LWN: Comments on "A referendum on GPL enforcement"

This Is Absurd.

Hi-Angel — Thu, 01 Dec 2016 20:54:50 +0000

Your comment got a funny number as a link

On reimbursement of costs for enforcement actions & related issues

paulj — Wed, 20 Jul 2016 21:14:04 +0000

The moral and practical imperative must be to ensure that GPL compliance is more attractive than not, by taking stern action against at least some violators. The best way to make sure action can be taken is for that action to be self-sustaining - paying for the action taken at least, ideally also punitive costs that can then be used to pre-pay for the next action. Anything less would surely be doing a _disservice_ to the viability of the GPL?

The one cautionary bit is that such actions mustn't put off more people from going with GPL software than are attracted to it.

On reimbursement of costs for enforcement actions

paulj — Wed, 20 Jul 2016 21:06:32 +0000

+1 to this. If violating the GPL is cheaper than complying, if violating the GPL could even get you free consulting on compliance from experienced free software people, well then it makes obvious business sense to violate the GPL.

On reimbursement of costs for enforcement actions & related issues

jospoortvliet — Fri, 11 Dec 2015 08:50:17 +0000

Both, I'd say. Celebrate those who come in compliance and pay (if they wish) and condemn those who don't pay.

A referendum on GPL enforcement

njs — Fri, 11 Dec 2015 02:15:15 +0000

Clearly the solution is for Linux contributors to start assigning their copyrights to patent trolls.

Response from Conservancy on this article

pboddie — Thu, 10 Dec 2015 16:12:19 +0000

Your last paragraph is worth repeating...

We are failing not only the people who spend the money to comply, we are failing everyone who would like their employer to behave ethically, and who would like to work for ethical employers. We are failing all the people who would like to purchase products from ethical suppliers. And, of course, we are failing all the people who would like to alter the software in the products they are able [to] buy.

It's like the story of the modern age: "doing the right thing will cost us something, so let's not bother". And once people stop bothering, nobody does the right thing any more, and the right thing becomes socially unfashionable or even objectionable.

I think the term "referendum" is inappropriate, really, although it was maybe coined in haste. What we have here is a survey of people who care enough about copyleft licence compliance that they will give their own money to make sure that random corporations (who are making tidy sums) will comply with Free Software licences applying to code that many of those contributors did not write. In other words, it is not just those people who can afford to defend their own direct interests, but also those who wish to defend their indirect interests (because they may also have written code that is copyleft-licensed), and in some cases those who wish to defend the interests of a cause they merely care about.

It is hard not to feel exploited, not by the Conservancy who is doing a fine job of making sure that licences are being upheld (and who is also being exploited here by showing such generosity in the face of such brazen wrongdoing), but by corporate interests who are no longer merely getting stuff for free: they are effectively being paid while they misuse other people's work.

It would be good if once in a while, those profiting from this industrial-scale copyright infringement were served with injunctions halting sales and distribution of the illicit products concerned. Then, everyone involved (and their apologists) might appreciate how nice and forgiving the Conservancy folk seem to be.

On reimbursement of costs for enforcement actions & related issues

linuxrocks123 — Thu, 10 Dec 2015 10:46:21 +0000

US statutory damages are $750 per work, minimum. On a judgment of infringement, the court has to grant at least that, and may grant more. If the violator distributed 100,000 products, that's $75 million.

Oh, but, if the violator proves (burden on the violator) that they really didn't know, and shouldn't have known, the court can reduce damages to $200 per work. So then you only get $20 million.

That's still $20 million, in the absolute worst case, for what I would imagine to be a fairly low-volume product. What am I missing here?

On reimbursement of costs for enforcement actions & related issues

bkuhn — Tue, 08 Dec 2015 21:22:24 +0000

There are practical reasons to follow our principles, not just moral ones. I think people here are a bit confused what types of damages are even possible in copyright infringement cases. The damages are decided by a judge and/or a jury, and are unpredictable, and you don't find out what they are until you're at the end of the case. And, if you lose the case, you often have to pay the other side's attorney's fees in many jurisdictions.

Even if avarice was maximized in these enforcement cases, the proceeds wouldn't be seen for a very long time.

Anyway, the only logistical way to get large amounts of money quickly and easily is to take pay-offs to look the other way when compliance isn't achieved. There are people making money doing that, which Jon made reference to in the original article. I denounce that as immoral, even if it would be a way to get money easily.

You can see on Conservancy's Form 990s that we did receive money in the BusyBox enforcement, which funded more enforcement. But enforcement where compliance is the paramount goal is only partially self-funding. I hope people will donate to bridge the gap.

On reimbursement of costs for enforcement actions & related issues

pabs — Tue, 08 Dec 2015 06:08:57 +0000

How about the opposite? If they contribute funds to future enforcement actions you could celebrate their new-found compliance and contributions.

On reimbursement of costs for enforcement actions & related issues

lutchann — Tue, 08 Dec 2015 02:58:04 +0000

Yeah. If SFC is casually tossing around the term "savvy violators", it's clear that whatever they're doing is ineffective. Maybe "our primary goal in GPL enforcement is to bring about GPL compliance" should be replaced with "our primary goal in GPL enforcement is to seek large monetary damages as a punitive measure to make violators think twice about doing it again in the future." I'd donate money to get that kind of thing going.

Response from Conservancy on this article

ncm — Sun, 06 Dec 2015 18:59:50 +0000

I would welcome a public debate about the merits of the SFC's "enforcement principles", as formulated, and their interpretation, as regards the ability to achieve actual, you know, enforcement. I also applaud the suggestion of Jon as moderator, in this and in practically any other dispute. (Given the admiration he inspires among all of us who have known him longest, moderating disagreements could even become a new and honorable revenue source to further support his other admirable activities.)

I see the emphasis on the most immediate goal of "achieving compliance" as self-defeating. Compliance, or not, is a consequence of the ecosystem. Each individual case is an opportunity *not* to achieve one instance of compliance, it's one opportunity to both push the ecosystem in a desirable direction, and collect the resources to push it a little farther. To be worth pursuing at all, a series of N cases, cumulatively, should affect not just those N vendors, but the perceptions of all vendors.

Quiet resolutions are actually harmful to the cause, because they make it seem (correctly!) that sufffering any consequences at all for violating the license is extremely unlikely, and that the cost of any such consequences, where there are any, is extremely small. We in Free Software get no benefit from people using Free Software out of license in their products. We *do* benefit, in many ways, when people who use Free Software under license in their products have a competitive advantage over those who do not use it. People using Free Software in products out of license directly undermine those benefits, not just because we cannot reprogram our devices, but because it eliminates the competitive advantage for the compliant. Releasing their code to violators puts them at a positive disadvantage, making compliance an absolute loss.

As long as any significant downside to ignoring the license is so trivial, no one inclined to ethical behavior can justify it to their management. We are failing not only the people who spend the money to comply, we are failing everyone who would like their employer to behave ethically, and who would like to work for ethical employers. We are failing all the people who would like to purchase products from ethical suppliers. And, of course, we are failing all the people who would like to alter the software in the products they are able buy.

On reimbursement of costs for enforcement actions & related issues

ncm — Sun, 06 Dec 2015 06:45:32 +0000

The evidence is by now super-abundant that SFC's "enforcement principles", as formulated, are a failure. This is not to say no morally defensible principles are possible. Rather, out of the universe of possible morally defensible principles, this choice has been amply demonstrated to be poor enough to merit reformulating. There is no shame in admitting the truth. It is not as if the results of all the failed attempts were predictable. They had to be tried, but having been tried, now we know, and can act on what we now know.

The solution may be to start another organization, e.g. The Coding Liberty Cooperative, with more effective principles, sign up authors, and go into competition, maybe pursuing repeat offenders who have been let off too easily by SFC.

Response from Conservancy on this article

happylemur — Sun, 06 Dec 2015 04:20:10 +0000

Ah, I see; my comment was referring to the second sentence of that paragraph, which looks to those involved in past enforcement activities. I'm not personally aware of any examples involving people currently involved in GPL enforcement.

Vance

On reimbursement of costs for enforcement actions & related issues

lukeshu — Sun, 06 Dec 2015 04:10:53 +0000

Thanks for the reply!

It's been my experience that corporate lawyers tend to be very afraid of "technically correct", which is why I asked.

On reimbursement of costs for enforcement actions & related issues

bkuhn — Sun, 06 Dec 2015 03:18:10 +0000

make the violator GPL compliant but then they could also get asked to pay a sum of money or else they will be put on your public list of GPL violators and also be part of a press release.

It's an interesting idea, and I don't find it morally wrong on its face, but I also don't see how it's particularly helpful. If the public shaming comes after they've come into compliance, what shame is there? Everyone makes mistakes, and coming into compliance is they way you correct it. I don't think there is actually anything shameful in making a mistake and then correcting it.

Response from Conservancy on this article

bkuhn — Sun, 06 Dec 2015 03:12:51 +0000

The reference you give shows me disagreeing with someone who opposes copyleft and its enforcement, so it's not an example of any disagreement with other GPL enforcers.

On reimbursement of costs for enforcement actions & related issues

bkuhn — Sun, 06 Dec 2015 03:10:54 +0000

lukeshu asked:

Doesn't the GPLv2 terminate upon violation; That is, even if you can't get them before the product hits EOL, aren't they still affected?

I find myself inspired to quote Futurama: You are technically correct! The best kind of correct!. Yes, indeed, under GPLv2§4, the violator will lose their distribution rights (read more in Copyleft Guide), and that termination relates to any copyrights infringed in the original product. Thus, indeed, if those copyrights are redistributed in a later product, their rights have already been terminated.

But, this is where I again have to say that the GPL isn't magic pixie dust that just works. If the violator doesn't wish to comply, we have to compel them somehow. Termination of rights works the same way as it did in the first product, and has the same tools available. Namely, we can go into court, and seek an injunction; just like we'd have needed to for the first product. The fact that the rights terminated long ago in past product might help us convince the judge to grant an injunction more quickly, and/or show the judge the company acted in bad faith. But, the enforcement process is the same, and note that one way to come into compliance is to stop distributing. Therefore, with regard to the old violation, the company is now in compliance. We're unlikely to therefore get a judge to compel a source release for the old product, since distribution has ceased.

If you, representing a stakeholder in the kernel, show that an organization committed a GPLv2 violation, bring them in to compliance, and (on behalf of the single stakeholder) reinstate the license, isn't the license from every other stakeholder still implicitly revoked?

First, it's worth noting that Conservancy doesn't just represent a coalition of stakeholders (although we do that too), but Conservancy is also a copyright holder in Linux as well, as some stakeholders have outright assigned Linux copyrights to Conservancy. But, that wasn't your question. To answer your question: Yes, you're quite correct about how rights restoration works (at least in the USA and most other jurisdictions I'm familiar with). The negotiation point that both FSF and Conservancy use in that enforcement scenario is simply tell violators that once compliance is achieved, we're on their side and prepared to be an expert witness or otherwise help the former violator oppose any copyright holders knocking at the door for huge settlements. Such copyright holders who came to demand pay-outs after compliance was achieved of course wouldn't be acting under the principles of ethical GPL enforcement anyway.

Response from Conservancy on this article

happylemur — Sun, 06 Dec 2015 02:30:38 +0000

My interpretation was that Jonathan was trying to note that disagreements exist while trying to avoid provoking personality conflicts in the comments by naming names. One example <http://lwn.net/Articles/657851/> immediately came to mind upon reading that paragraph; I don't know if there are others.

Vance

On reimbursement of costs for enforcement actions & related issues

HenrikH — Sat, 05 Dec 2015 23:51:08 +0000

Thanks for your reply!

Regarding the public shaming I wasn't talking about that being a tactic but as a tool for money just like the BSA does. I.e if the case is settled out of court then the #1 priority of the settlement would of course be to make the violator GPL compliant but then they could also get asked to pay a sum of money or else they will be put on your public list of GPL violators and also be part of a press release.

I.e it's not hush money per say and never ever an alternative to be GPL compliant. However I'm sure that you and the conservatory that works with these issues all day already have though long and hard on issues like these, it's easy for some one like me to play armchair layer :-) so once again thanks for your insightful replies!

Btw, please note that I'm in no way promoting BSA tactics, I once worked for a company that where hit hard by them (we had an employee who where responsible for licensing and when he got mad at the management he simply stopped buying licenses and reported the company to BSA and thus not only brought harm to the company but also got a finders fee from the BSA. What I however got out of that whole affair was the notion that the BSA gives you a costly option of avoiding being named in their press release and apparently a lot of companies pay that money [and that sum was bigger than the "license penalty"]).

On reimbursement of costs for enforcement actions & related issues

lukeshu — Sat, 05 Dec 2015 02:45:54 +0000

> Most products with Linux have a life cycle of 18 months or less. Violators realize that the odds are forever in their favor: for any given product, the odds that we can get to them before the product hits end of life are very low.

Doesn't the GPLv2 terminate upon violation; if product A violates, and they therefore loose the license, shouldn't that also terminate their license for product B? That is, even if you can't get them before the product hits EOL, aren't they still affected?

As a side question from that: If you, representing a stakeholder in the kernel, show that an organization committed a GPLv2 violation, bring them in to compliance, and (on behalf of the single stakeholder) reinstate the license, isn't the license from every other stakeholder still implicitly revoked (per §4)?

On reimbursement of costs for enforcement actions & related issues

bkuhn — Fri, 04 Dec 2015 22:13:23 +0000

HenrikH asks:

Would it be possible to extract money the BSA way?

Well, first of all, the BSA tactics, behaviors, and overall strategy have always been abysmal, specifically because they target users. The BSA strategy of GPL enforcement would be to find everyone who bought a GPL infringing product and somehow go after them aggressively. No one should ever do that, IMO. Ethical GPL enforcement, by contrast, fights for rights of users who got that product — to make sure they can recompile and reinstall the GPL'd software they got, and that all the source code for that software is present. Blaming a user who bought an infringing product is akin to blaming the victim of a crime.

Or are these companies not afraid to be publicly known as GPL violaters?

Regarding your more general question about of public shaming, Erik Andersen of the BusyBox project was a fan of this strategy for a while. It has some benefits, but it ceased working for him, which is why he asked me personally (and later Conservancy as a whole) to help him enforce the GPL on his copyrights.

Certainly, Karen and I talk regularly with our enforcement coalitions of copyright holders about using public shaming as a tactic. It certainly is cheaper, and if it was sure to work, we'd use it more often. But, when I see perennial GPL violators constantly mentioned in threads like this, whom Conservancy knows about but whom we've been unable to convince to comply, I conclude that public shaming is not going to work, even though it might have in the past.

On reimbursement of costs for enforcement actions & related issues

HenrikH — Fri, 04 Dec 2015 20:09:14 +0000

Would it be possible to extract money the BSA way? I.e to keep the whole affair a secret but if they don't pay the BSA appointed fee then their violation is made public. Or are these companies not afraid to be publicly known as GPL violaters?

Response from Conservancy on this article

bkuhn — Fri, 04 Dec 2015 17:00:19 +0000

BTW, I would like to apologize to Jon for questioning him in that previous post; my original comment on this subthread was poorly drafted. My original post indicates that Jon's reporting is at fault, but it is not. My concern is actually with those who make statements and claim disagreements with me and Conservancy but don't make them public. In fact, Jon is providing a service by making public that such criticism exist. In particular, we're sure Jon would have quoted those sources by name if they'd agree to go on record. They didn't, that's surely why he said things like “Some have said”.

In that light, Karen and I call on those someones to have a public debate -- maybe moderated by Jon Corbet :) -- to discuss what policy disagreements they have with Conservancy about how we do enforcement. We welcome that debate and if folks want to get in touch with me and Karen soon, we may even be able to have that debate in the Legal and Policy Issues DevRoom in FOSDEM this February.

Finally, thanks to Jon for reporting on this story.

On reimbursement of costs for enforcement actions & related issues

rghetta — Fri, 04 Dec 2015 16:57:47 +0000

+1 Having to fund for gpl compliance makes me sad, however

general response to this thread

jra — Fri, 04 Dec 2015 16:37:42 +0000

Alison, enforcement isn't new for Conservancy. They've been doing this for Samba ever since we joined. It was one of the benefits of being in Conservancy that persuaded us to become a part of it.

Response from Conservancy on this article

bkuhn — Fri, 04 Dec 2015 16:06:05 +0000

Charles, you might want to read Conservancy's by-laws (on our filings page), to understand the corporate officer roles. Most non-profit have these corporate officer roles separate from day-to-day management and execution of regular daily activities of the org. At most non-profits, the Executive Director doesn't report to the President, rather, the Executive Director reports to the Board as a whole.

general response to this thread

bkuhn — Fri, 04 Dec 2015 15:58:48 +0000

Conservancy member projects always have the right to leave Conservancy to form their own org, or switch to another non-profit organization.

As for characterizing licensing compliance as a "new activity", actually, is inaccurate. Conservancy has done license compliance activity for its member projects since about 6 months after its founding (which was nearly a decade ago). Indeed, all the project named at the beginning of this subthread have received some form of license compliance activity from Conservancy. Samba, for example, has a long history even before Conservancy of caring deeply about license compliance.

Ensuring license compliance really is a key service that Conservancy provides to our member projects. The point of Conservancy was to provide key services that other organizations don't provide, including license compliance. Our member projects would have picked other fiscal sponsors if they didn't want these additional services.

Response from Conservancy on this article

cstanhop — Fri, 04 Dec 2015 12:47:12 +0000

Your first paragraph is needlessly off topic, but you're right there could be some confusion about roles. From what I can tell Bradley's role is President, but Karen's is Executive Director. However, SFC's officers page, as of this morning, still had Karen's role prominently listed as Secretary in a heading. The paragraph under her heading lists her role correctly, but at a glance it would be confusing.

https://web.archive.org/web/20151204123552/https://sfconservancy.org/about/officers/

Response from Conservancy on this article

johannbg — Fri, 04 Dec 2015 10:39:03 +0000

"I am left wondering whether some subtle sexism has sneaked into the reporting on Conservancy."

Extreme feminists strike again in the world of political correctness where women demand being allowed wear anything they want without being objectified but at the same time have individuals like Matt Taylor who btw landed a spacecraft on comet apologist for a shirt he was wearing during an interview in hours leading to the contact [1].

I'm going to raise my hand and applaud to people like you and say wow just wow and thank you for reminding me how much progress remains yet to be accomplished here on Earth.

More likely the confusion is due to your own actions where you yourself [2] are running around the internet signing your responses as the president of the software freedom conservancy than Jon being sexist...

"— Bradley M. Kuhn, President, Software Freedom Conservancy"

1. https://www.youtube.com/watch?v=NSv6ZBZtzRA
2. https://lwn.net/Articles/666085/

On reimbursement of costs for enforcement actions & related issues

kleptog — Fri, 04 Dec 2015 08:06:41 +0000

FWIW, you've convinced me. Also, thank you for allowing me to choose the commitment level.

general response to this thread

alison — Fri, 04 Dec 2015 07:47:12 +0000

faramir comments:
> This isn't just going to hurt the only organization actively enforcing GPL, it is also going to cause problems >for projects like SAMBA, Mercurial, Git, QEMU and others.

That aspect worries me, too. I wonder if having a separate organization supporting SFC member projects would not be a good idea? The current situation encourages organizations like LF to argue, "We signed up to support Git and Jquery and Samba, not GPL enforcement." There is some merit to such an argument given that enforcement is (AFAIK) a new activity for SFC. I support both SFC's older mission and GPL enforcement, but can see how there may have been donors to SFC who were surprised to learn that they were underwriting enforcement and wondering about further 'mission creep.'

A referendum on GPL enforcement

pabs — Fri, 04 Dec 2015 05:05:59 +0000

I got interested in LF's money so I went looking for the LF tax forms. I noticed that in 2013, LF membership fees contributed $7,192,649 (30%) of LF revenues. After expenses, LF made $3,473,482 in 2013, or 11 times what SFC is asking to be able to continue enforcement efforts, or! Not only that but the LF could fund SFC enforcement efforts solely from Jim Zemlin's salary and bonuses and have plenty of change left over. The LF revenue and profits appear to be going up over time too. The form doesn't indicate how much the alleged LGPL/GPL violators contributed to the LF revenues, but VMware and Allwinner are both silver members, which means (based on employee numbers from Wikipedia) VMware contributed $20,000 and Allwinner $15,000, or in total about 40% of what SFC is asking to be able to continue basic community services. I can't find out how much funding LF was previously contributing to SFC though.

I would encourage people to ask Linus about GPL/LF/SFC/VMware in one of the public Q&A sessions he regularly holds at conferences.

https://www.charitynavigator.org/index.cfm?bay=search.pro...
http://990finder.foundationcenter.org/990results.aspx?990...
http://990s.foundationcenter.org/990_pdf_archive/460/4605...
http://www.linuxfoundation.org/about/members
http://www.linuxfoundation.org/about/join/corporate
http://www.linuxfoundation.org/about/bylaws
https://en.wikipedia.org/wiki/Allwinner
https://en.wikipedia.org/wiki/VMware
https://sfconservancy.org/docs/conservancy_Form-990_fy-20...

On reimbursement of costs for enforcement actions & related issues

bkuhn — Fri, 04 Dec 2015 02:32:59 +0000

Replying to Felix, who noted:

Otherwise you just provide them with free legal/tech consulting.

Frankly, that's often what we do, from our point of view. Ironically, from the violator's point of view, they are paying a lot for the whole process already, because the first thing they do (these days) is hire high-priced outside attorneys who advises them to fight us. After a GPL enforcement matter gets a year or two into the usual clock, the other side has probably paid many tens of thousands to their counsel advising them to introduce delay and refuse to even acknowledge that they were out of compliance; sunk cost fallacy likely kicks in at that point. By then, the company has paid so much money to their lawyers that they are fed up with the whole process and we're lucky to get them into compliance without a lawsuit, let alone recover our costs.

Felix noted further:

it should be cheaper to ship a compliant product in the first place than to violate the GPL and fix things up later.

I agree that it should be true, but sadly, it's not; violators play the odds. I often point out that Conservancy is aware of hundreds and possibly thousands of GPL violations ongoing, just on Linux, at any given moment. Most products with Linux have a life cycle of 18 months or less. Violators realize that the odds are forever in their favor: for any given product, the odds that we can get to them before the product hits end of life are very low. Plus, when companies have outside vendors who are ultimately responsible for the firmware (and are the primary violator) it's more valuable to the OEM to preserve those relationships than to insist on compliance. Factor that into the (small but nontrivial) cost of complying up front, and you have a corporate decision-making recipe that always says to violate first and comply later (if we ever even have to). Few companies are committed to doing the right thing and not playing those odds. I'm glad some do, but they're rare.

You might reasonably ask why we don't go after the upstream firmware/board manfuacturers directly. We rarely have enough evidence of a board-maker's violation that is sufficient for enforcement action. From the point of view of us and everyone who bought the product, the OEM is the violator, not their firmware vendor. If the OEM protects their upstream vendor at all costs (which they do, since the vendors have a lot of power in the relationship once it's in place), the OEM refuses to even say the vendor was the primary violator. We thus don't have any evidence to pursue the original violator. Not until there is a strong set of Court cases that show such violations won't be tolerated will this behavior change, IMO.

Felix finally noted, quite reasonably:

While I'm happy to donate for [Conservancy] in general I'm not sure I want to keeping paying for GPL enforcement forever if this can be a self-funding endeavor.

Conservancy chose to fund the VMware suit (and set its money aside separately — the funding for VMware is already collected and not at issue in Conservancy's current fundraiser —) as part of a careful strategic plan to maximize the value of the enforcement we can afford to do. We cannot guarantee our donors that GPL enforcement will become self-funding, but we constantly consider ways to make it so, provided that we not compromise the moral principles of GPL enforcement. Personally, I've seen too many cases where well-intentioned people got involved in enforcement and then began to value revenue over compliance — Jon Corbet made reference to one such situation in his main article. For my part, I'm constantly vigilant to ensure any time funds are involved in an enforcement settlement that we are not even close to trading failures in compliance for money. Even doing that a little bit begins the path to corruption.

This fundraising campaign is the culmination of many years of thinking and seeking a formula that generates sustainable self-funding revenue for ethical GPL enforcement. During those years, I have personally been offered high paying jobs if I'd just stop doing GPL enforcement, and some companies have offered funding to Conservancy if we'd just “remove enforcement work from [our] roster”. I suspect that many who care about the GPL but don't work regularly in the enforcement/compliance community will be flabbergasted to learn that powerful for-profit interests seek to curtail enforcement of copyleft. Given this political climate, Karen and I both feel that Conservancy needs a mandate from the public to continue this work. Jon Corbet's phrase for this, a referendum on GPL enforcement, is thus apt.

Meanwhile, I know that Karen and I sometimes may sound dismissive when people come forward with suggestions on better ways to do enforcement. It's because we've tried as many suggestions as we can that don't compromise our enforcement principles — in fact, we've tried most of them at least twice in different time periods; we've done a lot of “well, that didn't work before, but maybe things have changed and it'll work now”. Yet, the situation doesn't get any better. In fact, violation counts increase. In particular, over the last two years, we've seen a rise in companies who are what I call “savvy” violators: companies that knew about the GPL and its requirements but sought specific methods to avoid compliance. GPL violations stopped being just a series of innocent mistakes by n00bs a long time ago.

I realize that's a long winded answer to your point, Felix, but I hope it illuminates that we did not come to this decision to launch this fundraiser lightly. I realize it's frustrating to be asked for an annual donation to do the seemingly simple job of asking other people to follow the rules, and I don't blame you for feeling some donor fatigue, particularly when the wheels of justice move so slowly. (We'd hoped for a decision in the VMware case by now, but it may be a long way away!) The best I can promise you is we're always committed to looking for creative solutions to the problem, and that we operate as transparently as we possibly can (which is why Karen and I are spending time late into the night answering queries on LWN ;)

Finally, I'm glad LWN readers had the opportunity to read about this and ask these questions.

— Bradley M. Kuhn, Distinguished Technologist, Software Freedom Conservancy

Article communicates points Conservancy has tried to express to companies

KarenSandler — Thu, 03 Dec 2015 22:45:40 +0000

"Companies that expend the (often considerable) resources to stay in compliance will be at a disadvantage relative to those that don't bother; eventually the list of companies that don't bother will surely grow."

Thanks, Jon, that quoted text does a good job explaining what I've tried to communicate to companies who comply. I find that it's hard to explain this point effectively to them, but the movement you describe toward more companies ignoring compliance, or focusing on trivial aspects of compliance while ignoring bigger issues, has been evident for some time. I think this is why so many developers who were lukewarm on enforcement 5 years ago now see that it's essential.

On reimbursement of costs for enforcement actions

Felix — Thu, 03 Dec 2015 21:54:16 +0000

I'm honestly a bit baffled by that. I always believed that the infringer *of course* has to cover all costs even if you're settling out of court. Otherwise you just provide them with free legal/tech consulting. Also it should be cheaper to ship a compliant product in the first place than to violate the GPL and fix things up later.

On top I wished each infringing company would have to pay enough extra so you could fund 1-2 future cases so you can go to court if necessary (might be waived in case the infringer makes a binding promise to get their changes upstream in case of new drivers and the like). However I recognize that this might be just wishful thinking.

While I'm happy to donate for the SFC in general I'm not sure I want to keeping paying for GPL enforcement forever if this can be a self-funding endeavor.

A referendum on GPL enforcement

rknight — Thu, 03 Dec 2015 20:43:29 +0000

It is also quite possible that the Linux Foundation might contain infringers among its members :(

More like a certainty as VMWare and AllWinner are both listed as Silver members. There are also a number of members who appear to do a good job with current and new products, but have failed to bring older no longer produced products into compliance.

On reimbursement of costs for enforcement actions

bkuhn — Thu, 03 Dec 2015 18:09:41 +0000

We always ask politely for reimbursement of Conservancy's costs after compliance is achieved in enforcement matters. Rarely do companies pay, and if they do pay, they often pay less than our costs. The only other option to force them to pay is to refuse to permit them to distribute the copyrighted software again, even though they are in compliance. That tactic is not fitting with community principles, in our view. Karen Sandler and I have spent decades developing these competencies, BTW. It's just a very difficult thing to do, no matter how skilled one is, especially when the other side knows you're a non-profit charity with limited resources.

— Bradley M. Kuhn, Distinguished Technologist, Software Freedom Conservancy

general response to this thread

faramir — Thu, 03 Dec 2015 17:53:21 +0000

Rather then commenting individually to the article or comments, I'm going to do a single response:

1. Re: good ideas out there
I've suggested multiple ideas to people at the SFC and in general have been informed why they won't/can't work. In any case, an idea isn't enough and it seems clear that there aren't many people and/or money out there to do anything related to GPL enforcement.

2. Re: making the violators pay to prosecute themselves
The people at the SFC seem philosophically opposed to this. Since they are the ones doing all the work, it seems petty to fault them for this. I've also been told that the SFC has deliberately not taken money from companies who refuse to come into compliance for all GPLed software. i.e. Yes, you can have the busybox code, but no we won't give you our kernel modifications. Should they take the money anyway?

In any case, nothing is stopping copyright holders from doing any type of enforcement action they want. The VMware case involves the SFC funding a developer's case as the SFC owns no copyrights and therefore has no right to take action on its own. Personally, I would be happy to help crowdfund targeted GPL enforcement efforts brought by developers. But legal work in the USA is expensive, so the community is going to have to pony up the resources somewhere.

3. Re: lack of new code releases due to GPL enforcement
While lots of new functionality would be nice, when I put on my end user hat; just being in the position to make minor changes to the GPL based firmware in the products that I purchase would be great. The incomplete source code releases that companies typically put out make this extremely difficult. Who hasn't found a firmware based product that almost met your requirements?

4. Re: GPL using companies should voluntarily fund enforcement
While this would be nice, it is rare for any company to spend money on something that doesn't benefit them economically in the relatively short term. It's not clear how RedHat (for example) would benefit from me being able to modify the firmware on my home router. And it would probably actively hurt their efforts to make sure that VMware and RedHat software worked well together to have funded the current VMware enforcement case.

5. Re: why do these cases take so long
Companies stall and for both practical (costs) and philosophical (educate/not litigate) reasons, the SFC isn't in a position to hurry things along.

6. Re: other SFC work and their funding issues
It should also be noted that the SFC's primary activities involve providing support services for a myriad of small and large free software development projects. It seems that SFC's GPL enforcement efforts have resulted in a drastic reduction in corporate funding. This isn't just going to hurt the only organization actively enforcing GPL, it is also going to cause problems for projects like SAMBA, Mercurial, Git, QEMU and others. Even if you are ambivalent about GPL enforcement, there are any number of other reasons to support SFC.

Response from Conservancy on this article

bkuhn — Thu, 03 Dec 2015 17:51:01 +0000

A lot of the comments on this thread go immediately to some common confusions about GPL enforcement. For example, ssmith32 claims: it's much easier to win a GPL case with the goal of bringing the violator into compliance (by releasing code), then it is to make the case they owe [Conservancy] damages. Ironically, it's the opposite. If Conservancy were inspired only by avarice, as for-profit GPL enforcers are, we could seek huge damages and not care whether the software was in compliance. The expensive time investment comes essentially from putting compliance above all else. Per our enforcement principles (which were co-published with the FSF, and which were co-drafted with OSI's president Allison Randal, and were subsequently endorsed by the OSI), Conservancy will never put money above compliance. This is why GPL enforcement is not self-funding. Unlike for-profit GPL enforcers, we refuse to take payoffs from violators to look the other way while they're out of compliance. We must, and should, wait until the bitter end and 100% full compliance with all FLOSS licenses before accepting money.

Meanwhile, Corbet includes a paragraph of rumor-fueled speculations about me personally. I'm surprised that Jon, who usually has impeccable journalistic integrity, would include rumors as if they were fact. (BTW, anyone who engages in controversial social justice work will have all sorts of false and exaggerated rumors spread about them.) I'd note, in particular, that my primary historical enforcement disagreement was with Harald Welte, and that disagreement was that I personally delayed a coalition of developers from bringing a lawsuit in the original Linsksys GPL violation in 2002. That delay was part of the impetus that led Harlad to start gpl-violations.org; Harald wanted to be litigious when I was still skeptical of whether litigation should be part of GPL enforcement. In the end, Harald convinced me that he was right about that. So, this reference to “disagreements” likely refers to something very different than it seems in the main text. (Harald has also endorsed Conservancy's current work, BTW, and he's asked people to donate to Conservancy.)

More importantly, the main article seems to indicate that I'm the primary leader of Conservancy. Actually, I stepped down from that role when Conservancy had the amazing opportunity almost two years ago to hire Karen Sandler as our Executive Director. Karen is an excellent communicator and is widely heralded as a wonderful person to interact with, including by Linux Foundation's General Counsel, Karen F. Copenhaver. I notice that this article is not the only one that has basically ignored Karen's role as the primary leader of our organization. I am left wondering whether some subtle sexism has sneaked into the reporting on Conservancy.

Finally, this thread has some comments about who has withdrawn funding from Conservancy. Others have already linked to a previous lwn thread about that, and I point specifically at my comment there from Monday. I have no further comment on that issue at this time.

— Bradley M. Kuhn, Distinguished Technologist, Software Freedom Conservancy

A referendum on GPL enforcement

spender — Thu, 03 Dec 2015 16:20:25 +0000

The Linux Foundation cares only about the profits of its members. GPL violators are part of its member list and the company violating our trademark is one of their members as well. We should be making a much bigger deal of their action of dropping support of the SFC; it fully demonstrates their respect for the community and the software its members use.

Has Linus commented publicly on the VMware case? Many other kernel developers have, though I don't know of any who have who receive their funding from the Linux Foundation. I wonder what areas of their integrity they were forced to sign away for their paychecks. I had previously mailed Linus and others about another company using GPL shims to link with proprietary obviously derivative blobs that did little more than act as a license time-bomb for the software. The shims provided getters/setters for many internal Linux structures, with the proprietary code being developed solely for the Linux kernel. None of the people mailed replied or have discussed it publicly. I am very concerned about the blind eye being given to these acts, when Linus and others would be an important voice.

I would like to see more litigation like the VMware case, so there's more case law demonstrating what is acceptable and what is not. When cases are settled out of court, there's nothing for us developers to point to to say "what you're doing is what this other company did, which a judge had this to say about." I think the attempt to be overly-amicable has perpetuated the problem, and reaffirmed the hubris of some companies that they can do whatever they want without consequences, that copyright law is only a tool to be used by the rich and powerful companies, not for the developers whose work is exploited endlessly for profit. I really see little at this point between the GPL and BSD, and the inaction effectively punishes companies who do play by the rules.

It's ridiculous that the problems with VMware have been going on since 2007: http://www.theregister.co.uk/2007/08/16/vmware_derived_fr...
That it took 8 years to take this to court is just crazy to me. I also would have liked to see this tried in US courts with damages, but it's convenient for the Linux Foundation I guess that they pulled funding to essentially guarantee any future cases in US courts will be impossible. This whole situation is incredibly depressing.

Just my armchair thoughts on the matter.

-Brad