so-called "Common Cure" provision, GPL enforcement within Debian, Patrick McHardy's enforcement, etc. (was Re: Do we need embargoes for GPL compliance issues?)

2018-09-19 Thread Bradley M. Kuhn
I realize that the conversation has petered out a bit on this debian-project
thread, but I wanted to add a few details because Conservancy was mentioned,
and also let those interested know there is another place where discussion
can continue that might be of interest (see below):

Florian wrote:
> I'm asking because even with the GPLv3 or the Common Cure
> , the 30-day period seems awfully
> short. 

TL;DR: I agree that the "Common Cure" is of very limited benefit. 

In my experience, it takes much longer for even savvy companies to remedy
their copyleft noncompliance.  Have a look at the Principles
, which
Software Freedom Conservancy wrote together with the FSF to codify the ways
we think that ideologically motivated GPL enforcement should look.  The
so-called "Common Cure" idea is just one of those principles (and a minor
one at that).  It's hard to imagine that it will be effective when isolated
from the whole enforcement strategy.

I am indeed worried that (presumably inadvertently) those promoting the
"Common Cure" are indicating that it's some sort of panacea to compliance
issues.  There is no panacea; diligent, careful, hard-working,
friendly-but-firm and well-funded GPL enforcement is the only solution.

Ian Jackson wrote:
>> I think it was entirely wrong of the Conservancy's Linux GPL
>> enforcement project to go along with the idea of promising to give
>> violators a GPLv3-style termination clause.

As Ben explained, Conservancy didn't "go along with the idea", we were the
ones who proposed it, when Conservancy and FSF co-published the Principles.

However, we meant the Principles to be a unit that worked together -- not a
menu to pick from.  The "Common Cure" picks the mint from the tray at the
end of the meal and ignores the meal.  While we enjoy the mint as much as
anyone, we encourage everyone to first eat a full meal. :)

> Do you think Debian should welcome embargoes for GPL compliance
> issues? 

If embargoes include "not going public about the matter until private
negotiation has become fruitless", I think Debian could benefit from doing
that.  (That's another one of the Principles, in fact.)

I do understand and somewhat agree with the points many have made about how
it's often easier to report publicly first.  However, I think that primarily
only applies to intra-Debian minor violations (e.g., errors in packaging
yielding incomplete sources).  If some third party violates on Debian's
copyrights in a downstream product, I think it's much better to give them
some time to resolve it privately.  GPL violations are embarrassing, and we
don't want to unduly publicly embarrass someone who makes an honest mistake
and fixes it quickly.

BTW, Conservancy would definitely welcome a discussion on the
principles-discuss mailing list about GPL enforcement strategies.  That list
is ,
and I've decided to boldly cross-post my email here to the
principles-discuss list "just in case" folks want to continue this thread
there, as it's the perfect place to discuss that issue with a broader
community beyond Debian.

Finally, I should note that Conservancy currently does GPL enforcement work
on behalf of many Debian copyright holders (and holds copyrights ourselves that
developers have assigned to us).  You can join that coalition if you like,
by contacting . (Note that these
agreements are *not* legal representation agreements of any kind, but
enforcement cooperation agreements.)  (BTW, this was announced at DebConf
2015 for those who didn't know about it, See
)

Finally, quoting Phil Hands' post on Monday:

>>> As I understand it (IANAL), the troll in question is using a wrinkle of
>>> German law to send out paperwork that has a rather short time-limit to
>>> respond, which railroads the victim into signing something, after which
>>> that can be used as leverage in a second complaint to extract money from
>>> the victim.

As always, IA also NAL, TINLA, etc.

But, first of all, I think naming Patrick McHardy (rather than saying person
"in question") is better.  The situation with Patrick has been grossly
exaggerated, and by not avoiding his name, it can inadvertently give an
ominous air to the whole thing.  (As Dumbledore said, "Fear of a name
increases fear of the thing itself". ;).  I'm well connected to the
backchannels of enforcement (obviously), and while Patrick refuses to talk
to me (I've tried really hard to convince him to talk with me again, see

), I do hear from others about what he's up to, and AFAICT, he's up to very
little now.

I also don't think his activities are peculiar to German law (other than
perhaps that it's cheaper to file an initial lawsuit in Germany than
elsewhere).  Patrick's primary 

Re: Do we need embargoes for GPL compliance issues?

2018-09-17 Thread Philip Hands
Ian Jackson  writes:

> Ben Hutchings writes ("Re: Do we need embargoes for GPL compliance issues?"):
>> As you may know, an individual copyright holder in the Linux kernel is
>> understood to have successfully sued various infringing companies
>
> Bet you a dime to a dollar that these same infringing companies are
> vigorously opposed to GPLv3 with its much more reasonable termination
> clause.  (In GPLv2 your licence is automatically terminated as soon as
> you violate.)
>
> I have no sympathy for them at all.  Hoist by their own petard.  Don't
> want our bugfixes to the licence ?  Fine, keep the bugs you care about
> too.
>
> I don't think Debian is at significant risk even from the trollish
> people being discussed here.

As I understand it (IANAL), the troll in question is using a wrinkle of
German law to send out paperwork that has a rather short time-limit to
respond, which railroads the victim into signing something, after which
that can be used as leverage in a second complaint to extract money from
the victim.

There is not much chance of Debian getting our act together inside the
deadline and signing something, even if we wanted to, which makes us
pretty-much immune to this attack.

The alternative route is to defend the case immediately.  When that
happened recently and a judge took a look at it, the troll's case went
really rather badly.

I'd guess that any slightly clued up troll is going to see that Debian
is a terrible target to choose.  We're not going to take the easy route
of simply signing something to make the case go away.  We're likely to
get lawyers willing to act for us for free.  We definitely don't make
any money out of any violation we might be accused of, so calculating
damages is going to be hopeless.  The troll will get their clever little
scheme rather more publicity than they'd prefer, which will make it that
much harder to do it to the next victim.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/  http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,   GERMANY




Re: Do we need embargoes for GPL compliance issues?

2018-09-17 Thread Ian Jackson
Ben Hutchings writes ("Re: Do we need embargoes for GPL compliance issues?"):
> As you may know, an individual copyright holder in the Linux kernel is
> understood to have successfully sued various infringing companies

Bet you a dime to a dollar that these same infringing companies are
vigorously opposed to GPLv3 with its much more reasonable termination
clause.  (In GPLv2 your licence is automatically terminated as soon as
you violate.)

I have no sympathy for them at all.  Hoist by their own petard.  Don't
want our bugfixes to the licence ?  Fine, keep the bugs you care about
too.

I don't think Debian is at significant risk even from the trollish
people being discussed here.

Ian.



Re: Do we need embargoes for GPL compliance issues?

2018-09-13 Thread Ben Hutchings
On Thu, 2018-09-13 at 09:03 -0700, Russ Allbery wrote:
[...]
> That said, the Linux kernel is of course under GPLv2, which doesn't have
> that 30-day provision at all, so it doesn't seem like an embargo would
> have helped at all in this specific case (which I think you mentioned in
> your original message).
[...]

As you may know, an individual copyright holder in the Linux kernel is
understood to have successfully sued various infringing companies and
claimed significant fees to reinstate their licences.  In response to
this, there have been efforts to set norms for copyright enforcement
and to reduce the risk to distributors that may accidentally infringe.

Software Freedom Conservancy and the FSF set out the Principles of
Community-Oriented GPL Enforcement, which include applying GPL v3's
termination terms to works formally licensed under v2:
https://sfconservancy.org/copyleft-compliance/principles.html

The Linux Foundation organised another initiative, encouraging
copyright holders to agree that they would apply GPL v3's termination
terms to the kernel:
https://www.kernel.org/doc/html/latest/process/kernel-enforcement-statement.html
However this is not currently a requirement for contributing to the
kernel upstream.

Contributions from the one litigious copyright holder are no longer
accepted, and I would expect his code to be gradually replaced over
time.

Ben.

-- 
Ben Hutchings
Computers are not intelligent.  They only think they are.





Re: Do we need embargoes for GPL compliance issues?

2018-09-13 Thread Florian Weimer
* Russ Allbery:

> Florian Weimer  writes:
>> * Russ Allbery:
>>> Florian Weimer  writes:
>
>>>> Do you think Debian should welcome embargoes for GPL compliance
>>>> issues?  Security embargoes are a huge pain, but one would hope that
>>>> GPL violations by Linux distributions are much rarer events.
>
>>> I'm sorry, I think I'm missing some basic context required to make
>>> sense of this question (and therefore I suspect other people on this
>>> list are as well).
>
>>> What exactly would we be embargoing, and why?
>
>> See bug #907585 for an example.  It occurred to me only afterwards
>> that reporting it publicly (upstream) might be a bit inconvenient for
>> some people (although no one has complained to me directly).
>
> Hm.  I guess I'm not seeing any harm there.  The problem only happens if a
> copyright holder sees such a notification and then files a formal notice
> of copyright violation, right?

I suppose so.

Thanks for all the feedback.  I was just wondering if I was missing
something.  Reporting things publicly immediately is probably easier
for all folks involved, and is probably the only realistic way to get
issues addressed when it comes to linux-firmware upstream.  I can't
see reporters wanting to talk to lawyers over the phone during the
course of multiple months, which is what I suppose would happen in
case of private reports, even if the reporter does not have a
copyright interest.



Re: Do we need embargoes for GPL compliance issues?

2018-09-13 Thread Russ Allbery
Florian Weimer  writes:
> * Russ Allbery:
>> Florian Weimer  writes:

>>> Do you think Debian should welcome embargoes for GPL compliance
>>> issues?  Security embargoes are a huge pain, but one would hope that
>>> GPL violations by Linux distributions are much rarer events.

>> I'm sorry, I think I'm missing some basic context required to make
>> sense of this question (and therefore I suspect other people on this
>> list are as well).

>> What exactly would we be embargoing, and why?

> See bug #907585 for an example.  It occurred to me only afterwards
> that reporting it publicly (upstream) might be a bit inconvenient for
> some people (although no one has complained to me directly).

Hm.  I guess I'm not seeing any harm there.  The problem only happens if a
copyright holder sees such a notification and then files a formal notice
of copyright violation, right?

One unfortunate part about the way the GPLv3 license is phrased is that if
the same copyright holder reports multiple instances like this, the
thirty-day thing only applies to the first one, and then one technically
immediately loses the license to distribute (at least if I'm understanding
the license correctly).  So, for packages like the Linux kernel where
these license violations are fixed when we notice them but which have an
ongoing likelihood of seeing new violations, we can get into some bad and
I think unintended consequences.  That means embargo isn't really useful
anyway in cases where we expect to see ongoing unintentional license
violations that have to be cleaned up.

That said, the Linux kernel is of course under GPLv2, which doesn't have
that 30-day provision at all, so it doesn't seem like an embargo would
have helped at all in this specific case (which I think you mentioned in
your original message).  If we get into informal conventions among
copyright holders about what they'll pursue and what they won't pursue,
(a) I have a hard time imagining any such convention that would pursue a
copyright complaint against what Debian does, and (b) those conventions
are strictly voluntary and there's no reason to believe that all Linux
copyright holders will follow them anyway.

-- 
Russ Allbery (r...@debian.org)   



Re: Do we need embargoes for GPL compliance issues?

2018-09-13 Thread Florian Weimer
* Russ Allbery:

> Florian Weimer  writes:
>
>> Do you think Debian should welcome embargoes for GPL compliance issues?
>> Security embargoes are a huge pain, but one would hope that GPL
>> violations by Linux distributions are much rarer events.
>
> I'm sorry, I think I'm missing some basic context required to make sense
> of this question (and therefore I suspect other people on this list are as
> well).
>
> What exactly would we be embargoing, and why?

See bug #907585 for an example.  It occurred to me only afterwards
that reporting it publicly (upstream) might be a bit inconvenient for
some people (although no one has complained to me directly).



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Russ Allbery
Paul Wise  writes:
> On Thu, Sep 13, 2018 at 12:36 PM, Russ Allbery wrote:

>> I may just be hopelessly naive or out of touch, but I feel like the
>> termination of rights clauses under the GPLv2 and GPLv3 are widely
>> ignored for good-faith violations (such as those Debian would make) and
>> basically never enforced that way.  Hell, they're barely ever enforced
>> against blatant violations by large commercial companies like VMware.

> Agreed re good-faith violations by FLOSS community projects. That said
> there are also a lot of potential long-term violations in projects
> surrounding the FLOSS community, e.g. check the Debian derivatives
> census for the phrase "no source packages".

Would an embargo help for that kind of thing, though?  If a Linux
distribution isn't publishing source at all, they seem to be into far
more dangerous waters than an embargo could possibly help with.

I guess what I'm looking for is a concrete example of something that
happened to a Linux distribution for which an embargo would have been
helpful and productive.  Without such an example, I think we should
default to being opposed to participating in embargoes per point three of
the social contract.

I don't think the social contract means we should *never* participate in
embargoes.  For security, for example, the priorities of our users
conflict to some extent with not hiding problems, and we have the current
compromise.  But there has to be some reason to compromise that furthers
some other point of the social contract; otherwise, we should default to
openness.

-- 
Russ Allbery (r...@debian.org)   



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Paul Wise
On Thu, Sep 13, 2018 at 12:36 PM, Russ Allbery wrote:

> I may just be hopelessly naive or out of touch, but I feel like the
> termination of rights clauses under the GPLv2 and GPLv3 are widely ignored
> for good-faith violations (such as those Debian would make) and basically
> never enforced that way.  Hell, they're barely ever enforced against
> blatant violations by large commercial companies like VMware.

Agreed re good-faith violations by FLOSS community projects. That said
there are also a lot of potential long-term violations in projects
surrounding the FLOSS community, e.g. check the Debian derivatives
census for the phrase "no source packages".

The FSF and Conservancy do bring various organisations into
compliance, usually in much longer timeframes than specified by GPLv3.
Most of that work is done in private, IIRC the reasoning for that is
discussed in their compliance principles. Conservancy have
occasionally publicly released details of their compliance work, for
example Samsung and Tesla. Conservancy have also given conference
talks on the topic such as the keynote at FOSDEM last year.

https://wiki.debian.org/Derivatives/CensusFull
https://www.fsf.org/licensing/enforcement-principles
https://sfconservancy.org/copyleft-compliance/principles.html
https://sfconservancy.org/blog/2018/may/18/tesla-incomplete-ccs/
https://sfconservancy.org/news/2013/aug/16/exfat-samsung/
https://sfconservancy.org/news/2017/feb/13/bkuhn-fosdem-keynote/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Russ Allbery
Paul Wise  writes:

> It seems to me that Florian is talking about the rare GPL violations
> that Debian (and other distros) commit and keeping those secret until
> they can be rectified. These happen (and are sometimes caused by
> upstreams like the GNU project). ISTR in the past we have just rectified
> the issues and ignored the fact that we lost our rights under GPLv2.

How does keeping them secret affect whether or not we lose our rights?
Oh, I think I see: it's about this section of the GPLv3?

  Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.

So the idea is that if we self-discover, or are told by someone who is not
the copyright holder, and publish that fact immediately, the copyright
holder could then give us and our derivatives and any other distributor
with the same problem immediate formal notice and we'd only have 30 days
to remedy, but if we keep it secret, we can take more than 30 days to
remedy as long as the copyright holder doesn't separately notice?

That seems a little tortured to me, but I can sort of see it if I squint
hard enough.  How much of a problem is this?  Has Debian ever received a
formal notice from a copyright holder under that clause?  Does anyone
really do this?

I may just be hopelessly naive or out of touch, but I feel like the
termination of rights clauses under the GPLv2 and GPLv3 are widely ignored
for good-faith violations (such as those Debian would make) and basically
never enforced that way.  Hell, they're barely ever enforced against
blatant violations by large commercial companies like VMware.

-- 
Russ Allbery (r...@debian.org)   



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Paul Wise
On Thu, Sep 13, 2018 at 9:57 AM, Russ Allbery wrote:

> What exactly would we be embargoing, and why?

It seems to me that Florian is talking about the rare GPL violations
that Debian (and other distros) commit and keeping those secret until
they can be rectified. These happen (and are sometimes caused by
upstreams like the GNU project). ISTR in the past we have just
rectified the issues and ignored the fact that we lost our rights
under GPLv2.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Russ Allbery
Florian Weimer  writes:

> Do you think Debian should welcome embargoes for GPL compliance issues?
> Security embargoes are a huge pain, but one would hope that GPL
> violations by Linux distributions are much rarer events.

I'm sorry, I think I'm missing some basic context required to make sense
of this question (and therefore I suspect other people on this list are as
well).

What exactly would we be embargoing, and why?

For security embargoes, what we're embargoing is the description of the
vulnerability, and we're doing that to keep attackers from having an
opportunity to write exploits before a patch is released (putting aside
the question of whether this works).  I'm having a lot of difficulty
mapping those concepts onto license violations, so I don't understand what
you're proposing.

-- 
Russ Allbery (r...@debian.org)   



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Ian Jackson
Ian Jackson writes ("Re: Do we need embargoes for GPL compliance issues?"):
> I think it was entirely wrong of the Conservancy's Linux GPL
> enforcement project to go along with the idea of promising to give
> violators a GPLv3-style termination clause.

Needless to say I don't approve of this "common cure" thing either.

Ian.



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Ian Jackson
Florian Weimer writes ("Do we need embargoes for GPL compliance issues?"):
> Nothing can be done about GPLv2-only violations and the resulting
> license termination, of course.

This is a bit of a tangent, of course, but: I see this as a feature.

If corporations are upset by the possibility that their poor source
code management, untransparent processes, and lack of attention to the
needs of their downstreams, mean that they may be at risk of doom due
to the GPLv2 termination clause - why, then they should encourage
everyone to upgrade to GPLv3+.

I think it was entirely wrong of the Conservancy's Linux GPL
enforcement project to go along with the idea of promising to give
violators a GPLv3-style termination clause.

Instead, copyright holders should dual licence their contributions to
the kernel and perhaps promise not to enforce GPLv2 breaches
(including GPLv2 termination) if the GPLv2-violator is willing to
behave in a way that would comply with GPLv3 within the GPLv3 30-day
period.

Ian.


-- 
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Florian Weimer
* Jonathan Carter:

> Having said all of that, I don't know of any case where Debian has
> specifically named and shamed anyone regarding such a violation, but I
> also don't see a reason why Debian should explicitly try to keep those
> secret for no good reason.

The main advantage for Debian would be to retain licenses for GPLv3
software, despite the occasional accidental violation and the time
needed to clean up one.

However, the most likely source of accidental violations is the Linux
kernel (because it will increasingly end up in firmware blobs where
the upstream submitter claims they are non-free but redistributable).
Non-cooperative developers are unlikely to participate in the Common
Cure movement anyway, so the whole thing is perhaps moot.



Re: Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Jonathan Carter
Hi Florian

On 12/09/2018 21:19, Florian Weimer wrote:
> Do you think Debian should welcome embargoes for GPL compliance
> issues?  Security embargoes are a huge pain, but one would hope that
> GPL violations by Linux distributions are much rarer events.

I'm only speaking on my own behalf here, but I find those really awkward.

Red Hat has launched a project[0] called GPL Cooperation Commitment
where developers could volunteer to promise that they would give
violators of their license a "fair chance" to correct problems with how
they use the software.

"Fair chance", is of course, not very well defined anywhere in there at all.

So, the expectation is that free software developers should be willing
and eager to trust large billion dollar companies on what is best for
free software.

Frankly, my response to that isn't suitable for this list.

Having said all of that, I don't know of any case where Debian has
specifically named and shamed anyone regarding such a violation, but I
also don't see a reason why Debian should explicitly try to keep those
secret for no good reason.

-Jonathan

--
  ⢀⣴⠾⠻⢶⣦⠀  Jonathan Carter (highvoltage) 
  ⣾⠁⢠⠒⠀⣿⡁  Debian Developer - https://wiki.debian.org/highvoltage
  ⢿⡄⠘⠷⠚⠋   https://debian.org | https://jonathancarter.org
  ⠈⠳⣄  Be Bold. Be brave. Debian has got your back.








Do we need embargoes for GPL compliance issues?

2018-09-12 Thread Florian Weimer
Do you think Debian should welcome embargoes for GPL compliance
issues?  Security embargoes are a huge pain, but one would hope that
GPL violations by Linux distributions are much rarer events.

I'm asking because even with the GPLv3 or the Common Cure
, the 30-day period seems awfully
short.  I don't think even organizations that care a lot about GPL
compliance (even formal compliance with exactly matching sources) will
be able to address an accidental violation in that time period.

Although the cure period only starts when notified by a copyright
holder, with a public notice, other, less cooperating copyright
holders might send a notification of their own and start another
clock.

Nothing can be done about GPLv2-only violations and the resulting
license termination, of course.