The ongoing fight against GPL enforcement

Matthew Garrett

January 30, 2012

GPL enforcement is a surprisingly difficult task. It's not just a matter of identifying an infringement - you need to make sure you have a copyright holder on your side, spend some money sending letters asking people to come into compliance, spend more money initiating a suit, spend even more money encouraging people to settle, spend yet more money actually taking them to court and then maybe, at the end, you have some source code. One of the (tiny) number of groups involved in doing this is the Software Freedom Conservancy [ http://sfconservancy.org/ ], a non-profit organisation that offers various services to free software projects. One of their notable activities is enforcing the license of Busybox, a GPLed multi-purpose application that's used in many embedded Linux environments. And this is where things get interesting

GPLv2 (the license covering the relevant code) contains the following as part of section 4:

Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.

There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation

which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.

The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.

A couple of weeks ago, this page [ http://www.elinux.org/Busybox_replacement_project ] appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.

What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.

06:10 pm


You?

From Anonymous

January 31, 2012

Aren't you a copyright holder of various bits of the kernel ?

12:04 am (UTC)


Re: You?

From mjg59

January 31, 2012

Most of the past work I've done is in bits of the kernel that are rarely present in infringing devices, and most of my recent work is owned by my employer rather than me.

12:28 am (UTC)


You haven't even got half the story.

From landley.livejournal.com

January 31, 2012

Dude, pay attention. Tim isn't behind it, _I_AM_.

I'm the ex-busybox maintainer who hooked them up with the SFLC in the first place. The guy who wrote little things like the non-stub versions of sed, sort, mount, bunzip2 _before_ becoming the project's maintainer. The guy who lamented that the busybox lawsuits had never produced a SINGLE LINE of usable code added to the busybox repository (unless you count our copyright notice announcement when you run the multiplexer), who tried to _stop_ the self-financing legal machine the FSF hijacked to force Cisco/Linksys to shut down all their Linux development and reassign the developers to work on Windows? Who left the project because a troll who hadn't written a line of code in a decade was trolling about GPLv3...

My toybox project goes back to 2006:

http://landley.net/hg/toybox
http://landley.net/toybox

I explained the rationale for the switch to BSD licensing and the relaunch back when I did it:

http://landley.net/notes-2011.html#13-11-2011

What I'm trying to prevent is FRAGMENTATION of the android command line, which is ALREADY UNDERWAY:

http://beastiebox.sourceforge.net/
http://hg.suckless.org/sbase/

And so on...

You're objecting that someone offered to help me write new code, and get people to use the result? You want to PREVENT the ex-busybox maintainer from writing any more code under a license you disagree with? That's your definition of freedom, we must remain silent if we disagree with you?

You object to Tim Bird PERSONALLY WRITING CODE and contributing it to my project:

http://landley.net/hg/toybox/rev/12add511705e

Sheesh.

Look, I'll write a new blog entry collecting all the darn links in one place. I don't expect you to read them, but maybe somebody will.

04:04 pm (UTC)


Re: You haven't even got half the story.

From mjg59

January 31, 2012

You're welcome to do whatever you want to do. I object to people with vested corporate interests deliberately making it easier for corporations (like the one they work for) to violate the licensing of other GPLed works. If you think the interest in this project is because people just want a BSD-licensed Busybox, I think you're naive.

04:54 pm (UTC)


Re: You haven't even got half the story.

From landley.livejournal.com

January 31, 2012

No, when I thought that hooking up with a lawfirm to launch busybox license enforcement lawsuits would result in any code added to the BusyBox repository, THAT was naieve. Zealots grabbed that and used it to inflict completely unrelated crap like "license compliance officers" sending reports to the Free Software Foundation (which WAS NOT INVOLVED, yet somehow managed to hijack this to further their own agenda).

Sheesh, one reason I got into BusyBox development in the first place was that I wanted to create a Linux system even Richard Stallman wouldn't try to bracket with "Gnu/Linux/Dammit". A Linux system that didn't have a single line of FSF code in it.

When Pamela Jones (of Groklaw) referred me to the SFLC and I had my first phone call with them, one of the first things I asked was whether they had anything to do with the FSF. They explained that Eben Moglen used to run the FSF's legal arm but chose to distance themselves from him as Stallman got increasingly nuts. Then a year later they got back in bed with the FSF and launched the most counterproductive, disruptive crap since the Mepis lawsuit.

Anybody remember the Mepis lawsuit?

http://lwn.net/Articles/193852/

Where tiny Linux company shipping an Ubuntu reskin had a partnership with Ubuntu, with a quote from Ubuntu's founder in their press release announcing the partnership, but pointing to Ubuntu's servers for the packages they HADN'T MODIFIED wasn't good enough for the FSF, which sued them to make darn sure they were mirroring all 43,000 packages in the Debian repository.

You're not bitching about the way the binutils 2.17 tarball on the FSF's website got replaced in November by a new one containing GPLv3 source files, so people who want to stick with the old GPLv2 version get TRICKED into shipping GPLv3 code by RETROACTIVE RELICENSING, and the last GPLv2 release has been DELETED off the website.

ftp://ftp.gnu.org/gnu/binutils/

No, _that_ doesn't bother you.

A 2-clause BSD-licensed SUSv4+ command line is exactly what I'm writing at http://landley.net/toybox and if people choose to add to it, or find more uses for it, good for them.

05:20 pm (UTC)


Re: You haven't even got half the story.

From mjg59

January 31, 2012

There was no retroactive relicensing. Binutils 2.17 is still available under the terms of GPLv2, and anyone who has a license to it under those terms continues to have a license to it under those terms. There was also no Mepis lawsuit - the FSF explained to Mepis that they weren't complying with the FSF's understanding of the license, and Mepis complied. So no, those things don't bother me.

Like I said, I have no problem with you working on a more liberally licensed version of Busybox. I don't even have a problem with *your* motivations. My objection is purely to the fact that the reason other people are interested in this is because they want to reduce the probability of being sued when they violate the GPL.

05:31 pm (UTC)


Copyright 2012 http://mjg59.dreamwidth.org/10437.html