<div dir="ltr">Bradley, thanks for sharing your personal experiences in this field. They were interesting to read, especially the part where dogs eat the requests for source code!<br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Aug 17, 2018 at 2:35 AM Bradley M. Kuhn <<a href="mailto:bkuhn@ebb.org">bkuhn@ebb.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sorry for reopening a thread from last week; I don't follow this list<br>
closely and only happened to discover while skimming today that a GPL<br>
compliance issue was under discussion here.<br>
<br>
I do have a few comments on the thread that are hopefully useful:<br>
<br>
Scott Peterson wrote on Wednesday, 8 August:<br>
> There is no reason that a distributor of a product that includes software<br>
> licensed under the GPL cannot use an upstream supplier's written offer as<br>
> a part of compliance with the source availability requirement of the<br>
> GPL. ...<br>
><br>
> That written offer is real; requests sent in response to that written<br>
> offer are fulfilled. That downstream distributor has not failed to comply<br>
> with the GPL merely because it did not write its own written offer and did<br>
> not not implement its own separate fulfillment process for receiving<br>
> requests and sending source code responses.<br>
<br>
Scott's analysis is of course correct as to the requirements of GPL, but I'm<br>
glad we're discussing this in detail publicly, as there are some nuances<br>
worth exploring. (Transparency and public discourse about these topics will<br>
surely benefit the whole community.)<br>
<br>
Most of my comments below aren't about the minimum requirements per the<br>
license text, but rather discussing about best practices around this issue.<br>
I generally find that seeking to meet the bare minimum requirements of the<br>
license has limited utility in copyleft compliance discussions; it's better<br>
to seek the best practice that will yield compliance practices that are<br>
beyond reproach.<br>
<br>
Thus, as a best practice, I urge all redistributors to avoid the written<br>
offer entirely (more on that below). Moreover, certainly in the case of a<br>
commercial actor, in most real-world scenarios, the written offer from<br>
upstream is likely to be inadequate in practice even though it might be<br>
adequate in theory (as Scott pointed out).<br>
<br>
In my experience, only white-box repackagers of products ever use the binary<br>
build precisely as upstream provided in a manner that would mean the<br>
required "scripts used to control compilation and installation of the<br>
executable" remain absolutely identical for upstream and downstream. I've<br>
never seen a scenario in GPL enforcement where the upstream CCS complied,<br>
because invariably the downstream vendor's engineers made changes and the<br>
legal staff hadn't realized it. Most often, this is around the build and<br>
installation. Too often, the build scripts requirement is (sadly)<br>
forgotten, so it's easy for even well-intentioned downstreams to err<br>
(because they don't read GPLv3§3/GPLv3§6 carefully), and then realize only<br>
later the source offered by upstream is incorrect source (per "Complete,<br>
Correspond Source" (CCS) definitions in the various GPL versions).<br>
<br>
Furthermore, note that Scott's analysis assumes that the upstream source,<br>
when shipped, will actually comply with other requirements (e.g., GPLv2§3)<br>
of the GPL. In my experience, most upstreams have GPLv3§3/GPLv3§6<br>
compliance problems. In other words, if you don't verify yourself<br>
(regularly) that your upstream's offer, when exercised, puts GPL-compliant<br>
CCS in the requestor's hands, you'll find out your upstream failed to comply<br>
at the latest possible moment -- when someone tests what is now *your* offer<br>
for source. You're then left scrambling and have set yourself up to fail.<br>
<br>
BTW, as a copyleft drafting matter, the entire "offer for source" idea is<br>
an annoying necessity. It assures that full source code provisioning at<br>
point-of-sale doesn't cost-prohibit commercial incorporation of GPL'd<br>
software in inexpensive devices. However, the only advisable time to use<br>
offer for source is when it's truly financially unviable to distribute<br>
physical-media source at time of physical distribution.<br>
<br>
Relatedly, it's important to note that the companies who nefariously violate<br>
the GPL have used the offer for source for more than a decade as a way to<br>
cover up their intentional violations (more on that below). Contrary to<br>
popular belief, there *are* many bad actor GPL violators who simply publish<br>
an offer for source with no intention of fulfilling it properly if asked.<br>
They hope that no one asks during the (usually short) sales lifecycle of the<br>
product, and while the offer is indeed valid for three years after<br>
distribution (GPLv2) or EOL (GPLv3), it's relatively rare that someone<br>
requests source on an EOL'd product. Such companies play the odds and get<br>
away with violations over and over again.<br>
<br>
More reading on this issue can be found in the Comprehensive Copyleft Guide.<br>
This issue is discussed in various sections (search for "offer" in the whole<br>
text of the book available at <a href="https://copyleft.org/guide/monolithic/" rel="noreferrer" target="_blank">https://copyleft.org/guide/monolithic/</a> to find<br>
them all), but the section directly linked via<br>
<a href="https://copyleft.org/guide/comprehensive-gpl-guidech16.html#x21-12700015" rel="noreferrer" target="_blank">https://copyleft.org/guide/comprehensive-gpl-guidech16.html#x21-12700015</a><br>
deals with the issue directly.<br>
<br>
<br>
On Bruce's point:<br>
<br>
Bruce Perens wrote on Wednesday, 8 August:<br>
>> It's also possible for a company, including the upstream manufacturer, to<br>
>> formally contract to perform another entity's GPL source code<br>
>> fulfillment.<br>
<br>
This was quite a trend a few years ago, and a few companies in the<br>
compliance industrial complex even attempted to offer such contracts as a<br>
fee-for-service business. I don't get the impression this was successful,<br>
because contracting out CD/DVD printing fulfillment is a commodity service,<br>
and if you need any services beyond that, you're basically asking for GPL<br>
compliance help anyway -- so you might as well train your staff in house how<br>
to comply correctly as that expertise will pay dividends going forward for<br>
future products.<br>
<br>
I thus really don't recommend outsourcing any of your GPL requirements. I<br>
do, however, recommend a public-accessible website with all source releases<br>
for every product. While this does fail to comply with the offer provisions<br>
for GPLv2-only, it *does* usually mean the number of people who will request<br>
physical media goes down to zero or near-zero, as the only ones who need it<br>
are those who lack speedy Internet connections. A sample offer that works<br>
in this particular way is given in the second Copyleft Guide URL I mentioned<br>
above.<br>
<br>
Scott wrote further:<br>
> If what matters is the name on the offer (not whether the offer is<br>
> effective), then that would be a GPL that serves the interests of<br>
> troll-oriented "compliance enforcement", not the interests that the GPL<br>
> seeks to serve. I do not believe that that is what is intended in the GPL.<br>
<br>
While I do generally agree with this point, I think it might be overstated<br>
for these two reasons:<br>
<br>
First, I don't think there is *any* serious threat from troll-like<br>
enforcement in any event; that risk has been unreasonably exaggerated.<br>
<br>
Second, and relatedly, the violators who attempt to play games around the<br>
offer clause behave much worse, such that it easily drowns out any concern<br>
of bad enforcement behavior. In my experience, many violators (both the<br>
nefarious and lazy varieties) have a tendency toward "hide the ball"<br>
activity around the offer clauses. This is easier explained by giving a few<br>
examples of why violators have told me they ignored offer requests:<br>
<br>
* "You didn't have the address on the envelope character-for-character as<br>
it appeared on the offer page, therefore, we weren't required to honor<br>
your request."<br>
<br>
* "You're not our customer." <br>
<br>
* "You can't provide an address in the USA for delivery of your source CD,<br>
so we aren't required to provide the source to you."<br>
<br>
* "You sent your request via services with tracking, and we only accept<br>
source requests with a plain, regular stamped envelope with no tracking<br>
or signature required."<br>
<br>
The GPL of course doesn't allow for any of these excuses, or the dozens of<br>
others of the "but the dog ate your source request" variety that I've heard<br>
from violators over the years. In most of these cases, compliance was<br>
achieved in the usual way by following the Principles of Community-Oriented<br>
GPL Enforcement, and thus I'm not bringing this up to admonish those who<br>
behaved this way, but rather to point out that for every one of the times I<br>
(or someone bothered to report a violation) have been told something like<br>
this when requesting source, I'd suspect there are hundreds of people out<br>
there are getting specious answers to their source requests -- who just give<br>
up entirely. That pandemic problem (and the other pandemic problems of<br>
non-compliance), so much outweigh any threat from one bad-actor-enforcer who<br>
"once-upon-a-time made an argument not supported by the license text", that<br>
the latter seems risible to me as a concern. I think we should continue to<br>
read copyleft licenses with an eye toward assuring its requirements advance<br>
software freedom, and include any requirements that succeed in that regard,<br>
even if they are on rare occasions abused. IMO, the place for worrying<br>
about what bad-actor-copyright-holders is in meta-documents like the<br>
Principles of Community-Oriented GPL Enforcement, not the license itself.<br>
-- <br>
<br>
Bradley M. Kuhn<br>
<br>
Pls. support of the charity where I work, Software Freedom Conservancy:<br>
<a href="https://sfconservancy.org/supporter/" rel="noreferrer" target="_blank">https://sfconservancy.org/supporter/</a><br>
<br>
_______________________________________________<br>
License-discuss mailing list<br>
<a href="mailto:License-discuss@lists.opensource.org" target="_blank">License-discuss@lists.opensource.org</a><br>
<a href="http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org" rel="noreferrer" target="_blank">http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><a href="mailto:henrik.ingo@avoinelama.fi" target="_blank">henrik.ingo@avoinelama.fi</a><br>+358-40-5697354 skype: henrik.ingo irc: hingo<br><a href="http://www.openlife.cc" target="_blank">www.openlife.cc</a><br><br>My LinkedIn profile: <a href="http://fi.linkedin.com/pub/henrik-ingo/3/232/8a7" target="_blank">http://fi.linkedin.com/pub/henrik-ingo/3/232/8a7</a></div>