Some Thoughts on Conservancy's GPL Enforcement

Bradley M. Kuhn

February 1, 2012

As most of those who know me are aware, I've been involved in GPL enforcement for more than 12 years, across three different organizations, the most recent one being here at the Software Freedom Conservancy. Since 2001, I've written dozens of articles, blog posts, and given at least fifty talks and CLE classes about how to do GPL compliance, and how enforcement actions tend to occur.

This weekend at SCALE [ http://www.socallinuxexpo.org/scale10x ], I gave a version of a talk [ http://www.socallinuxexpo.org/scale10x/presentations/12-years-floss-license-compliance-historical-perspective ] I've [ https://events.linuxfoundation.org/events/collaboration-summit/foss-compliance ] given [ http://sambaxp.org/?id=65 ] many [ http://www.linuxtag.org/2011/en/program/themenschwerpunkte/security-day-by-astaro/details-talkid5.html ] times [ http://www.oscon.com/oscon2011/public/schedule/detail/18820 ] (also available as an oggcast [ http://faif.us/cast/2011/sep/13/0x18/ ]), which I've usually entitled something like 12 Years of Copyleft Compliance: A Historical Perspective. I decided to retire this talk last weekend at SCALE (in part because it's now coming up on 13 years), but before I put that material aside, I thought I'd write a blog post summarizing the more salient points that I make in that talk.

Indeed, After all these years of speaking about, writing about, and doing GPL enforcement, I'm occasionally surprised at how much confusion still exists about how and why it's done. I've focused solely on doing GPL enforcement via 501(c)(3) not-for-profit entities, which means I do it only in the public good. I hope this blog post will give a sense of how it works and why I do it.

Copyleft Through Copyright

The primary goal of every GPL enforcement action is to gain compliance, which means getting to users complete and corresponding source code so they can copy, share, modify and install improved versions. The GPL itself is a copyright license that does a weird hack on copyright: it uses the copyright rules to turn them around, and require people to share software freely (as in freedom) in exchange for permission to copy, modify and distribute the software. A GPL violation occurs when someone fails to meet the license requirements and thereby infringes copyright. The copyright rules themselves then are the only remedy to enforce the license — requiring that the violator come into compliance with the license if they want permission to continue distribution.

Up until now, almost all the enforcement I've done has been purely under GPL version 2 (GPLv2) [ http://www.gnu.org/licenses/gpl-2.0.html ]. GPLv2§4 [ http://www.gnu.org/licenses/gpl-2.0.html#section4 ] says that upon violation, the violator loses permission to engage in those activities governed by copyright: including copying, modifying and distributing the software. The only way to get those permissions back is for the copyright holder to grant them back.

Speaking For the Users

Copyleft's unique way of using copyright means the parties who may enforce are copyright holders (and their designated agents). However, the victims of the violation are typically thousands of users who have bought a product that included the GPL'd program. The goal, therefore, is to get source code that these users can actually use to compile and install the software. In GPLv2-speak, the goal is to get the all the complete source code, which includes the scripts used to control compilation and installation of the executable.

Releases of complete and corresponding source have been instrumental in inspiring new user-driven software development communities like OpenWRT [ https://openwrt.org/ ] and SamyGo [ http://www.samygo.tv/ ], both of which built upon source releases that came from prior BusyBox GPL enforcement efforts.

The Standard Requests

The goal of every enforcement action is to yield a license-compliant source release that works for the users. Every enforcement action opens as a conversation, asking the violator to meet a few simple requests so that their permission to engage in copyright-governed activity can be restored, and they can go about their new business as a fine, upstanding, compliant Free Software redistributor. The typical requests are:

Conservancy's Enforcement Plans

Of course, I encourage everyone to read the rest of the Form 990 too, and note in particular that GPL enforcement is only third on the list of major activities at Conservancy. I've no interest in making license enforcement the primary activity of Conservancy — indeed, it's but one item on Conservancy's extensive list of services [ http://sfconservancy.org/members/services/ ], and Conservancy has 27 (and growing) projects to care for [ http://sfconservancy.org/members/current/ ]. Many of those projects are GPL'd and LGPL'd, and many of them want Conservancy to handle their enforcement, but that work is always balanced with all the other work going on at this thinly staffed organization.

I strongly expect that Free Software license compliance and enforcement will always be a part of my work. I once heard Larry Wall [ http://en.wikipedia.org/wiki/Larry_Wall ], founder of Perl [ http://www.perl.org/ ], say (when I was still merely a Computer Science graduate student): You can never entirely stop being what you once were. That's why it's important to be the right person today, and not put it off till tomorrow. Ever since I heard him say that, I've held it as a fundamental tenet of what I do in the Free Software community. I believe GPL enforcement is right and necessary for the advancement of software freedom. So, I'm glad for the enforcement I've done, and I'm glad to continue doing GPL enforcement for as long as projects come to me and ask me to take care of it for them. Like everything else at Conservancy: I'm glad to do the boring work so Free Software developers can focus on writing code. GPL enforcement surely qualifies there.

I admit, though, that I do find litigation particularly annoying, time-consuming, and litigation also makes GPL compliance take longer than it should. That's why litigation has always been a last resort, and that 99.999% of GPL enforcement matters get resolved without a lawsuit. Lawsuits are only an option, in my view, when a violation is egregious, and multiple attempts to begin a friendly conversation with the violator are consistently ignored. Every lawsuit I've been involved with met these criteria. I hope no violation matters ever meet them again, but that depends on how well the violators respond when someone asks them for the complete and corresponding source code for the GPL'd and LGPL'd components in the product.

I hope that someday, everyone just complies voluntarily with the GPL, so I can go do other things — I used to be a software developer, once upon a time, and I'd love to do that again. But, in the meantime, I'm here to enforce the GPL, to defend software freedom.

Copyright 2012