A Guide to GPL Compliance
for Software Engineers and Managers (07:40)

Bradley M. Kuhn

Tuesday 5 August 2008

GPL Compliance (07:50)

• Not a new topic. (07:55)

• FUD machine makes it seem mysterious. (08:05)

• Let’s clear up misconceptions. (08:13)

My Credentials (08:18)

• Intimately involved with every major USA enforcement since 1999. (08:50)

• At old employer, created first formalized GPL enforcement program in history. (09:05)

• Helped found the GPL enforcement team at SFLC. (10:05)

• IANAL. (import std.disclaimer) (10:20)

Audience (10:25)

This talk has material for two types of GPL redistributors. (10:38)

The Clueful: Constant Vigilance! (10:42)

• Planning to begin incorporating FLOSS. (10:50)

• Want to learn best practices. (11:10)

However, Some Remain Clueless (11:20)

• They still think Dilbert is relevant. (11:35)

• They refuse to read the GPL. (11:44)

• They don’t even look to see if GPL’d stuff is in their distribution. (12:10)

My Assumption (12:25)

You are clueful, but you sometimes advise people who are clueless. (12:30)

• Material in this talk is for both (12:40)

Two Ways of Examining Problem (12:47)

• Clueful: Plan your development process to make GPL compliance easy. (12:54)

• Clueless: Wait to get a letter from a GPL copyright holder. (13:10)

Clueful Route First (13:15)

• Plan best practices to avoid violation. (13:25)

• GPL software is here to stay. (13:46)

• Design development, integration and acquisition to pre-handle it. (14:12)

Compliance-Friendly Development (14:43)

• Use revision control … (14:56)
  • … to pull in vendor branch. (15:48)
  • … to tag releases. (16:30)
• Avoid “Build Guru” … (17:11)
  • … by documenting build process. (17:15)
  • … and versioning it, too. (17:40)
• Use Fossology! (17:45)
  • http://fossology.org/ (18:12)

Why Is Compliance Necessary? (18:30)

• Binaries are modified versions of source. (19:15)

• Modification controlled by copyright, thus by GPL. (20:40)

• This separation is where nearly all violations occur. (21:13)

After all, what is binary distribution of software but a rudimentary form of DRM?

—Richard Fontana, during the GPLv3 process

GPL Binary Requirements (21:40)

(v2 § 3, v3 § 6)

• Four options: (22:20)
  • Source alongside binary (v2/v3). (22:28)
  • Offer for source (v2/v3). (22:45)
  • Internet side-by-side distribution (v3). (22:50)
  • Torrent distribution (v3). (23:00)

Source Alongside Binary (23:05)

• Simplest option. (23:30)

• Obligations end at distribution time. (24:00)

• Physical media required. (24:34)

Offer For Source (24:49)

• Useful if not shipping CD already. (25:30)

• Lasts three years. (26:52)

• Mail fulfillment required (not in v3). (27:46)

New v3 Options (27:51)

• Pure Internet, both source and binary (28:10)
  • was always tolerated under v2 anyway. (28:30)
  • not possible for embedded systems. (29:06)
• Torrents (29:13)
  • Rarely used. (29:42)

Preparing Corresponding Source (30:12)

(v2 § 3, v3 § 1)

• Make sure all sources are present. (30:35)
  • revision system helps a lot here. (31:06)
• Build scripts (31:22)
  • rule of thumb: (31:27)
  • make sure someone skilled in art can build it. (33:02)

When the Letter Comes (33:25)

• Communication is key. (34:43)

• Understand the termination provisions … (34:55)

Termination (35:47)

(v2 § 4, v3 § 8)

• v2 is automatic and permanent. (36:37)

• v3 has auto-reinstatement. (36:48)
  • 60 day self-correction timeout (37:09)
  • 30 day penalty-less after notice (37:15)

• Usually, you need copyright holder to reinstate. (37:30)

Standard Requests to Expect (38:10)

• Compliance on all FLOSS copyrights. (39:05)

• Notification to past recipients. (39:44)

• Appoint GPL Compliance Officer. (40:50)

• Periodic compliance reports. (41:17)

Clueless: The Upstream Problem (42:02)

When I said that I was king of forwards, you got to understand that I don’t come up with this stuff. I just forward it along. You wouldn’t arrest a guy who was just passing drugs from one guy to another.

—Michael Scott, The Office

Don’t be Michael Scott (42:08)

• You are a distributor, just like your upstream is. (42:40)

• You share the same obligations. (43:11)

• Ask due diligence questions before buying. (44:18)

• Require them to teach you to comply. (44:40)

• Get indemnified! (45:22)

User Products (45:40)

(v3 only, § 6)

• Much FUD about Installation Information for User Products. (46:30)

• The implications are not unlike what is already true. (46:45)

• Users can modify, voiding warranties. (47:03)

• You must allow them to install; you don’t have to support it. (48:15)

Derivative Works Discussion? (48:25)

• Truth is, it rarely comes up in GPL enforcement. (48:43)

• Never has a violator in my experience disputed our interpretation. (49:48)

• Uses are primarily mundane; lines are clear. (50:23)

• Anyway, in the dicey cases … (50:32)
  • … a seasoned software copyright lawyer should study the facts. (51:19)
  • … the modifiers are already extremely sophisticated, anyway. (51:46)

More Info? (51:50)

Paper on these issues at: http://www.softwarefreedom.org/resources

(52:30)

License of Slides and Talk

This talk and the slides are

Copyright © 2008, Bradley M. Kuhn.

Everyone is permitted to make and distribute verbatim copies of the slides and/or recordings of the talk.

Source code of slides.