proprietary.}  Over the next decade, the Free Software Foundation (FSF),

which holds copyrights in many GNU programs, was the only visible entity

actively enforcing its GPL'd copyrights on behalf of the community of

was generally a private process; the FSF contacted violators

confidentially and helped them to comply with the license.  Most

violations were pursued this way until the early 2000's.

attention to licensing of upstream software, misconceptions about the

GPL's terms, and poor communication between software developers and their

management.  In this document, we highlight these problems and describe

approach to GPL'd software and avoid future violations.

SFLC continues to conduct GPL enforcement and compliance efforts for many

\chapter{Best Practices to Avoid Common Violations}

\label{best-practices}

typically only require preservation of copyright notices, the GPL places a

number of important requirements upon licensees.  These requirements are

carefully designed to uphold certain values and standards of the software

practices for the incorporation of GPL'd components into a company's

internal development environment.  In this section, we introduce some best

practices for software tool selection, integration and distribution,

establish such practices before building a product based on GPL'd

software.\footnote{This document addresses compliance with GPLv2,

  GPLv3, LGPLv2, and LGPLv3.  Advice on avoiding the most common

been patched or slightly improved by direct modification of their sources,

resulting unequivocally in a derivative work.  Alongside these programs,

companies often distribute fully independent, proprietary programs,

system but do not combine with, link to, modify, or otherwise derive from

the GPL'd components.\footnote{However, these programs do often combine

  with LGPL'd libraries. This is discussed in detail in \S~\ref{lgpl}.}

of third-party proprietary software typically requires a formal

arrangement and management/legal oversight before the developers

incorporate the software.  By contrast, your developers often obtain and

does not mean the oversight is any less necessary.  Just as your legal

and/or management team negotiates terms for inclusion of any proprietary

product.

Simple, engineering-oriented rules help provide a stable foundation for

and have them include a brief description of how they will incorporate it

into the product.  Make sure they use a revision control system, and have

store the upstream versions of all software in a ``vendor branch'' or

of determining and cataloging the presence of GPL'd components is

difficult.  If you are in that situation, we recommend the

\href{http://fossology.org/}{Fossology system}, which analyzes a

the code.  Fossology can help you build a catalog of the sources you have

already used to build your product.  You can then expand that into a more

structured inventory and process.

  as a whole.} and a filesystem.  That filesystem contains various binary

programs, including some GPL'd binaries, alongside some proprietary

binaries that are separate works (i.e., not derived from, nor based on

``scripts to control compilation and installation'' or items ``needed to

generate, install and run'' the GPL'd programs.

Nonetheless, in the interest of goodwill and the spirit of the GPL, most

companies do provide the compiler itself when they are able, particularly

a GCC-based system, it is your prerogative to redistribute that GCC

community encourage you to do this, since it often makes it easier for

users to exercise their software freedom.  However, if you chose to take

this recommendation, ensure that your GCC distribution is itself

that you had at your disposal to build the software.  Therefore, if you

choose not to distribute the compiler, you should include a {\sc readme}

about where you got it, what version it was, and who to contact to acquire

internally developed.

\section{Best Practices and Corresponding Source}

Proactively follow up with synchronous communication means to be sure

communications sent by non-reliable means (such as email) were received.

cooperation, and these values extend to GPL enforcement.  You will

have a reasonable dialogue and will work with you to resolve a violation

once you open the channels of communication in a friendly way.

\begin{itemize}

  often want a company to demonstrate compliance for all GPL'd software in

  a distribution, not just their own.  A copyright holder may refuse to

  reinstate your right to distribute one program unless and until you

\item {\bf Notification to past recipients}.  Users to whom you previously

  distributed non-compliant software should receive a communication

  situations), an alternative form of notice may be required (such as a

  magazine advertisement).

  values personal accountability when things go wrong.  Copyright holders

  often require that you name someone within the violating company

  individual serve as the key public contact for the community when

  compliance concerns arise.

view of the redistributor).

Consider the cost of potential violations in your acquisition process.

wary of vendors who have done so without regard for the licenses.  If your

vendor's costs seem ``too good to be true,'' you may ultimately bear the

burden of the vendor's inattention to GPL compliance.  Ask the right

  and modified within 48 hours of its release.}, users are generally on

notice that they risk voiding their warranties and losing their update and

support services when they make modifications.\footnote{A popular t-shirt

  well-known for modifying products with full knowledge of the

  consequences.  GPLv3's ``Installation Instructions'' section merely

  confirms that reality, and makes sure GPL rights can be fully exercised,

Compliance is straightforward when the entirety of your enterprise is

well-informed and well-coordinated.  The receptionists should know how to

route a GPL source request or accusation of infringement.  The lawyers

disclosure requirements, and should explain those details to the software

developers.  The software developers should use a version control system

that allows them to associate versions of source with distributed

software.  Managers should build systems and procedures that keep everyone

on target.  With these practices in place, any organization can comply

with the GPL without serious effort, and receive the substantial benefits

ready-made for their products.

\vfill