[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Do we need embargoes for GPL compliance issues?

Florian Weimer <fw@deneb.enyo.de> writes:
> * Russ Allbery:
>> Florian Weimer <fw@deneb.enyo.de> writes:

>>> Do you think Debian should welcome embargoes for GPL compliance
>>> issues?  Security embargoes are a huge pain, but one would hope that
>>> GPL violations by Linux distributions are much rarer events.

>> I'm sorry, I think I'm missing some basic context required to make
>> sense of this question (and therefore I suspect other people on this
>> list are as well).

>> What exactly would we be embargoing, and why?

> See bug #907585 for an example.  It occurred to me only afterwards
> that reporting it publicly (upstream) might be a bit inconvenient for
> some people (although no one has complained to me directly).

Hm.  I guess I'm not seeing any harm there.  The problem only happens if a
copyright holder sees such a notification and then files a formal notice
of copyright violation, right?

One unfortunate part about the way the GPLv3 license is phrased is that if
the same copyright holder reports multiple instances like this, the
thirty-day thing only applies to the first one, and then one technically
immediately loses the license to distribute (at least if I'm understanding
the license correctly).  So, for packages like the Linux kernel where
these license violations are fixed when we notice them but which have an
ongoing likelihood of seeing new violations, we can get into some bad and
I think unintended consequences.  That means embargo isn't really useful
anyway in cases where we expect to see ongoing unintentional license
violations that have to be cleaned up.

That said, the Linux kernel is of course under GPLv2, which doesn't have
that 30-day provision at all, so it doesn't seem like an embargo would
have helped at all in this specific case (which I think you mentioned in
your original message).  If we get into informal conventions among
copyright holders about what they'll pursue and what they won't pursue,
(a) I have a hard time imagining any such convention that would pursue a
copyright complaint against what Debian does, and (b) those conventions
are strictly voluntary and there's no reason to believe that all Linux
copyright holders will follow them anyway.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: