A discussion on GPL compliance

Among its many activities, the Software Freedom Conservancy (SFC) is one of the few organizations that does any work on enforcing the GPL when other compliance efforts have failed. A suggestion by SFC executive director Karen Sandler to have a Q&A session about compliance and enforcement at this year's Kernel Summit led to a prolonged discussion, but not to such a session being added to the agenda. However, the co-located Linux Plumbers Conference set up a "birds of a feather" (BoF) session so that interested developers could hear more about the SFC's efforts, get their questions answered, and provide feedback. Sandler and SFC director of strategic initiatives Brett Smith hosted the discussion, which was quite well-attended—roughly 70 people were there at a 6pm BoF on November 3.

Sandler started by noting that she is passionate about free software in part because she has a heart defibrillator implanted in her body, but has no access to the software running there. Smith recently joined SFC after stints with the Free Software Foundation as a license compliance engineer and as a system administrator at the World Wide Web Consortium (W3C). The SFC currently has 40 projects under its umbrella, for which it handles various administrative tasks, but the organization also runs the GPL compliance project for Linux kernel developers, which was the topic for the session.

Sandler laid out the ground rules for the discussion: no recordings and to ask people before quoting them (which we have followed here). As is generally the case, those who spoke up are not representing the company they work for, but were speaking for themselves. And, of course, Sandler is a lawyer, but was not giving any legal advice ("iaal, but tinla, ianyl" from her slides).

The only current legal action that the SFC is involved with is Christoph Hellwig's GPL enforcement suit against VMware, which was filed in 2015 and dismissed back in August—though Hellwig is appealing. The SFC is funding the suit as part of its GPL compliance project. Hellwig spoke up to say that he was particularly interested in hearing the opinions of those in the room who are not part of the SFC GPL compliance project.

Sandler noted that the SFC had just released copies of the template agreements for developers who join the compliance project, either anonymously [PDF] or under their own name [PDF]. That is an effort to be more transparent about the project, which is, as with all GPL enforcement efforts undertaken by the SFC and others, done under "The Principles of Community-Oriented GPL Enforcement". That document makes it clear that the goal is for GPL compliance and that legal action is a last resort. That document is "codifying our gentle approach" to enforcement, she said.

McHardy suits

She asked the room who had heard of Patrick McHardy and the GPL-enforcement lawsuits in Germany. Those suits appear to be well outside community expectations of how enforcement should be done (as well as running afoul of the Principles). Most in the room seemed to have heard of the suits, so Sandler did not give an introduction to all of that.

An audience member asked why it is that people have such a negative view of enforcement. Sandler said there is lots of confusion out there about lawsuits; they also tend to make people skittish. One key thing to remember is that today's violators are tomorrow's contributors, which is something that it is rare for companies to acknowledge—Samsung has been comfortable talking about that transition, but few others are. There is also a lot of "fear, uncertainty, and doubt" (FUD) about lawsuits, which muddies the waters. The Principles are meant to help with that by bringing clarity so that companies and others know what to expect with respect to GPL enforcement.

Lawsuits have a cost, in terms of time, money, opportunity, and other things, Smith said. It is natural for some in the community to question whether a particular suit was worth it, which can also lead some to have a negative view of enforcement actions.

But the McHardy suits are entirely different; James Bottomley called them a "generic shakedown". It means that there is a "copyright troll" in the community who is extracting a "couple of hundred thousand euros" in settlements from companies, he said. The existence of that troll makes companies have the mindset that the GPL is bad, he said. It makes for a "nasty environment" where companies will tar and feather anyone launching lawsuits because they associate them with the McHardy shakedown.

Grant Likely noted that there is more to the GPL than simply a license; it is a value statement as well. Using the GPL says that a project values collaboration and openness; it is both a social document and a legal document. Likely said that stressing that to companies helps when talking to them about the GPL.

Hellwig said that he preferred to refer to his suit as a copyright action, rather than a GPL-enforcement action. In the end, that is what it is and copyright lawsuits happen all the time in industry. But if the Linux community uses that same tool, suddenly it becomes a big problem.

The Linux community has been so lax in its enforcement of the GPL that it has made it much easier for McHardy to find targets, David Woodhouse said. If the community had pushed harder for compliance and done more enforcement, those companies would have been in compliance, which would have left McHardy with fewer (or no) companies to go after. Though Tim Bird pointed out that more enforcement may have led to fewer kernel contributors; that was one point that Linus Torvalds was making in the long ksummit-discuss thread, Bird said.

BusyBox is often brought up as an example of a community that was "killed" by the GPL enforcement done on its behalf, Laura Abbott said. It is a common complaint, she said, but is it true? Sandler said that it was an exaggeration, but that the BusyBox community "took a hit" for its enforcement actions. The suits bolstered other GPL projects, but companies switched away from using BusyBox. On the other hand, in-house counsel at some of the affected companies thanked those who brought the suits for making it easier to get the internal attention needed to address compliance issues.

Bird asked if anyone had evaluated removing McHardy's code from the kernel. Bottomley said that the Linux Foundation had done that analysis and found that there was simply too much of it to remove and replace. But Likely objected to the idea of removing the code at all, noting that the principles behind the GPL are important. Removing code that is covered by the GPL in order to avoid lawsuits is not the right way forward; it sends the wrong message to companies and others about what the GPL means.

Matthew Garrett said that the message about why compliance is a good thing needs to get out; the benefits of compliance need to be clear, since compliance for its own sake "doesn't gain us anything". The number of times where a company doesn't want to comply is small, but they are often unable to do so because they don't have the code or even know what was shipped. Compliance is not just about getting the code upstream, it is proof that the company even can be responsible to update their devices for security flaws.

Sandler said that manufacturers are starting to require complete source code from their vendors because of the need to be able to do security updates, rather than only to be able to comply with the GPL and other licenses. The television industry is definitely in that camp, Smith said. In a world where TVs listen to everything we say near them, access to the source code becomes even more important.

But it is not just about making sure the license is respected for existing code, Ted Ts'o said, it is also about making sure that new projects choose copyleft licenses. There have been some who are claiming that the GPL and other copyleft licenses are in decline. He also wondered about using the term "enforcement" as it is a word that can be scary. Sandler agreed and said that the SFC tries to use "compliance" in preference to "enforcement".

Transparency

Ts'o said that he knew that the SFC can't talk about all that it does, but that he would like to see some kind of report that at least gives an indication of how much compliance work is going on. He suggested something like the transparency reports that other organizations provide. It could show how many reports of violations were received and what compliance steps had been taken for those in general terms.

Sandler said that the SFC is working on figuring out how to get numbers out there. It is publishing what it can, but there are a number of privacy and other considerations that need to be taken into account. Ts'o suggested that reports of that nature could help with fundraising as some might be more inclined to "open their wallet if they could see progress" without resorting to lawsuits.

Pursuing GPL compliance is a tortuous process, Sandler said. Once the SFC is in contact with a violator, it often takes many rounds going back and forth with deliberate delays between each. On average, the SFC gets twenty different source candidates from a violator before getting a version that is complete and correct. In the VMware case, that process finally stalled out after three years or so before the SFC realized that litigation would be required.

Smith said that he was at the FSF when it sued Linksys. Before that happened, there was an "infinite loop" of finding a product with a license problem, starting to work to resolve that problem, then finding that a new product with the same license problems had been released. The Linksys compliance process simply wasn't working so, after four years of these discussions, it was time to escalate to a lawsuit.

There are a lot of small and medium-sized companies out there that are rattled and scared by the McHardy suits, Thomas Gleixner said. There is a need to get information to them so they know what to do and how to comply. Sandler agreed and asked if there were good ways to get that information to them. Gleixner suggested that various trade organizations and the like that had these companies as members might be one way to do so. It is important for those companies to get the information from the "good people" first, before they are contacted by McHardy.

One audience member wondered about compliance tests or certifications that vendors could use to demonstrate that they are following the licenses. That certification would allow buyers to choose suppliers who comply and would encourage vendors to comply instead of forcing them to through enforcement efforts. Smith noted that the FSF Respects Your Freedom certification goes further than just license compliance, but it does provide a carrot for suppliers.

Hellwig noted that most companies that work with software will already have some kind of compliance officer (or should). Most software licenses in the industry are complicated, but the GPL is quite simple.

With that, time was running out. Sandler said that the SFC only performs compliance activities as a service to and under the direction of the developers that are part of the coalition. The organization is trying to be as transparent as it can about those efforts and the BoF was part of that. She encouraged anyone with feedback to bring it to the SFC. Woodhouse ended things by encouraging developers to sign up with the compliance project so they could have a say in what direction those compliance efforts take.

[ Thanks to LWN subscribers for supporting my travel to Santa Fe for LPC. ]