Increasing Stability and Predictability in Open Source License Compliance:
Providing a Fair Chance to Correct Mistakes
November 27, 2017
Red Hat believes that enforcement of open source software licenses should be judged by whether the activity fosters or discourages adoption of the software and collaboration and participation in open source development. Legal proceedings are generally a poor tool for achieving license compliance, and should almost always be avoided. In the rare situation that they do occur, they should be conducted in a way that is fair, rational and predictable. We are particularly concerned about the possibility of opportunistic enforcement of open source licenses for financial or personal gain and disparate court or other interpretations.
Red Hat releases large volumes of software under open source licenses, including those in the GPL family. The choice of open source licenses for our software reflects both the choices made by upstream community projects and the preferences of our own customers and employees. One of the main features in GPL version 3 is its specification of a cure period for license noncompliance. The GPLv3 cure provision establishes specific and appropriate incentives for distributors to discover and fix compliance problems.
The large ecosystems of projects using GPLv2 (and versions 2 and 2.1 of the LGPL) would benefit from express adoption of the cure approach provided in GPLv3. One way to achieve this is for projects to switch to GPLv3 or LGPLv3, but in many cases, this is impractical, inconsistent with upstream license obligations or contrary to the general preferences and expectations of participants in these projects. In the Commitment set forth below, Red Hat uses another approach: we commit to apply the cure and reinstatement language of GPLv3 to our copyrighted code that is licensed under GPLv2, LGPLv2.1 and LGPLv2 (except where we are responding to a legal proceeding). We hope that other copyright holders who have licensed software under earlier versions of GPL and LGPL will follow our lead.
Before filing or continuing to prosecute any legal proceeding or claim (other than a Defensive Action) arising from termination of a Covered License, Red Hat commits to extend to the person or entity (“you”) accused of violating the Covered License the following provisions regarding cure and reinstatement, taken from GPL version 3. As used here, the term ‘this License’ refers to the specific Covered License being enforced.
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Red Hat intends this Commitment to be irrevocable, and binding and enforceable against Red Hat and assignees of or successors to Red Hat’s copyrights.
Red Hat may modify this Commitment by publishing a new edition on this page or a successor location.
‘Covered License’ means the GNU General Public License, version 2 (GPLv2), the GNU Lesser General Public License, version 2.1 (LGPLv2.1), or the GNU Library General Public License, version 2 (LGPLv2), all as published by the Free Software Foundation.
‘Defensive Action’ means a legal proceeding or claim that Red Hat brings against you in response to a prior proceeding or claim initiated by you or your affiliate.
‘Red Hat’ means Red Hat, Inc. and its subsidiaries.
This work is available under a Creative Commons Attribution-ShareAlike 4.0 International license.
Q: How is the commitment different from the Enforcement Statement that was recently adopted by the Linux kernel project?
A: It is very similar to the Linux kernel enforcement statement but is broader in scope. The Linux kernel enforcement statement is limited to Linux kernel contributions, while the commitment announced today applies to all code licensed by us under GPLv2 and LGPLv2.x, which includes contributions to the Linux kernel and many other open source projects.
Q: Why didn’t you simply relicense your GPLv2 projects under GPLv3 and let the community benefit from the cure approach that way?
A: In many cases, this would not be possible or practical. For example, we couldn’t relicense our Linux kernel contributions under GPLv3, because the overall license of the Linux kernel is “GPLv2 only”.
Q: Why not have the statement cover all open source licenses?
A: The statement is specifically intended to modify the termination language that is present in GPLv2 and LGPLv2.x. No other major open source licenses have such termination language. Other widely-used or well known copyleft open source licenses outside the GPL family, such as EPL, have their own cure provisions. Moreover, most GPL enforcement activity involves GPLv2, and we are seeking to set an example for individuals and entities that are active in license enforcement and that are significant copyright holders in GPLv2 or LGPLv2.x code.
Q: What are defensive GPLv2 actions and why are they excluded?
A: A defensive action is a legal proceeding or claim to enforce GPLv2 (or LGPLv2.x) that we bring against a party in response to a prior legal proceeding or claim brought by that party or its affiliates against us. If, for example, a third party sues us for infringing a software patent, and the third party is violating GPLv2 as to some of our copyrighted code, we may wish to bring a copyright counterclaim against the third party based on the GPLv2 violation without offering the cure opportunities of GPLv3, to motivate the company to drop the patent lawsuit. We believe that, in such cases, the policy concerns that have led us to support extending cure provisions to GPLv2 enforcement are outweighed by the value of being able to bring a GPL-based counterclaim to discourage patent aggression and similar behavior.
Q: How is the commitment different from what has already been expressed in the Principles of Community-Oriented GPL Enforcement published by the Free Software Foundation and the Software Freedom Conservancy?
A: Our commitment puts into action the approach contained in the Principles and is legally binding. This should reassure users and developers in our community and, we hope, provide an example for other copyright holders to follow.
Q: In publishing this commitment, are you signaling that you will start aggressively enforcing the GPL?
A: Absolutely not. Our intent is to encourage open source participation by creating a more predictable environment. Litigation is a poor tool for achieving license compliance and can have many serious adverse consequences for the open source licensing system.
Q: The GPLv3 termination language seems a bit complicated. Why use it verbatim rather than writing an improvement?
A: When GPLv3 was drafted 10 years ago, the cure language was vetted with a wide variety of stakeholders. We think it is now familiar to the community and has stood the test of time; the language has even been reused in another open source license, MPL 2.0.
Q: Is this statement binding?
A: Yes. We say in the statement that we intend it to be irrevocable, and binding and enforceable.