UTC (Thu) by josh (subscriber, #17465) [Link] (4 responses)

Does anyone have a standardized set of terms for the "selling exceptions" approach (as a preferable alternative to selling a proprietary license)?

I'd love to see some templated terms that effectively say "anyone who meets these conditions may ignore the copyleft terms of the license", with "these conditions" being anything from a one-time fee to a royalty model.

proprietary relicensing & software freedom morality in revenue-generation

Posted Jul 29, 2016 15:16 UTC (Fri) by Wol (subscriber, #4433) [Link] (3 responses)

The only exception I would accept - and actually it's an exception I would like to see - is that you can distribute the binary "as received" provided you point the recipient to where they can get the source.

Okay, if the source disappears then your recipients are up a gum tree, but so are you if you didn't download it ... :-)

Cheers,
Wol

proprietary relicensing & software freedom morality in revenue-generation

Posted Jul 29, 2016 16:52 UTC (Fri) by pizza (subscriber, #46) [Link] (2 responses)

>The only exception I would accept - and actually it's an exception I would like to see - is that you can distribute the binary "as received" provided you point the recipient to where they can get the source.

IIRC, the GPLv3 explicitly added this as an option.

proprietary relicensing & software freedom morality in revenue-generation

Posted Jul 29, 2016 18:49 UTC (Fri) by farnz (subscriber, #17727) [Link] (1 responses)

I can't find that option in the GPLv3 - there's section 4 referring to verbatim copies of source code, but section 6, which discusses non-source forms, does not appear to have an exception for "as-received".

proprietary relicensing & software freedom morality in revenue-generation

Posted Jul 29, 2016 19:32 UTC (Fri) by flussence (guest, #85566) [Link]

The way I read 6(d), it sounds like it's okay to distribute unmodified binaries and point people to corresponding source at the upstream project, as long as you take responsibility for preventing dead links.