1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
|
% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
\documentclass{beamer}
% This file is a solution template for:
% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice.
\mode<presentation>
{
\usetheme{Warsaw}
% or ...
\setbeamercovered{transparent}
% or whatever (possibly just delete it)
}
\usepackage[english]{babel}
% or whatever
\usepackage[latin1]{inputenc}
% or whatever
\usepackage{times}
\usepackage[T1]{fontenc}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.
\title{GNU GPL License Enforcements}
\subtitle
{What the community can do to enforce the GPL}
\author{Harald Welte}
\institute
{gpl-violations.org\\hmw-consulting.de}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.
\date[DORS/CLUC 2010] % (optional, should be abbreviation of conference name)
{DORS/CLUC 2010, May 2010, Zagreb/Croatia}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
% yourself) who are reading the slides online
\subject{Embedded Linux}
% This is only inserted into the PDF information catalog. Can be left
% out.
% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:
% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}
% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
% \begin{frame}<beamer>{Outline}
% \tableofcontents[currentsection,currentsubsection]
% \end{frame}
%}
% If you wish to uncover everything in a step-wise fashion, uncomment
% the following command:
%\beamerdefaultoverlayspecification{<+->}
\begin{document}
\begin{frame}
\titlepage
\end{frame}
\begin{frame}{Outline}
\tableofcontents
% You might wish to add the option [pausesections]
\end{frame}
% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution:
% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
% 15 and 30 frames, all told.
% - A conference audience is likely to know very little of what you
% are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
% enough. Leave out details, even if it means being less precise than
% you think necessary.
% - If you omit details that are vital to the proof/implementation,
% just say so once. Everybody will be happy with that.
\begin{frame}{About the speaker}
\begin{itemize}
\item Using + playing with Linux since 1994
\item Kernel development since 1999
\item IT security specialist, focus on network protocol security
\item Board-level Electrical Engineering
\item System-level Software for PPC, ARM, x86
\item IANAL, but companies not complying with the license forced me to spend lots of time with legal issues
\end{itemize}
\end{frame}
\section{FOSS Licenses}
\subsection{Free Software and Copyleft}
\begin{frame}{Free Software}{Definition by the FSF}
% - A title should summarize the slide in an understandable fashion
% for anyone how does not follow everything on the slide itself.
Free Software has to ensure the following key freedoms:
\begin{itemize}
\item
Freedom to use the software for any purpose
\item
Freedom to make copies "to help your neighbor"
\item
Freedom to study its functionality (source code)
\item
Freedom to fix it yourself (make modifications)
\end{itemize}
\end{frame}
\begin{frame}{Copyleft}{A concept to ensure Freedom}
Copyleft is an idea to use copyright to ensure Software Freedoms
\begin{itemize}
\item Use/claim copyright on the software
\item Create a license that is permissive enough for the 4 Freedoms
\item However, put some conditions/obligations in the license
\begin{itemize}
\item ensure the source code will always be available
\item ensure nobody is able to remove the 4 Freedoms from the software
\end{itemize}
\item Use that license for the software.
\end{itemize}
\end{frame}
\subsection{The GNU GPL}
\begin{frame}{The GNU GPL}{An implementation of Copyleft}
The GNU General Public License (GPL)
\begin{itemize}
\item is a Copyleft Free Software License
\item assures the original author that his work will always have the freedoms
\item establishes a level of fairness: You can use my code, if you share your additions back with us.
\item is a big motivation factor for many community members
\end{itemize}
\end{frame}
\begin{frame}{Revisiting the GPLv2 License Terms}
The GNU GPLv2
\begin{itemize}
\item Regulates distribution, not use (running the program)
\item Allows distribution of source code and modified source code, if
\begin{itemize}
\item The license is mentioned
\item A copy of the license text accompanies each copy
\end{itemize}
\item Allows distribution of or modified binaries, if
\begin{itemize}
\item The license is mentioned
\item A copy of the license text accompanies each copy
\item The source code is either included with the copy, or a written offer is made on how the source can be obtained.
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Complete Corresponding Source Code}{As required by GPLv2}
\dots complete source code means all the source code for all modules it (the software) contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
\begin{itemize}
\item For a C language program, this means
\begin{itemize}
\item Source Code
\item Makefiles
\item compile-time configuration (e.g. kernel .config)
\end{itemize}
\item General rule
\begin{itemize}
\item Intent of the license is to enable the user to run modified versions of the program
\item If you provide everything needed for that, there will be no discussion
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Modifications of GPL'd source code}{The details that matter}
\begin{itemize}
\item In the GPL, it does not matter if you have modified the GPL'd program or if you ship it unmodified.
\item You always have to provide the source code!
\item If you modify the source code, your changes have to be visible/identifiable
\item For practical reasons, I suggest shipping original upstream tarball + a diff/patch with your changes
\end{itemize}
\end{frame}
\subsection{GPL - Embedded Systems}
\begin{frame}{GPL and Embedded Systems}{Interpreting the meaning}
\begin{itemize}
\item The GNU GPLv2 was written for the GNU project, at the time this project was
working on replacing individual application programs on top of a proprietary
UNIX operating system kernel.
\item scripts used to control compilation and installation
\begin{itemize}
\item Intent: To enable the user to modify + run modified versions
\item In case of embedded systems, the "scripts used to control installation" include the software required for installing the program onto the target device
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{GPL and Embedded DRM}{Sometimes called Tivo-ization}
\begin{itemize}
\item Some companies want to lock down their Linux-based system, by
\begin{itemize}
\item Cryptographic verification of bootloader by ROM loader
\item Cryptographic verification of kernel image by bootloader\dots
\end{itemize}
\item This is problematic from a GPL point of view, since
\begin{itemize}
\item You are depriving the user from practically exercising his right to run modified versions of the program
\item Thus, violation not of the GPLv2 wording, but likely of the GPL's intention
\item Legal outcome unclear, different scholars have different opinions, also depends on jurisdiction
\end{itemize}
\item GPLv3 makes this intent explicit in the license text
\end{itemize}
\end{frame}
\subsection{GPL - Compatible source code offer}
\begin{frame}{Complete + Corresponding Source}{For every Release you make}
\begin{itemize}
\item Whenever you {\em distribute} GPL licensed software, the license applies. This includes
\begin{itemize}
\item Actual sale of a physical embedded device with the software in flash
\item Download of a firmware update as a file from a website
\item Shipping of firmware updates on physical storage
\item Distribution of firmware updates e.g. by over-the-air mechanisms in DVB-S or other networks
\end{itemize}
\item Every time, the conditions of the license have to be fulfilled (mention there's software under GPL, include full license text, include or offer complete corresponding source code
\item For every release you ever ship (even beta release if it ever is shipped only to one customer), you need the {\em complete corresponding} source code.
\end{itemize}
\end{frame}
\subsection{GPL - Derivative Works}
\begin{frame}{Derivative Works}{Keeping it clean}
Derivative works are a question of copyright law, not the GPL
\begin{itemize}
\item whenever you couple a GPL and a non-GPL program tightly (e.g. static/dynamic linking), your're entering a legal grey area
\item there is little or no precedent on derivative works of software
\item you're violating the intention of the author. If he wanted you to link from proprietary programs, he would have used LGPL
\item try to work {\em with} the community, rather than against it
\end{itemize}
\end{frame}
\section{GPL Violations and License Enforcement}
\subsection{GPL Violations}
\begin{frame}{GPL Violations}
\begin{itemize}
\item GPL violations are not new, just like GPL licensed software is not new
\item However, increased popularity of GNU/Linux based systems increase GPL violations
\item Today, many more people and companies unfamiliar with the history and values of Free Software start using and (re)distributing FOSS
\end{itemize}
\end{frame}
\subsection{Business Risk of GPL Violations}
\begin{frame}{Business Risk of GPL Violations}{Or: How to convince your managers}
If you ship a product that is incompliant to the GNU GPL,
\begin{itemize}
\item you are committing a copyright infringement not different from shipping a product with unlicensed copies of MS Windows
\item you can face civil and criminal charges in court
\item civil charges include (German jurisdiction)
\begin{itemize}
\item immediate cease + desist (halt of product sales)
\item information of which quantity of the product has been sold to whom
\item damages for lost revenue (see dual licensing)
\end{itemize}
\item civil charges can also be filed against every distributor/store/importer
\end{itemize}
\end{frame}
\subsection{GPL Enforcement}
\begin{frame}{Early GPL Enforcement}
\begin{itemize}
\item The Free Software Foundation (FSF) has alway been doing GPL enforcement on software {\em of which they are the copyright holder}
\begin{itemize}
\item They do so quietly, without much public notice
\item The quiet route sometimes leads to lengthy negotiations
\item The FSF only holds copyright on some Free Software programs
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{The Linksys WRT54G case}
During 2003, the Linksys WRT54G case drew a lot of attention
\begin{itemize}
\item Linksys was selling 802.11 WLAN Access Points and Routers
\item Lots of GPL licensed software embedded into the device, including Linux, uClibc, busybox, iptables
\item FSF-led alliance took their usual {\em quiet} approach
\item Linksys bought itself a lot of time
\begin{itemize}
\item Some sources were released two months later
\item Full GPL compliance only achieved four months later
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Aftermath of the Linksys case}
\begin{itemize}
\item Some developers were not happy with the Linksys case
\begin{itemize}
\item Linksys didn't loose anything by not complying from the beginning
\item Four months delay is a long time given short product lifetimes
\end{itemize}
\item More embedded devices started to use Linux and other FOSS
\item The netfilter/iptables project started to do their own enforcement
\begin{itemize}
\item Using German copyright law against German subsidiary of vendor
\item Using direct legal / copyright based approach
\end{itemize}
\item The gpl-violations.org was later established
\end{itemize}
\end{frame}
\begin{frame}{GPL Enforcement by the Community}
\begin{itemize}
\item The GPL is a Copyright License
\item GPL enforcement is thus Copyright enforcement
\item Copyright enforcement can normally only be done by copyright holders!
\item Alternative (less tested) legal approaches
\begin{itemize}
\item Competition / Anti-Trust law (by a GPL-abiding competitor)
\item Consumer protection (The product without source code is incomplete)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{GPL Enforcement Requirements}
\begin{itemize}
\item Clean copyright situation
\begin{itemize}
\item Who wrote which (part of a) software
\item Was the copyright transferred to an employer?
\end{itemize}
\item Evidence for the violation
\begin{itemize}
\item Test purchase of the software on storage medium
\item Detailed screenshots of download side, downloaded software images
\item Evidence shows no notice of GPL or source code availability/offer
\end{itemize}
\item Copyright holders who want to do enforcement
\end{itemize}
\end{frame}
\begin{frame}{GPL Enforcement by the Community}
\begin{itemize}
\item Authors/Developers of a project need to care about entities that violate their license
\item Legal options in case of a violation
\begin{itemize}
\item One or multiple copyright holders do their own enforcement
\item Copyright transfer to an entity that does enforcement
\begin{itemize}
\item Free Software Foundation
\item http://conservancy.softwarefreedom.org/
\item Fiduciary License Agreement with the FSF Europe
\end{itemize}
\end{itemize}
\end{itemize}
\end{frame}
\subsection{gpl-violations.org}
\begin{frame}{The gpl-violations.org work}
\begin{itemize}
\item Use all legal means neccessarry to bring infringing product in compliance
\item We only act where we hold copyright (Linux kernel)
\item We typically only act within Europe, mostly in Germany
\item Success so far
\begin{itemize}
\item More than 100 amicable agreements as results of settlements
\item More than 5 preliminary injunctions halting sales of products until compliance
\item Multiple actual court cases with court verdict
\end{itemize}
\end{itemize}
\end{frame}
\section*{Summary}
\subsection*{Summary}
\begin{frame}{Summary}
% Keep the summary *very short*.
\begin{itemize}
\item
GPL compliance is not difficult if you think about the problem when you start product development.
\item
A large part of the task can be automatized by using a proper build system.
\item
There are questionable legal {\em grey areas}. To minimize the risk, I'd try to stay out of them.
\end{itemize}
\end{frame}
\subsection*{Outlook}
\begin{frame}{Outlook}
Outlook
\begin{itemize}
\item
Blatant GPL violations in embedded devices are declining, but are likely to continue due to lack of skill or negligence.
\item
We'll see more {\em derivative works} types of GPL violations, and we'll see actual legal enforcement and precedent in this area over the next years.
\item
Stronger copyright protection demanded by content industry will also mean stronger protection for FOSS licenses. Imagine GPL enforcement with "three strikes" law in France ?!?
\end{itemize}
\end{frame}
\end{document}
|