[Ksummit-discuss] [CORE TOPIC] GPL defense issues
Bradley M. Kuhn
bkuhn at sfconservancy.org
Sat Aug 27 21:18:16 UTC 2016
I *thought* this list was for KS proposal meta-discussion, but this thread is
now mostly substance and very little meta. :) However, AFAICT, no one has
declared this thread as off-topic, and generally speaking, I believe everyone
in the GPL Compliance Program for Linux Developers, including me, is glad to
see GPL enforcement discussed openly. So, I'm continuing with replies:
Today, Greg made references to a talk I gave, and drew broad conclusions
about my beliefs. Yesterday, Linus made reference to an LWN comment I made,
and made conclusions about my moral character. This is a complex topic, and
the entire breadth of everyone's view cannot be summarized by out of context
snippets. I do think Greg's summary of my talk is inaccurate on many fronts,
but the details on that don't really matter.
I believe we function well as a community by trying lots of different
strategies in parallel. This works for Linux development itself, and it
works for GPL enforcement too. I, Greg, and many others have done excellent
work convincing companies to abide by GPL without lawsuits. Nearly all the
work by the GPL Compliance Program for Linux Developers doesn't use lawyers
or lawsuits. We all use the same strategy, and *almost* all the same tactics
to achieve GPL compliance for Linux.
Our disagreement is over a finer point of a specific tactic that is only
relevant in roughly 0.57% of GPL violations, which is this: "What do we
do in those cases that have no resolution for years, after many tried to gain
compliance and failed. Should anyone sue in that case?". Greg says: "No,
never." The consensus in Conservancy's GPL Compliance Program for Linux
developers is: we're giving up on the GPL as a strategy if we let those 0.57%
just get away with violating, because even though the number is small, that
group contains the truly bad actors; they'll set an example for future bad
actors. One reason (among many) we should bring lawsuits in those rare cases
is to show everyone the 99.43% that they are much better off working with the
community. We have plenty of evidence from company representatives who say
clearly: "I can't get my company to comply unless the threat of lawsuit is
realistic; we agree it's totally reasonable to sue the very few bad actors".
Greg, representatives of some of the same companies that I know you've worked
with to improve compliance have told me and Karen that directly.
Greg, in your email today, you've called for us to close up our Program:
> So please stop this now, it's not helpful, but instead, hurtful, and
> harmful to our very survival.
The GPL Compliance Program for Linux Developers only does this work because
real developers who have written code upstream in Linux work actively with
Conservancy. You've asked them to stop working with us. Fortunately, they can
see your directive above and act. The enforcement agreements are revocable.
Every one of our many coalition members could walk away tomorrow, and I
assure you that we'll close up the Program if they do.
> and not change to being rude and disrespectful to our users and developers
> by getting lawyers involved.
I do know lawyers who are rude and disrespectful by default. (I also know
some Linux developers who are rude and disrespectful by default.) But you're
saying above that can't be categorically true about lawyers (or Linux
developers): namely, that *all* lawyers are rude and disrespectful, in every
situation. In our coalition's Linux enforcement actions, we don't typically
bring a lawyer into the conversation until we're close to what I called Step
(3). But, even when we do, we'd only employ a respectful and friendly
lawyer. I stopped working with rude and disrespectful lawyers years ago.
> Let's please stick to what has gotten us this far,
You ignore that we got this far by working in parallel toward the same goal.
The GPL Compliance program for Linux Developers is more than four years old
now. Before that, Harald was enforcing for Linux -- more litigiously than
our coalition ever would, BTW -- since 2004. So, extremely rare litigation,
guided by Linux developers, has been part of "what got us this far" for at
least 12 years. Greg: you, and James, and me, and Karen, and Conservancy,
and gpl-violations.org, and every member of the GPL Compliance Program for
Linux Developers are all part of the "us" that "got us this far".
Greg wrote, on 27 August 2016:
> Look at the existing vendors you see today as not as "offenders" but rather
> as "potential members of our community" and treat them that way.
Karen and I wrote together on 19 July 2016:
>>> Today's violators can then become tomorrow's contributors.
I wrote on 8 November 2009:
>> We therefore must ensure that enforcement action is reasonable and
>> friendly. I view every GPL violator as a potential FLOSS contributor, and
>> try my best to open every enforcement action with that attitude.
...and I made similar statements as far back as 2002. My position on this
has never changed; I agreed with what you said today before you said it.
Karen has also always held this position. Most importantly, to my knowledge,
every developer in the GPL Compliance Program for Linux Developers agrees.
> It's great that Samba has survived this type of enforcement effort, but as
> Jeremy has pointed out, he's done that primarily by working directly with
> the companies, not having legal people get involved. So thanks Jeremy for
> proving my point :)
You're misattributing Jeremy's statements as well. Jeremy said specifically
that he works *with* Conservancy and that our methods *don't* get lawyers
involved until the very tiniest fraction of situations where it's absolutely
necessary. If Jeremy proved your point, then he also proved that Conservancy
and our coalitions *are using the method of enforcement you want*.
> that's what burned Busybox to the ground...and is what is threatening the
> future of gcc as well.
Your assessments of BusyBox and GCC are definitely incorrect. (BusyBox is
still widely used and deployed, and the future of GCC is much more
complicated than any enforcement-specific issues.) But I won't go into
details on that because I worry it's just too far off topic for this list.
Finally, I'll address just one more of your assumptions about my values:
> You value the GPL over Linux, and I value Linux over the GPL. You are
> willing to risk Linux in order to try to validate the GPL in some manner.
... which is false. Before you posted the above, I had already told you in
response to your private email (which contained the same text) that it
misrepresented my values. I won't bore the list with everything I said in my
private reply, but here's the most relevant part:
You said that you "care more about Linux than the GPL". I would probably
agree with that. But, I do care about software freedom generally much more
than I care about Linux *or* the GPL. I care about Linux because it's the
only kernel in the world that brings software freedom to lots of users.
The GPL is a tool that helps Linux do that, but I don't see the GPL as a
moral pinnacle. It's a tool and a strategy to advance software freedom.
Linux doesn't matter merely because it's GPL'd. It matters because it's
*great software* *and* it's GPL'd.
The GPL Compliance Program for Linux Developers works together to ensure all
users may copy, modify, and redistribute all versions of that great software.
I didn't just guess at this number. I searched my email archives, which
roughly show that I've been sent reports of at least 3,000 GPL violations
in my life, and I count only 17 defendants who have ever been sued by
Erik Andersen, Christoph Hellwig, FSF or Conservancy (i.e., I'm counting
BusyBox and Linux violations in there together, which should
theoretically make the numbers as high as possible). That gives me
99.43% of GPL violators -- again, only count the ones I personally have
been informed of -- have never been sued. I didn't include Harald's
lawsuits because I'm not really sure on the count of his cases, but
someone who'd like to can go through
http://gpl-violations.org/news/archive/ and count them up and update my
numbers, but I think to make it a good estimate, you'd have to also
update the denominator to count all violations ever reported to the
gpl-violations.org mailing list too, which sadly are not online at the
moment. (Links from http://gpl-violations.org/mailinglists/ are dead.)
Bradley M. Kuhn
President & Distinguished Technologist of Software Freedom Conservancy
Become a Conservancy Supporter today: https://sfconservancy.org/supporter