Four Linux Giants shift Open source Licensing Policies


by | November 28, 2017

Red Hat, Facebook, Google, and IBM commit to providing a fair cure period to correct open source GPLv2 software license compliance issues.

The GNU Public License version 2 (GPLv2) is arguably the most important open-source license for one reason: It’s the license Linux uses. On November 27, three Linux-using technology powers, Facebook, Google, and IBM, and the major Linux distributor Red Hat announced they would extend additional rights to help companies who’ve made GPLv2 open-source license compliance errors and mistakes.

The GPLv2 and its close relative, the GNU Lesser General Public License (LGPL), are widely used open source software licenses. When the GPL version 3 (GPLv3) was released, it came with an express termination approach that offered users opportunities to cure errors in license compliance. This termination policy in GPLv3 provided a way for companies to repair licensing errors and mistakes. This approach allows license compliance enforcement that is consistent with community norms.

The four companies are committed to extending the GPLv3 approach for license compliance errors to software code under GPLv2 and LGPLv2.1 and v2. Specifically, the Common Cure Rights Commitment is:

Before filing or continuing to prosecute any legal proceeding or claim (other than a Defensive Action) arising from termination of a Covered License, [Company] commits to extend to the person or entity (“you”) accused of violating the Covered License the following provisions regarding cure and reinstatement, taken from GPL version 3. As used here, the term ‘this License’ refers to the specific Covered License being enforced.

    However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

    Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

    [Company] intends this Commitment to be irrevocable, and binding and enforceable against [Company] and assignees of or successors to [Company]’s copyrights.

    [Company] may modify this Commitment by publishing a new edition on this page or a successor location.

Other companies are expected to join in supporting this new GPLv2 approach soon.

This legally binds each company to apply the cure provisions of GPLv3 to their respective copyrighted code licensed under GPLv2, LGPLv2.1 and LGPLv2 (except in cases of a defensive response to a legal proceeding).

This follows in the footsteps of the Linux kernel project, which recently adopted this approach in its Linux Kernel Enforcement Statement, and the Free Software Foundation and Software Freedom Conservancy, which embodied the concept in their Principles of Community-Oriented GPL Enforcement.

Do not mistake this for these companies taking a more aggressive stance on legal action against companies violating the GPL. It’s the reverse.

As Simon Phipps, president of the Open Source Initiative (OSI) commented, “I welcome this commitment by the largest companies in open source to put community confidence and open source adoption first and leave license litigation as a last resort. May many others follow suit!”

So, why aren’t these companies simply relicensing their Linux kernel contributions under GPLv3? That’s flatly impossible. Linux’s overall license of the kernel is GPLv2 only.

As Linus Torvalds said in 2016, “I love GPLv2. I really think the license has been one of the defining factors in the success of Linux because it enforced that you have to give back, which meant that the fragmentation has never been something that has been viable from a technical standpoint.”

Why are these companies doing this? Michael Cunningham, Red Hat’s executive vice president and general counsel, said, “We believe in promoting greater fairness and predictability in license enforcement and the growth of participation in the open source community. We encourage other GPLv2 copyright holders to follow our lead.”

IBM’s assistant general counsel Mark Ringes, added, “For many years, GPL v2 and V3 have guided the development of the world’s largest shared code base, Linux. Extending GPLv3’s non-compliance cure provision to GPLv2 will enable the continued adoption and robust growth of Linux for decades to come. IBM has long been a leading supporter of Linux and open source and assists in the development of the Linux kernel. Deepening our commitment with this assertion is a natural evolution of that support.”

Although neither mentions it, these moves seem to be in reaction to several recent controversial GPLv2 legal actions.

In one example, Grsecurity, a Linux security company, blocked its users from distributing its “GPLv2” Linux code. Bruce Perens, one of open source’s founders, blogged that companies “should avoid the Grsecurity product … because it presents a contributory infringement and breach of contract risk.” Perens did so on the grounds that the GPLv2 guarantees the right to distribute code. Grsecurity responded by suing Perens. Grsecurity hasn’t, however, sued Torvalds, who declared, “Their patches are pure garbage.”

In another case, which prompted the Linux kernel developers’ move, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, stated a former Linux kernel developer’s actions had led to their new position on how the GPLv2 would be enforced.

Kroah-Hartman explained, “Unfortunately the same processes that we use to assure fulfillment of license obligations and availability of source code can also be used unjustly in trolling activities to extract personal monetary rewards. In particular, issues have arisen as a developer from the Netfilter community, Patrick McHardy, has sought to enforce his copyright claims in secret and for large sums of money by threatening or engaging in litigation.”

McHardy used to be the chair of Linux’s Netfilter core development team. Netfilter is a Linux kernel utility which handles various network functions, such as facilitating Network Address Translation (NAT). McHardy has been suspended from the Netfilter team. It’s believed McHardy has started legal action against over 50 companies seeking payment from them. Netfilter has released a document on how to deal with his attempts to extract money from vendors. According to Kroah-Hartman, McHardy has made a few million Euros from his actions.

While the corporate, developer, and open-source community restructuring of how the GPLv2 and LGPL will be enforced can’t stop McHardy, it can block future attempts to abuse Linux users by rogue developers.

