
We're in this weird time in history when most commercial software is touted as "proprietary" software, yet every commercial enterprise relies on GPL software. It's kinda like saying you really love the fresh air on a Spring morning while ignoring the physical reality that you share that air with every polluter on the planet. Compliance is like trying to prove on paper that the air molecules that you breathe are not and have never touched pollution. Selling proprietary software is like trying to sell packaged air because "it's clean". It would be a better world if we just focused our energy on eliminating air pollution. Until we have such Utopia, we have companies trying to document their compliance at the least possible cost.

Compliance between Licenses

The compliance drama is not just one between proprietary and free software. There is an overabundance of software licenses, and many of the so-called 'open source' or 'permissive' licenses are incompatible with each other. So, compliance is actually about what code you have, what license that code is under, and whether you are compliant with all the terms of every license that you are a party to.

Methods

The Software Freedom Law Center says [1]

You can generally do this at the 'file scope' or the 'project scope' (also called "centralized notice").[2] We believe project scope is the best way to do this, in conjunction with good Version Control (and also contributor assignment agreements).
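To make the two placements concrete, here is an added example (not from this page, the SFLC, or copyleft.org) of a small audit script that checks a source tree for both: a file-scope notice (an SPDX identifier or GPL phrase in each source file's header) and a project-scope centralized notice (a COPYING or LICENSE file at the project root). The file names, extensions, header window size and regular expressions are assumptions, and the sample project it scans is constructed inline.

```python
"""Audit license-notice placement in a source tree.

Added example, not from the page or the SFLC. It checks the two
strategies the text describes: 'file scope' (a notice in every source
file) and 'project scope' / centralized notice (one COPYING or LICENSE
file at the root). File names, extensions, patterns and the header
window are assumptions, not an SFLC recommendation.
"""
import os
import re
import tempfile

# Files counted as source (assumption: a small fixed set of extensions).
SOURCE_EXTENSIONS = {".c", ".h", ".py", ".go", ".rs", ".js"}

# Patterns accepted as a file-scope notice if found in the first
# HEADER_LINES lines. SPDX short identifiers are the machine-readable
# form; the free-text phrase is what the GPL's own "How to Apply" text uses.
NOTICE_PATTERNS = [
    re.compile(r"SPDX-License-Identifier:\s*\S+"),
    re.compile(r"GNU General Public License", re.IGNORECASE),
]
HEADER_LINES = 20

# Centralized notice file names (project scope); assumption.
PROJECT_NOTICE_FILES = ("COPYING", "LICENSE", "COPYING.txt", "LICENSE.txt")


def has_file_scope_notice(path):
    """True if the first HEADER_LINES lines of the file carry a notice."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = "".join(line for _, line in zip(range(HEADER_LINES), fh))
    return any(p.search(head) for p in NOTICE_PATTERNS)


def has_project_scope_notice(root):
    """True if the project root carries a centralized notice file."""
    return any(os.path.isfile(os.path.join(root, n)) for n in PROJECT_NOTICE_FILES)


def audit_tree(root):
    """Walk the tree and report which source files lack a per-file notice.

    Returns a dict with the centralized-notice result, the sorted list of
    source files missing a file-scope notice, and the number of files seen.
    """
    missing = []
    total = 0
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip VCS metadata and vendored dependency trees (assumed names).
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            if os.path.splitext(name)[1] in SOURCE_EXTENSIONS:
                total += 1
                full = os.path.join(dirpath, name)
                if not has_file_scope_notice(full):
                    missing.append(os.path.relpath(full, root))
    return {
        "project_notice": has_project_scope_notice(root),
        "missing_file_notices": sorted(missing),
        "source_files": total,
    }


def build_sample_tree():
    """Create a constructed sample project in a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="notice-audit-")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "COPYING"), "w", encoding="utf-8") as fh:
        fh.write("GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n")
    with open(os.path.join(root, "src", "main.c"), "w", encoding="utf-8") as fh:
        fh.write("// SPDX-License-Identifier: GPL-2.0-or-later\n"
                 "int main(void) { return 0; }\n")
    with open(os.path.join(root, "src", "util.c"), "w", encoding="utf-8") as fh:
        fh.write("/* helper with no notice at all */\n"
                 "int add(int a, int b) { return a + b; }\n")
    with open(os.path.join(root, "README.md"), "w", encoding="utf-8") as fh:
        fh.write("# sample\n")  # not a source file; ignored by the audit
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    report = audit_tree(sample)
    print(f"centralized notice present: {report['project_notice']}")
    print(f"source files scanned: {report['source_files']}")
    for rel in report["missing_file_notices"]:
        print(f"  no file-scope notice: {rel}")
```

A project that chooses project scope would treat `project_notice` as the pass condition; one that chooses file scope would fail the build on a non-empty `missing_file_notices`. Running it on every commit, as the text's emphasis on version control suggests, catches new files that arrive without a notice.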

The Software Freedom Law Center says [3]

Enforcement

There isn't some big government agency like the FBI (which prosecutes you if you copy a movie) working to ensure that free code remains free. Instead, the effort is literally left to the little guy. The Software Freedom Law Center and the Software Freedom Conservancy are the main actors in enforcement. The latter is a charity that draws its financial support from individuals: https://sfconservancy.org/copyleft-compliance/principles.html Meanwhile, the big guys certainly do have lots of money to enforce violations of their licenses (http://www.bsa.org/).

Resources

Eben Moglen is director of the Software Freedom Law Center. See their guide: https://www.softwarefreedom.org/resources/2014/SFLC-Guide_to_GPL_Compliance_2d_ed.html Note: Bradley Kuhn and Karen Sandler, who used to work under the umbrella of the Software Freedom Law Center (SFLC), have since launched their own initiative, the Software Freedom Conservancy.

Bradley Kuhn put together https://copyleft.org where you can find:

https://copyleft.guide - Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide
https://gpl.guide - Part I: Detailed Analysis of the GNU GPL and Related Licenses
https://compliance.guide - Part II: A Practical Guide to GPL Compliance

Termination

Compliance is obviously important, for a number of reasons. One reason is that under GPLv2, your rights to use (and distribute) are automatically and irrevocably terminated upon violation. GPLv3 amends this by offering a pathway to cure the violation.

Vendors

BlackDuck, here in Massachusetts, sells compliance services, as do other firms like TripleCheck.

Criticisms

One of the chief criticisms of these vendors is that they do not provide guidance or solutions for meeting the "Complete and Corresponding Source Code" requirement of the licenses. Without providing Complete and Corresponding Source Code, you are not compliant.

Another criticism is that any enforcement action is used as fodder for these companies to heavily market their services, and that these vendors are not about preventing or curing violations.

Other

http://www.linuxfoundation.org/programs/legal/compliance

References