Gentoo Archives: gentoo-dev

From: Duncan <1i5t5.duncan@×××.net>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: Re: GPL and Source code providing
Date: Wed, 28 Jun 2006 19:47:25
Message-Id: e7ultt$e9n$
In Reply to: Re: [gentoo-dev] Re: GPL and Source code providing by Mivz
Mivz <mivz@×××××××××××××.net> posted 44A2A093.8060205@×××××××××××××.net,
excerpted below, on  Wed, 28 Jun 2006 17:30:27 +0200:

> Wiktor Wandachowicz wrote:
>> I mean, if someone is able to create its own web page and put a binary
>> download(s) of its work, then how hard is it to comply with the GPL
>> license and just put some more links to the source code?
>> It's like the (old?/new?) Decalogue: "You shall not steal".
>>
>
> But if your modification is on top of the Gentoo system and you build
> your own Live cd, like Kororaa, do you have to provide all the sources
> of all the programs on the live cd?

IANAL but from what I've read (and my read of the GPL v2 anyway), the simplest way to think of it is that if you distribute binaries, you must be able to provide source for them. If you aren't providing the binaries, you don't have to worry about source. That means with a LiveCD, presumably including at least a significant handful of binaries, you'll have to provide source for at least those binaries, not just what you may have modified. (This is in agreement with the FSF and what Ciaran says below, tho it conflicts with Chris G's statement on the subject.)

The reason you have to provide source for other than your own work is so that the end-user is guaranteed his four freedoms rights to use, examine, modify, and distribute the programs you provided, even if /your/ upstream goes away. IOW, you wouldn't be released from the responsibility of providing sources just because Gentoo disappeared, so to ensure that you can do so, you must make your own arrangements to provide the sources for any GPLed binaries you distributed.

The section of the GPL (v2) that deals with this is section 3 (section 6 of the GPL v3 draft, which is similar but specifies in a bit more detail the responsibilities of downstream redistributors).

There are three clauses, any of which will fulfill your obligations as a distributor under the GPL:

<quote>

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

</quote>

A couple things to note about those clauses:

1) Clause B's 3-year minimum doesn't apply to clause A. Many downstream distributors prefer it for this reason -- their obligation to provide source for any particular version disappears when they quit distributing the binaries created from it, no having to keep it around for three more years.

2) Clause C depends on your upstream using clause B. Since most major distributions now use clause A, and are thus not subject to the three-year minimum, it's quite possible their sources will no longer be available for the period you are redistributing. (This is certainly true for Gentoo, AFAIK, where the source mirrors aren't likely to be carrying the sources much past the point when the ebuild is no longer in the Gentoo tree. Also note that to provide proper sources for a Gentoo based binary, you'd have to provide any Gentoo patches as well, so simply relying on the sources mirrors won't suffice!)

That said, it's not really the big deal that it's being made out to be, for a couple reasons:

1) The BIG reason -- The GPL is based on and draws its authority from copyright law. End users have no way to enforce their demands for source, no matter /what/ the GPL says -- ONLY the holders of the copyrights on the original programs do. If all you do is make a couple copies for your friends and relatives (Grandma), and they don't care about sources, no problem! Even if you distribute publicly, unless a copyright holder demands that you honor the GPL, there isn't much anyone else can do. It's the copyright holder's program, not the end user's program. Do note however that in many cases, the kernel being a huge example, there may be many copyright holders, any of which can demand action.

The reason the current story is making news is that apparently, the Mepis author has a history of not being very forthcoming with sources where the GPL requires they be available, and more importantly, the FSF, owner of the copyrights of much of the core GNU/Linux software (anything with GNU in the name, AFAIK, so the GNU Coreutils and GCC aka GNU Compiler Collection, among others, plus glibc, the g for GNU, without which virtually anything Linux would work, altho it's LGPL not GPL), is the one making the request, and they very much DO have the legal authority to demand the guy comply with the GPL on the stuff of theirs he distributes.

2) Keeping straight with the GPL isn't actually that bad anyway. That's ESPECIALLY the case with Gentoo based binaries, since they are normally built from sources all the way out at the user machine, so you, being that user, already HAVE those sources -- all you have to do is manage them. Where a user of a binary-based distribution would have to specifically go to the trouble of collecting the sources for stuff they don't modify, as a separate task from collecting the binaries, Gentoo users will normally already have those sources close at hand.

Even discounting clause C above (which again isn't of much use unless your upstream uses clause B, Gentoo doesn't, nor do most major distributions), it's still relatively easy to supply sources in compliance with the GPL. The biggest choice you have to make is whether you want to supply only those who ask, therefore far fewer, but have to do it for three full years (clause B) or whether that three years is a worse problem than just making sure you have both available at the same time and in a similar way (clause A).

For clause A, if you are already supplying the binaries (a LiveCD say), just supply a way to get the sources at the same time if desired. Online, this means putting a link to the sources right next to the link to the LiveCD ISO or other binaries. At a conference, it can be having your laptop with the sources with you, and a sign instructing those who want sources to ask, you'll be happy to burn a CD for them right there, for a couple bucks or whatever. (The physical cost. For a couple bucks I doubt many will quibble, but while I've seen several say labor can be included, I'm not sure on that, so best to check before you try it.) The important thing to note here is that because you are offering the two at the same time, clause A, the 3-year minimum of clause B doesn't apply so you don't have to worry about sources as soon as you quit offering the binaries.

For clause B, many people simply tarball their sources at the same time they create their binaries, then file them away in case they get a request. The LiveCD should then include a README or the like with your email and/or snail-mail address, and instructions to contact you for the sources, which you will be happy to provide upon request and submission of the fee if you decide to charge one.
If you charge even a small fee (say $5), covering your physical costs including postage and media (again, I'm not sure if reasonable labor is allowed, I think it is but don't know), that will discourage most, while fulfilling the GPL for those that do have a want/need for the sources.

Note that use of a VCS, which many distributing anything modified will be using already, should make managing a request for sources for a 2-year-11-month-29-day old release almost as easy as managing a request for current sources. As you are allowed to charge a fee based on what it costs you, and with a fee discouraging those who don't have a good need for it, it shouldn't be a big problem, provided only that you've properly managed the sources at the time of the release in the first place, which is only good practice anyway, the better to trace and solve bugs and the like. With clause B, complying with the GPL requires that you honor source requests for three years, but with an appropriate fee and proper release time source management, it won't be overwhelming.

Now, tying up a couple loose ends...

One solution that has been suggested for small distributors is that they team up for providing sources. There's nothing saying you can't subcontract out your responsibility to provide sources, and it's a reasonable solution. In fact, that seems it could be a bit of a business opportunity, providing that service. Distributors could be charged a small annual fee for service maintenance, plus bandwidth charges, similar to how web or other server hosting solutions work.

As mentioned, the GPL v3 draft is similar but somewhat different in the details. AFAIK, it now allows a fee up to 10 times the physical cost of provision of the source, rather than the strictly at-cost requirement of v2. If labor is included, that could easily reach $1000, which would certainly discourage the trivial requests.
OTOH, the draft GPLv3 is somewhat stricter on the responsibilities of downstream redistributors, requiring them to provide sources independent of upstream where they may have gotten away with a simple pointer to the upstream sources previously. Apparently, there have been a couple cases where sources ceased to be available at all after upstream ceased to provide them and downstream had no copies, thus both the stricter wording in GPLv3 and the more active enforcement by the FSF of the existing GPLv2 where it has copyright standing to do so, as in the current case in the headlines, Mepis. However, the 10-times-cost allowance in GPLv3 should more than offset the additional responsibilities, allowing one to make it worth their while to provide those sources.

Finally, don't forget that the GPL isn't the only license out there. As the differences between the GPLv2 and (draft) GPLv3 illustrate, complying with one license doesn't mean you've complied with all of them, in terms of fulfilling your legal obligations as one who has chosen to distribute the copyrighted works of another, FLOSS (Free/Libre and Open Source Software) or not. It's really a big responsibility to be distributing the works of another; significantly more so if you are distributing the works of many, under a number of different licenses, as is the case with any distribution or LiveCD Linux, even a small one.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

--
gentoo-dev@g.o mailing list