[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Poor GPL-Enforcers

From: Alexander Terekhov
Subject: Poor GPL-Enforcers
Date: Fri, 23 Jun 2006 14:34:21 +0200

According to former BusyBox maintainer Erik Andersen, violations are
fairly common. "I get roughly three reports every week of some device or
other that is shipping with BusyBox in violation of the license; i.e.,
the vendor fails to support source, fails to offer source, and in many
cases, claims the software is completely proprietary, when in fact it is
obviously running Linux and using BusyBox."

Pursuing legal matters

Andersen says that his father, an attorney, has tried to follow up on
violations, but Andersen calls it an "overwhelming burden" because his
father still needs to pay paralegals, secretaries, and so forth.
Andersen says GPL enforcement "has earned nothing to help pay the
salaries at my dad's law office. Quite understandably, therefore, GPL
enforcement tended to, [out] of necessity, get pushed to the bottom of
the priority list."

Current BusyBox maintainer Rob Landley says that GPL violations not only
cost BusyBox time and effort, but they've caused at least one developer
to abandon the project.

    This problem's been festering for a while, and it's cost us. A year
ago, we lost a prominent developer, Glenn McGrath, who tried his own
license enforcement effort -- prying the source code to the router he
bought out of the company that made it -- and was so burned out by what
turned into a nasty legal battle that he completely lost faith in the
GPL. Others have had similar experiences and stopped contributing code
they thought would just be decommoditized and sucked into proprietary
projects regardless of the license they put it out under.

On the other hand, Ravicher says that GPL violations "are not increasing
at any alarming rate, if at all." He points out that copyright
violations have "almost no statute of limitations" due to copyrights'
longevity, and that companies have little incentive to "violate and keep
it hush-hush" because violations can always be addressed at a later
date. He also says that "no rational business thinks it's a wise thing
to rip of GPLed software."

While Ravicher doesn't observe an increase in violations, Andersen,
Landley, and founder Harald Welte believe the rate is
increasing. The reality may be that violations are not increasing
overall, but the number being reported in the embedded market is
increasing. As Welte states on his blog, "The current rate at which new
GPL violations get reported and/or discovered, especially from the
appliance/embedded market, is really alarming. For example, I haven't
yet seen a single Linux-based NAS product that was even remotely
license-compliant when first analyzing it. And I'm not only talking
about the SoHo NAS boxes with one or two hard disk drives, but even
about enterprise storage systems."

Welte also expresses frustration with the amount of time needed to
pursue GPL compliance. "I'm a die-hard technical guy who loves kernel
development," he says. "While I have excellent legal contacts who are
skilled in both [the] technical and legal worlds, it's still a
neverending amount of hours spent in work that doesn't really seem
'productive' to me. I'm constantly spending between 50% and 60% of my
time with this."


It can be difficult to even find and confirm violations. It takes a fair
amount of work to confirm that a device or program is in violation,
since (by definition) violators usually don't ship source code. This
means that, to prove violations in embedded devices or proprietary
software, the investigating party needs to obtain -- usually at a fair
expense -- a copy of the software or device, then engage in a great deal
of work to confirm that it contains GPLed code. Welte describes some of
the efforts in this entry on his blog:

    So apart from talking to lawyers, proofreading legal paperwork,
negotiating with allegedly infringing companies, and the like, I now
also start having trouble doing test purchases. [I] not only refuse some
retailers to take orders from me, but also if I actually place an order,
it raises new problems.

    The last web store I ordered a test purchase from now asked me for a
complete, readable copy of both sides of my ID card.... This is totally
against any data protection laws. There is absolutely no requirement for
them to know my passport photograph, ID card number, size, or eye
colour. So as a follow-up, I had to write an official complaint with the
Berlin data protection agency -- as if I didn't have any other work to

    Also, for the last months, I find myself giving about EUR 10k in 0%
interest loans to GPL infringing companies. That's the amount of money
spent for test purchases that I had to do to confirm GPL violations, but
which hasn't yet been reimbursed.


Looking to GPLv3

When talking about enforcing the GPL, it's worthwhile to consider the
GPLv3 draft and provisions that would change the termination procedure
for violations. The current version of the GPL automatically terminates
a licensee's rights to copy, modify, distribute, or sublicense GPLed
code from the program. (Note that this doesn't extend to other GPLed
applications, so if a party violates the GPL by distributing an
application such as Gaim in violation of the terms of the GPL applied to
Gaim, the party doesn't lose the right to distribute any GPLed code --
just Gaim.)

The GPLv3 draft changes the termination clause to say that the copyright
holder may terminate rights under the GPL "after having notified you of
the violation by any reasonable means within 60 days of any occurrence."
This puts an additional burden on the copyright holder to notify the
violator and wait 60 days.

Welte says that the new draft "would make enforcement in the way of virtually impossible. There is a ridiculous change
where the rights are only revoked after the copyright holders explicitly
notify the infringing party of the revocation, and then the copyright
holders have to wait ... before they could take any legal action."

If the provision remains as is, Welte says he doubts that the provision
would help compliance. "Where is the advantage of bringing out a product
[that's] GPL-compliant, if the only 'penalty' of noncompliance is that I
have to prepare a source code offer within 60 days after being notified
by the copyright holders?"

However, Welte says that he expects the wording regarding revocation
will be updated in the next draft of the GPLv3.

Eben Moglen, pro bono general counsel for the FSF and chairman of the
SFLC, says that the FSF considers it "harmful" to the GPLv3 process to
reply "to individual comments or commentators in an informal way."


reply via email to

[Prev in Thread] Current Thread [Next in Thread]