[ This email is ridiculously long. Much of it is just anecdotal info
about my meta-experiences in the software industry over the years as
they relate to GPL enforcement. I doubt you'll want to read it unless
you're really interested in the complicated politics of community GPL
enforcement, given from a non-profit advocate's perspective. And,
much of this stuff below are things I've already said in my various
public talks on the subject. ]
>> Robinson Tryon wrote on Thursday, 17 April:
>>> in the general case, I hope that employers would not be able to
>>> quash an employee's personal, non-work-time hobby of GPL
>>> enforcement.
> On Wed, Apr 23, 2014 at 6:18 AM, Bradley M. Kuhn <bk...@ebb.org> wrote:
>> I wish that were true as well, but it's merely a wish, sadly.
Robinson Tryon wrote at 16:51 (EDT) on Thursday:
> I don't recall hearing the head of BigWig Technologies, Inc. stand up
> and call you or Conservancy out on being akin to a patent troll.
Oh, no, executives at BigWig are *much* more politically savvy than
that. They send proxies to fight GPL enforcement: if you see people who
have 'street cred' in the Free Software community criticizing my
enforcement efforts (as happens in the media from time to time, like
back in early 2012), you should "follow the money" and see where it
leads you. (I really wish we had true investigative journalists in the
tech industry who would dig this stuff out independently.)
> If all of this is happening quietly in back alleys, then perhaps
> someone should help you shine some light back there, so we can let the
> rats scurry back to the subway tunnels and let you do your thing.
Indeed, they use plenty of private intimidation tactics, of both the
carrot and the stick variety. Below are a few anecdotes. Of course,
since it is "back alley", as you point out, you have to take my word
that these things below happened. I'm sure that the people involved
would deny it and/or avoid the question if asked, which is the main
reason I don't name names.
For example, an executive at a well-known corporation that contributes
to Linux and other Free Software projects once tried to convince me that
his company would give huge amounts of money to Conservancy if
Conservancy stopped stop doing GPL enforcement entirely. Other
mid-level managers followed up later with the same message.
Later, a different executive from a different company, which has
invested millions in Linux and Linux-related products, told me privately
that his company would "just stop its work in Linux, Samba and BusyBox
if you don't stop this GPL enforcement" (which would've been comical if
he hadn't seemed dead serious -- it seemed he really thought I was naïve
enough to believe that might be true). I told him that I found that
impossible to believe, and that he flattered the few GPL enforcers in
the world if he was saying our behavior alone could change his company's
major business plans. That executive ended the conversation by telling
me that if we were "doing any GPL enforcement against [his] competitors,
get in touch, because [he] could help". (There is some hypocrisy in
these positions, as you can see.) This executive also said during the
same conversation that that his "lawyers have researched the question
and found that you cannot ever enforce the GPL without 100% of the
copyright". Of course, we'd already gotten multiple judicial decisions
in BusyBox cases that show he's just wrong about that. :) He was just
trying to see if he could scare me.
I've also been blackballed from attending some conferences and
participating in some industry groups occasionally, where the only
legitimate reason that can be found upon investigation is that some of
the event/group sponsors are against GPL enforcement. (The publicly
stated reasons are usually Kafkaesque, that can clearly be shown as a
double-standard when comparing me to other invited participants.)
There have also been plenty of attacks on my character, both public and
private. Political opponents of GPL enforcement make a lot of hay of
the fact that I'm not a tactful politician and I have no qualms about
frankly speaking truth to power. I'm admittedly kinda the Michael Moore
of Free Software. But, political opponents use this as a way to
discredit me and conflate me personally with the broader work of
non-profit GPL enforcement -- since I'm the most known for it -- yet
it's not me excursively doing it.
Finally, at previous employers, I've actually been told by my managers
that they were under serious pressure from their funders to stop my GPL
enforcement work. I have fewer details on this part because I was only
told that second-hand and thus my repeating it is double-hearsay, but it
was clear to me that the managers in the situation believed it to be
true and they made substantial policy changes based on the information.
Now, I want to be abundantly clear on something I said before: this is
*not* a conspiracy. All the actors involved have their own reasons
(some of which overlap) for opposing GPL enforcement. But, I've
discovered that claims that community-oriented GPL enforcement [0] is
"controversial" -- which is a widely held political belief -- can be
traced back to a relatively few powerful people inside a few large
companies, who convince others -- some of whom are otherwise considered
software freedom heroes -- to spread a FUD message about GPL
enforcement. It's just a long-standing perfect storm scenario. I've
struggled for the last 12 years to fight the FUD, but these powerful
people are frankly better politicians than I am.
> set up as for-profit companies, your current activities as a
> GPL-wielding, copyleft enforcer are of lesser importance to them than
> your ability to perform a role they need to fill so that they, in
> turn, can fill their coffers.
Indeed, I can imagine being offered some cushy job *specifically* as a
way of getting me to stop doing GPL enforcement. The reason no one
offers me that is because they know I won't take it. :) (cf: the scene
in *It's a Wonderful Life* where Potter offers George Bailey a job. ;)
>> Actually, I think most of the major Linux companies prefer to pretend
>> Linux is LGPL'd. They're fine with upstreaming core subsystem stuff,
>> but they believe anything that isn't a core subsystem should be
>> proprietary if they want it to be.
> Any idea why the general consensus is to draw the line there? Just
> convenient to their business model, ala open-core?
It's all about the proprietary kernel modules. There's a lot of
powerful forces that want to keep modules proprietary, even though the
GPL prohibits that. If upstream Linux were LGPL'd (or de-facto treated
as if it were), well, then proprietary modules would be permitted.
Fortunately, Linux is not LGPL'd, but GPL'd -- however, if we don't
enforce, as I've said before, an unenforced GPL is the functional
equivalent of the Apache License.
... which brings me to another example of a dirty political trick a law
firm lawyer (formerly counsel to a Linux-related company) pulled on me
not too long ago: misquoting me on purpose on that statement above,
claiming that I said: "if copyright holders fail to enforce the GPL, the
copyright holders are giving you permissions equivalent of the Apache
license". Obviously, I never said that. The truth doesn't matter to
these people. :)
> Given that you're actively working on compliance, are these companies
> just hoping that you'll be too busy to get to them, or what?
I mean, after all, I *am* too busy to get to most GPL violations, and
Harald and Armijn for their part have retired from community GPL
enforcement work. There are hundreds of active violations, and I work
on 20-30 a year. I think FSF has similar numbers.
> Re: losing customers, GPL compliance seems pretty simple to me, but I
> can see how it's a scary place for newcomers.
Nah, that's the "old story" of GPL compliance issues -- what I was
saying in talks 3-5 years ago. The real story now is that savvy
violators are testing the boundaries of copyleft and have become brazen.
I get a lot of: "You think that's what the GPL requires? Fine, sue
us."-like responses (even on simply stuff like "you have to respond to
requests for source"). I'm amazed at this, because both Harald and I
*have* coordinated lawsuits before and can do so again. :) It should be
clear to everyone that "you might get sued unless you comply" is not a
bluff. But they still think it's a bluff, and they're starting to call
more often. I used to be a professional poker player, so I know what to
do when you get called too often: show up with a hand in the next really
big pot.
> Perhaps if we can provide more information about how to get into
> compliance and stay in compliance (including some kind of
> stupidly-simple guide for companies to pass-on to their downstream
> distributors), we might calm their irrational fears.
Yes, I think this work is still worth doing. That's why I want to
improve that book I mentioned elsewhere in this thread.
> IIRC you were going after the low-hanging fruit in years past. I guess
> at some point you find yourself picking higher up the tree :-)
Yes, the low-hanging fruit isn't cutting it. When I focused on low
hanging fruit, I got more "volume" of compliance, sure, but the problem
is the truly bad actors laughed their way to the bank by willfully
violating the GPL in nasty ways. I'm convinced now we have to mix
enforcement between some low-hanging fruit of "the clueless violators"
while also going after some of these companies who just get away with
major violations for very long periods of time because they have the
money to fund big law firm lawyers to fight copyleft.
> Is it legal for the employer to interfere in that way? (not to
> suggest that the interactions between employe(-es and -rs) always
> follows the law)
The general rule of thumb in the USA is that you can contract away any
right or privileged that isn't specifically prohibited from contracting
away by some state/Commonwealth or federal law. The USA is a scary
place, legally speaking. :)
But, I suspect that employers are not asking developers to contract away
their right to enforce their own copyrights on key Free Software
programs. I think what's actually happening is a chilling effect: if
you know your bosses hate GPL enforcement and you generally like your
job, won't you avoid enforcing the GPL?
> Based on my experience, for those who are full employees of a company,
> the copyright relationship is such that copyright is usually retained
> by the employer. Free-lancers often negotiate copyright terms on a
> case-by-case basis, with retention of copyright by the author being
> more common with graphic artists than with programmers.
Indeed, what employers *do* typically take (in part because it's the
default situation in the USA) is Free Software contributions that are
"work for hire", and thus copyrighted by the employer, not the employee.
Employees can and should insist on an explicit exception to this in
their contracts. A few Free Software-friendly employers have been good
about granting such exceptions upon request (at least for major Free
Software contributors who have a history of contribution before their
hire). No company is likely to offer this as an option on a menu;
employees must insist on it.
> If we want more Linux kernel devs to retain their own copyright, we
> might want to encourage that behavior across the industry as a whole.
I agree, we should do that. I certainly try, but as I've explained,
I've got a lot of people working hard to convince developers not to
listen to me. :)
>> Individuals need to be the largest single copyright holder in Linux
>> for a good, secure future of Linux.
> I think that's a laudable goal, but one that needs to be followed-up
> with concrete plans to make it actually happen.
Ideally, this would be a joint campaign from multiple orgs. I've just
asked the folks at OSI, Conservancy and FSF whom I know if they'd be
willing to work on this.
> Aside from just the warm fuzzies that a dev gets from knowing that her
> contributions to the kernel stopped a GPL violation, what other
> benefits should we tout to devs we hope will espouse these views and
> join your merry band of GPL enforcers?
I try to make the case that it's about the users. Most of the time, I
admit fully the CCS releases we get don't have ready-to-upstream code in
them. Some detractors have argued that GPL enforcement is *never*
worthwhile if it doesn't produce ready-to-upstream code. However, I
think we get something much more important: "scripts used to control
compilation and installation of the executable" and all the sources
needed to actually get software for the device in question built and
installed. This type of CCS release gained through enforcement actions
have created communities like OpenWRT and sammyGo. If we had more
leverage to enforce (i.e., more copyright holding developers involved),
we can help create more of these great outcomes.
> Is it effective to point out that we need their help to deliver on the
> GPL's promise of user freedoms?
I hope so. I've heard a few developers say they just don't care about
these communities who build modified firmwares. For example, one Linux
developer who opposes GPL enforcement told me: "I only care about the .c
file". But, I think that's a minority opinion: I suspect most
copyright-holding developers can see that helping out their users to
make modified firmwares for embedded devices is a good thing.
(Heck, if the violating companies weren't so short sighted, they'd see
it's a good thing for them too. A hackable firmware makes a lot better
product because there is diversity of interest from different types of
customers. But, even Linksys never saw that value: the WRT54G,
precisely because of Harald's and my enforcement action, ended up
selling a *lot* more units than it would have if we'd not enforced and
gotten a buildable and installable source release that launched the
OpenWRT project.)
[0] By community-oriented GPL enforcement, I mean the specific type of
enforcement that FSF and Conservancy does: which focuses exclusively
on getting compliance and merely recovering reasonable staff-time
costs for achieving that compliance from the violator. Ironically,
GPL enforcement of other types, such as (a) using GPL as a ploy
counter-claim in patent infringement suits, or (b) Oracle-style
MySQL violation shake-downs, seems to be the darling of the Open
Source industry. Not surprisingly, I have long called that that
type of enforcement "corrupt use of the GPL", mainly because the
enforcers in those cases don't actually seek compliance -- they seek
a deal on some other issue (such as making a patent suit go away, or
selling a proprietary license), and are using enforcement merely as
unrelated leverage. In those cases, compliance is almost never
achieved, and the "other, more important, business outcome" is
reached instead.
By contrast, in the case of community-oriented GPL enforcement,
there is no other goal higher than compliance, and as such nothing
else will be accepted in exchange for failure to comply: financial
or otherwise. This is an important concept, because unless one's
motives are completely pure in this regard to gain compliance, it's
very easy to become corrupt. This is why I try to be as transparent
as possible at how I pick GPL violation matters to work on and what
the demands are (the book I've been talking about covers this part).
It's in fact the primary reason why I've been participating on this
list more in recent months: to increase transparency.
--
-- bkuhn
