The H: So how do you go about finding these violations yourself? What hints can you give free software projects that want to make sure the obligations of the GPL are being fulfilled?
BK: No software scanning tool in the world – proprietary nor FaiF (free as in freedom) – is going to help find these violations. Careful human attention is needed to get those details right, and you don't need an expert to help you: it's pretty obvious what needs to be done and attentive diligence gets you there by itself.
The H: So do you want to see more people doing enforcement and compliance activity?
BK: Certainly we're in an era where lots of people are scrambling to create business models dancing around the issue of GPL compliance, and in using GPL enforcement in nefarious ways. Our community already has too much of that kind of activity, and I certainly don't want more of that.
If, however, someone wanted to start another non-profit charity to do enforcement, I'd certainly welcome it and help them do it. I also encourage any individuals who hold copyrights in projects that Conservancy currently does active enforcement for – namely, BusyBox, Linux, and Samba – to get in touch with me and join our coalition. That's an easy way for those who hold copyrights to get involved with the work Conservancy's already doing in this area.
But, I meanwhile don't actually expect to see new community-oriented enforcement. Frankly, the work just barely pays for itself. For example, I had a contractor once pitch his skills to help do compliance work. He said his rate was €100/hour, and I laughed, saying that I never heard of compliance work paying that much in the non-profit sector, and I asked for his non-profit rate. He countered with "that is my non-profit rate". Perhaps, needless to say, I hired someone else for the work at a much lower rate. The first person later told me he moved on to other types of work because it was more lucrative.
I tell that story to point out that people have the wrong expectations and assumptions about compliance work. It's not making anybody rich, and in fact we barely break-even to pay non-profit wages for the work. Plus, I strive to keep costs down because I don't want the price of coming into compliance to be outrageous. Sure, violators should have some sting of paying something (for-profit companies generally only understand money and nothing else), but the price should be reasonable.
The H: If it's not making anybody rich, what are your motivations for enforcing the GPL then?
BK: The main goal of every non-profit enforcement effort is forward-looking compliance on all GPL'd and LGPL'd programs. Money can't be the driving force, lest the activity be corrupted by the money. I'm glad Conservancy, as a 501(c)(3) charity, is legally required to tell the public exactly how much we got in enforcement and how much we spent.
Unfortunately, in my experience, most people trying to "help with compliance" these days want to make a living at it that matches the kind of living they could make as a software developer or as an executive in the for-profit sector. I don't want to see licence-compliance work designed that way; it gets corrupted if you try to generate that kind of revenue from it.
I suppose it might sound a bit conceited for me to say, but I think people like me, Harald, and RMS are really unique in this area. The three of us have one major thing in common: we believe fundamentally that the freedom of users and developers to modify, improve, and share code is paramount, even above our own self interest. I've had my disagreements with Harald about some tactical issues related to GPL compliance strategy, but I think we agree on this key issue: getting code to users matters most. If there are other people who truly feel that way, I'd love for them to get involved, and there's always volunteer work that they can start with, if they want to get in touch.