Last week a bun-fight kicked off on the Linux kernel mailing list that led to some interesting questions about how and when we protect open source projects from bad actors. This also shone the light on some interesting community dynamics.
The touchpaper was lit when Bradley Kuhn, president of the Software Freedom Conservancy (an organization that provides legal and administrative services for free software and open source projects) posted a reply to Greg KH on the Linux kernel mailing list:
I observe now that the last 10 years brought something that never occurred before with any other copylefted code. Specifically, with Linux, we find both major and minor industry players determined to violate the GPL, on purpose, and refuse to comply, and tell us to our faces: “you think that we have to follow the GPL? Ok, then take us to Court. We won’t comply otherwise.” (None of the companies in your historical examples ever did this, Greg.) And, the decision to take that position is wholly in the hands of the violators, not the enforcers.
He went on to say:
In response, we have two options: we can all decide to give up on the GPL, or we can enforce it in Courts.
This rather ruffled Linus’s feathers who feels that lawyers are more part of the problem than the solution:
The fact is, the people who have created open source and made it a success have been the developers doing work – and the companies that we could get involved by showing that we are not all insane crazy people like the FSF. The people who have destroyed projects have been lawyers that claimed to be out to “save” those projects.
What followed has been a long and quite interesting discussion that is still rumbling on.
In a nutshell, this rather heated (and at times unnecessarily personal) debate has focused on when is the right time to defend the rights on the GPL. Bradley is of the view that these rights should be intrinsically defended as they are as important (if not more important) than the code. Linus is of the view that the practicalities of the software industry mean sending in the lawyers can potentially have an even more damaging effect as companies will tense up and choose to stay away.
Ethics and Pragmatism
Now, I have no dog in this race. I am a financial supporter of the Software Freedom Conservancy and the Free Software Foundation. I have an active working relationship with the Linux Foundation and I am friends with all the main players in this discussion, Linus, Greg, Bradley, Karen, Matthew, and Jeremy. I am not on anyone’s “side” here and I see value in the different perspectives brought to the table.
With that said, the core of this debate is the balance of ethics and pragmatism, something which has existed in open source and free software for a long time.
Linus and Bradley are good examples of either side of the aisle.
Linus has always been a pragmatic guy, and his stewardship of Linux has demonstrated that. Linus prioritizes the value of the GPL for practical software engineering and community-building purposes more-so than wider ideological free software ambitions. With Linus, practicality and tangible output come first.
Bradley is different. For Bradley, software freedom is first and foremost a moral issue. Bradley’s talents and interests lay with the legal and copyright aspects more-so than software engineering, so naturally his work has focused on licensing, copyright, and protection.
Now, this is not to suggest Linus doesn’t have ethics or that Bradley isn’t pragmatic, but their priorities are drawn in different areas. This results in differences in expectations, tone, and approach, with this debate being a good example.
Linus and Bradley are not alone here. For a long time there have been differences between organizations such as the Linux Foundation, the Free Software Foundation, and the Open Source Initiative. Again, each of these organizations draw their ethical and pragmatic priorities differently and they attract supporters who commonly share those similar lines in the sand.
I am a supporter of all of these organizations. I believe the Linux Foundation has had an unbelievably positive effect in normalizing and bridging the open source culture, methodology, and mindset to the wider business world. The Open Source Initiative have done wonderful work as stewards of licenses that thousands of organizations depend on. The Free Software Foundation has laid out a core set of principles around software freedom that are worthy for us all to strive for.
As such, I often take the view that everyone is bringing value, but everyone is also somewhat blinded by their own priorities and biases.
My Conclusion
Unsurprisingly, I see value in both sides of the debate.
Linus rightly raises the practicalities of the software industry. This is an industry in that is driven by a wide range of different forcing functions and pressures: politics, competition, supply/demand, historical precedent, cultural norms, and more. Many of these companies do great things, and some do shitty things. That is human beings for you.
As such, and like any industry, nothing is black and white. This isn’t as simple as Company A licenses code under the GPL and if they don’t meet the expectations of the license they should face legal consequences until they do. Each company has a delicate mix of these driving forces and Linus is absolutely right that a legal recourse could potentially have the inverse effect of reducing participation rather than improving it.
On the other hand, the GPL (or another open source license) does have to have meaning. As we have seen in countless societies in history, if rules are not enforced, humans will naturally try to break the rules. This always starts as small infractions but then ultimately grows more and more as the waters are tested. So, Bradley raises an important point, and while we should take a realistic and pragmatic approach to the norms of the industry, we do need people who are willing and able to enforce open source licenses.
The subtlety is in how we handle this. We need to lead with nuance and negotiation and not with antagonistic legal implications. The lawyers have to be a last resort and we should all be careful not to infer an overblown legal recourse for organizations that skirt the requirements of these licenses.
Anyone who has been working in this industry knows that the way you get things done in an organization is via a series of indirect nudges. We change organizations and industries with relationships, trust, and collaboration, and providing a supporting function to accomplish the outcome we want.
Of course, sometimes there has to be legal consequences, but this has to genuinely be a last resort. We need to not be under the illusion that legal action is an isolated act of protection. While legal action may protect the GPL in that specific scenario it will also freak out lots of people watching it unfold. Thus, it is critical that we consider the optics of legal action as much as the practical benefits from within that specific case.
The solution here, as is always the case, is more dialog that is empathetic to the views of those we disagree with. Linus, Bradley, and everyone else embroiled in this debate are on the right side of history. We just need to work together to find common ground and strategies: I am confident they are there.
What do you think? Do I have an accurate read on this debate? Am I missing something important? Share your thoughts below in the comments!
At what point is it time to sue? FSF and Software Freedom Conservancy have been trying to get Canonical (just as an example) to comply with the GPL for a long time now. I’ve talked with folks from both orgs and the gist I got was Canonical pushed back and made few concessions but ultimately is still not complying with the GPL today.
Now speaking more broadly we know the Linux Foundation is heavily funded by the very companies that are regularly violating the GPL.
At some point the license must be enforced otherwise it’s for show only.
That’s my two cents and I think there are many offenders other than Canonical. Pretty much every router OEM violates the GPL.
Heya, Ben,
In answer to when to sue, I would argue that when all reasonable other efforts have failed, it is time to explore legal options. I know this is a fuzzy answer, but every situation is different.
Out of curiosity, how is Canonical violating the GPL? Also, aside from the VMWare case, which other membership orgs in the Linux Foundation are not compliant with the GPL?
Thanks,
Hi Jono,
Will I am not going to jump into private and personal discussions I have discussed with folks at both the FSF and SFLC both before and after this announcement (https://www.fsf.org/news/canonical-updated-licensing-terms) and it is my understanding based on those conversations that while Canonical did come closer to not infringing on the GPL it still has a ways to go before it purely in compliance but that both orgs did not feel they could get anymore out of Canonical without costly litigation. Supposedly the issue is that Canonical’s other agreements and policies for contributors and users of the OSS confuses people as to what their rights really are. Basically, my understanding is you have the GPL which sets out certain freedoms but then Canonical has IP Policy and NDA which say you do not basically have all those freedoms and if you violate these addendum legal contracts Canonical can hit you with a legal hammer that really should not exist.
I’m sure some from both orgs will be reading this comment and your post should they want to chime in.
Note: In first comment I incorrectly said SFC and mean’t the SFLC as both are easy to confuse.
I’ve not heard about any NDAs or secret requirements coming from Canonical. I would love for you to provide some evidence to support your accusations
IP Policy and CLA both run counter to GPL.
The GPL is a distribution license, there’s no way for a contribution license or a trademark policy to run counter to it, because they are orthagonal subjects. Neither the IP policy nor the CLA restrict (or can restrict) any of the rights granted by the GPL.
I spent years helping (and sometimes demanding) companies and projects come into compliance with the terms of the GNU GPL (and LGPL and FDL) on behalf of the FSF. This work was driven almost entirely by the frustrations and complaints that went unheard by thousands of individuals that wanted to enjoy the freedoms the GPL tries to ensure are carried to each user of a given covered work. The work being done to enforce the GPL isnt driven by some abstract purpose, it is driven by the desire for people to be able to control their devices and hack code. Over the many years the work has been done it is almost done entirely, wth very little cost to businesses, almost never with the need to bring in lawyers or to seek the help of the courts.
Thanks for sharing Jono. I too am a pluralist on the licensing spectrum, and consider each organization you mentioned vital to the FOSS Movement.
The SFC (and SFLC before it) to my knowledge, have consistently purported a “compliance over damages” approach. I have heard voiced by their counsel publicly, a genuine concern over the types of optics you are suggesting.
In the hyper-litigious atmosphere of software patents, and takedowns, and anticircumvention, it is all-too-easy to cast these frdm lawyers in the same light as the trolls, but we must resist. We fear what we don’t understand, and Law is gatekept to maintain that information asymmetry. These folks are fighting the good fight. Please believe fair readers.
Much like OpenSSL and the other core infrastructure that needs maintainers, so too do our licenses and legal frameworks. There are not nearly enough lawyers and legal professionals helping to educate organizations about authentic participation in communities of practice–which is primarily what Bradley and Karen are doing through stewardship of projects under an umbrella like SFC, not litigation.
What Bradley seems so frustrated about, is that some participants are acting in bad faith on purpose, not in the spirit of community, with no interest in compliance, simply because they imagine the community as being outgunned legally.
If true, this is appalling and antisocial behavior, and we should bring to bear our legal AND cultural checks, like nonparticipation in those projects, and public discussion about this behavior. It’s situations like these that make me reconsider, if only for a moment, the temptation of exclusionary clauses for demonstrably hostile actors… but only for a moment…
I really do not like how this always ends up in a cult of personality thing. The whole compliance issue should not be on the Bradley vs. Linus level. If this is viewed or framed in such a way ppl automatically are choosing sides. I saw a Linux based company sharing a Bradley critical article on Facebook today. I can’t imagine what good will come from this approach to things.
As you, Jono, did above I see merit in both sides of the argument, but one should clearly mention the insightful mail in the thread by Jeremy Allison on the very positive outcomes of suing Microsoft for Samba. As he says this is not and has never been a black or white issue.
“Of course, sometimes there has to be legal consequences, but this has to genuinely be a last resort.”
Do you think that’s true now, or not?
Compared to the amount of GPL-violating going on, the amount of GPL-enforcing is both tiny and struggling for funds. GPL-enforcing entities tend to wait multiple years before taking people to court. If that’s not “genuinely a last resort”, I don’t know what is.
I think for most offenders we are years past the being diplomatic point.
Corporations are pillaging OSS to their benefit and ignoring their obligation under OSS licenses.
A tiny proportion of corporations are doing this. The reality is that corporations are funding much of the development of open source.
I find myself in the uncommon situation here of actually agreeing more with the lawyer.
I agree with your conclusions that nuance and negotiation is key and that lawyers should be a last resort, but as Bradley puts it, if you are dealing with a company (can’t be many of those though) that directly of indirectly says, “sue us, or we wont lift a finger”, then aren’t we already past the, we-have-tried-everything point?
Another point is, if ultimately a company is sued, where there is documentation for that kind of behaviour, then how should that scare of other potential contributors. If the violations are so clear and the attitude so much against the spirit of the project, then I find it difficult to believe that it should really scare of a potential contributor that is ok with a terms of the collaboration but maybe more scared of accidentally violating the GPL?
Right, from listening to Bradley talk on this topic, apparently its very common for them to get flat-out ignored by companies until they threaten legal action.
Talk of starting a dialog only works if they’re receptive to begin with. Likely many companies simply weigh the costs of continuing to violate with those of complying, and only comply when it the scale tips.
Hello Jono- it is for the courts now to decide whether VMWare have infringed GPL license or not, that is a separate matter in itself. Coming to your discussion, you have identified Linus as “pragmatist” on the basis that Linus may be concerned that enforcing GPL through courts against such organizations will also freak out lots of people watching it unfold. Always agree recognizing Linus’ contribution in stewarding Linux. Now, we need to consider as to what is “pragmatism” in the context of today’s mindset of the wider business world in adopting FOSS. For me “pragmatism” in this discussion primarily comes from 2 situations- a) Where Cisco can comply with GPL after the Linksys fiasco with FSF; and b) Myself being an integral part of OSS compliance team of suchlike organization using FOSS massively, I believe that given the value of Linux (with its development manpower resources that have gone into it and the market value), an organization like these will only get freaked out if the same has to be developed from scratch with every organization trying to time the market & better the competition and, reducing the TCO hugely. As Joshu and Decause mentions above a ““compliance over damages” approach adopted by Bradley & others, developers like Linus should be thinking lawyers more as their reliable partner rather than impediments to the growth and adoption of FOSS. Maybe a concerted effort from both ends of the aisle, will influence commercial organizations to adopt more ethical ways of social behavior where they need to think that if they are using FOSS, they have a moral duty to comply as well.
Every time I’ve heard Bradley speak about issues like this he completely agrees that “sending in the lawyers” is the last resort. The goal is compliance, not reprimand. But some bad actors will only comply if they’re forced to. And the only way to force a company to do something they are unwilling to do is legal action. If it is truly the stance of the company that
I heard about this issue on LAS recently. I felt uncomfortable when one of the host made fun of safe spaces and offensive language right before defending Linus for his language and general attitude. Aaron Saigo once warned of the dangers of cult of personality (especially in the Linux community) and I feel this is yet another moment of that. I agree that ultimately all parties are right and balance is key to being effective but I feel like coverage of this is yet again about defending Linus and the culture he brings.
As a minority and queer, I cannot explain how hostile the Linux community (even more than the overal tech industry) and Linus’s fandom keeps enforcing it.
I am not sure I entirely agree.
While I definitely think Linus could dial his rage back, if you look at the conversation on the kernel mailing list most people take Linus’s rantings in their stride and don’t bite.
I think this issue has primarily been focused on the question in hand which is when the right time to litigate is. Linus raises some genuinely important points, as does Bradley.
I think it is also important to not characterize the “Linux community” by the way people on the kernel mailing list talk to each other. That mailing list has very direct and frank discussions, and I would argue that most Linux community members don’t have the same tone (at least from my experience).
I’ve had sometime to cool down and rethink my position.
Linus does raise good points (as usual), as does Bradley, and I agree that legal actions should only be a last resort after more peaceful negotiations fail. Avoiding going to court is important for good relationships between OSS projects and corporations that rely on them, that is something that everyone can agree on. What bothers me is (once again) Linus’s language.
“While I definitely think Linus could dial his rage back, if you look at the conversation on the kernel mailing list most people take Linus’s rantings in their stride and don’t bite.” I feel like this is the mantra that greater Linux community, it’s fine that Linus uses unprofessional language and attacks others because everyone on the kernel mailing list are OK with it. Yet Linus’s point could be made without calling someone a disease. If Mark Shuttleworth called someone that on a mailing list, we wouldn’t hear the end of it and the entire Ubuntu community would have to deal with that fallout. Why does Linus continue to get a pass for this?
I’m sorry for ranting again but especially after Sarah Sharp left the kernel mailing list I thought there would be change within the greater Linux community about defending or downplaying the language and culture problems it has. I guess I should just be thankful the Ubuntu community doesn’t have this problem. Again, sorry for ranting!
Thanks for the thoughtful reply. CheeseBurg.
I am certainly not defending Linus here. I think his tone and approach is often too harsh and too personalized, and I think he should strike a little more empathy with people.
My only point was that the kernel mailing list is not representative of most Linux users and developers.
Should the kernel list be nicer and more friendly? Yes. Is it likely to change? Not really. Should be a blocker for continued growth of Linux? I don’t think so.
Jono, I think you have accurately described two fundamentally different mindsets, which we see at work in many spheres of life today, from politics to communities and open source software. On the one hand: openness, outgoing, willing to take risks and learn when thIngs go wrong. On the other, defensive, threatening, unwavering.
I wish I knew the answer!
John: I think that’s a pretty inaccurate characterisation of the difference between the two positions. How is Linus’ position “willing to learn when things go wrong”? It seems more like “willing to ignore the situation when things go wrong”. And how is Bradley’s position “threatening”? As noted above, SFC is much more about getting people to follow the license than extracting damages, and it took four years before they took VMware to court. That’s hardly “threatening”.
What’s the point of having license terms if everyone ignores them?
My fear of not enforcing the license is that it will make it enforceable. When you have a copyright, trademark, pretty much any property right at all, if you let people use that property without following the terms of use tort law has viewed that as the right-holder tacitly giving that right to the usurper. That is why you must not allow people to cut across your property to get to the next street, why trademarks are militantly enforced, etc. If that’s not done, you might as well have just given your property away. The courts may assume you already have.
Thanks, Joe. I don’t think any of these is in question though – I think the issue is more when you persue this, particularly within such an open environment as Linux and open source.
Even if that’s true for one particular piece of software (and there is some strong doubt that this concept applies to copyright), then it wouldn’t be true for all other software which uses the same licence. So there is no risk that Linus refusing to enforce the GPL for Linux will allow a judge to say “hey, no-one cares about the actual terms here – just look at Linux”. It is problematic for other reasons (see my other comments) but not for this one.
I think you nailed it. We’ve seen this argument before. We’ll see it again. I’ll be interested to see what ends up getting discussed at Plumbers.
Thanks, Steven – I also loved your piece on this!
I don’t think it’s a difference between ethics and pragmatism, as you said they are both ethical and pragmatic people. I think their differences are one of tactics. Bradley thinks that a strong offense keeps the GPL on a advantageous footing when it comes to companies that don’t want to comply. Linus favors using attrition to force them to concede their own position and accept compliance. Bradley is also trying to form a general strategy for free software, while Linus is only concerned with the specific case of the kernel.
Once somebody starts using the Linux kernel, Linus knows he will eventually win, because not complying with the GPL on the kernel is going to put them at a logistical disadvantage. He doesn’t need to risk a trial to win, he just has to wait for them to suffer enough that they want to comply. But the kernel is unique, and this strategy isn’t necessarily going to work for other GPL projects such as busybox. For those projects there is no assurance that they will win in the end, so every inch of ground they give is something they might never get back. For them a stronger legal push towards compliance is probably a better strategy.
I agree. Ultimately Linus’s expertise in OSS is really only with kernel (my assumption of course) and kernel development/community/experiences is very different than most other OSS projects.
You know this is actually pretty interesting. I’ve always thought the GPL and for that matter CC are a bit like BitCoin people have heard of them (Notice I did not say “A lot of” as an exercise in eye opening ask the next checkout person at the supermarket if they know what GPL is or what it stands for. :-D) but the vast majority in the serious business community think they’re a bit of a joke, funny money, worthless bits of paper. Did anyone read about Getty Images pinching a photographers work licensed under Creative Commons? Getty Images for Pete’s sake!
I understand why Linus is not overly bothered about GPL violation, Linus only cares about the kernel and its promotion/take-up thereof. I suspect he would prefer international business utilised his product without fear of litigation.
Now having said that I think I side with Bradly on this one. If we are going to have a GPL license then I believe the only way to legitimise it in the eyes of CEO’s etc is to have a big violation court case that hits the headlines internationally. Sadly I doubt we will ever live in a world whereby people or companies treat other peoples code honourably, unfortunately we will always have to be like the old wild west “If he’s carrying protection I better had too.” My irrelevant two penneth. 🙂
Late to the discussion but based on everything I’ve seen, I think the SFC is doing exactly what Linus is asking them to do. They’re not bringing in lawyers or lawsuits until everything else has failed and, even though the license allows an immediate loss of license for the violator, encourage copyright holders to not enforce that term. I tend to think that the lack of GPL compliance has gotten so totally horrible that someone needs to be made an example if they don’t agree to comply. It’s really unfortunate but what can you do when people won’t listen to anything else?