Some Thoughts on Conservancy's GPL Enforcement

Bradley M. Kuhn

February 1, 2012

As most of those who know me are aware, I've been involved in GPL enforcement for more than 12 years, across three different organizations, the most recent one being here at the Software Freedom Conservancy. Since 2001, I've written dozens of articles, blog posts, and given at least fifty talks and CLE classes about how to do GPL compliance, and how enforcement actions tend to occur.

This weekend at SCALE [ http://www.socallinuxexpo.org/scale10x ], I gave a version of a talk [ http://www.socallinuxexpo.org/scale10x/presentations/12-years-floss-license-compliance-historical-perspective ] I've [ https://events.linuxfoundation.org/events/collaboration-summit/foss-compliance ] given [ http://sambaxp.org/?id=65 ] many [ http://www.linuxtag.org/2011/en/program/themenschwerpunkte/security-day-by-astaro/details-talkid5.html ] times [ http://www.oscon.com/oscon2011/public/schedule/detail/18820 ] (also available as an oggcast [ http://faif.us/cast/2011/sep/13/0x18/ ]), which I've usually entitled something like 12 Years of Copyleft Compliance: A Historical Perspective. I decided to retire this talk last weekend at SCALE (in part because it's now coming up on 13 years), but before I put that material aside, I thought I'd write a blog post summarizing the more salient points that I make in that talk.

Indeed, After all these years of speaking about, writing about, and doing GPL enforcement, I'm occasionally surprised at how much confusion still exists about how and why it's done. I've focused solely on doing GPL enforcement via 501(c)(3) not-for-profit entities, which means I do it only in the public good. I hope this blog post will give a sense of how it works and why I do it.

Copyleft Through Copyright

The primary goal of every GPL enforcement action is to gain compliance, which means getting to users complete and corresponding source code so they can copy, share, modify and install improved versions. The GPL itself is a copyright license that does a weird hack on copyright: it uses the copyright rules to turn them around, and require people to share software freely (as in freedom) in exchange for permission to copy, modify and distribute the software. A GPL violation occurs when someone fails to meet the license requirements and thereby infringes copyright. The copyright rules themselves then are the only remedy to enforce the license — requiring that the violator come into compliance with the license if they want permission to continue distribution.

Up until now, almost all the enforcement I've done has been purely under GPL version 2 (GPLv2) [ http://www.gnu.org/licenses/gpl-2.0.html ]. GPLv2§4 [ http://www.gnu.org/licenses/gpl-2.0.html#section4 ] says that upon violation, the violator loses permission to engage in those activities governed by copyright: including copying, modifying and distributing the software. The only way to get those permissions back is for the copyright holder to grant them back.

Speaking For the Users

Copyleft's unique way of using copyright means the parties who may enforce are copyright holders (and their designated agents). However, the victims of the violation are typically thousands of users who have bought a product that included the GPL'd program. The goal, therefore, is to get source code that these users can actually use to compile and install the software. In GPLv2-speak, the goal is to get the all the complete source code, which includes the scripts used to control compilation and installation of the executable.

Releases of complete and corresponding source have been instrumental in inspiring new user-driven software development communities like OpenWRT [ https://openwrt.org/ ] and SamyGo [ http://www.samygo.tv/ ], both of which built upon source releases that came from prior BusyBox GPL enforcement efforts.

The Standard Requests

The goal of every enforcement action is to yield a license-compliant source release that works for the users. Every enforcement action opens as a conversation, asking the violator to meet a few simple requests so that their permission to engage in copyright-governed activity can be restored, and they can go about their new business as a fine, upstanding, compliant Free Software redistributor. The typical requests are:

Compliance with all Open Source and Free Software licenses in the product.
I started using this request regularly around 2002 because violators express a concern that, if they come into compliance due to my efforts, what stops others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say: Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate.

Of course, the detailed license requirements are different for different licenses, so I've had to become an expert on the specific requirements of all FLOSS licenses over the years. For example, for permissive, BSD [ http://www.opensource.org/licenses/bsd-license.php ] -like licenses, the only compliance required is typically that copyright notices be displayed appropriately on proprietarized versions. Meanwhile, the LGPL [ http://www.gnu.org/licenses/lgpl.html ] permits some types of proprietary combinations, but not others. GPLv2 [ http://www.gnu.org/licenses/gpl-2.0.html ] and GPLv3 [ http://www.gnu.org/copyleft/gpl.html ], of course, have different requirements when it gets down to some details. The goal is to make sure that whatever each license requires is what's being done for the program under that license.

Meanwhile, particularly with embedded systems, requiring compliance on everything is basically a de-facto necessity anyway. Most embedded firmwares are built with a single build system (or, a set of steps that expect all relevant sources to be present), and as such, asking for the GPLv2-required scripts used to control compilation and installation of the executable for one program means asking for them for other programs too, since it's the same scripts.
Appoint a Compliance Officer.
This is a requirement that actually predates my involvement in enforcement. I believe it was instituted at other organizations back in the 1990s. The goal is simple: have a single point of contact who can be reached regarding any future violations.

The goal, as always, is to help a violator become a productive member of the Free Software business community. Ideally, future violation matters should never be escalated very much: the company should have a person that has some expertise about GPL compliance who can work with anyone who might have concerns about any later product.
Pay Our Cost of Bringing You Into Compliance.
This was the toughest requirement for me to institute, and I struggled for years about whether it was the right thing to do. I avoided it until someone pointed out to me: If you're doing GPL enforcement for a non-profit, who should pay the cost of doing enforcement: the folks who send you charitable donations to support [ http://sfconservancy.org/donate/ ] your other non-compliance work, or the violators who actually violated the license? Indeed, those who donate [ http://sfconservancy.org/donate/ ] probably always comply with GPL themselves, so if violators aren't charged the cost of enforcement, compliant people end up subsidizing violations with their donations.

Ultimately, that was a compelling enough argument for me, but there's one other argument: there must be a deterrent. If the cost of violating the GPL is: “you must merely come into compliance when you're caught violating”, then very few companies would comply voluntarily. How many people would always violate the automobile speed limits if, when the driver is pulled over for speeding, all that ever happened was a stern warning?

A few sometimes ask: well, where does the money go?. This question is why I think it's essential for GPL enforcement to be done by a 501(c)(3) not-for-profit entity like Conservancy. As I wrote in my previous Conservancy blog post [ http://sfconservancy.org/blog/2012/jan/16/fy-2010-form-990/ ], Conservancy's financial documents are publicly disclosed. So, you want to know the details of the enforcement money from FY 2010? Download Conservancy's FY 2010 Form 990 [ http://sfconservancy.org/docs/conservancy_Form-990_fy-2010.pdf ], and take a look at Line 4(c) on page 2, Line 2(b) on page 9, and Line 11(b) on page 10. It's as simple as that.

Conservancy's Enforcement Plans

Of course, I encourage everyone to read the rest of the Form 990 too, and note in particular that GPL enforcement is only third on the list of major activities at Conservancy. I've no interest in making license enforcement the primary activity of Conservancy — indeed, it's but one item on Conservancy's extensive list of services [ http://sfconservancy.org/members/services/ ], and Conservancy has 27 (and growing) projects to care for [ http://sfconservancy.org/members/current/ ]. Many of those projects are GPL'd and LGPL'd, and many of them want Conservancy to handle their enforcement, but that work is always balanced with all the other work going on at this thinly staffed organization.

I strongly expect that Free Software license compliance and enforcement will always be a part of my work. I once heard Larry Wall [ http://en.wikipedia.org/wiki/Larry_Wall ], founder of Perl [ http://www.perl.org/ ], say (when I was still merely a Computer Science graduate student): You can never entirely stop being what you once were. That's why it's important to be the right person today, and not put it off till tomorrow. Ever since I heard him say that, I've held it as a fundamental tenet of what I do in the Free Software community. I believe GPL enforcement is right and necessary for the advancement of software freedom. So, I'm glad for the enforcement I've done, and I'm glad to continue doing GPL enforcement for as long as projects come to me and ask me to take care of it for them. Like everything else at Conservancy: I'm glad to do the boring work so Free Software developers can focus on writing code. GPL enforcement surely qualifies there.

I admit, though, that I do find litigation particularly annoying, time-consuming, and litigation also makes GPL compliance take longer than it should. That's why litigation has always been a last resort, and that 99.999% of GPL enforcement matters get resolved without a lawsuit. Lawsuits are only an option, in my view, when a violation is egregious, and multiple attempts to begin a friendly conversation with the violator are consistently ignored. Every lawsuit I've been involved with met these criteria. I hope no violation matters ever meet them again, but that depends on how well the violators respond when someone asks them for the complete and corresponding source code for the GPL'd and LGPL'd components in the product.

I hope that someday, everyone just complies voluntarily with the GPL, so I can go do other things — I used to be a software developer, once upon a time, and I'd love to do that again. But, in the meantime, I'm here to enforce the GPL, to defend software freedom.