Should companies that violate the terms of open source GPL license be taken to court? For the maintainers of world’s most popular general public license (GPL) project, Linux, the answer is surprisingly complex.
GPL is the bedrock that allows open source collaboration to take place, but it requires those that publicly use the GPL code to post their changes. And, arguably, a growing number of companies fail to do this. A heated discussion ensued recently on the Linux Kernel Mailing List (LKML) when Karen Sandler, executive director of the Software Freedom Conservancy, posted a message about a possible session around GPL enforcement during the upcoming Kernel Summit next month.
Sandler was seemingly encouraged by Linux creator Linus Torvalds’ appreciation for GNU GPL during his conversation with Dirk Hohndel, VMware vice president and chief open source officer, at LinuxCon North America, that GPL was a major factor in avoiding a fragmentation of Linux.
It’s a very long discussion. I have spent the last two days combing through every single email to understand all the perspectives. My notes taken from the emails alone were over 20,000 words. In this story, I’ll attempt to touch upon what is at stake, who are the stakeholders, and why they are doing what they are doing.
GPL Saved Linux From Fragmentation
Torvalds may not love the Free Software Foundation (FSF) and Richard M. Stallman, but he loved the basic idea behind their open source software license GPL v2. “If you take my code and make changes to it, I want my changes back,” said Torvalds in an earlier interview. GPL v2 ensured that he himself, or developers — whether individuals or companies — who contribute to Linux, won’t be locked out of the modification made to their own changes.
“I really think the license [GNU GPL version 2] has been one of the defining factors in the success of Linux, because it enforced that you have to give back, which meant that the fragmentation has never been something that has been viable from a technical standpoint,” said Torvalds during his conversation with Hohndel at LinuxCon.
Torvalds initially released Linux under a non-GPLed license that clearly restricted the commercialization of Linux. In 1992, Torvalds changed the license to GNU GPL v2, removing the commercial restriction.
The Role of Linux in Success of Open Source
While Torvalds attributes Linux’s success to GNU GPL, he is often hesitant in taking credit for popularizing open source. Torvalds told me that what makes Linux different is that it doesn’t just spread the coding effort, it also spreads the vision effort. Linux doesn’t have a vision on where it wants to go, individuals and company come to Linux with their own vision; where they want to take Linux.
This is unique to Linux and largely, despite the existence of BSD, Linux enjoyed massive adoption. Linux is credited for making commercial entities comfortable with open source. Linux became a catalyst in achieving commercial goals, without compromising on code quality and individual contributors. There is no elite Linux club; anyone from a one-man distro to IBM can use Linux and have same influence over the code. No wonder the modern economy literally runs on Linux.
Today Linux is literally powering the modern economy and is being used across the board: in embedded devices, data centers, smart cars, smart phone, tablets, smart TVs, stock exchanges … virtually everywhere. Linux is creating trillions of dollars for businesses. There are thousands of companies consuming Linux, and many are even contributing to Linux.
On the flip side of this popularity and massive adoption is that there are supposedly many companies that use Linux, but don’t comply with GPL. It could be intentional or it could be an honest mistake. The devil is in the details. Companies are selling products running Linux but they don’t release the source code, which violates the terms of the GPL.
Is it a problem? Depends on who you ask.
GPL Violation — How Big and Serious Is It?
What good is a license if no one respects it? Different people approach GPL violation from different angles. Organizations like FSF, SFLC, SFC consider it a serious issue because they are concerned about software freedom for very genuine reasons. GPL violation weakens software freedom so these organizations work really hard to ensure GPL enforcement.
Then there are developers like Matthew Garrett, who are genuinely concerned about security and rights of people. They want GPL enforcement so that users can keep their devices secure and get access to the source code that runs on their devices.
There are individual developers who want GPL compliance because they want to see, and possibly use the modifications made to their code by other parties, including companies. These groups and individuals strive for GPL enforcement as they seemingly prioritize software freedom, user’s rights over the software that they use.
What Does the Linux Community Feel?
The Linux kernel community is in a unique situation. Linux kernel is the largest GPL’ed project to date. While the kernel community admits GPL violations, it also believes that the situation is actually getting better.
Companies have always “violated” the Linux GPL license but that doesn’t make the license any less real or valid, wrote core Linux kernel maintainer Greg Kroah-Hartman, responding to a post by Sandler. He added, “Personally, it seems that we are much better off today than we were 15, 10, and even 5 years ago on this front.”
What Can Be and Is Done for GPL Enforcement?
There are different ways of getting companies to comply with GPL. The most common practice is developer level engagement. Most developers talk to the concerned companies, and in most cases get them to comply.
James Bottomley, a distinguished engineer at IBM, and one of the leading figures in the Linux kernel community said that he had spent most of his career working at fairly high levels within various companies to build open source strategies and business models for them.
Kroah-Hartman has also been extremely instrumental in talking to companies and getting them on board. Even bodies like SFC starts off with dialog and communication to bring companies into compliance.
However, SFC seems to be worried about the increase in GPL violation due to the popularity of Linux. Bradley M. Kuhn of SFC wrote on the mailing list:
I observe now that the last 10 years brought something that never occurred before with any other copylefted code. Specifically, with Linux, we find both major and minor industry players determined to violate the GPL, on purpose, and refuse to comply, and tell us to our faces: “you think that we have to follow the GPL? Ok, then take us to court. We won’t comply otherwise.” (None of the companies in your historical examples ever did this, Greg.) And, the decision to take that position is wholly in the hands of the violators, not the enforcers.
He expressed his frustration with the situation and wrote, “In response, we have two options: we can all decide to give up on the GPL, or we can enforce it in the courts.”
That lead to a heated debate.
I call bullshit on this,” Kroah-Hartman, who is usually very calm, shot back. “And frankly, I’m tired of hearing it, as it’s completely incorrect and trivializes the effort that thousands of people have been doing for 25+ years to preserve the rights that the GPL grants us.”
Torvalds also chimed in, “I personally think this arguing for lawyering has become a nasty festering disease, and the SFC and Bradley Kuhn has been the Typhoid Mary spreading the disease.”
What ticked them off? Kuhn’s statement on taking such violators to court. It upset many other leading kernel developers because Kuhn delivered a talk during LinuxConf Australia 2016 where he stated that “Linux is the battleground for copyleft.”
Clearly no one wants their backyard to be turned into a battleground, especially when they don’t want that war. There was a barrage of opposition against the idea of resorting to legal action. Bottomley said that he hasn’t sued anyone and that having “a reputation in the industry really helps to get my foot in the door when it comes to persuading some entity to be more GPL friendly.”
But the question is do companies comply without being sued? The fact is there have been few legal cases that forced companies to comply with GPL. At the same time, there are many more companies that started off as worst offenders and turned out to be leading contributors to the kernel, without ever being sued.
Kroah-Hartman gave the example of Intel, which has in the past abused the GPL. Today Intel is not only a leading contributor but one of the closest friends Linux has. Microsoft is yet another example that turned from a foe into a friend, without any lawsuit.
But it’s not black and white. Legal actions did play a role in educating other offenders that there will be consequences. However, there have also been huge costs.
The top maintainers are worried about those costs. BusyBox, a bundle of Unix utilities widely used in the embedded space, is a good example.
BusyBox was seen as the first GPL enforcement lawsuit filed by SFLC. Monsoon Multimedia was caught using BusyBox code in their firmware but they never released source code. While SFCL won and got access to that source code, BusyBox was seen as untouchable by many commercial players and lost adoption. BusyBox is now seen as a poster child of legal action destroying open source projects. The lead maintainer who filed the lawsuit regretted it.
Bottomley said, “…the loss of momentum in BusyBox is factual and does resonate and so does the theory that it’s because of too many enforcement actions.”
Top maintainers don’t want Linux to become the next BusyBox even if it gets some companies to comply with GPL. And that is why they, supposedly, reacted so strongly to legal options presented by Kuhn.
How long would you wait until an offender continues to violate despite talks? Is there a point when you say enough talking it’s time to drag them to court? Kuhn’s point is that, eventually, you have to resort to legal options. The biggest question is when.
Kuhn gave the example of VMware which reportedly has software that violates the GPL violation. After seven years of failed discussions, a Linux developer decided to take legal action and SFC supported him. They have lost the first round in a German court, though.
What if SFC wins and gets the code? Would it turn VMware into the next Google or Intel that’s a great Linux contributor? Won’t VMware turn hostile toward Linux and move to some other technology which is more permissive than GPL? And what if SFC loses?
SFC may win or lose, but like BusyBox, the Linux community may end up in a lose-lose situation. And that is what the main kernel developers do not want. Kroah-Hartman has some strong words for Kuhn, “You are willing to risk Linux in order to try to validate the GPL in some manner. I am not willing to risk Linux for anything as foolish as that. And I told you that, then, in front of a small audience, and am willing to do so now in front of a much larger one.”
Side Effects of Legal Action
Beyond concerns around losing possible collaboration and community, and irreparable damage to Linux, as was the case of BusyBox, there are other concerns too. It could turn into a PR disaster. The top maintainers of the kernel certainly won’t want news stories circulating with “Linux vs XYZ company’. No one with a vested interest in Linux would want Linux to be seen as a litigating party. That would make Linux untouchable.
There is an ever deeper concern around being trigger happy with lawsuits. There is a remote possibility that some rogue developer who contributed some code to the kernel or some company that owns the copyright on code through employees may turn into a GPL troll. It may start litigating GPL violators, to extort money. Looking at the amount of GPL violations, that could become a lucrative market just like patent trolls. There has already been such a case that SFC tried to mitigate.
The rise of trolls would be a concern for enterprise customers, developers and even companies (mostly small) using Linux to build their products. What we have learned from the patent trolls in the US is that we certainly don’t want to flood the market with GPL trolls.
There is another interesting fact and that is if someone is seriously violating GPL, running away with code that will directly hurt giants like IBM, these companies won’t sit tight. They won’t shy from unloading lawsuits on such offenders, without hurting the Linux community.
Don’t Bring a Nuke to a Code Fight
That doesn’t mean Torvalds or other key developers are taking the legal option off the table; they aren’t. They want the nuclear option, but at some secure location and not someone walking around with launch codes in a suitcase.
“I do think that there is some final point where lawyers do need to get involved. But it really should be seen as a last effort thing. It’s the nuclear option,” said Torvalds.
The message they (leading kernel developers) seem to be sending to the larger Linux community is that let’s do it the developer’s way. Developer’s way is collaboration on code, getting people to join the project, and getting companies to see benefits from it all. That’s how Linux started, and that’s how they want to run it.
Torvalds summed it up pretty well: “Let’s be clear about this: lawsuits destroy. They don’t ‘protect.’ Lawsuits destroy community. They destroy trust. They would destroy all the goodwill we’ve built up over the years by being nice.”
Not that they are opposed to legal action. Torvalds is open to legal action if someone takes the entire code of Linux, and turns it into a proprietary technology. They want it to be the real nuclear option, an option that you have but never actually use.
Intel is a sponsor of The New Stack.