Re: Why does no one care that Brad Spengler of GRSecurity is blatantly violating the intention of the rightsholders to the Linux Kernel?

Hi Bradley,

I was proceeding after others in the community had already made contact and were rebuffed.

I have definitely looked at the principles of GPL-oriented enforcement that SFC is currently distributing. I have some issues with your current policy.

Let's discuss the policy of forgiveness of past offenses in exchange for current compliance. This has worked very well for the non-profit projects that SFC is actually able to serve, because there is literally no reason for the well-counseled offender not to settle with SFC. Both of us have experience with highly visible deep-pockets offenders who have not been well enough counseled to accept this easy exit from violation.

As you know, I have a compliance business. I have advised every client without exception to come into compliance with the GPL as soon as possible, and where allowed I have engineered that compliance. The companies that reject that advice do not become my customers.

We should remain aware that Richard and Eben made an exception to the policy of not asking for financial damages in the case of Cisco, for quite a large settlement.

With the advent of dual-licensing as used by Artifex (Ghostscript) since 1984, MySQL since the 1990s, and others, we have a paradigm that arguably makes the GPL more fair to more people, especially the GPL developers themselves. Those who wish to participate in the GPL's partnership of sharing do; those who do not, pay money, and the money goes to paying the developers to make more good Free Software under the GPL. The developers do not have to wear hair shirts or spend their days as waiters or as programmers of proprietary software for big companies, but can support their families while creating Free Software. This worked for Peter Deutsch who has been able to enjoy retirement as a composer and musician as a result, and of course for Michael Widenius and his partners in MySQL. We are all using the result of these dual-license enterprises.

It seems to me that it would be fair for these dual-licensing companies, who offered the GPL but made dual licensing available to those who did not wish to accept the GPL terms, to exact the fees of lost commercial licensing from commercial infringers. Those infringers clearly had paid licensing as an option. Dual-licensing is not inimical to the philosophy of Free Software, and SFC should support the dual-license enterprises in collecting fair damages.

I am also concerned because in our society there is a right to sue and collect damages in compensation for violation of your rights, and SFC may have allowed itself, without planning to, to be in the position of suppressing developers' rights. Obviously I am aware of the excesses of the "intellectual property" and tort system, and moderation is necessary. But entirely suppressing the right to collect damages doesn't sound like a good solution.

Then we have the issue of SFC's obvious inability to pursue all but a fraction of one percent of all violators. Besides the obvious cases which remain untried, I have in my own practice twice witnessed SFC so short-staffed as to be unable to respond for many months to a company that was attempting to settle with SFC, and another company that had settled and was attempting to fulfill its continuing obligation to SFC. So, here SFC is as the only organization with funding to pursue violations of the GPL, closing out the avenue for other such organizations to fund themselves through settlement and take up some of the case load. And the developers don't get served and get de-motivated by the persistent and un-remedied infringements. So, unfortunately, the principles of community-oriented enforcement aren't actually serving the community.

Recently, we have observed:

1. Failure of SFC or its funded parties to attempt to appeal the VMware decision or find another plaintiff.
2. A consultation with the Linux kernel developers who are not terribly in favor of enforcement, I feel due to prejudices so loudly expressed by Linus Torvalds, who just doesn't accept that lawyers are of any benefit to society.
3. No visible enforcement for quite a while.
4. Very many egregious violations in our sight that we have no way to cure.

So eventually, Bradley, we lose patience. I have no way to fund enforcement of GPL violations. I don't have confidence that you can ever handle more than 1% of them, and you don't tell me what 1% you are working on. I only have publicity as a tool.



On Fri, Jul 14, 2017 at 11:06 AM, Bradley M. Kuhn <bkuhn@sfconservancy.org> wrote:
[ I'm not on debian-user regularly but I was dragged into the thread by a
  large cc list that Bruce started.  Removing individual email addresses of
  possible non-list members, other than Bruce. ]

Bruce, if you haven't looked at the Principles of Community-Oriented
Enforcement <https://sfconservancy.org/copyleft-compliance/principles.html>,
which were co-published by Conservancy and the FSF, and endorsed by a wide
range of other organizations, including FSF Europe and the OSI, you should
definitely do so.

The most relevant principle regarding your public post referenced in this
thread is: "Confidentiality can increase receptiveness and responsiveness."
You don't indicate in your blog post that you put in efforts to resolve this
matter confidentially and sought compliance in a collaborative and friendly
way first.  That's a mistake, in my opinion.

Conservancy often spends years of friendly negotiations, attempting to
resolve a GPL enforcement matter before making public statements about it.
We have found in our extensive experience of enforcing the GPL that early
public statements sometimes thwart not just our enforcement efforts, but
the enforcement efforts of others.

Finally, I have an important general statement that those concerned about
violations should consider: With hundreds of known GPL violations going on
around the world every day, we should as a community be careful not to
over-prioritize any particular violation merely because the press becomes
interested.  Rather, the giant worldwide queue of known GPL violations
should be prioritized by figuring out which ones, if solved, will do the
most to maximize software freedom for all users.
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
Become a Conservancy Supporter today: https://sfconservancy.org/supporter
