Columbia Law School, New York, NY, USA \\

\vspace{.1in}

}

\vspace{.7in}

\begin{abstract}

This one-day course presents the details of five different GPL compliance

cases handled by FSF's GPL Compliance Laboratory.  Each case offers unique

insights into problems that can arise when the terms of GPL are not

managers and executives whose businesses use or distribute Free Software

will also find the course very helpful.

\end{abstract}

\tableofcontents

As we have learned, the assurance that Free Software under GPL remains

Free Software is accomplished through various terms of GPL: \S 3 ensures

that binaries are always accompanied with source; \S 2 ensures that the

license of the software is always GPL for everyone, and that no other

clause is where the legal teeth of the license are rooted.  As a copyright

license, GPL governs only the activities governed by copyright law ---

copying, modifying and redistributing computer software.  Unlike most

copyright licenses, GPL gives wide grants of permission for engaging with

these activities.  Such permissions continue and all parties may exercise

in the permissions that otherwise granted by GPL\@.  Effectively, their

\section{Ongoing Violations}

In conjunction with \S 4's termination of violators' rights, there is one

violation of GPL\@.

In fact, when we discover a GPL violation that occurred only once --- for

example, a user group who distributed copies of a GNU/Linux system without

It is only the cases of {\em ongoing\/} GPL violation that warrant our

active attention.  We vehemently pursue those cases where dozens, hundreds

or thousands of customers are receiving software that is out of

In addition, such ongoing violation shows that a particular company is

committed to a GPL'd product line.  We are thrilled to learn that someone

commons about proper procedures to contribute to the community.

Our central goal is not, in fact, to merely clear up particular violation.

\section{How are Violations Discovered?}

Our enforcement of GPL is not a fund-raising effort; in fact, FSF's GPL

donors).  Our violation reports come from volunteers, who have encountered

in their business or personal life, a device or software product that

Our first order of business, upon receiving such a report, is to seek

independent confirmation.  When possible, we get a copy of the software

product.  For example, if it is an offering that is downloadable from a

website, we download it and investigate ourselves.  When it is not

possible for us to actually get a copy of the software, we ask the

By rough estimation, about 95\% of violations at this stage can be

\begin{quotation}

\end{quotation}

In other words, it is usually more than trivial to confirm that GPL'd

software is included.

FSF does not have the power to enforce GPL in all cases.  Since GPL

operates under copyright law, the powers of enforcement --- to seek

redress once \S 4 has been invoked --- lies with the copyright holder of

In cases where FSF does not hold copyright interest in the software, but

we have confirmed a violation, we contact the copyright holders of the

software, and encourage them to enforce GPL\@.  We offer our good offices

to help negotiate compliance on their behalf, and many times we help as a

copyrights and GPL\@.

\section{First Contact}

works best when you assume the best of others, and only change policy,

procedures and attitudes when some specific event or occurrence indicates

that a change is necessary.  We treat the process of GPL enforcement in

community of software sharing, so we want to open our hand in friendship

to them.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

In our first case study, we will consider Davrik, a company that produces

software and hardware toolkits to assist OEM vendors who products consumer

more evidence was discovered.

FSF was later able to confirm the violation when two additional reports

professional and noticed clear similarities to FSF's GNU GCC\@.  FSF's

Compliance Engineer asked the reporters to run standard tests to confirm

specific devices.  FSF explained the rights that the GPL afforded these

customers and pointed out, for example, that Davrik only needed to provide

source to those in possession of the binaries, and that the users may need

FSF brought the matter to the attention of Davrik, who immediately

escalated the matter to their attorneys.  After a long negotiation, Davrik

acknowledged that their SDK was indeed a derivative work of GCC\@.  Davrik

reaudited the source and discovered that FSF's analysis was correct and

code-base.

\label{davrik-build-problems}

At FSF's request as well, Davrik informed customers who had previously

purchased the product that the source was now available, by announcing

This quelled Davrik's concerns about other patent licensing they sought to

do outside of the GPL'd software, and satisfied FSF's concerns that they

exercised in their GPL'd software release.

Finally, a GPL Compliance Officer inside Davrik was appointed who is

is responsible for informing FSF if the position is given to someone else

inside the company, and making sure that FSF has direct contact

information with Darvik's Compliance Officer.

  GPL education, many users do not fully understand their rights and the

  obligations that companies have.  By working through the investigation

  with reporters, the violation can be properly confirmed, and {\bf the

\item {\bf Confirming compliance is a community effort.}  The whole point

  of making sure that software distributors respect the terms of GPL is to

  violators to make some attempt --- such as via newsletters and the

  company's website --- to inform those who already have the products as

  to their rights under GPL\@.  One of the key thrusts of GPL's \S 1 and

  reaching those who would seek to exercise their freedoms, is essential

  to properly remedy the mistake.

\item {\bf Lines between various copyright, patent, and other legal

  mechanisms must be precisely defined and considered.}  The most

  explicit to assure themselves that the grant is sufficiently narrow for

  their needs.  We understand that there is no reasonable way to determine

  what patent claims read on a company's GPL holdings and which do not, so

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\chapter{Bracken: a Minor Violation in a GNU/Linux Distribution}

Bracken produces a GNU/Linux operating system product that is sold

primarily to OEM vendors to be placed in appliance devices that are used

for a single purpose, such as an Internet-browsing-only device.  The

FSF found out about this violation through a report first posted in a

comment on a Slashdot\footnote{Slashdot is a popular news and discussion

same violation.

Bracken's GNU/Linux product is delivered directly from their website.

  contradicted the permissions granted by GPL\@.

\end{itemize}

immediately ceased distribution of the product temporarily, and set forth

a plan to bring themselves back into compliance.  This plan included the

following steps:

  ever they distributed that way).

\item Bracken attorneys would run an internal seminar for its engineers

  regarding source releases would not occur in the future.

\item Bracken would resume distribution of the product only after FSF

  formally restored Bracken's distribution rights.

\end{itemize}

new EULA text.  They key portion in the EULA relating to GPL read as

follows:

\section{Lessons Learned}

violations in the history of FSF's Compliance Lab.  The ease with which

the problem was resolved shows a number of cultural factors that play a

role in GPL compliance.

\item {\bf Companies that understand Free Software culture better have an

  easier time with compliance.}  Bracken's products were designed and

  engineers were deeply familiar with the Free Software ecosystem, and

  their lawyers had seen and reviewed GPL before.  The violation was

\item {\bf When people in key positions understand the Free Software

  nature of their software products, compliance concerns are as mundane as

  its problems, and successful business often depends on agile response to

  the problems that do come up; avoiding problems altogether is a pipe

  dream.  Minor GPL violations can and do happen even with well-informed

\item {\bf Legally, distribution must stop when a violation is

\item {\bf EULAs are a common area for GPL problems.}  Often, EULAs are

  drafted from boilerplate text that a company uses for all its products.

  licenses.  Drafting a EULA that accounts for such licenses is

  straightforward; the text quoted above works just fine.  The EULA must

  be designed so that it does not trump and rights and permissions already

  overriding license.

\item {\bf Compliance Officers are rarely necessary when companies are

compliance with GPL by releasing the source of GNU tar, with the

cryptographic modifications, to its customers.

Regarding the export control claims, FSF proposed a number of options,

including release of the source from one of Vigorien's divisions overseas

\item {\bf Removing the GPL'd portion of the product is always an option.}

  Many violators' first response is to simply refuse to release the source

  portions from the product and continue along without them indefinitely.

  Every case where this has been suggested has led to the same conclusion.

  Like Vigorien, the violator argues that the product cannot function

  without the GPL'd components and they cannot effectively replace them.

  question is indeed a derivative work of the original GPL'd component.

  If the other components cannot stand on their own and be useful without

  the GPL'd portions, then one cannot effectively argue that the work as a

  whole is not a derivative of the GPL'd portions.

\item {\bf ``Security'' concerns do not exonerate a distributor from GPL

  obligations, and ``security through obscurity'' does not work anyway.}

  by identifying them early.

\item {\bf External regulatory problems can be difficult to resolve.}

  companies to commit criminal offenses for the sake of compliance.  We

  will see more about this issue in our next case study.

\end{enumerate}

\chapter{Haxil, Polgara, and Thesulac: Mergers, Upstream Providers and Radio Devices}

This case study considers an ongoing (at the time of writing) violation

\section{The Facts}

Meanwhile, Haxil was in the midst of being acquired by Polgara.  Polgara

was as surprised as everyone else to discover the product was based on

acquisition.  FSF contacted both Haxil and Polgara, and product managers

the matter.

FSF meanwhile formed a coalition with the other primary copyright holders

\begin{enumerate}

\item {\bf Community outrage, while justified, can often make negotiation

  good faith toward compliance.  Most violations are honest mistakes, and

  FSF sees no reason to publicly admonish violators who genuinely see to

  come into compliance with GPL and to work hard staying in compliance.

  during the acquisition process.  While GPL compliance is not a

  particularly difficult matter, it is an additional obligation that comes

  along with the product line.  When planning mergers and joint ventures,

\item {\bf Compliance problems of upstream providers do not excuse a

  violation for the downstream distributor.}  To paraphrase \S 6, upstream

  providers are not responsible for enforcing compliance of their

  downstream, nor are downstream distributors responsible for compliance

  problems of upstream providers.  However, engaging in distribution of

\item {\bf It behooves upstream providers to advise downstream

  distributors about compliance matters.}  FSF has encouraged Thesulac to

  product, and it is conceivable that such additions can introduce

  compliance.  In FSF's opinion, Thesulac is no way legally responsible

  for such a violation introduced by their customer, but it behooves them

  product.  We can argue whether or not it is your coffee vendor's fault

  if you burn yourself with their product, but (likely) no one on either

  side would dispute the prudence of placing a ``caution: hot'' label on

  simple rule to follow, and following that rule to FSF's satisfaction

  usually means you are following it to the satisfaction of the entire

  Free Software community.

\end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

% LocalWords:  Lessig Lessig's UCITA pre PDAs CDs reshifts GPL's Gentoo glibc

% LocalWords:  TrollTech administrivia LGPL's MontaVista Davrik Davrik's Darvik

% LocalWords:  Darvik's Slashdot sublicensed Vigorien Vigorien's Haxil Polgara