Gentoo Archives: gentoo-dev

From: Duncan <1i5t5.duncan@×××.net>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: Re: GPL and Source code providing
Date: Wed, 28 Jun 2006 19:47:25
Message-Id: e7ultt$e9n$1@sea.gmane.org
In Reply to: Re: [gentoo-dev] Re: GPL and Source code providing by Mivz
1 Mivz <mivz@×××××××××××××.net> posted 44A2A093.8060205@×××××××××××××.net,
2 excerpted below, on Wed, 28 Jun 2006 17:30:27 +0200:
3
4 > Wiktor Wandachowicz wrote:
5 >> I mean, if someone is able to create its own web page and put a binary
6 >> download(s) of its work, then how hard is it to comply with the GPL
7 >> license and just put some more links to the source code?
8 >> It's like the (old?/new?) Decalogue: "You shall not steal".
9 >>
10 >
11 > But if your modification is on top of the Gentoo system and your build
12 > your own Live cd, like Kororaa, do you have to provide all the sources
13 > of all the program's on the live cd?
14
15 IANAL but from what I've read (and my read of the GPL v2 anyway), the
16 simplest way to think of it is that if you distribute binaries, you must
17 be able to provide source for them. If you aren't providing the binaries,
18 you don't have to worry about source.
19
20 That means with a LiveCD, presumably including at least a significant
21 handful of binaries, you'll have to provide source for at least those
22 binaries, not just what you may have modified. (This is in agreement with
23 the FSF and what Ciaran says below, tho it conflicts with Chris G's
24 statement on the subject.) The reason you have to provide source for
25 other than your own work is so that the end-user is guaranteed his four
26 freedoms rights to use, examine, modify, and distribute the programs you
27 provided, even if /your/ upstream goes away. IOW, you wouldn't be
28 released from the responsibility of providing sources just because Gentoo
29 disappeared, so to ensure that you can do so, you must make your own
30 arrangements to provide the sources for any GPLed binaries you distributed.
31
32 The section of the GPL (v2) that deals with this section 3 (section 6 of
33 the GPL v3 draft, which is similar but specifies in a bit more detail the
34 responsibilities of downstream redistributors). There are three clauses,
35 any of which will fulfill your obligations as a distributor under the GPL:
36
37 <quote>
38
39 a) Accompany it with the complete corresponding machine-readable
40 source code, which must be distributed under the terms of Sections
41 1 and 2 above on a medium customarily used for software interchange; or,
42
43 b) Accompany it with a written offer, valid for at least three
44 years, to give any third party, for a charge no more than your
45 cost of physically performing source distribution, a complete
46 machine-readable copy of the corresponding source code, to be
47 distributed under the terms of Sections 1 and 2 above on a medium
48 customarily used for software interchange; or,
49
50 c) Accompany it with the information you received as to the offer
51 to distribute corresponding source code. (This alternative is
52 allowed only for noncommercial distribution and only if you
53 received the program in object code or executable form with such
54 an offer, in accord with Subsection b above.)
55
56 </quote>
57
58 A couple things to note about those clauses:
59
60 1) Clause B's 3-year minimum doesn't apply to clause A. Many downstream
61 distributors prefer it for this reason -- their obligation to provide
62 source for any particular version disappears when they quit distributing
63 the binaries created from it, no having to keep it around for three more
64 years.
65
66 2) Clause C depends on your upstream using clause B. Since most major
67 distributions now use clause A, and are thus not subject to the three-year
68 minimum, it's quite possible their sources will no longer be available
69 for the period you are redistributing. (This is certainly true for
70 Gentoo, AFAIK, where the source mirrors aren't likely to be carrying the
71 sources much past the point when the ebuild is no longer in the Gentoo
72 tree. Also note that to provide proper sources for a Gentoo based binary,
73 you'd have to provide any Gentoo patches as well, so simply relying on the
74 sources mirrors won't suffice!)
75
76 That said, it's not really the big deal that it's being made out to be,
77 for a couple reasons:
78
79 1) The BIG reason -- The GPL is based and draws its authority from
80 copyright law. End users have no way to enforce their demands for source,
81 no matter /what/ the GPL says -- ONLY the holders of the copyrights on the
82 original programs do. If all you do is make a couple copies for your
83 friends and relatives (Grandma), and they don't care about sources, no
84 problem! Even if you distribute publicly, unless a copyright holder
85 demands that you honor the GPL, there isn't much anyone else can do.
86 It's the copyright holder's program, not the end user's program.
87
88 Do note however that in many cases, the kernel being a huge example, there
89 may be many copyright holders, any of which can demand action.
90
91 The reason the current story is making news is that apparently, the Mepis
92 author has a history of not being very forthcoming with sources where the
93 GPL requires they be available, and more importantly, the FSF, owner of
94 the copyrights of much of the core GNU/Linux software (anything with GNU
95 in the name, AFAIK, so the GNU Coreutils and GCC aka GNU Compiler
96 Collection, among others, plus glibc, the g for GNU, without which
97 virtually anything Linux would work, altho it's LGPL not GPL), is the one
98 making the request, and they very much DO have the legal authority to
99 demand the guy comply with the GPL on the stuff of theirs he distributes.
100
101 2) Keeping straight with the GPL isn't actually that bad anyway. That's
102 ESPECIALLY the case with Gentoo based binaries, since they are normally
103 built from sources all the way out at the user machine, so you, being that
104 user, already HAVE those sources -- all you have to do is manage them.
105 Where a user of a binary-based distribution would have to specifically go
106 to the trouble of collecting the sources for stuff they don't modify, as a
107 separate task from collecting the binaries, Gentoo users will normally
108 already have those sources close at hand.
109
110 Even discounting clause C above (which again isn't of much use unless
111 your upstream uses clause B, Gentoo doesn't, nor do most major
112 distributions), it's still relatively easy to supply sources in compliance
113 with the GPL. The biggest choice you have to make is whether you want to
114 supply only those who ask, therefore far fewer, but have to do it for
115 three full years (clause B) or whether that three years is a worse problem
116 than just making sure you have both available at the same time and in a
117 similar way (clause A).
118
119 For clause A, if you are already supplying the binaries (a LiveCD say),
120 just supply a way to get the sources at the same time if desired. Online,
121 this means putting a link to the sources right next to the link to the
122 LiveCD ISO or other binaries. At a conference, it can be having your
123 laptop with the sources with you, and a sign instructing those who want
124 sources to ask, you'll be happy to burn a CD for them right there, for a
125 couple bucks or whatever. (The physical cost. For a couple bucks I doubt
126 many will quibble, but while I've seen several say labor can be included,
127 I'm not sure on that, so best to check before you try it.) The important
128 thing to note here is that because you are offering the two at the same
129 time, clause A, the 3-year minimum of clause B doesn't apply so you don't
130 have to worry about sources as soon as you quit offering the binaries.
131
132 For clause B, many people simply tarball their sources at the same time
133 they create their binaries, then file them away in case they get a
134 request. The LiveCD should then include a README or the like with your
135 email and/or snail-mail address, and instructions to contact you for the
136 sources, which you will be happy to provide upon request and submission of
137 the fee if you decide to charge one. If you charge even a small fee (say
138 $5), covering your physical costs including postage and media (again, I'm
139 not sure if reasonable labor is allowed, I think it is but don't know),
140 that will discourage most, while fulfilling the GPL for those that do have
141 a want/need for the sources. Note that use of a VCS, which many
142 distributing anything modified will be using already, should make managing
143 a request for sources for a 2-year-11-month-29-day old release almost as
144 easy as managing a request for current sources. As you are allowed to
145 charge a fee based on what it costs you, and with a fee discouraging those
146 who don't have a good need for it, it shouldn't be a big problem, provided
147 only that you've properly managed the sources at the time of the release
148 in the first place, which is only good practice anyway, the better to
149 trace and solve bugs and the like. With clause B, complying with the GPL
150 requires that you honor source requests for three years, but with an
151 appropriate fee and proper release time source management, it won't be
152 overwhelming.
153
154 Now, tying up a couple loose ends...
155
156 One solution that has been suggested for small distributors is that they
157 team up for providing sources. There's nothing saying you can't
158 subcontract out your responsibility to provide sources, and it's a
159 reasonable solution. In fact, that seems it could be a bit of a business
160 opportunity, providing that service. Distributors could be charged a
161 small annual fee for service maintenance, plus bandwidth charges, similar
162 to how web or other server hosting solutions work.
163
164 As mentioned, the GPL v3 draft is similar but somewhat different in the
165 details. AFAIK, it now allows a fee up to 10 times the physical cost of
166 provision of the source, rather than the strictly at-cost requirement of
167 v2. If labor is included, that could easily reach $1000, which would
168 certainly discourage the trivial requests. OTOH, the draft GPLv3 is
169 somewhat stricter on the responsibilities of downstream redistributors,
170 requiring them to provide sources independent of upstream where they may
171 have gotten away with a simple pointer to the upstream sources previously.
172 Apparently, there have been a couple cases where sources ceased to be
173 available at all after upstream ceased to provide them and downstream had
174 no copies, thus both the stricter wording in GPLv3 and the more active
175 enforcement by the FSF of the existing GPLv2 where it has copyright
176 standing to do so, as in the current case in the headlines, Mepis.
177 However, the 10-times-cost allowance in GPLv3 should more than offset the
178 additional responsibilities, allowing one to make it worth their while to
179 provide those sources.
180
181 Finally, don't forget that the GPL isn't the only license out there.
182 As the differences between the GPLv2 and (draft) GPLv3 illustrate,
183 complying with one license doesn't mean you've complied with all of them,
184 in terms of fulfilling your legal obligations as one who has chosen to
185 distribute the copyrighted works of another, FLOSS (Free/Libra and Open
186 Source Software) or not. It's really a big responsibility to be
187 distributing the works of another; significantly more so if you are
188 distributing the works of many, under a number of different licenses, as
189 is the case with any distribution or LiveCD Linux, even a small one.
190
191 --
192 Duncan - List replies preferred. No HTML msgs.
193 "Every nonfree program has a lord, a master --
194 and if you use the program, he is your master." Richard Stallman
195
196 --
197 gentoo-dev@g.o mailing list