GNU GPL License Enforcementsgit.gnumonks.org/laforge-slides/plain/2010/gpl_enforcement-dc2010/… · GPL Violations and License Enforcement Summary GNU GPL License Enforcements What

FOSS LicensesGPL Violations and License Enforcement

Summary

GNU GPL License EnforcementsWhat the community can do to enforce the GPL

Harald Welte

gpl-violations.orghmw-consulting.de

DORS/CLUC 2010, May 2010, Zagreb/Croatia

Harald Welte GNU GPL License Enforcements


Summary

Outline

1 FOSS LicensesFree Software and CopyleftThe GNU GPLGPL - Embedded SystemsGPL - Compatible source code offerGPL - Derivative Works

2 GPL Violations and License EnforcementGPL ViolationsBusiness Risk of GPL ViolationsGPL Enforcementgpl-violations.org



Summary

About the speaker

Using + playing with Linux since 1994Kernel development since 1999IT security specialist, focus on network protocol securityBoard-level Electrical EngineeringSystem-level Software for PPC, ARM, x86IANAL, but companies not complying with the licenseforced me to spend lots of time with legal issues



Summary

Free Software and CopyleftThe GNU GPLGPL - Embedded SystemsGPL - Compatible source code offerGPL - Derivative Works

Free SoftwareDefinition by the FSF

Free Software has to ensure the following key freedoms:Freedom to use the software for any purposeFreedom to make copies "to help your neighbor"Freedom to study its functionality (source code)Freedom to fix it yourself (make modifications)



Summary


CopyleftA concept to ensure Freedom

Copyleft is an idea to use copyright to ensure SoftwareFreedoms

Use/claim copyright on the softwareCreate a license that is permissive enough for the 4FreedomsHowever, put some conditions/obligations in the license

ensure the source code will always be availableensure nobody is able to remove the 4 Freedoms from thesoftware

Use that license for the software.



Summary


The GNU GPLAn implementation of Copyleft

The GNU General Public License (GPL)is a Copyleft Free Software Licenseassures the original author that his work will always havethe freedomsestablishes a level of fairness: You can use my code, if youshare your additions back with us.is a big motivation factor for many community members



Summary


Revisiting the GPLv2 License Terms

The GNU GPLv2Regulates distribution, not use (running the program)Allows distribution of source code and modified sourcecode, if

The license is mentionedA copy of the license text accompanies each copy

Allows distribution of or modified binaries, ifThe license is mentionedA copy of the license text accompanies each copyThe source code is either included with the copy, or awritten offer is made on how the source can be obtained.



Summary


Complete Corresponding Source CodeAs required by GPLv2

. . . complete source code means all the source code for allmodules it (the software) contains, plus any associatedinterface definition files, plus the scripts used to controlcompilation and installation of the executable.

For a C language program, this meansSource CodeMakefilescompile-time configuration (e.g. kernel .config)

General ruleIntent of the license is to enable the user to run modifiedversions of the programIf you provide everything needed for that, there will be nodiscussion



Summary


Modifications of GPL’d source codeThe details that matter

In the GPL, it does not matter if you have modified theGPL’d program or if you ship it unmodified.You always have to provide the source code!If you modify the source code, your changes have to bevisible/identifiableFor practical reasons, I suggest shipping original upstreamtarball + a diff/patch with your changes



Summary


GPL and Embedded SystemsInterpreting the meaning

The GNU GPLv2 was written for the GNU project, at thetime this project was working on replacing individualapplication programs on top of a proprietary UNIXoperating system kernel.scripts used to control compilation and installation

Intent: To enable the user to modify + run modified versionsIn case of embedded systems, the "scripts used to controlinstallation" include the software required for installing theprogram onto the target device



Summary


GPL and Embedded DRMSometimes called Tivo-ization

Some companies want to lock down their Linux-basedsystem, by

Cryptographic verification of bootloader by ROM loaderCryptographic verification of kernel image by bootloader. . .

This is problematic from a GPL point of view, sinceYou are depriving the user from practically exercising hisright to run modified versions of the programThus, violation not of the GPLv2 wording, but likely of theGPL’s intentionLegal outcome unclear, different scholars have differentopinions, also depends on jurisdiction

GPLv3 makes this intent explicit in the license text



Summary


Complete + Corresponding SourceFor every Release you make

Whenever you distribute GPL licensed software, thelicense applies. This includes

Actual sale of a physical embedded device with thesoftware in flashDownload of a firmware update as a file from a websiteShipping of firmware updates on physical storageDistribution of firmware updates e.g. by over-the-airmechanisms in DVB-S or other networks

Every time, the conditions of the license have to be fulfilled(mention there’s software under GPL, include full licensetext, include or offer complete corresponding source codeFor every release you ever ship (even beta release if it everis shipped only to one customer), you need the completecorresponding source code.



Summary


Derivative WorksKeeping it clean

Derivative works are a question of copyright law, not the GPLwhenever you couple a GPL and a non-GPL programtightly (e.g. static/dynamic linking), your’re entering a legalgrey areathere is little or no precedent on derivative works ofsoftwareyou’re violating the intention of the author. If he wanted youto link from proprietary programs, he would have usedLGPLtry to work with the community, rather than against it



Summary

GPL ViolationsBusiness Risk of GPL ViolationsGPL Enforcementgpl-violations.org

GPL Violations

GPL violations are not new, just like GPL licensed softwareis not newHowever, increased popularity of GNU/Linux basedsystems increase GPL violationsToday, many more people and companies unfamiliar withthe history and values of Free Software start using and(re)distributing FOSS



Summary


Business Risk of GPL ViolationsOr: How to convince your managers

If you ship a product that is incompliant to the GNU GPL,you are committing a copyright infringement not differentfrom shipping a product with unlicensed copies of MSWindowsyou can face civil and criminal charges in courtcivil charges include (German jurisdiction)

immediate cease + desist (halt of product sales)information of which quantity of the product has been soldto whomdamages for lost revenue (see dual licensing)

civil charges can also be filed against everydistributor/store/importer



Summary


Early GPL Enforcement

The Free Software Foundation (FSF) has alway beendoing GPL enforcement on software of which they are thecopyright holder

They do so quietly, without much public noticeThe quiet route sometimes leads to lengthy negotiationsThe FSF only holds copyright on some Free Softwareprograms



Summary


The Linksys WRT54G case

During 2003, the Linksys WRT54G case drew a lot of attentionLinksys was selling 802.11 WLAN Access Points andRoutersLots of GPL licensed software embedded into the device,including Linux, uClibc, busybox, iptablesFSF-led alliance took their usual quiet approachLinksys bought itself a lot of time

Some sources were released two months laterFull GPL compliance only achieved four months later



Summary


Aftermath of the Linksys case

Some developers were not happy with the Linksys caseLinksys didn’t loose anything by not complying from thebeginningFour months delay is a long time given short productlifetimes

More embedded devices started to use Linux and otherFOSSThe netfilter/iptables project started to do their ownenforcement

Using German copyright law against German subsidiary ofvendorUsing direct legal / copyright based approach

The gpl-violations.org was later established



Summary


GPL Enforcement by the Community

The GPL is a Copyright LicenseGPL enforcement is thus Copyright enforcementCopyright enforcement can normally only be done bycopyright holders!Alternative (less tested) legal approaches

Competition / Anti-Trust law (by a GPL-abiding competitor)Consumer protection (The product without source code isincomplete)



Summary


GPL Enforcement Requirements

Clean copyright situationWho wrote which (part of a) softwareWas the copyright transferred to an employer?

Evidence for the violationTest purchase of the software on storage mediumDetailed screenshots of download side, downloadedsoftware imagesEvidence shows no notice of GPL or source codeavailability/offer

Copyright holders who want to do enforcement



Summary


GPL Enforcement by the Community

Authors/Developers of a project need to care about entitiesthat violate their licenseLegal options in case of a violation

One or multiple copyright holders do their own enforcementCopyright transfer to an entity that does enforcement

Free Software Foundationhttp://conservancy.softwarefreedom.org/Fiduciary License Agreement with the FSF Europe



Summary


The gpl-violations.org work

Use all legal means neccessarry to bring infringing productin complianceWe only act where we hold copyright (Linux kernel)We typically only act within Europe, mostly in GermanySuccess so far

More than 100 amicable agreements as results ofsettlementsMore than 5 preliminary injunctions halting sales ofproducts until complianceMultiple actual court cases with court verdict



Summary

SummaryOutlook

Summary

GPL compliance is not difficult if you think about theproblem when you start product development.A large part of the task can be automatized by using aproper build system.There are questionable legal grey areas. To minimize therisk, I’d try to stay out of them.



Summary

SummaryOutlook

Outlook

OutlookBlatant GPL violations in embedded devices are declining,but are likely to continue due to lack of skill or negligence.We’ll see more derivative works types of GPL violations,and we’ll see actual legal enforcement and precedent inthis area over the next years.Stronger copyright protection demanded by contentindustry will also mean stronger protection for FOSSlicenses. Imagine GPL enforcement with "three strikes" lawin France ?!?


Documents

GNU GPL License Enforcementsgit.gnumonks.org/laforge-slides/plain/2010/gpl_enforcement-dc2010/… · GPL Violations and License Enforcement Summary GNU GPL License Enforcements What