In association with heise online

The death penalty

The rationale for this perspective is that it removes problems further down the line for the manufacturer. After all there is still a legal and moral obligation to comply with the licence for any other module that you are putting out to market. If you are complying with the GPL for BusyBox, why not comply with all GPL components that are included with the device, or risk litigation from other copyright holders in the future?

Kuhn says "the reason we have this requirement is because I wanted folks to not have to deal with each copyright holder individually. I say to them: 'We're the first ones to approach you on this issue, but if you comply and somebody then complains about your violations in the past we will be on your side. I'd be happy to be an expert witness and say Yes, your honour, they once had a problem but they've fixed it now.'"

"They get the problem resolved quickly and nobody else is going to come after them."

Kuhn says: "People talk about 'the death penalty clause'" (which in GPLv2 reads:

You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their license terminated so long as such parties remain in full compliance.)

"... but that clause is the only hook you have to ensure that other people comply with the licence. You have to stop doing the things that copyright law governs, so people call it the 'death penalty'. But in the end the goal in every enforcement action I have been involved with has been to restore peoples' right to produce a GPL compliant distribution," and GPLv2 Section 4 is a last resort.

Where the approach of Harald Welte differs from SFC is that SFC uses the re-instatement of the BusyBox licence as "a lever to obtain source code for other programs like the Linux kernel", and in Welte's experience this hasn't been necessary. "Not everything that is possible legally is ethically the right thing to do. But then, ethics and legal customs differ widely in the FOSS communities, as they do in society in general. Some countries and communities believe in the death penalty, others don't. Some countries allow abortion, others don't. Some allow prostitution, others don't. So when judging about whether that 'reinstatement lever' is acceptable or not, we have to accept that there may be different lines of thought."

His conclusion is that "the far superior method is, beyond doubt, to have a rights holder on those other programs in order to make any demand for source code (as opposed to a mere request without implicit or explicit legal threat)" – a view that is shared by SFC.

From both points of view, the goal is compliance, not litigation, removal of products or punishment of mistakes. There is a large gap between the perception of legal manoeuvrings and their application in the real world.

The poster child

The over reliance on the copyright holders of BusyBox is definitely a problem for SFC, and is recognised as such by Kuhn. "I was surprised that the people on the LWN threads were so upset about (SFC's approach to GPL enforcement) as I have always done it the same way", he says. Some issue was made of the income derived from enforcement activities, but SFC is a charitable non-profit and declares its income. Bruce Perens commented on this in the context of his work as a consultant for companies contacted by SFC. "I've also had to pay SFC for the technical work on the audit," he wrote. "They charge a lot less than I do, and less than any sane legal-technical practitioner in New York City should charge."

Kuhn argues that "if you support copyleft you have to support enforcement because an unenforced copyleft is the same as the Apache Licence, and I'm enough of a masochist to do it. I too am afraid of GPL enforcement for the profit motive." But, he also says, "the criticism I take from the other side of the argument is that more projects should be involved in GPL enforcement. It should not just be about BusyBox. BusyBox has been asking me for years to get other people involved, so that is what I'm doing right now. I'm trying to build a wide coalition of projects to get involved in GPL enforcement so that BusyBox is no longer the poster child for enforcement."

On the issue of a BusyBox replacement, he says, "switching away from BusyBox isn't really the answer, because people aren't going to switch away from other GPL programs. And rewriting code that already exists isn't the answer." If BusyBox goes away, and is replaced by an MIT licensed alternative, the problem of GPL compliance will not disappear, or as Welte puts it, "anyone who thinks that by replacing Busybox with a non-GPL licensed project they can evade GPL enforcement: It will not work. There are others out there enforcing the GPL."

Unsurprisingly, Rob Landley, an ex-BusyBox maintainer who has become disillusioned with Busybox and its role in GPL compliance, the GPL, the FSF and SFC, has an entirely different perspective and has released toybox "under a 2 clause BSD license," and wants it "to become the default command line implementation of Android systems everywhere." Landley's position is that GPLv3 and GPL enforcement are pushing companies away from open source adoption, as is exemplified, in his view, by Google's decision to remove GPL code from the Android 'userland'.

The calmer reality

For the advocates of copyleft and free software, enforcement of the GPL is a practical necessity if software is to be free and accessible to everyone, and also helps those companies who choose to comply. "GPL compliance is a matter of fair competition," says Welte. "There are some companies who really do a good job in ensuring compliance with the various Free Software licenses. If their competition doesn't invest the funds into the respective skills, procedures and business processes, they are getting an unfair competitive advantage against those who are doing it right. If there was no enforcement, the motivation would be to reduce efforts in compliance, not increase it."

Most companies happily comply, and nothing is known about them because they "don't want anyone to know they were ever out of compliance", says Kuhn. "For the companies it isn't necessarily a good story. And it isn't a generally useful technical fact, who's violating and who isn't, so I try not to go public. But I've added it to my list of asks."

Behind the the headline stories of litigation lies a calmer reality, where the great majority of companies who are notified by SFC or are happy to comply without a fuss, because the software works for them, and gives them reductions in cost, speed to market, collaborative opportunities and access to high quality code. As one contributor to the LWN threads noted "it wasn't until the SFC started an aggressive campaign, using Busybox as a weapon (around 2006/2007), that as a consumer I started seeing devices released with little GPL leaflets and the source code available for download."

For other feature articles by Richard Hillesley, please see the archive.

Print Version | Permalink:
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit