In association with heise online

21 March 2012, 11:53

Enforcing the GPL with Judo moves

by Richard Hillesley

"In judo, the goal is to use the momentum of the person attacking you to defend yourself, and that is exactly what copyleft does"

The intent of free software is to render the code that runs the machines that run our lives transparent. In the words of Lawrence Lessig, free software is "free in the sense that the control coders build be transparent to all, and that anyone have the right to take that control, and modify it as he or she sees fit."

The mechanism by which free software achieves this is copyleft. Copyleft is a hack on copyright law that takes away the exclusive rights of the copyright holder and shares them with the user, who is given the right to modify, copy, share and redistribute the software, but must pass on the same rights to any subsequent users. "If you use and adapt a free software program, and then release that adapted version to the public, the released version must be as free as the version it was adapted from."

The GPL promotes the rights of the user, but the defenders of those rights are the copyright holders, who may be the original coder(s) or any body to which ownership of the copyright has been assigned. The benefit for the copyright holder is that changes to the code are made available and can be fed back upstream. The user wins because the code is transparent, and can be adapted for further use.

Bradley Kuhn takes an analogy from martial arts, and says that "'copyleft is a judo move on copyright'. In judo, the goal is to use the momentum of the person attacking you to defend yourself, and that is exactly what copyleft does. As copyright law gets broader and broader, copyleft takes that momentum and pushes back with the same force. So copyleft is always as strong as copyright."

The infringers

Free software gives access to the work of thousands of coders, is relatively cost free, and removes the need for endless re-inventions of the wheel. Sharing the code is useful to everyone, or so the theory goes.

But the application of copyleft depends upon the willingness of suppliers of GPL'd software to comply with the terms of the licence, and/or the willingness of copyright holders to act in defence of the GPL. And for a variety of reasons the terms of the GPL are often ignored by the distributors of free software and the holders of copyrights have not always been willing to get involved.

The only requirement of the GPL is that the source code be made accessible to end users, but this requirement is often forgotten, especially when the code is re-used in firmware and embedded devices.

Manufacturers of mobile devices operate in a rapidly changing environment with short product cycles and shorter time-to-market. Last year's mainstream product is already obsolete, and the margins are slim. The market is highly competitive, and every new product comes to market with a new range of features. In this context, releasing the source code, and risking the exposure of the company's "trade secrets" for a product that may be relatively short-lived, is a trivial risk when set alongside the advantages that accrue from using Linux and other GPL-licensed software, especially when it is remembered that it is only the GPL'd code that has to be made available to others (on a web site, or by other means). Even so, complying with the GPL is low on the list of priorities.

Firmware is a source of licence compliance problems all of its own, according to Kuhn, because "sometimes an OEM sources the guts of a product from someone else who makes the firmware that is configured for the device..." and they will say that "'We don't sell software. We only sell hardware', and we have to tell them the software is in the firmware."

In many cases "they won't say who their upstream supplier is", either for market reasons or to protect their supplier. Sometimes "their upstream have lost the source code... so it can take a while to get a source release that actually matches the binary they distributed."

For the user

The objective of GPL enforcement is to protect the rights of the user and, even where no code finds its way back to the upstream project that was the origin of the code, this can have some useful and positive side effects. Examples include "the OpenWrt project, or the SamyGO project", where end users and developers "have taken releases that companies have done for a specific family of devices, in the first case wireless routers, and in the second case televisions, and made their own firmware to run on those devices". This was based on code released as a result of GPL enforcement by the FSF and Software Freedom Conservancy.

"In both cases," says Kuhn, "there is a vibrant firmware modification and user community that has sprung out of GPL enforcement." GPL enforcement has been a positive force for the good of free software and the end user, and a useful source of developer feedback for the device manufacturers.

Enforcement of the GPL may be off-putting to chip vendors and suppliers who have to balance the considerable advantages of cost effectiveness, speed to market, and the accessibility of pre-written and tested code against the bother of releasing the code. That entails a potential loss of "trade secrets" which may be a consequence of using GPL'd software, but the costs and overheads are trivial compared to those of a commercial licence.

Most infringements are not deliberate, and can probably be attributed to a mixture of apathy, misunderstanding, ignorance and confusion. According to Kuhn, "99.999 per cent of violations get resolved without court proceedings. Most of the companies that have had enforcement actions against them nobody's ever heard of, and they came into compliance without much fanfare."

Harald Welte has his own perspective on this. "I think there are still far too many GPL violations out there, and we need to see more enforcement in order to get all the major players in their respective lines of business into compliance. But dealing with embedded devices in 2012 and still getting compliance outright wrong really means that there has not been the least bit of attention on this subject. And without enforcement, it is never going to change. People who want no enforcement should simply use MIT-style licenses."
