In association with heise online

The H: Is there a toolkit for a potential GPL violations pursuer that you could put together? What would that look like?

BK: It's a funny-sad fact, but I've always said that there are basically two types of GPL violations: ones that the violator tries hard to hide and ones that they don't. The situation with the former would be hopeless: if a violator puts hundreds of person-hours in advance into the unscrupulous job of covering-up their planned violation, I bet no one in the world is ever going to find it.

I obviously can't know for sure, but I don't think anyone actually does that. If you are going to plan ahead and put that much work into covering up a violation, you'd probably just plan ahead even further, and spend that time writing your own software from scratch and be legally in the clear.

People pick Free Software because it has lower barriers to entry. While it's not necessarily "free as in price", it's been shown to be a lot cheaper and to have a quicker time to market. So, people make that choice, and then sometimes cut the corner to save even more money by not bothering to worry about licence compliance. Those are the violations that I see every day: bad planners, who cut corners and just don't bother to comply.

Thus, the need for compliance tools is actually somewhat minimal. I used to have a bar bet (which was rather pointless since I rarely drink alcohol) where I'd tell people that, with a solid internet connection and my laptop, I could find a GPL violation I'd never seen before in fifteen minutes. I could probably still win that bet if I tried; just searching for the phrase "firmware update" in a search engine was usually enough to find a new one a few years ago.

The primary tool I use is a pathetic little Perl script that's of course freely available and is Free Software that we've all been hacking on for years. Folks can take a look at:

That said, I recently have been using binwalk, which is a nice tool that does something roughly similar.

The H: So how do you check things when you think you have found someone who appears to be violating the licence?

BK: The hardest part of GPL compliance is what's called the "Complete, Corresponding Source" verification process, or "CCS check". The GPLv2 and GPLv3 both have clear requirements that the binary distributor needs to provide not just the sources, but also the necessary scripts and information to actually build, compile and install the software. What typically happens is that companies want to keep their build systems proprietary, and so instead of giving us the "real" build system, they give us some hacked-together-one-off build system for the matter at hand. (Years ago, I wondered if that was really GPL-compliant, but it's pretty clear that as long as the build and install scripts work, it doesn't actually matter if they are the "real" ones.)

So, when people talk about how long it takes to come into compliance after an enforcement action, or complain that Conservancy has all sorts of requests, those are usually disingenuous complaints. Fact is, companies don't want to share their proprietary build systems, so they spend a lot of time giving Conservancy build scripts that don't work. We send back problems, and then they give us a new version. Average for this process is about 6 round-trips, spread out over a period of 5 months. The worst I've seen is about 20 round-trips over a period of about 3 years. The quickest is obviously one round in a period of a few weeks.

But, note that CCS work is the most boring engineering work imaginable. You try to make things build and take notes on what you tried and why you couldn't get it work. We then email the report to the violator and ask them to fix it. Rinse, repeat.

The H: Its sounds like pretty much anyone could help with this.

BK: You still need someone who is strong technically to do this very detailed work. Conservancy was accused by a rather nasty violator recently that our engineer was just "not good enough" to figure out to build their stuff. I disagreed, and in fact had anticipated this argument. I only work on my end with people who are really good developers and/or build engineers to make it difficult for the violator to even make that specious argument at all. In that regard, Conservancy currently employs Denver Gingerich one-day-a-week; he does an excellent job at these CCS checks (and is separately a volunteer Free Software developer on other projects, too).

But, I always point out that this "boring" nature of the work is a good reason why compliance work fits well with Conservancy's service plan. Our job is to "do the boring work so Free Software developers don't have to". Licence compliance really is just a service to Free Software projects – like any other – such as negotiating for the best deal with conference venues (which we're also often doing for our projects).

The H: Do you think there are so few individuals in the community that undertake this sort of enforcement work because it is boring or because they get so much criticism for it?

BK: I wonder sometimes how licence compliance became such a controversial topic in Free Software. I've always seen licence compliance activity as the obvious outgrowth of copyleft licensing: an unenforced copyleft is the equivalent of the ISC licence. Yet, many people think somehow that we're doing something controversial when we stand up for the public's right to modify GPL'd software on their devices. I even had a major executive of a large computer company "take me for a walk" at a conference and tell me that if I personally didn't stop enforcing the GPL, his company would stop using Samba and Linux. I told him that he flattered me by suggesting that I alone have the power to change his company's strategic software choices, but that I doubted it was true. (That company is still a big corporate player in the Linux space, by the way.)

I think what's really going on is that companies realise that there aren't that many of us doing this work on behalf of the community. I think that explains why those who do this work are constantly vilified. Those who want enforcement to stop realise that if they just convince and/or pressure a small group of people to stop, the work goes away entirely. Thus, maybe we'd be better off if more people do it, but, on the other hand, if those of us doing it just refuse to stop when pressured, I think that's just as good.

And, frankly, I don't wish this work on anyone. As I explained, it's boring and annoying, but necessary, so I keep doing it.

Print Version | Permalink:
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit