
Protecting the open-source license commons

By Jonathan Corbet
November 1, 2018

OSSEU
Richard Fontana has a long history working with open-source licenses in commercial environments. He came to the 2018 Open Source Summit Europe with a talk that, he said, had never before been presented outside of "secret assemblies of lawyers"; it gave an interesting view of licenses as resources that are shared within the community and the risks that this shared nature may present. While our licenses have many good properties, including a de facto standardization role, those properties come with some unique and increasing risks when it comes to litigation.

Open-source licenses still matter, he said, even though many people have been downplaying their significance recently. Interest in the community has shifted to other kinds of governance issues, codes of conduct, for example. It is said that today's youth cares little about licenses and has less interest in the surrounding ideology, though he doesn't believe that. There is an increasing level of concern about the sustainability of many communities, and a sense that licenses are not a useful way to define modern open source.

Even so, licenses are still highly relevant for corporate users of open-source software, he said. They are the basic tools that make the whole thing possible. But licenses only matter if they are followed, which is why we are seeing increasing efforts to bring about voluntary compliance, and some increases in enforcement efforts as well.

Enforcement, especially involving version 2 of the GPL, has always been a part of the open-source landscape. It only reached the point of actual litigation in the early 2000s, where we saw enforcement efforts showing up in three broad classes. Community enforcement came directly from the developers, either individually or through organizations like the Software Freedom Conservancy (SFC). Commercial entities have done some enforcement, usually in support of an associated proprietary licensing model. And "non-community developers", such as Patrick McHardy, have been pursuing extortionate actions in search of commercial gain. These are the so-called copyright trolls, though he does not like that term. There has been an increase in all three types of enforcement in the last few years; one outcome has been the SFC enforcement principles that try to distinguish the first two types of enforcement from the last, he said.

A lot of thought has gone into enforcement at his employer Red Hat; Fontana said that enforcement activities should be judged by whether they promote collaboration or not. Enforcement that promotes certainty, predictability, and a level playing field will do that, while commercially motivated enforcement will reduce the incentive to collaborate. So he believes, like many others, that enforcement should not be done for commercial gain. Beyond that, there needs to be transparency around the funding of litigation and the selection of targets. Proceedings should be open; the secrecy built into the German legal system (where much enforcement activity to date has taken place) has not helped here. And, overall, litigation is a poor way to achieve license compliance.

The license commons

Software is a shared resource, a commons that we all benefit from and maintain; this is well understood in the development community. Outsiders do not fully understand that; they often only really learn about it when a disaster strikes, as when an underfunded project is hit by a severe security issue.

Fontana asserted that legal texts are a shared resource as well, even if that may be less obvious. Lawyers share and reuse legal language all the time with no concerns about licensing; that text is just assumed to be in the public domain. Proprietary licenses tend to reuse shared text; end-user license agreements tend not to. But, even with reused text, there is no standard proprietary license; each is unique. So a legal decision may have implications for similar licenses, but the lack of standardization puts limits on those implications. A bad ruling around one product's proprietary license does not necessarily affect other proprietary products.

Open-source licenses are different; they are truly shared licenses, of which there is only a small set. License proliferation has been heavily discouraged over the years, so there is almost no customization of licenses by individual projects. Licenses are shared between communities that may have different policy objectives. There are a lot of benefits to this sharing, including increased certainty and predictability, and the fact that interpretation discussions are not project-specific. But there are risks too, especially when it comes to litigation.

One might think that litigation would increase predictability by creating a body of case law around a license; this view is especially popular among lawyers who lack actual litigation experience. But each case is unique, and cases can have unusual or extreme facts. License interpretations in court will be fact-specific and the resulting decisions will be shaped by the arguments of the litigants — and by judges who are not familiar with open-source licenses. There is little opportunity for the community to influence decisions; all told, there is significant potential for any given case to yield bad results. And, given the standardization of licenses in the community, those results can affect a broad group of projects.

There is, he said, the potential for a lot of litigation to happen, because there are a lot of copyright holders out there. Communities may be stuck with bad decisions as a result. There is no easy solution at hand when one of those decisions comes down. There is, for example, often no license steward who could produce a new version of a license in response to a bad decision, so no license updates are possible. And even when an update is possible, there is a lot of pressure to avoid license revisions, and a difficult path to get a project to accept a new version of a license.

Protecting our licenses

So how can we protect our shared license resources? Fontana said that there can be value to litigation, but he is skeptical of it in general. We should, he said, be advocates for our licenses and look for ways to reduce both the likelihood and the impact of bad legal decisions. Among other things, that implies promoting community enforcement norms. We need to document our license interpretations, refute nonstandard interpretations, and promote modern interpretations that make compliance easier. McHardy, he said, has been trading on some strange interpretations of the GPL that should be refuted. New licenses should be drafted in public and updated more often.

One effort toward some of those goals is the GPL Cooperation Commitment (GPLCC), which seeks to promote community norms for license enforcement. It is based on the idea that licensees with good intentions should not be penalized for mistakes. One concrete step in that direction is extending the GPLv3 termination conditions to GPLv2, since the GPLv2 default is "harsh". This effort started with an enforcement statement put together by the kernel community, but it has since spread well beyond that. Quite a few companies have signed onto it, and more are on the way; it has also picked up signatures from around 200 developers. Efforts are being made to get all GPLv2 or LGPLv2 projects to adopt it; Red Hat now requires it for new GPL-licensed projects.

There have been some criticisms of the GPLCC, he acknowledged. Bruce Perens has said that the new commitment is hollow, since those companies won't enforce the GPL anyway and communities have always given violators more time to come back into compliance. Fontana's response is that companies are normally less forgiving than the community, so the GPLCC represents a change, and McHardy's enforcement was definitely counter to this promise. Bradley Kuhn has complained that the GPLCC has taken only one part of the SFC's enforcement principles, which were really designed to be adopted as a whole. And, according to Kuhn, even the savviest of companies need more than the 30 days given to come back into compliance. Fontana's answer here is that the whole thing is an experiment in establishing a norm that is worth pursuing.

Concluding with a look toward the future, Fontana said that just how license interpretations should be documented is still an open question. The GPLCC group will be looking at other aspects of the interpretation of the GPL with that in mind, and in the hope of preventing future McHardy-like incidents.

Q&A

After the talk, Fontana was asked about the community's work to avoid license proliferation and whether that was, in retrospect, a mistake. He replied that he always thought that proliferation was an overblown concern, and that the community was standardizing on a few licenses anyway. He has not been seeing many new licenses in recent years, though he did acknowledge that companies like MongoDB are trying to change that. The current tendency, though, is to play with the details of standardized licenses — an effort that is driven by the merits of those licenses. Standardization is good, he said, but it does carry a few risks.

Another audience member asked whether the community's interpretation of licenses really influences courts; he replied that, while there is no real evidence of it yet, there has always been an assumption that the courts would pay attention to the community's thoughts. But courts aren't really set up to take outside interpretations into account. The US has a mechanism for amicus briefs, but there are limits to what they can do and it may be harder to express community opinions to courts in other countries.

[Thanks to the Linux Foundation, LWN's travel sponsor, for supporting my travel to the event.]

Index entries for this article
Conference: Open Source Summit Europe/2018



Protecting the open-source license commons

Posted Nov 2, 2018 1:49 UTC (Fri) by faramir (subscriber, #2327) [Link] (46 responses)

"So he believes, like many others, that enforcement should not be done for commercial gain."

It is because of this idea (which often results in little or no attempt to recover monetary damages from even blatant violators) that I no longer support the FSF or SFC. Quite simply, essentially ALL commercial violators gained monetarily from doing so. The gains might come from a lower cost of doing business or making it harder for competitors to enter the product space or some other method. Unless the ill-gotten gains that resulted from those violations are recaptured by the community, there is no economic incentive to abide by the GPL until a lawsuit is filed. Any companies that automatically meet their obligations under the GPL will be at an economic disadvantage compared to those that don't. Because of this, I believe that the current "community standards" for GPL enforcement are going to actively encourage GPL violations in the long run.

On funding and compliance

Posted Nov 2, 2018 13:59 UTC (Fri) by bkuhn (subscriber, #58642) [Link] (11 responses)

Before responding in detail to faramir's comment, I want to thank Richard Fontana for framing well the question of GPL enforcement. It's really great to see that Red Hat (despite being owned by IBM soon :) is still supportive and in agreement with Conservancy's methods of GPL enforcement.

The rest of my post is primarily in response to faramir's comment (except the last paragraph):

It's truly amusing how Conservancy gets attacked from both sides: (a) from people who oppose GPL enforcement (like the Linux Foundation), who give us a hard time for enforcing the GPL at all, and (b) from former supporters who don't like that copyright claims don't generate sufficient (in their view) financial penalties. The latter often cite McHardy as “finally doing it right”. I think time has shown McHardy's actions, which we at Conservancy were the first to expose publicly, are not the right approach.

Enforcement isn't self-funding for a myriad of complex reasons. The reason McHardy generated some surplus revenue from GPL enforcement is that he offers no assistance whatsoever to violators for proper compliance. This model worked for a while to generate revenue, but even that seems to fail eventually.

If you assist with compliance efforts, which all good enforcement should, then enforcement is time-consuming. When Conservancy resolves a matter, we do ask for payment of our costs at an hourly rate, so in that sense it's self-funding; but, note that a charity asking for cost reimbursement is far from “enforcement for commercial gain” that Fontana criticized.

The “reimburse for costs” approach (which I originally developed in the early 2000s while still working for the FSF) ceased to be self-funding (in the short term), because many companies (these days) refuse to comply and take a “we won't comply, you'll just have to sue us” attitude, like VMware has. In that case, Hellwig (partly funded by Conservancy) continues to invest resources in legal fees as the case drags on through the various courts. In the long term, such enforcement may ultimately be self-funding due to Court awards, but only after many speculative years of litigation.

Litigation is speculative work in all the fields where I've seen and/or studied its use. It really is a fantasy to say: “if Conservancy ‘just did something different’ about GPL enforcement, it'd be self-funding and properly ‘punish’ the violators financially”. McHardy's actions are bearing that out: even if one takes the most captious and least helpful approach to enforcement, as McHardy did, one can still only generate revenue for a short time. Furthermore, success there also requires the element of surprise (and McHardy has now lost that, so he's no longer successful anyway.)

I have spent most of my career thinking about the question of how to properly fund GPL enforcement in a principled way. The Principles are a culmination of the best way we know how to do enforcement in a community-oriented way. We talk much internally at Conservancy about how to do it better, and we of course welcome volunteers and people to speak at CopyleftConf about this (although the CFP closed a few days ago for this year's edition).

Finally, I should correct a minor chronological error in Corbet's summary of Fontana's talk (not sure where the mistake came from, but it's a common chronological misconception). Conservancy and the FSF first published the Principles of Community-Oriented GPL Enforcement, then Karen Sandler and Grant Likely (then TAB Chair) worked with the Linux Foundation on a more general statement, using the Principles as a component for that document. The LF took that document internal after Grant left the TAB, and that document was (apparently) turned into the Linux Kernel Enforcement Statement, which was presented back to the Linux community once the internal LF drafting was done. (The document changed quite a bit from the last draft Conservancy helped on and the one the LF released, but some minor parts of the text we at Conservancy reviewed were still similar). The summary in the main article above hints at a different order of events. Also, hopefully, some details of how the documents evolved in the backchannels will be helpful for people to understand how the ideas evolved and spread through the various organizations.

On funding and compliance

Posted Nov 2, 2018 15:51 UTC (Fri) by nilsmeyer (guest, #122604) [Link]

If you pursue a case in Germany, once you go to court as an individual or business (unless you're also a lawyer) you have already lost. Damages awarded are quite limited, there are no punitive damages and you're not fully reimbursed for time spent in court. The only positive result you can expect is to force the opposing party into compliance, which the court may try to compel by levying further fines (which go to the government).

On funding and compliance

Posted Nov 2, 2018 16:46 UTC (Fri) by jebba (guest, #4439) [Link] (5 responses)

bkuhn thanks for all your work for copyleft. :)

Is there much consideration of using other ways to enforce compliance other than via civil copyright claims? Court cases are expensive. Piracy claims can be filed at the National Intellectual Property Rights Coordination Center. People found guilty there can go to jail, unlike in civil cases. That way you can show it isn't for the money, if you like. You don't even have to have "standing" there like you would in court.

https://www.iprcenter.gov/

You could also file complaints about importation of pirated software with US Customs and Border Protection (e.g. companies importing switches made in China that are using Debian, but not sharing source).

https://www.cbp.gov/trade/priority-issues/ipr
https://eallegations.cbp.gov/Home/Index2

On funding and compliance

Posted Nov 3, 2018 0:59 UTC (Sat) by pabs (subscriber, #43278) [Link] (1 responses)

I think that sending people to jail would not be an appropriate outcome at all.

Matthew Garrett has done the customs-based enforcement thing before; I cannot find any info about how successful that was, though.

https://lwn.net/Articles/404450/

On funding and compliance

Posted Nov 3, 2018 2:29 UTC (Sat) by jebba (guest, #4439) [Link]

If the VMware execs got even a whiff of jail, they would all change their processes immediately... Plenty of people go to jail for pirating Adobe and Microsoft products. So why not for pirating Debian? This guy went to jail for over a year just recycling computers with Windows:

https://www.washingtonpost.com/news/true-crime/wp/2018/04...

On funding and compliance

Posted Nov 3, 2018 14:13 UTC (Sat) by bkuhn (subscriber, #58642) [Link] (1 responses)

Conservancy has done deep dives on many of these programs. They are, in some cases, even more resource intensive than litigation because the timelines are compressed, which actually works against small actors like us. The initial filing fees and work to do the initial filing aren't the issue; all of these systems allow appeals and you have to be prepared to fight until the end. As I said, if anyone wants to talk seriously about new ways of doing enforcement, CopyleftConf would be a great place to do it. principles-discuss would be a great mailing list to discuss the same if you can't make the conference.

On funding and compliance

Posted Nov 3, 2018 17:22 UTC (Sat) by jebba (guest, #4439) [Link]

If it is a criminal case (e.g. IPR center), then it is up to the prosecutor and you may be called as a witness. But it isn't up to you to fight the case, like it is in a civil case. Also, you'd only have to win one of these to send a huge message. Get one executive thrown in jail for piracy of GPL software and I assure you they will all have a quick change of attitude.

On funding and compliance

Posted Nov 15, 2018 16:27 UTC (Thu) by Wol (subscriber, #4433) [Link]

> Is there much consideration of using other ways to enforce compliance other than via civil copyright claims? Court cases are expensive.

In Europe - Britain at least - copyright violation for commercial gain is a criminal offence. Although I don't know of any prosecutions for it ...

Cheers,
Wol

On funding and compliance

Posted Nov 2, 2018 19:32 UTC (Fri) by atai (subscriber, #10977) [Link]

(off topic)

The use of the single word Conservancy in your statements may be treated as a signal... Maybe you want to emphasize Software Freedom Conservancy more.

On funding and compliance

Posted Nov 3, 2018 1:51 UTC (Sat) by corbet (editor, #1) [Link] (1 responses)

With regard to the "error", the article doesn't say anything about the relative timing of the kernel community's statement on termination conditions and the SFC's principles. So I don't think there's an error there. The principles definitely came first, but if Richard said that in the talk I missed it.

On funding and compliance

Posted Nov 3, 2018 14:10 UTC (Sat) by bkuhn (subscriber, #58642) [Link]

You said "This effort started" and the "this", I thought, was Red Hat's initiative. The seminal document was the Principles, which started it all. That was my point.

On funding and compliance

Posted Nov 3, 2018 4:01 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

> I have spent most of my career thinking about the question of how to properly fund GPL enforcement in a principled way. The Principles are a culmination of the best way we know how to do enforcement in a community-oriented way.

It's a capitulation document, nothing more. With this approach you might get at most some voluntary compliance but nothing widespread.

In other words, you might force some IoT vendors to disclose their kernels but you won't get Samsung to open source all the kernel modules in the next Galaxy Phone.

If you want something real then go for the jugular. Get core kernel developers and sue large companies for 10-digit sums. And pledge the money to support OpenSource development and further enforcement.

Protecting the open-source license commons

Posted Nov 3, 2018 11:34 UTC (Sat) by paulj (subscriber, #341) [Link] (33 responses)

I too find it difficult to support the SFC because of the increasingly violator-friendly direction of travel of SFC (starting to go down the same path as Moglen and the SFLC?).

The notion that GPL copyright holders may not seek financial gain, and that there generally should be no real monetary consequences to corporates who violate the GPL undermines the GPL. It makes it essentially impossible for non-deep-pocketed GPL copyright holders (e.g. individual copyright holders) to be able to do anything about violations. Indeed, if you are an individual contributor who is trying to get something done about deliberate violations of your code, and you obtain legal advice *outside* of the community of Free Software lawyers (who, let's be clear, may be employed by large corporates, or be partly funded by them), the advice you get may well be that you *should* put a monetary price on use of your code outside of any free software licence(s) you have given, to establish the case for damage. Yet, in doing so, you would be going against the SFC's and Linux Foundation's "principles".

Let that sink in: If you seek independent legal advice about infringement of your GPL code, the advice you may get about what is in _your best interests as a copyright holder to build the case for compliance_ will be at odds with the SFC's "principles".

To me, that means something is wrong with these principles, when they fundamentally are at odds with what is best for those free software coders who'd like the licence on their code respected.

I have a lot of respect for the work bkuhn has done in the past. However, I have to sit here and watch Linux-Foundation-associated corporates take the piss with code I made available under the GPL or contributed to under the GPL, and on top of that I then have to watch Bradley and the SFC somewhat downplay corporate abuse of Free Software and then undermine the ability of individual contributors to do anything about it. :(

Protecting the open-source license commons

Posted Nov 3, 2018 14:08 UTC (Sat) by bkuhn (subscriber, #58642) [Link] (32 responses)

paulj, I really point you back to my post up-thread. There isn't a magical formula that is going to make enforcement self-funding. The interesting thing about McHardy is we got to run the experiment that said: "What if we prioritized revenue, would it even work?" Turns out, "only briefly" is the answer.

Also, I didn't mention in my previous post that we're often confronted these days with that fine-sue-us attitude from violators. In those cases, what money would we take? Take money from companies that are still violating and refuse to comply? I can't see a discernible difference between that and selling proprietary licenses. So, the only option is to make decisions to file lawsuits against those bad actors.

Protecting the open-source license commons

Posted Nov 4, 2018 1:28 UTC (Sun) by rgmoore (✭ supporter ✭, #75) [Link]

I think you're missing the point. To many people, the goal of monetary damages is not to make enforcement self-funding but to serve as a punishment for willful violations. Trying to bring violators into compliance is fine for people who don't know any better, but willful violators will see it as proof that there's no real penalty for ignoring the license. There needs to be a big stick to use as a threat against companies that think they can violate the license with impunity.

Protecting the open-source license commons

Posted Nov 4, 2018 9:51 UTC (Sun) by paulj (subscriber, #341) [Link] (29 responses)

Who said anything about "self-funding"?

That sounds like you're thinking about this from the perspective of an organisation that might be repeatedly involved in such cases, and how such an organisation might sustain itself. It is of course perfectly understandable that you'd have that perspective, and I'm fully in support of you finding a way for a pro-copyleft organisation to sustain itself.... However, that's not the perspective that matters to J Random Copyleft Developer who dislikes seeing corporates taking the piss with their GPL code.

What matters to our J is getting infringement stopped. And I'm telling you that - in at least some jurisdictions - to be able to take action requires demonstrating damage (for various practical reasons, even if not entirely in principle). And that legal counsel will tell you that this is best done by putting a price on use/distribution outside of the terms of the copyleft licence that was given.

Your "principles" disallow this.

Your principles mean J Random Copyleft Developer must choose between adhering to your definition of what it means to be a "community orientated" copyleft developer, and following advice of independent counsel about how to get the licence on their code properly respected by abusive corporates. Given that, it seems to me that these principles show far more consideration for respecting these abusive corporates, than respecting the copyright interests of J Random Copyleft Developer.

I can't support something that cares more about soothing the sensitivities of abusive corporates, than it cares for what is best for random copyleft developers who are sick of seeing said abusive corporates take the piss with their copyleft code.

Protecting the open-source license commons

Posted Nov 4, 2018 10:42 UTC (Sun) by paulj (subscriber, #341) [Link] (24 responses)

Oh, and one of the consequences for J Random Copyleft Developer of sticking to these "principles", is that the wider population of commercial copyright legal professionals will not be interested in taking on the case, as there's no other money to be pursued to make it worth the lawyer taking an interest themselves in the case - cause your "principles" disallow this.

The practical consequence of that is the only legal help left to J will be from non-profit orgs interested in copyleft. E.g. SFC. J effectively is restricted to getting help from just a _tiny_ pool of lawyers. The set of lawyers/paralegals in the world who work for non-profit, copyleft organisations.

Now, if you're one of those few non-profits, I guess that's a nice way to get more control over how copyleft is enforced.

However, that sucks for J: Those few organisations have few resources to help J, and their interests are not necessarily fully aligned with the best interests of J.

Limiting enforcement - practically at least - to a small set of non-profits is an obvious scaling issue. Those organisations have to be very selective about what they take on, simply because of resourcing. Further, in the worst case, those few organisations are ripe targets for corporates to (slowly) capture, via funding - which can lead to further selection bias (thinking of one org where this may well have happened already).

This means copyleft compliance can not scale, and the little that can be done is weak and fragile.

tl;dr: This "no monetary gain" thing in the principles is an absolute _gift_ to abusive corporates (who have no qualms at all about gaining monetarily by abusing copyleft). :(

Protecting the open-source license commons

Posted Nov 6, 2018 3:52 UTC (Tue) by bkuhn (subscriber, #58642) [Link] (23 responses)

paulj, I think you haven't read the Principles carefully. I don't see anywhere that says punitive awards should be refused and never sought. The Principle says that monetary gain should never receive precedence over compliance. To quote:

> Financial penalties are a legitimate tool to achieve compliance when used judiciously.
> Logically, if the only penalty for violation is simply compliance with the original rules, bad
> actors will just wait for an enforcement action before even reading the GPL.

I urge you to read the rest as well. It doesn't preclude any of the things you are likely asking for, as long as the enforcer is also getting compliance first and foremost.

Meanwhile, it seems you keep asking for someone to do work that no one knows how to do. If you have a plan that will get compliance, and properly create deterrent punitive measures, then please share it.

I've spent a lifetime studying how to make copyleft succeed. I am willing to learn more from anyone who has something to teach, but I don't see anything in your posts that show a way to modify enforcement such that it will achieve what both you and I want: more compliance by more bad actors.

You keep talking about making companies more liable financially than they currently are to come into compliance. What method do you propose we do that? What path of legal action can we take that will yield that? How do we fund that work to begin with? How do we assure that work doesn't become corrupted by avarice and fail to reach the policy goals of copyleft?

It's easy to say: "everyone who has tried this is doing it wrong". It's much harder to participate in a real discussion on how to do it better. I encourage you to do the latter instead of the former.

Protecting the open-source license commons

Posted Nov 7, 2018 12:30 UTC (Wed) by paulj (subscriber, #341) [Link] (22 responses)

Punitive awards are not possible in the jurisdiction I am in, to my understanding. You can only seek compensation for damage. Which means you must demonstrate some kind of loss, and if that's to be in any way meaningful to deterring abusive corporates, there must be a relatively non-disputable way to put that loss into monetary terms. The advice I have from a commercial solicitor specialising in copyright is that the best/most-obvious/least-arguable way to achieve that in the jurisdiction I was in is to tell abusers that there is a price on non-copyleft-licence-conforming use (which arises from the value of the software, and copyright).

This would mean the copyleft copyright holder could gain monetarily though. If you say that that is fine, great - but the "principles" do seem to strongly discourage doing that. E.g., here's the text immediately after what you have quoted:

"Copyright holders (or their designated agent) therefore are reasonable to request compensation for the cost of their time providing the compliance education that accompanies any constructive enforcement action. Nevertheless, pursuing damages to the full extent allowed by copyright law is usually unnecessary, and can in some cases work against the purpose of copyleft."

Firstly, the copyleft copyright holder is instructed to only seek compensation for the /time spent on compliance/ - which is a smaller amount than the many years prior that may have gone into developing the software itself. And it then discourages seeking even that (??).

Are you saying that if I go to a corporate who I believe (based on advice) is abusing the licence on copylefted code of mine and tell them (roughly) "Any further use and/or distribution of my code outside the copyleft licence I granted will require compensation of x% of your revenue", and I later try to act to recover that compensation, that the Conservancy principles are OK with that?

If you want to chat to me more in private, I tried to get help from the Conservancy before on my particular problem a good while ago. Feel free to reply. ;)

Protecting the open-source license commons

Posted Nov 7, 2018 13:07 UTC (Wed) by paulj (subscriber, #341) [Link]

Oh, the other aspect to the jurisdiction I was in is that you _can not_ get all your costs awarded to you, should you end up having to take it to court. You /will/ be paying a significant amount of your legal costs, _even if you win_. (You don't want to go to court, but these types of considerations end up influencing pre-court action anyway, e.g. the extent to which the abuser can think you're likely to be able to go take it to court).

So the damage from the copyright infringement has to be significant enough for you to be able to pay your (non-trivial) legal costs.

If you're subscribed to a set of principles that say the only damages you should seek should be your legal costs, then you're going to end up with significant legal bills, *even if you win*. So these principles may render any real enforcement out of reach for any non-wealthy private copyleft copyright holder.

There are other practical problems with the Conservancy's apparent "can't seek damages beyond compliance costs" that further put a non-well-resourced private copyleft copyright holder in a weak position, in at least some jurisdictions.

Protecting the open-source license commons

Posted Nov 7, 2018 16:39 UTC (Wed) by pabs (subscriber, #43278) [Link] (20 responses)

Hmm, I would have thought that one would just define the damage as the total revenue the abuser made from sale of GPL-violating products, rather than the price of something that is usually not for sale at any price (a non-copyleft license to the code), unless of course you are running a dual licensing business like MySQL or MongoDB.

Protecting the open-source license commons

Posted Nov 7, 2018 18:34 UTC (Wed) by mpr22 (subscriber, #60784) [Link] (19 responses)

You can define what you want the damages to be however you please.

Whether you can persuade the court to accept your definition is another question, and "I charge advertised fees of $MEDIUMNUM/copy (or $HUGENUM for a one-off licence) for a licence to make non-copyleft-compliant copies of my software, and this company has made BIGNUM non-copyleft-compliant copies of my software without paying my fees, so my total damages are either $HUGENUM, or $MEDIUMNUM * BIGNUM" is much easier to make a case for in court than "they made $BIGNUM from selling a product that included non-copyleft-compliant copies of my code, so my damages are $BIGNUM".

Especially if the offender is a hardware vendor.

Protecting the open-source license commons

Posted Nov 8, 2018 2:24 UTC (Thu) by pabs (subscriber, #43278) [Link] (18 responses)

In the case we are talking about, there is no advertised fee for non-copyleft licenses and the copyright holder isn't interested in selling such licenses.

So $MEDIUMNUM = ∞, $HUGENUM = ∞ and damages = ∞ but I guess we must round that down to the value of the company, since money isn't infinite.

It seems likely that the court are more likely to accept setting damages to revenue (or a percentage) they made from violating the only available license than setting damages to ownership of the entire company.

If we are talking about non-∞ values for $MEDIUMNUM and $HUGENUM then that sounds like a proprietary relicensing business rather than what paulj was talking about?

Are there any other models for damages that would be appropriate and would be accepted by the courts?

Protecting the open-source license commons

Posted Nov 8, 2018 10:49 UTC (Thu) by paulj (subscriber, #341) [Link]

See my other reply to you: https://lwn.net/Articles/770625/ - you're mixing some stuff up.

See also mpr22's reply to you. You have to word things in a way that makes sense legally and will stand up. I'm not a lawyer, so you'll have to find one to get a real explanation. However, my hand-wavy, probably completely wrong, opinion is that you can't really define "damage" self-referentially - damage must refer to something else, something you lost or were deprived of, etc.

Protecting the open-source license commons

Posted Nov 8, 2018 19:06 UTC (Thu) by mpr22 (subscriber, #60784) [Link] (16 responses)

If you do not offer proprietary licences at any price, then MEDIUMNUM and HUGENUM are not Inf.

They are NaN.

Protecting the open-source license commons

Posted Nov 12, 2018 3:45 UTC (Mon) by GoodMirek (guest, #101902) [Link] (15 responses)

I would be really interested in a reply from bkuhn on this. I have also stopped supporting SFC on the same basis as paulj. I have told them that; the answer I got from them did not address my concerns.

Protecting the open-source license commons

Posted Nov 12, 2018 15:47 UTC (Mon) by bkuhn (subscriber, #58642) [Link] (14 responses)

> I would be really interested in a reply from bkuhn on this

I have replied many times in this thread. paulj appears to be misreading what the Principles say, and keeps making arguments about what he thinks they say, and then arguing that if they said that, they'd be bad. I just don't have time to keep refuting that same point.

What we've seen is that companies like MongoDB who put profit above compliance end up acting corruptly. Monetary gain should never go ahead of getting compliance in Principled enforcement. I stand by that. I know some of Conservancy's donors are annoyed that we don't put money first, and they stopped giving because they feel we should. I'd rather have a few annoyed donors than be on the path to corruption.

The Principles themselves address this point that paulj keeps making:

> Logically, if the only penalty for violation is simply compliance with the original rules, bad actors will just wait for an enforcement action before even reading the GPL. That social model for copyleft and its enforcement is untenable and unsustainable. An enforcement system without a financial penalty favors bad actors over good ones, since the latter bear the minimal (but non-trivial) staffing cost of compliant distribution while the former avoid it.

The Principles do not preclude punitive damages. Elsewhere in this thread, I talk about the complexity of getting them in the real world. No one in this thread has yet to put forward an idea for how to do enforcement that Conservancy hasn't carefully vetted and investigated.

Protecting the open-source license commons

Posted Nov 12, 2018 16:31 UTC (Mon) by paulj (subscriber, #341) [Link] (11 responses)

I've asked you a question in https://lwn.net/Articles/770915/ and between the bits of the Principles that say you should not seek damages beyond your compliance costs (which seems a recipe for being left with significant legal costs in jurisdictions where you will never be awarded all your costs), and the bits you're quoting that say you may seek punitive damages (but... there is no such thing as punitive damages in some jurisdictions), I still have no idea what the SFC's position is. The question again:

“Are you saying that if I go to a corporate who I believe (based on advice) is abusing the licence on copylefted code of mine and tell them (roughly) "Any further use and/or distribution of my code outside the copyleft licence I granted will require compensation of x% of your revenue", and I later try to act to recover that compensation, that the Conservancy principles are OK with that?”

Yes or no?

(Note, I'm not saying where, if obtained, that theoretical compensation would go, after legal costs [see 'b' above] - it could go to a nice new TV, to charity, FOSS or more general, etc.).

Protecting the open-source license commons

Posted Nov 12, 2018 17:04 UTC (Mon) by bkuhn (subscriber, #58642) [Link] (10 responses)

Feel free to join the principles-discuss mailing list if you want to discuss the efficacy of the Principles.

Protecting the open-source license commons

Posted Nov 12, 2018 17:14 UTC (Mon) by paulj (subscriber, #341) [Link] (9 responses)

You don't respond to private email. You refuse to give a direct answer here. What's the point joining an email list to have the question not answered there?

I don't know why you/the SFC has not responded to any of my emails seeking help on licensing. It's strange.

It's making me wonder if it was because, in my first email to the SFC on this topic, one of the corporates that I noted as being involved happens to be one of your sponsors (I didn't think of that at the time of writing, have to say). And that's sad. :(

Protecting the open-source license commons

Posted Nov 12, 2018 17:43 UTC (Mon) by bkuhn (subscriber, #58642) [Link] (8 responses)

You're not likely to get useful replies if you swing around unsubstantiated accusations of corruption against Conservancy like you just did. Please do refresh any thread you have with compliance@sfconservancy.org and ask for status. As we've stated many times, we're usually tracking hundreds of GPL violations at any given time. I'm sorry that we didn't take action on the one that bothered you most, but if you have a violation report, regardless of who it is against, we want to know about it and triage it along with the hundreds of other ones.

You seem to think that if we did things exactly as you said, we'd have so much money to pursue enforcement we wouldn't know what to do with it. We've tried many of the things you said. If you haven't read the entirety of the documents in the BusyBox cases, you should. We asked for actual and statutory damages both. It is just not worth anyone's time to engage in hypotheticals of what we might do if copyright law were different and we had different remedies available. We have the remedies we have in the USA: statutory and actual damages. Conservancy pursues both in enforcement cases, and there is detailed Court evidence to show that we did in the BusyBox cases.

I sympathize with what you are feeling. It angers me too that big companies get away with GPL violations because the GPL enforcement remains expensive and complicated. But I'm not sure alienating the only organization doing something about the problem by captiously attacking Principles they wrote in an effort to avoid corruption is going to yield an outcome that helps you or anyone else.

There is a place for discussion of the Principles and to air concerns about them; I invited you there. LWN is not really the right place.

Also, sending personal email to me is not the way to do it, and claiming that I am not engaging with the community because I don't answer your personal emails is just unfair. (BTW, I can find no emails from anyone with username paulj in my archives nor the violation report archives, so I don't know which emails you're referring to anyway.) Also, BTW, if I answered every email I get from the general public, I'd spend my entire day every day answering emails. It's just untenable to expect someone who is a public figure to do that.

I did engage heavily with this thread because people raised questions and I've addressed them. I know you don't like the answers, and you want more attention to your points. I wish I had time to engage for unbounded amounts of time with everyone who has feedback on GPL enforcement. But I have to get back to the work that you keep urging me to be doing. :)

Protecting the open-source license commons

Posted Nov 12, 2018 18:08 UTC (Mon) by paulj (subscriber, #341) [Link] (7 responses)

It'd be: paul@ - I have emailed apply@ before, and karen@, and bkuhn@ the other day.

I don't think there is some magic money pot. I never claimed anything like that.

I think that - even if the principles work for the SFConservancy in the jurisdiction the SFC prefers - it's crippling to other copyleft developers in other jurisdictions. Given that you and Karen are clearly extremely busy and overloaded and can't deal with all the cases you have, clearly some of those developers are going to have to seek help elsewhere (e.g., commercial solicitors). What I'm saying is that the SFC principles render a difficult (financially) situation impossible there, based on my understanding of legal advice.

Protecting the open-source license commons

Posted Nov 12, 2018 18:31 UTC (Mon) by bkuhn (subscriber, #58642) [Link] (6 responses)

I don't think Conservancy's enforcement work for Linux, Samba, etc. is harming the enforcement efforts of others. The only enforcement efforts we've condemned are McHardy's (and general proprietary relicensing business models), because they are clearly prioritizing revenue above compliance.

I'm dubious of solicitors/lawyers who seek to make money from enforcement, mainly because they are likely to pressure a client to prioritize revenue over compliance. However, the Principles take no position against using for-profit law firms as part of enforcement, and you should do so for your copyrights if you think it will help. I urge you to follow the Principles when you do.

It seems the violations you're concerned about are not related to any copyrights Conservancy holds, nor any member project of Conservancy, so we're not really part of the conversations you'd need to have in any event.

Protecting the open-source license commons

Posted Nov 12, 2018 19:00 UTC (Mon) by GoodMirek (guest, #101902) [Link] (2 responses)

As paulj explained in detail, in our jurisdictions we cannot perform sustainable (in terms of covering expenses) GPL enforcement without proprietary relicensing business models.

Protecting the open-source license commons

Posted Nov 13, 2018 4:47 UTC (Tue) by pabs (subscriber, #43278) [Link] (1 responses)

It wasn't clear until now that paulj and yourself were talking about wanting/needing proprietary relicensing business models in order to achieve GPL compliance. I think this should have been stated much more clearly much earlier in the subthread.

Personally, a proprietary relicensing business model achieving GPL compliance sounds like an oxymoron to me.

Could you explain how this might work?

Is the idea to sell enough cheaper proprietary licenses to smaller businesses such that you can afford to take abusively non-compliant large corporations to court? You would then achieve GPL compliance by telling them that due to their license violations (both proprietary and GPL) you won't sell them the proprietary license and then take them to court to get compliance with both the GPL and with the more expensive large-corporation-sized proprietary license? So the end result of such an enforcement action, if successful, would be a number of smaller businesses with non-GPL-compliant codebases (due to proprietary licenses, for the time period specified by those licenses), one large corporation with a GPL-compliant codebase and more money to go after the next abusively non-compliant large corporation.

Protecting the open-source license commons

Posted Nov 13, 2018 5:43 UTC (Tue) by paulj (subscriber, #341) [Link]

No, no.. I have not argued for a proprietary licensing scheme at all! Read https://lwn.net/Articles/770625/ again.

In my personal case, even if *I* did take action against abusers to recover compensation for prior use of my code in the work concerned, outside the copyleft licence I gave, there are (many) other copyright holders, and *in no way* could any abusers I took action against ever receive a "proprietary licence" as a result!

That said, I am not against proprietary licensing at all, if it allows the developers of copyleft software to get the following types of corporates to fund and pay for the development of copyleft software:

a) Corporates who would otherwise avoid using and contributing to copyleft software, as much as possible.

b) Corporates who would otherwise parasitically use and abuse copyleft software

The non-profit model just isn't going to fly. If a non-profit gains traction, it will just be captured by the type-b corporates via donations. I've been in one and watched it happen. It just destroys copyleft software and communities. A few developers benefit perhaps, but the rest is destroyed.

Protecting the open-source license commons

Posted Nov 14, 2018 15:58 UTC (Wed) by paulj (subscriber, #341) [Link] (2 responses)

The Conservancy doesn't hold any copyrights in these violations because the application to join the Conservancy went nowhere, for reasons never communicated to me. Even though you personally reached out to me in '17 encouraging me to apply. Eventually, after 9 months odd of waiting (and other reasons) I gave up waiting to hear back.

So yes, you don't hold the copyright.

On whether I can stick to the Principles in any enforcement I do myself. I have no idea. The Principles - at best - contain statements in tension with each other (if not self-contradictory) and need interpretation, and you refuse to give direct answers to requests for clarifications.

I do wish you and the Conservancy all the best, in furthering the interests of the community the Conservancy represents. (Regrettably, it doesn't include me, but you can't say I didn't try to join it ;) ).

Protecting the open-source license commons

Posted Nov 15, 2018 18:13 UTC (Thu) by bkuhn (subscriber, #58642) [Link] (1 responses)

paulj, I have an email from you on 2017-11-10 in which you say "there was no point in pursuing SF Conservancy" membership for your project. That's the reason we didn't proceed.

As for "inviting you to apply", as a matter of historical record, the first inquiry about joining was indeed from *you* in Feb 2017. I do see in April 2017 I joined the thread, responding to your Feb 2017 inquiry (which Karen had already answered twice in Feb and March) and encouraged you to submit the application materials. We do write back to project leaders and encourage them to apply after they've shown initial interest, but that's not the same as "reaching out" as a cold contact, which your prior posts seem to indicate. (I think the number of times Conservancy has contacted projects on a cold-contact basis and asked them to apply is less than three in our more than ten years of existence. Our typical experience is we have a large queue of inquiries and cannot possibly accept all the projects who want to join us given our limited resources.)

It's not uncommon from the date the application is submitted to acceptance in Conservancy to take 6-8 months. We got your application on 2017-04-12 and sent you updates along the way, and then received the withdrawal of your application on 2017-11-10 and removed it from the queue. We carefully vet applications and make sure the project is a good fit. I'm sorry that timeline didn't work well for your project; we are not the right fit for fiscal sponsorship of all projects by any means, and there are less involved fiscal sponsors with smaller service plans (i.e., who don't do GPL enforcement) that can accept a project faster. Our commitment to our projects is stronger than most fiscal sponsors so we have to be deliberate in our decision-making.

Anyway, thanks for your kind words for Conservancy and I wish you success in resolving GPL violations on your copyrights. If you have questions about the principles, there is a mailing list for it, principles-discuss, as I mentioned in an earlier thread.

Protecting the open-source license commons

Posted Nov 28, 2018 15:51 UTC (Wed) by paulj (subscriber, #341) [Link]

I don't know, I didn't hear from the Conservancy for 3 months after the month where I'd been told the application would be considered. Maybe it's my fault for being impatient, and not realising it would take 8+ months to even look at the application. ;) Doesn't matter anyway.

I wish you well. I do though hope you process my concerns on the Principles as they are, with regard to the lack of clarity (at least) on points that are very important to the practicality of enforcement in at least some places. It seems I am not alone. As you're now aware of those concerns, I don't see a reason why I need to post to another mailing list (I've been subscribed to that list for a good while FWIW, if you want to discuss further and post there I'll see it).

All the best.

Protecting the open-source license commons

Posted Nov 12, 2018 18:05 UTC (Mon) by GoodMirek (guest, #101902) [Link] (1 responses)

bkuhn, I really appreciate your response. The valid point paulj makes and which is of my concern is that in many European jurisdictions including mine the Principles can never work the way they work in the USA. In my understanding, paulj is asking whether lost profit damages are acceptable enforcement under the Principles.
The question is asked because the only sustainable way to enforce the GPL in my and many other European jurisdictions is via the lost profit damages.
In my eyes the Principles are against that way of enforcement and you seem to second the Principles.
Am I misreading?

Protecting the open-source license commons

Posted Nov 15, 2018 17:10 UTC (Thu) by Wol (subscriber, #4433) [Link]

As a European myself, I look at it simply ...

If I had any copyrights, I would contact a violator and say "we need to fix this". If they engage with me and want to put things right, legal enforcement should be unnecessary.

If on the other hand, they come back with a "sue me" attitude, I'd sue for everything I could get. And I don't see that as conflicting with the ethos of the GPL at all! If they wilfully ignore it, why shouldn't I go for every penny? But if it was accidental, and they are genuine, it would never have got that far.

Cheers,
Wol

Protecting the open-source license commons

Posted Nov 4, 2018 11:20 UTC (Sun) by pabs (subscriber, #43278) [Link] (3 responses)

Putting a price on distribution outside of the terms of the copyleft licence that was given seems like it would be in conflict with getting non-compliance stopped as it basically amounts to offering a proprietary license, which our J presumably is not interested in doing. Also in some situations (like the Linux kernel) it would be impossible to achieve agreement from all copyright holders.

Can you really say in court "you are violating our copyright, you must pay us one trillion dollars to not get a proprietary license" for copyleft software that is usually available for only the cost of license compliance (which is usually trivial)?

Protecting the open-source license commons

Posted Nov 4, 2018 11:35 UTC (Sun) by farnz (subscriber, #17727) [Link]

Putting a price on it means two things, in practice (at least in the jurisdictions I understand well enough to talk about - check with your lawyer first):

  1. It opens up the possibility of punitive damages or fines - given that they did not negotiate paying beforehand, and they should have done, there's now legal wiggle room to deprive them of any possibility of making a profit from infringement. E.g. if a device costs $20, and includes copyright infringement to the tune of $1 per device, a court can legitimately take $1 per device in damages to the copyright holder, plus $19 in fines or damages depending on jurisdiction, resulting in you making a loss on every device sold.
  2. It makes certain classes of injunction possible; if there's no financial damage, then there's no cause to recall the devices from all buyers, or to prevent the copyright holder from continuing to sell them. If there's financial damages, then you can stop the sale while the case is decided, and recall of all sold devices is an option. If there's no financial damage, then there's no reason to stop the sale of infringing devices until after the case is decided, and there's no harm done by leaving previously sold devices in customer hands.

One of the problems is that different jurisdictions have different rules - and you need your enforcement regime to handle that in a sane way.

Protecting the open-source license commons

Posted Nov 4, 2018 12:35 UTC (Sun) by paulj (subscriber, #341) [Link]

That J Random Developer gives a price for otherwise unlicensed use of their portion of the code, does not mean they're giving a licence of other portions of the code that others have copyright to. It doesn't stop those /other/ copyright holders from also naming their own price, or taking their own action, as they wish. It does not mean there is any ongoing licence even. It need not mean the infringing party can continue to distribute or even use the code.

And yes, a copyright holder _can_ name their price. That's precisely what copyright is intended to allow the likes of J to do - to have economic control over various uses of their work. That J chooses to allow certain uses for no monetary price under certain conditions (e.g. copyleft terms, perhaps because of a belief in a wider social good), does not mean J gives up the right to name a price for uses under /other/ conditions. And indeed, J _should retain that right_ if J ever wishes to be able to enforce the non-monetary licence without having to spend vast sums of money (that many developers will not be able to afford).

Anyone who does not like the copyleft conditions, or feels the price for other use/distribution is unreasonably high, is still quite free to not use/distribute the work (there's a clause in the GPL about this ;) ).

A set of "community principles" which try to estop J from ever being able to name a price on non-copyleft use is a set of principles that ultimately render that licence literally valueless and hence practically unenforceable (in at least some places, for many private individuals), if held to. Which suits the corporate abusers no end.

Protecting the open-source license commons

Posted Nov 4, 2018 18:59 UTC (Sun) by rgmoore (✭ supporter ✭, #75) [Link]

> Putting a price on distribution outside of the terms of the copyleft licence that was given seems like it would be in conflict with getting non-compliance stopped as it basically amounts to offering a proprietary license, which our J presumably is not interested in doing.

Not really. At least under American copyright law - and I believe something similar is true elsewhere - the process of dealing with past violations is separate from future ones. So a copyright holder can demand compensation for past copyright violations and an injunction to prevent the violator from continuing to infringe. It would be very strange if the law did otherwise. Why should a copyright holder be required to choose between being paid for lost value from previous violations and the power to control distribution in the future?

Consider the case of a movie studio that discovers somebody selling unlicensed copies of their movies. They're well within their rights to demand all the money the unlicensed seller made by selling the unlicensed copies and to demand they be prevented from selling any more in the future. There's no reason the rule should be any different for software.

Protecting the open-source license commons

Posted Nov 4, 2018 13:01 UTC (Sun) by paulj (subscriber, #341) [Link]

To be clear, I'm not arguing SFC should take money from abusers to not take action.

I do think abusers should become /liable/ for large amounts of money, when they deliberately abuse Free Software licenses. E.g., because Free Software copyright holders name a price (perhaps conditioned on gross revenue, or some other mechanism to make cost of abuse proportionate to the size of the abuser) for use/distribution outside of the copyleft licence.

And I believe that because of what I've been told by commercial copyright solicitors.

Protecting the open-source license commons

Posted Nov 2, 2018 17:38 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (29 responses)

TLDR; version - "business as usual".

Feel free to violate GPL and in the _worst_ case you might eventually have to comply with the license. But probably not, since nobody is going to enforce it anyway.

If you get a strongly worded letter or two from GPL hippies, just ignore them.

Protecting the open-source license commons

Posted Nov 2, 2018 18:04 UTC (Fri) by Paf (subscriber, #91811) [Link] (25 responses)

As Bradley said above:
He's open to suggestions.

Protecting the open-source license commons

Posted Nov 2, 2018 18:10 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (24 responses)

I have two suggestions:
1) Convert Linux to Apache 2 license just to be honest with everyone.
2) Change the Linux mascot to a giraffe.

More seriously, I want to see concerted efforts to sue violating companies from the core IP holders of Linux (to avoid VMWare's "minor contributor" issues).

And no wishy-washy "sue for compliance". Sue for damages, including punitive damage in jurisdictions that allow for it.

The current status quo actually rewards companies that are behaving badly, while hurting the honest players.

Protecting the open-source license commons

Posted Nov 2, 2018 19:18 UTC (Fri) by mpr22 (subscriber, #60784) [Link] (15 responses)

> Sue for damages, including punitive damage in jurisdictions that allow for it.

I would find it very satisfying to see high-profile infringers get sued for enormous piles of money.

I don't think I'd find the job losses attendant on the subsequent liquidations, or the increased ability for anti-software-freedom propagandists to point to "real cases" that "support" their "GPL is burning radioactive poison and you shouldn't let it get anywhere near your computers" stance, anywhere near as satisfying.

So I'm kind of conflicted on the subject.

Protecting the open-source license commons

Posted Nov 2, 2018 19:40 UTC (Fri) by farnz (subscriber, #17727) [Link] (13 responses)

On the other hand, in the current situation, I've had big vendors (under NDA, or I'd disclose names) tell me that their closed-source Linux kernel (not kernel modules - entire kernel binaries) are fine, because there are no real cases of someone being sued and facing real penalties for failing to distribute source.

It's a tradeoff - do you want semiconductor vendors to consider it OK to send binaries only for their entire "SDK" that you're supposed to modify and redistribute, or do you want to risk the anti-freedom people pointing to real cases?

Protecting the open-source license commons

Posted Nov 2, 2018 20:54 UTC (Fri) by pbonzini (subscriber, #60935) [Link] (12 responses)

You had received a derivative work of Linux and you were entitled to receive the sources in the form preferred to make modifications.

So why didn't you request sources? This is not about _you_ getting sued, it's about them not getting sued _by you_.

Protecting the open-source license commons

Posted Nov 2, 2018 20:57 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

Because large hardware vendors just say: "Sucks to be you. Go on sue us. Make my day"

Protecting the open-source license commons

Posted Nov 2, 2018 21:22 UTC (Fri) by jebba (guest, #4439) [Link] (3 responses)

When I asked Dell lawyers for source to one of their $10k+ Debian based switches (S4048T-ON), they said no one had asked before. They subsequently pointed me to a newly created repo they had of the linux kernel. It wasn't complete sources, but they did something. I think if more people just push to get sources from big companies like that, they'll start to provide more.

Protecting the open-source license commons

Posted Nov 2, 2018 21:27 UTC (Fri) by jebba (guest, #4439) [Link]

It looks like they have added more:

737.7 MB OS10_10.4.0-R3_debian_source.tgz

https://bintray.com/dell-networking/os10-linux-sources/linux

Protecting the open-source license commons

Posted Nov 2, 2018 21:51 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Dell are good guys, remember DKMS and those nice Dell laptops with Linux?

The main offenders are companies making mobile or IoT hardware. There's not a single smartphone out there that runs without binary kernel modules.

Protecting the open-source license commons

Posted Nov 4, 2018 23:22 UTC (Sun) by excors (subscriber, #95769) [Link]

I'd be very surprised if that was true, since I've worked with a few kernels for various SoCs and don't remember seeing anything in the kernel that wasn't built from source. The only exception I remember is that VTune supplied some profiling drivers as .ko files, but they were only used by a few people during development.

They do usually have kernel drivers that are designed to work exclusively with userspace binary blobs that the phone vendor doesn't have full source access to (for 3D graphics, cameras, etc), or to work with firmware blobs, but that's probably not a GPL issue since the kernel driver source is released and the binary parts are clearly separate from the kernel.

Protecting the open-source license commons

Posted Nov 2, 2018 21:13 UTC (Fri) by farnz (subscriber, #17727) [Link] (6 responses)

We did request sources - they pointed out that, under the NDA we'd signed, we could not ask for sources. And how exactly could we have sued them - we weren't ourselves copyright holders in the Linux kernel - as the GPL does not give us standing to sue when they say that they are not distributing to us under the GPL?

Protecting the open-source license commons

Posted Nov 6, 2018 3:57 UTC (Tue) by bkuhn (subscriber, #58642) [Link] (5 responses)

farnz, as I understand the situation you describe, it sounds likely that both parties involved are violating the GPL. (IANAL and TINLA and I'd need to study the situation closer to be sure of anything). I have heard about these kinds of NDAs, and even been shown them by GPL violation reporters. If you'd like to report the violation to Conservancy, compliance@sfconservancy.org is the address.

Protecting the open-source license commons

Posted Nov 6, 2018 9:06 UTC (Tue) by farnz (subscriber, #17727) [Link] (4 responses)

At the time, we reported it to the SFC, SFLC and FSFE; none of you were able to take sufficient action to get the violator to do anything.

AFAICT, the violator we informed you of at the time is still functioning this way several years later - they've certainly approached my current employer with a similar setup, and been forcefully declined.

Protecting the open-source license commons

Posted Nov 6, 2018 18:06 UTC (Tue) by bkuhn (subscriber, #58642) [Link] (3 responses)

Please refresh the thread with Conservancy if you don't mind. Of those organizations, Conservancy is the only one that enforces the GPL for Linux (and I believe, at all). I'll mention to Denver to expect your email when next he works (he works only one day a week).

Protecting the open-source license commons

Posted Nov 6, 2018 18:09 UTC (Tue) by farnz (subscriber, #17727) [Link] (2 responses)

I no longer have access to the thread - I've changed employer, and thus don't have access to my old employer's email system.

At the time, IIRC, it all fizzled out because our legal advisor stopped us sharing with you (because we had agreed to the NDA, and were getting distribution from the vendor under the NDA), and you could not take action without more evidence of the infringement than we could provide given the NDA we had agreed to.

Protecting the open-source license commons

Posted Nov 16, 2018 16:28 UTC (Fri) by Wol (subscriber, #4433) [Link] (1 responses)

iirc, farnz, you're British? And in Britain, violating copyright for commercial gain is a criminal offence.

NDAs are unenforceable when they're used to cover up illegal behaviour.

Of course that's the theory. Practice may be different ... but I really think that if they sue you for breaking the NDA, and you come back to the Judge "hey, they are behaving criminally and asking us to cover it up", the Judge will at least have to investigate that claim, and chuck the case out if you're right.

Cheers,
Wol

Protecting the open-source license commons

Posted Nov 16, 2018 16:49 UTC (Fri) by farnz (subscriber, #17727) [Link]

It's not as simple as "violating copyright for commercial gain is a criminal offence". The offences in the Copyright, Designs and Patents Act 1988 only apply if the violator has reason to believe that they're not violating; in the case I'm thinking of, the violator believed that as they were copyright owner of one part of the combined work, their license supersedes the GPL. Had they also committed the offence named in 107 subsection 2A (which requires monetary damages to the owner of the infringed copyright, not just infringement), then our legal advisor thought a prosecution might succeed; as it is, the violator raised the SFC's "principles of enforcement" as reason that they did not commit that offence.

Protecting the open-source license commons

Posted Nov 2, 2018 19:42 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

> I don't think I'd find the job losses attendant on the subsequent liquidations
Use the money from damages to fund OpenSource projects. Duh.

> or the increased ability for anti-software-freedom propagandists to point to "real cases" that "support" their "GPL is burning radioactive poison and you shouldn't let it get anywhere near your computers" stance, anywhere near as satisfying.
Then switch GPL to Apache 2 to be honest.

Protecting the open-source license commons

Posted Nov 3, 2018 14:19 UTC (Sat) by bkuhn (subscriber, #58642) [Link] (7 responses)

Cyberax, more Linux copyright holders joining our coalition at Conservancy would be welcome. "The more, the better" is always the case, and the coalition gets incrementally more strong with each person added. If you want to recruit for that, please do.

Note that another thing companies have done is sought to keep Conservancy representatives from speaking at places where Linux copyright holders are likely to go, in an effort to prevent those copyright holders from receiving the message that there is a GPL enforcement option for Linux copyright holders.

I think many of the critics of Conservancy who want more aggressive GPL enforcement are not realistic about what is politically viable in the current climate. We aren't capitulating by any means, but remember that every single day, big companies involved in Linux have a high agenda item to see if they can end GPL enforcement. This is a political reality. We are working around it, but it's not a trivially solvable problem. If you have ideas on how to succeed in this political struggle, again, I'm open to ideas.

Protecting the open-source license commons

Posted Nov 3, 2018 17:32 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (6 responses)

> Cyberax, more Linux copyright holders joining our coalition at Conservancy would be welcome. "The more, the better" is always the case, and the coalition gets incrementally more strong with each person added. If you want to recruit for that, please do.
My past employer is one of the good guys who takes licensing seriously, and I personally donated quite a bit to the SFC. I'm on board of several small private companies and as long as I'm there, they won't be doing GPL violations.

> I think many of the critics of Conservancy who want more aggressive GPL enforcement are not realistic about what is politically viable in the current climate. We aren't capitulating by any means
Yes you do. You said that yourself: "more aggressive GPL enforcement is not realistic".

> We are working around it, but it's not a trivially solvable problem. If you have ideas on how to succeed in this political struggle, again, I'm open to ideas.
Get a bunch of core kernel copyright holders (to make sure that they are not "minor contributors") and start lawsuits. Do it without resources from the Linux Foundation or any other violator-friendly body. It's really as simple as that.

Alternatively just relicense the kernel under Apache 2 to be honest with the good members of the community.

Protecting the open-source license commons

Posted Nov 5, 2018 7:48 UTC (Mon) by jospoortvliet (guest, #33164) [Link] (2 responses)

Wrt your last point - I think bkuhn has been reasonably clear that if he had those volunteers and resources, you could expect a lot more enforcement. I would also like to see a large corp pay significant damages or see an exec jailed for violations as I agree the good guys pay and bad ones don't right now but I am sure it isn't as easy as you make it seem.

Protecting the open-source license commons

Posted Nov 5, 2018 8:15 UTC (Mon) by paulj (subscriber, #341) [Link] (1 responses)

The solution is easy: Put a (significant) price on use outside of the copyleft licence conditions.

Protecting the open-source license commons

Posted Nov 5, 2018 10:43 UTC (Mon) by pizza (subscriber, #46) [Link]

There is another strategy that can sometimes be employed -- In some jurisdictions, removing copyright information/attribution from the work in question is a separate offence, with statutory penalties unrelated to actual damages.

Protecting the open-source license commons

Posted Nov 6, 2018 4:08 UTC (Tue) by bkuhn (subscriber, #58642) [Link] (2 responses)

> Get a bunch of core kernel copyright holders (to make sure that they are not "minor
> contributors") and start lawsuits. Do it without resources from the Linux Foundation or any
> other violator-friendly body. It's really as simple as that.

Funding lawsuits is not easy, because even if you expect to win, you won't get your judgement and attorney's fees paid until the *end* of the case, which could be a decade away. If you'd like to make a very large directed donation to Conservancy for a GPL enforcement lawsuit, Karen would be glad to talk to you about it.

If additional lawsuits were done as easily as you say, we'd have done them already, of course. There are certainly bad actor violators who refuse to comply and are taking a "fine, sue us" attitude.

But keep in mind that in addition to the expense of doing the litigation, there are powerful political actors who are working regularly to discredit and attack Conservancy to prevent us from moving forward on enforcement as well. They aren't fully successful by any means, but dealing with those attacks is still non-trivial effort.

Protecting the open-source license commons

Posted Nov 6, 2018 6:02 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

I can make a sizeable donation personally, but I probably won't be able to fund the whole lawsuit. How about a crowd-funding campaign though?

I understand that the actual lawsuits are not easy, but you do have to start somewhere.

It would be nice if you changed your policy to reflect that you WILL sue for punitive damages. To avoid moral conflict, pledge all the damages (minus lawsuit costs) to fund OpenSource development and further enforcement.

Protecting the open-source license commons

Posted Nov 6, 2018 18:04 UTC (Tue) by bkuhn (subscriber, #58642) [Link]

Not sure what you mean by punitive damages. Copyright cases in the USA have actual and statutory damages. In the BusyBox cases, Conservancy asked for both the maximum allowable. The cases settled, but our claim was for the most the court would allow.

Protecting the open-source license commons

Posted Nov 2, 2018 18:28 UTC (Fri) by lkundrak (subscriber, #43452) [Link] (1 responses)

Yes, this. Not sure whether I qualify as a "GPL hippie," but I've surely written a couple of letters asking for source for various Linux-running hardware I've bought. Most of the time I was politely told to fuck off, sometimes ignored and only in a small minority of cases I've got the source.

I guess everyone who tried to get sources for their Android phone or embedded device did have the same experience.

I can entirely understand why McHardy thought his reaction is appropriate. I don't wish luck to hardware vendors that violate my freedoms and I have no good reasons to assume they're merely being stupid, not evil.

Protecting the open-source license commons

Posted Nov 15, 2018 18:04 UTC (Thu) by Wol (subscriber, #4433) [Link]

The trouble with McHardy was (a) he structured the agreement so he made money, and (b) part of his strategy was to target companies who *wanted* to comply.

Cheers,
Wol

Protecting the open-source license commons

Posted Nov 2, 2018 23:03 UTC (Fri) by mageta (subscriber, #89696) [Link]

I agree.

But it seems the biggest copyright holders in the kernel space don't want to enforce the GPL, so it will never be enforced.

At least there is some will to try to bring some selected folks into compliance - I remember Microsoft suddenly "donating" source code for their HyperV Network drivers -, whether or not this works well, I can not really judge, but it's better than nothing. If it was just something like Apache 2, not even this would happen.

Protecting the open-source license commons

Posted Nov 9, 2018 18:09 UTC (Fri) by metasequoia (guest, #119065) [Link]

There needs to be more recognition of the threat to free software posed by the emergence of an entangling web of secretive trade and investment 'agreements' - a world within which natural people - (as opposed to multinational corporations) as well as the 'gift to everybody' that FOSS represents, have no 'standing' to speak, nor will FOSS be seen by these entities or its ideology as legitimate economic activity deserving of protection because it's not for 'profit', the sole yardstick that it uses to measure all value. (a very disturbing aspect of it, IMHO.)

Instead FOSS is likely to be framed (and it seems has already been framed in documents presented to the WTO) as a 'taking' from entitled 'stakeholders'.

I can see this battle shaping up, and it's not pretty.

FOSS and _people_, are being systematically excluded from participation in the important, supranational level of global economic governance.

And it seems many aren't even aware that this threat exists or the fact that these rules now are controlling 'services' approximately 75% of the global economy ('everything you cannot drop on your foot') impacting many aspects of our lives, such as the policy space we have to solve almost all of our most pressing problems.

Instead of compromise and democracy, we only have one choice, measures that are 'minimally trade restrictive' as defined by an ideology that none of us would ever have voted for. How did this happen?

It wasn't by accident that we, the people, were never told.

There is a discussion about standing for the public interest in the first panel of this long video about ISDS (a very bad thing) and a European Investment Court, (which I don't think is a good idea either). It's worth watching.

https://www.youtube.com/watch?v=LeHYMsGPx1c

We need to have representation for humanity in these fora, where our governments are totally controlled by the biggest corporations and their lobbies.

They are pushing for concepts like indirect expropriation which embed an extremist ideology which seems inherently to conflict with things like FOSS.

In short, even though it is a gift to everybody the new cult-like ideology will frame it as a theft of profits to some - who matter much more than everybody else, precisely because of their money.

All valuable public services, including the very existence, globally of public goods like higher education, water, health care, financial services like social security, medicare and health insurance are also coming under a stealth attack as is the public's ability to restore them in the future by the vote. Without paying for the restoration valued in terms of future expected lost profits. It's a theft of the commons, such as one exists. As well as the right to have one.

So there you have it.

It won't go away by our ignoring it. Democracy is in serious danger, globally.

Thank you.


Copyright © 2018, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds