Note that the FSF and the SF Conservancy have already been doing this, and recommending you do this, as part of their Principles of Community-Oriented GPL Enforcement.
> Community-oriented compliance processes should extend the benefit of GPLv3-like termination, even for GPLv2-only works.
> GPLv2 terminates all copyright permissions at the moment of violation, and that termination is permanent. GPLv3's termination provision allows first-time violators automatic restoration of distribution rights when they correct the violation promptly, and gives the violator a precise list of copyright holders whose forgiveness it needs. GPLv3's collaborative spirit regarding termination reflects a commitment to and hope for future cooperation and collaboration. It's a good idea to follow this approach in compliance situations stemming from honest mistakes, even when the violations are on works under GPLv2.
> The cure rights offer additional comfort that users of GPLv2 code have reasonable assurances of quiet use of that code, even if there is a temporary license noncompliance due to ambiguity, misunderstanding or otherwise. We also believe that community adoption of these rights will reduce the opportunity for copyright trolling.
It's hard to understand the problem being solved here. While I've heard of "patent trolling" I guess I've only thought of copyright trolling in the sense of the (poorly tested) automatons who issue DMCA takedown requests for audio/video on YouTube.
I've heard about GPL enforcement but only in "good" context: copyright holders acting in good faith to get their licensees to comply with the license. Are there copyright holders engaging in abusive litigation?
And pray tell me what Oracle, Microsoft, and the friends in the BSA do if you're caught violating the terms of the license?
Do they kindly ask for an apology? Do they offer, at cost, to make their licenses good? Are they a good steward when they find license mishaps? Or, why should Free Software foundations accept this against companies making decisions to cheat all of us?
The licenses used by Oracle, Microsoft, and friends are there to protect the monetary interests of Oracle, Microsoft, and friends. So, when you are caught violating the license, they offer to make their license good, conditioned on you serving their monetary interest.
The licenses used by the FSF are there to protect the liberty of users. So, when you are caught violating the license, they offer to make their license good, conditioned on you restoring the users' liberty.
I will concede that point for one class of violators.
There are, from what I see, 2 groups of GPL (and related) license violators. The first are unintentional ones. They didn't realize, for one reason or another, the ramifications of the GPL. Or, they just don't have a license but it's on Git(Hub/Lab). These people, if it is mentioned to them, will fix it.
You have the second group, that sells corporate, closed source hardware, with closed source Linux kernel and associated GPL'ed tools. These care not for licenses, and would violate anything and everything for a nickel. They are bad actors, willing to do anything to disadvantage any suckers. Look no further than pretty much every Android phone vendor, Orange Pi, Banana Pi, and lots of others.
Intent is 90% of the law. I'm certainly willing to let the 10% drop (the action), but it's clear who is and isn't well meaning and who is a bad actor. Making a pile of money and intentionally breaking the license and copyright is usually a pretty strong indicator.
You only have 60 days to be compliant for your license to be reinstated. The ilks of Allwinner have failed to comply for years, and are outside the scope of the "GPLv2 safeguard" that's the topic here.
The problem with moral is that it's in the eye of the beholder. While legal is described very clearly on paper.
And how is it moral to be nice with immoral people?
Now I do believe it's good to let a chance to do the right thing. But if not, it must be followed by actions.
E.g.: I would add to the licence that it is illegal to give technical support or to provide a commercial service related to the product with a violated licence, for all the products with the same licence. If you can't get support for any of your Linux servers, or you can't even rent a new VPS, you'll think twice about compliance.
> Are there copyright holders engaging in abusive litigation?
Some enforcement efforts have been controversial, particularly the VMware suit and other efforts by SFConservancy. I wouldn't call them trolls, but a lot of people think they are too heavy-handed.
On the other hand, with nobody wielding a stick, there is no real incentive not to abuse free licenses - which is exactly why the GPL exists in the first place.
The SF Conservancy has always done exactly what CA/Cisco/HPE/Microsoft/SAP/SUSE are now pledging to do. It's part of their Principles of Community-Oriented GPL Enforcement.
Whether or not you think they are too heavy-handed, or think they are trolls: SF Conservancy-like behavior isn't the type of behavior being addressed here.
> McHardy has sued companies for Linux GPLv2 violations in over 38 cases. In one, he'd requested a contractual penalty of €1.8 million. The company also claimed McHardy had already received over €2 million from his actions.
> what exactly does "not heavy handed" mean
It means not permanently revoking their licence to use the code again, even once they have become compliant. It's a common complaint made about the GPLv2 which was clarified in GPLv3.
I would love to see the kernel community go after Mikrotik for license violations -- up to and including monetary damages, if they continue to refuse to comply.
The GPL is a tool to scare companies into doing the right thing and releasing their code. By committing to this we lose the ability to scare those companies. It becomes much more worthwhile to play chicken hoping no one will notice that you are using GPL code in your closed source binary.
I disagree--I firmly believe that this is a good thing.
If Foo Corp intentionally/accidentally violates the GPLv2 on software owned by CA/Cisco/HPE/Microsoft/SAP/SUSE, but decides to do the right thing/come clean and release the code...
without this (plain GPLv2): Their license to the GPLv2 was revoked, is still revoked, and are liable to each of the owners. Even if one owner reinstates the license, the others don't have to.
with this (GPLv2 with GPLv3-cure): Their license is provisionally reinstated upon coming in to compliance, and permanently reinstated 60 days later if none of the copyright holders object.
With the plain GPLv2 it was worth it to play chicken. Now, it no longer is.
Not all GPL violations are done in bad faith. So in many cases, it is better to give offenders the ability to fix the problem rather than revoking their license perpetually. Scaring is not a great tactic, if you really want more people to use open source code.
In practice, though, the GPL has mostly just managed to scare companies into using the Apache license for stuff they want to release. GPL violations are typically done by smaller actors without malice: little companies rushing products out the door, or integrators shipping stuff without a clear picture of the software license.
At this point in history I don't think free software has much to fear from a more lenient enforcement of copyleft. The real risk is that copyleft (IMHO a really great tool even absent the "scare companies" analysis) will be forgotten.
> In practice, though, the GPL has mostly just managed to scare companies into using the Apache license for stuff they want to release.
So? I see this as a good thing.
It's not like there is a shortage of BSD, MIT, Apache, et al., licensed code.
GPL code should be treated like radioactive or toxic material--you need a permit, legal approval, and you had better have a REALLY good reason. There are reasons why you might need to use it, but they should be few and very far between.
No, without this it goes to court. A court will already accept good faith arguments, but absent any good faith clause the court gets to decide what that means. By having a good faith clause the license can control better what happens when the court would determine good faith applies.
"The right thing to do" from a programmer's perspective is to never use any dependency which uses anything with *GPL as its license if they can use something else instead. Sometimes, the only viable option is licensed under one of these licenses and then you have to look very carefully and probably involve legal support, but for all the other cases life gets far easier if you just don't use such dependencies and take something with a less restrictive license.
Sometimes you pay them with dollars. Sometimes you pay them by open-sourcing your own code. Sometimes you pay them by acknowledging their contributions. And sometimes you pay them by fixing the bugs.
Not knowing how you are going to pay for someone else's code before you use it is ridiculous, and refusing to pay for it in the manner that they have indicated is acceptable is reprehensible.
The only companies that can follow a policy of license purity and waste money rewriting code are those companies that live in markets with very little competition. The more harsh the competition is, the more agile the company needs to be in reducing cost and using any free code that helps create the product while keeping to your core business model.
For example, game developers will use any code that doesn't conflict with the model of selling copies under exclusive rights. Blizzard Entertainment, which is currently one of the largest game developer studios in the world, has used everything from LGPLv3 to custom permission granted by free software developers. Having a lawyer read a standard license and evaluate if it can be used is much cheaper than pushing the release date on a game a few months further, not counting the additional cost of having to write your own XML parser, HTML, JavaScript, fonts, or what have you. It's also the reason why game studios are willing to pay a lot of money for third-party libraries with extensively custom written restrictive licenses. So long as it fits the business model, and it saves money and time, then using it is a competitive advantage in an industry that is heavily oversaturated.
The right thing to do is to just make the source available when the license requires you to do so. It's not that hard. If in doubt, just make it available.
It's hard if you licensed some of the code elsewhere and boundaries are unclear (and then ignore all the fallout from publishing - others can't use it and will call support, security researchers might find bugs, ...).
If more code would be shared it would be a better world, but the way is not simple. Respecting licenses of course is a requirement.
AGPL is obviously even stricter than the GPL, but I don't see the problem with LGPL in libraries? Worst case you end up making some improvements to the library that are applicable outside your application and have to publish the source for your changes to the library, but that seems only fair. In the vast majority of cases you don't modify library code, leaving you with no obligation.
You might run the risk of somebody copy-pasting code from a LGPL library into your production system, but I don't think that risk is greater than the risk of them copy-pasting from the first Google result without checking the license.
https://www.fsf.org/licensing/enforcement-principles