% A Guide to GPL Compliance
for Software Engineers and Managers (07:40) % Bradley M. Kuhn % Tuesday 5 August 2008 # GPL Compliance (07:50) + Not a new topic. (07:55) + FUD machine makes it seem mysterious. (08:05) + Let's clear up misconceptions. (08:13) # My Credentials (08:18) + Intimately involved with every major USA enforcement since 1999. (08:50) + At old employer, created first formalized GPL enforcement program in history. (09:05) + Helped found the GPL enforcement team at SFLC. (10:05) + IANAL. (import std.disclaimer) (10:20) # Audience (10:25) This talk has material for two types of GPL redistributors. (10:38) # The Clueful: Constant Vigilance! (10:42) + Planning to begin incorporating FLOSS. (10:50) + Want to learn best practices. (11:10) # However, Some Remain Clueless (11:20) + They *still* think Dilbert is relevant. (11:35) + They refuse to read the GPL. (11:44) + They don't even look to see if GPL'd stuff is in their distribution. (12:10) # My Assumption (12:25) You are clueful, but you sometimes advise people who are clueless. (12:30) + Material in this talk is for both (12:40) # Two Ways of Examining Problem (12:47) + Clueful: Plan your development process to make GPL compliance easy. (12:54) + Clueless: Wait to get a letter from a GPL copyright holder. (13:10) # Clueful Route First (13:15) + Plan best practices to avoid violation. (13:25) + GPL software is here to stay. (13:46) + Design development, integration and acquisition to pre-handle it. (14:12) # Compliance-Friendly Development (14:43) + Use revision control ... (14:56) - ... to pull in vendor branch. (15:48) - ... to tag releases. (16:30) + Avoid "Build Guru" ... (17:11) - ... by documenting build process. (17:15) - ... and versioning it, too. (17:40) + Use Fossology! (17:45) - http://fossology.org/ (18:12) # Why Is Compliance Necessary? (18:30) + Binaries are modified versions of source. (19:15) + Modification controlled by copyright, thus by GPL. (20:40) + This separation is where nearly all violations occur. (21:13) *** > After all, what is binary distribution of software but a rudimentary form of DRM?

-- Richard Fontana, during the GPLv3 process

# GPL Binary Requirements (21:40) (v2 § 3, v3 § 6) + Four options: (22:20) - Source alongside binary (v2/v3). (22:28) - Offer for source (v2/v3). (22:45) - Internet side-by-side distribution (v3). (22:50) - Torrent distribution (v3). (23:00) # Source Alongside Binary (23:05) + Simplest option. (23:30) + **Obligations end at distribution time.** (24:00) + Physical media required. (24:34) # Offer For Source (24:49) + Useful if not shipping CD already. (25:30) + Lasts three years. (26:52) + Mail fulfillment required (not in v3). (27:46) # New v3 Options (27:51) + Pure Internet, both source and binary (28:10) - was always tolerated under v2 anyway. (28:30) - not possible for embedded systems. (29:06) + Torrents (29:13) - Rarely used. (29:42) # Preparing Corresponding Source (30:12) (v2 § 3, v3 § 1) + Make sure all sources are present. (30:35) - revision system helps a lot here. (31:06) + Build scripts (31:22) - rule of thumb: (31:27) - make sure someone skilled in art can build it. (33:02) # When the Letter Comes (33:25) + Communication is key. (34:43) + Understand the termination provisions ... (34:55) # Termination (35:47) (v2 § 4, v3 § 8) + v2 is automatic and permanent. (36:37) + v3 has auto-reinstatement. (36:48) - 60 day self-correction timeout (37:09) - 30 day penalty-less after notice (37:15) + Usually, you need copyright holder to reinstate. (37:30) # Standard Requests to Expect (38:10) + Compliance on all FLOSS copyrights. (39:05) + Notification to past recipients. (39:44) + Appoint GPL Compliance Officer. (40:50) + Periodic compliance reports. (41:17) # Clueless: The Upstream Problem (42:02) When I said that I was king of forwards, you got to understand that I don't come up with this stuff. I just forward it along. You wouldn't arrest a guy who was just passing drugs from one guy to another.

-- Michael Scott, *The Office*

# Don't be Michael Scott (42:08) + You are a distributor, just like your upstream is. (42:40) + You share the same obligations. (43:11) + Ask due diligence questions *before* buying. (44:18) + Require *them* to teach you to comply. (44:40) + Get indemnified! (45:22) # User Products (45:40) (v3 only, § 6) + Much FUD about Installation Information for User Products. (46:30) + The implications are not unlike what is already true. (46:45) + Users can modify, voiding warranties. (47:03) + You must allow them to install; you don't have to support it. (48:15) # Derivative Works Discussion? (48:25) + Truth is, it rarely comes up in GPL enforcement. (48:43) + Never has a violator in my experience disputed our interpretation. (49:48) + Uses are primarily mundane; lines are clear. (50:23) + Anyway, in the dicey cases ... (50:32) - ... a seasoned software copyright lawyer should study the facts. (51:19) - ... the modifiers are already extremely sophisticated, anyway. (51:46) # More Info? (51:50) Paper on these issues at: http://www.softwarefreedom.org/resources (52:30) # License of Slides and Talk This talk and the slides are Copyright © 2008, Bradley M. Kuhn. Everyone is permitted to make and distribute verbatim copies of the slides and/or recordings of the talk. Source code of slides.