Mivz <mivz@...> posted 44A2A093.8060205@...,
excerpted below, on Wed, 28 Jun 2006 17:30:27 +0200:
> Wiktor Wandachowicz wrote:
>> I mean, if someone is able to create its own web page and put a binary
>> download(s) of its work, then how hard is it to comply with the GPL
>> license and just put some more links to the source code?
>> It's like the (old?/new?) Decalogue: "You shall not steal".
> But if your modification is on top of the Gentoo system and you build
> your own Live cd, like Kororaa, do you have to provide all the sources
> of all the programs on the live cd?
IANAL but from what I've read (and my read of the GPL v2 anyway), the
simplest way to think of it is that if you distribute binaries, you must
be able to provide source for them. If you aren't providing the binaries,
you don't have to worry about source.
That means with a LiveCD, presumably including at least a significant
handful of binaries, you'll have to provide source for at least those
binaries, not just what you may have modified. (This is in agreement with
the FSF and what Ciaran says below, tho it conflicts with Chris G's
statement on the subject.) The reason you have to provide source for
other than your own work is so that the end-user is guaranteed his four
freedoms rights to use, examine, modify, and distribute the programs you
provided, even if /your/ upstream goes away. IOW, you wouldn't be
released from the responsibility of providing sources just because Gentoo
disappeared, so to ensure that you can do so, you must make your own
arrangements to provide the sources for any GPLed binaries you distributed.
The section of the GPL (v2) that deals with this is section 3 (section 6 of
the GPL v3 draft, which is similar but specifies in a bit more detail the
responsibilities of downstream redistributors). There are three clauses,
any of which will fulfill your obligations as a distributor under the GPL:

    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code. (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)

A couple things to note about those clauses:
1) Clause B's 3-year minimum doesn't apply to clause A. Many downstream
distributors prefer it for this reason -- their obligation to provide
source for any particular version disappears when they quit distributing
the binaries created from it, no having to keep it around for three more
2) Clause C depends on your upstream using clause B. Since most major
distributions now use clause A, and are thus not subject to the three-year
minimum, it's quite possible their sources will no longer be available
for the period you are redistributing. (This is certainly true for
Gentoo, AFAIK, where the source mirrors aren't likely to be carrying the
sources much past the point when the ebuild is no longer in the Gentoo
tree. Also note that to provide proper sources for a Gentoo based binary,
you'd have to provide any Gentoo patches as well, so simply relying on the
sources mirrors won't suffice!)
That said, it's not really the big deal that it's being made out to be,
for a couple reasons:
1) The BIG reason -- The GPL is based and draws its authority from
copyright law. End users have no way to enforce their demands for source,
no matter /what/ the GPL says -- ONLY the holders of the copyrights on the
original programs do. If all you do is make a couple copies for your
friends and relatives (Grandma), and they don't care about sources, no
problem! Even if you distribute publicly, unless a copyright holder
demands that you honor the GPL, there isn't much anyone else can do.
It's the copyright holder's program, not the end user's program.
Do note however that in many cases, the kernel being a huge example, there
may be many copyright holders, any of which can demand action.
The reason the current story is making news is that apparently, the Mepis
author has a history of not being very forthcoming with sources where the
GPL requires they be available, and more importantly, the FSF, owner of
the copyrights of much of the core GNU/Linux software (anything with GNU
in the name, AFAIK, so the GNU Coreutils and GCC aka GNU Compiler
Collection, among others, plus glibc, the g for GNU, without which
virtually anything Linux would work, altho it's LGPL not GPL), is the one
making the request, and they very much DO have the legal authority to
demand the guy comply with the GPL on the stuff of theirs he distributes.
2) Keeping straight with the GPL isn't actually that bad anyway. That's
ESPECIALLY the case with Gentoo based binaries, since they are normally
built from sources all the way out at the user machine, so you, being that
user, already HAVE those sources -- all you have to do is manage them.
Where a user of a binary-based distribution would have to specifically go
to the trouble of collecting the sources for stuff they don't modify, as a
separate task from collecting the binaries, Gentoo users will normally
already have those sources close at hand.
Even discounting clause C above (which again isn't of much use unless
your upstream uses clause B, Gentoo doesn't, nor do most major
distributions), it's still relatively easy to supply sources in compliance
with the GPL. The biggest choice you have to make is whether you want to
supply only those who ask, therefore far fewer, but have to do it for
three full years (clause B) or whether that three years is a worse problem
than just making sure you have both available at the same time and in a
similar way (clause A).
For clause A, if you are already supplying the binaries (a LiveCD say),
just supply a way to get the sources at the same time if desired. Online,
this means putting a link to the sources right next to the link to the
LiveCD ISO or other binaries. At a conference, it can be having your
laptop with the sources with you, and a sign instructing those who want
sources to ask, you'll be happy to burn a CD for them right there, for a
couple bucks or whatever. (The physical cost. For a couple bucks I doubt
many will quibble, but while I've seen several say labor can be included,
I'm not sure on that, so best to check before you try it.) The important
thing to note here is that because you are offering the two at the same
time, clause A, the 3-year minimum of clause B doesn't apply so you don't
have to worry about sources as soon as you quit offering the binaries.
For clause B, many people simply tarball their sources at the same time
they create their binaries, then file them away in case they get a
request. The LiveCD should then include a README or the like with your
email and/or snail-mail address, and instructions to contact you for the
sources, which you will be happy to provide upon request and submission of
the fee if you decide to charge one. If you charge even a small fee (say
$5), covering your physical costs including postage and media (again, I'm
not sure if reasonable labor is allowed, I think it is but don't know),
that will discourage most, while fulfilling the GPL for those that do have
a want/need for the sources. Note that use of a VCS, which many
distributing anything modified will be using already, should make managing
a request for sources for a 2-year-11-month-29-day old release almost as
easy as managing a request for current sources. As you are allowed to
charge a fee based on what it costs you, and with a fee discouraging those
who don't have a good need for it, it shouldn't be a big problem, provided
only that you've properly managed the sources at the time of the release
in the first place, which is only good practice anyway, the better to
trace and solve bugs and the like. With clause B, complying with the GPL
requires that you honor source requests for three years, but with an
appropriate fee and proper release time source management, it won't be
Now, tying up a couple loose ends...
One solution that has been suggested for small distributors is that they
team up for providing sources. There's nothing saying you can't
subcontract out your responsibility to provide sources, and it's a
reasonable solution. In fact, that seems it could be a bit of a business
opportunity, providing that service. Distributors could be charged a
small annual fee for service maintenance, plus bandwidth charges, similar
to how web or other server hosting solutions work.
As mentioned, the GPL v3 draft is similar but somewhat different in the
details. AFAIK, it now allows a fee up to 10 times the physical cost of
provision of the source, rather than the strictly at-cost requirement of
v2. If labor is included, that could easily reach $1000, which would
certainly discourage the trivial requests. OTOH, the draft GPLv3 is
somewhat stricter on the responsibilities of downstream redistributors,
requiring them to provide sources independent of upstream where they may
have gotten away with a simple pointer to the upstream sources previously.
Apparently, there have been a couple cases where sources ceased to be
available at all after upstream ceased to provide them and downstream had
no copies, thus both the stricter wording in GPLv3 and the more active
enforcement by the FSF of the existing GPLv2 where it has copyright
standing to do so, as in the current case in the headlines, Mepis.
However, the 10-times-cost allowance in GPLv3 should more than offset the
additional responsibilities, allowing one to make it worth their while to
provide those sources.
Finally, don't forget that the GPL isn't the only license out there.
As the differences between the GPLv2 and (draft) GPLv3 illustrate,
complying with one license doesn't mean you've complied with all of them,
in terms of fulfilling your legal obligations as one who has chosen to
distribute the copyrighted works of another, FLOSS (Free/Libre and Open
Source Software) or not. It's really a big responsibility to be
distributing the works of another; significantly more so if you are
distributing the works of many, under a number of different licenses, as
is the case with any distribution or LiveCD Linux, even a small one.
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman