All distributors of modified or unmodified versions of copylefted works

unmodified versions of the works have compliance obligations.  Common methods

of modifying the works include innumerable common acts, such as:

  \item embedding those works as executable copies

    into a device,

  \item transferring a digital copy of excutable copies to someone else,

  \item posting a patch to the copylefted software to a public mailing list.

\end{itemize}

Such distributors have obligations to (at least) the users to whom they (or

intermediary parties) distribute those copies.  In some cases, distributors

have obligations to third parties not directly receiving their distribution

of the works (depending on the distributors chosen licensing options, as

described later in \S~\ref{binary-distribution-permission}).  In addition,

distributors have compliance obligations to upstream parties, such as

preservation of reasonable legal notices embedded in the code, and

appropriate labeling of modified versions.

Online service providers and distributors alike have other compliance

obligations.  In general, they must refrain from imposing any additional

restrictions on downstream parties. Most typically, such compliance problems

arise from ``umbrella licenses:'' EULAs, or sublicenses that restrict

downstream users’ rights under copyleft. (See \S~\ref{GPLv2s6} and

\S~\ref{GPLv3s10}).

Patent holders having claims reading on GPL'd works they distribute must

refrain from enforcing those claims against parties to whom they distribute.

Furthermore, patent holders holding copyrights on GPLv3'd works must further

grant an explicit patent license for any patent claims reading on the version

they distributed, and therefore cannot enforce those specific patent claims

against anyone making, using or selling a work based on their distributed

version.  All parties must refrain from acting as a provider of services or

distributor of licensed works if they have accepted, or had imposed on them

by judicial action, any legal conditions that would prevent them from meeting

any obligation under GPL\@.  (See \S~\ref{GPLv2s7}, \S~\ref{GPLv3s11} and

\S~\ref{GPLv3s12}.

\section{What Are The Risks of Non-Compliance?}

Copyleft experts have for decades observed a significant mismatch between the

assumptions most businesses make about copyleft compliance and the realities.

Possibly due to excessive marketing of proprietary tools and services from

the for-profit compliance industry, businesses perennially focus on the wrong

concerns.  This tutorial seeks to educate those businesses about what

actually goes wrong, what causes disputes, and how to resolve those disputes.

Many businesses currently invest undue resources to avoid unlikely risks that

have low historical incidence of occurrence and low cost of remediation,

while leaving unmanaged the risks that have historically resulted in all the

litigation and other adverse outcomes.  For example, some ``compliance

industry''\footnote{``Compliance industry'' refers to third-party for-profit

  companies that market proprietary software tools and/or consulting services

  that purport to aid businesses with their Free Software license compliance

  obligations, such as those found in GPL and other copyleft licenses.  This

  tutorial leaves the term in quotes throughout, primarily to communicate the

  skepticism most of this tutorial's authors feel regarding the mere

  existence of this industry.  Not only do copyleft advocates object on

  principle to proprietary software tools in general, and to their ironic use

  specifically to comply with copyleft, but also to the ``compliance

  industry'' vendors' marketing messaging, which some copyleft advocates

  claim as a cause in the risk misassessments discussed herein.  Bradley

  M.~Kuhn, specifically, regularly uses the term ``compliance industrial

  complex''

  \href{http://en.wikipedia.org/wiki/Military-industrial_complex}{to

    analogize the types of problems in this industry to those warned against

    in the phrase of origin}.} vendors insist that great effort must be

expended to carefully list, in the menus or manuals of embedded electronics

products, copyright notices for every last copyright holder that contributed

to the Free Software included in the product.  While nearly all Free Software

licenses, including copylefts like GPL, require preservation and display of

copyright notices, failure to meet this specific requirement is trivially

remedied.  Therefore, businesses should spend just reasonable efforts to

properly display copyright notices, and note that failure to do so is simply

remedied: add the missing copyright notice!

\section{Understanding Who's Enforcing}

\label{compliance-understanding-whos-enforcing}

The mismatch between actual compliance risk and compliance risk management

typically results from a misunderstanding of licensor intentions.  For-profit

businesses often err by assuming other actors have kindred motivations.  The

primary enforcers of the GPL, however, have goals that for-profit businesses

will find strange and perhaps downright alien.

Specifically, community-oriented GPL enforcement organizations (called

``COGEOs'' throughout the remainder of this tutorial) are typically

non-profit charities (such as the FSF and Software Freedom Conservancy) who

declare, as part of their charitable mission, advancement of software freedom

for all users.  In the USA, these COGEOs are all classified as charitable

under the IRS's 501(c)(3) designation, which is reserved for organizations

that have a mission to enhance the public good.

As such, these COGEOs enforce GPL primarily to pursue the policy goals and

motivations discussed throughout this tutorial: to spread software freedom

further.  As such, COGEOs are unified in their primary goal to bring the

violator back into compliance as quickly as possible, and redress the damage

caused by the violation.  COGEOs are steadfast in their position in a

violation negotiation: comply with the license and respect freedom.

Certainly, other entities do not share the full ethos of software freedom as

institutionalized by COGEOs, and those entities pursue GPL violations

differently.  Oracle, a company that produces the GPL'd MySQL database, upon

discovering GPL violations typically negotiates a proprietary software

license separately for a fee.  While this practice is not one a COGEO would

undertaking nor endorsing, a copyleft license technically permits this

behavior.  To put a finer point on this practice already discussed

in~\S~\ref{Proprietary Relicensing}, copyleft advocates usually find copyleft

enforcement efforts focused on extract alternative proprietary licenses

distasteful at best, and a corrupt manipulation of copyleft at worst.  Much

to the advocates' chagrin, such for-profit enforcement efforts seem to

increase rather than decrease.

Thus, unsurprisingly, for-profit adopters of GPL'd software often incorrectly

assume that all copyright holders seek royalties.  Businesses therefore focus

on the risk of so-called ``accidental'' (typically as the result of

unsupervised activity by individual programmers) infringe copyright by

incorporating ``snippets'' of copylefted code into their own proprietary

computer program.  ``Compliance industry'' flagship products, therefore,

focus on ``code scanning'' services that purport to detect accidental

inclusions.  Such effort focuses on proprietary software development and view

Free Software as a foreign interloper.  Such approach not only ignores

current reality that many companies build their products directly on major

copylefted projects (e.g., Android vendor's use of the kernel named Linux),

but also creates a culture of fear among developers, leading them into a

downward spiral of further hiding their necessary reliance on copylefted

software in the company's products.

Fortunately, COGEOs regard GPL compliance failures as an opportunity to

improve compliance.  Every compliance failure downstream represents a loss of

rights by their users. The COGEOs are the guardian of its users’ and

developers' rights.  Their activity seeks to restore those rights, and

to protect the project’s contributors’ intentions in the making of their

software. 

Corresponding Source.

As such, issues of software delivery are the primary frustration for GPL

enforcers. In particular, the following short list accounts for at least 95\%

of the GPL violations ever encountered:

\begin{itemize}

\item The violator fails to provide required information about the presence

  of copylefted programs and their applicable license terms in the product

  they have purchased.

\item The violator fails to reliably deliver \hyperref[CCS

  Definition]{complete, corresponding source} (CCS) for copylefted programs

  the violator knew were included (i.e., the CCS is either delivered but

  incomplete, or is not delivered at all).

\item Requestors are ignored when they communicate with violator's published

  addresses requesting fulfillment of businesses’ obligations.

\end{itemize}

This tutorial therefore focuses primarily on these issue.

Under the terms of LGPL, they must also refrain from license terms on works

based on the licensed work that prohibit replacement of the licensed

components of the larger non-LGPL’d work, or prohibit decompilation or

reverse engineering in order to enhance or fix bugs in the LGPL’d components.

% FIXME-URGENT: integrate, and rewrite so it doesn't laud behavior that is

% ultimately problematic.

\section{FIXME}

companies have often formed beneficial consulting or employment relationships

with project developers they first encountered through compliance

inquiries. In some cases, working together to alter the mode of use of the

project’s code in the company’s products was an explicit element in dispute

resolution. More often, the communication channels opened in the course of

the inquiry served other and more fruitful purposes later.

%FIXME-URGENT: END

% FIXME: s/GPL enforcers/COGEOs/g

%        (the term coined later but not used throughout) This can't be done

%        by rote, since it may not be appropriate everywhere and shouldn't be

%        used *before* it's coined in the early portions of

%        compliance-guide.tex (and it's probably difficult to coin it earlier

%        anyway).  BTW, I admit COGEOs isn't the best acronym, but I started

%        with ``Community Enforcement Organizations'', which makes CEO, which

%        is worse. :)  My other opting was   COEO, which seemed too close to

%        CEO.  Suggestions welcome.

\label{CCS Definition}

\label{GPLv3s12}