"Discourage litigation. Persuade your neighbors to compromise whenever you can."
This was Abraham Lincoln speaking in the mid-1800s but his advice is still relevant today. Litigation is almost always a poor tool for fostering collaboration, whether among neighbors or software developers.
In approaching the topic of open source license enforcement, it is important to consider Lincoln’s advice. Collaboration during open source license enforcement is a key to successful compliance just as it is an important element to success in the software development process. In assessing license enforcement tactics, you need to ask whether they will foster greater collaboration in open source software development. If the ultimate result of excessive or abusive enforcement is that developers and enterprises are turned off from participating in upstream open source communities, the ecosystems will wither and we all suffer as a result.
What good is enforcement if no one is engaging in open source development?
At a minimum, license enforcement should be conducted in a manner that is fair and predictable. This means providing a chance to correct inadvertent errors in license compliance — a common-sense idea that is now gathering great momentum.
Today, Red Hat announced that another wave of leading companies Amazon, Arm, Canonical, GitLab, Intel, Liferay, Linaro, MariaDB, NEC, Pivotal, Royal Philips, SAS, Toyota and VMware have joined Red Hat and nine other forward-thinking companies in rejecting harsh tactics in the enforcement of open source licenses. Following the lead of the open source development community, the move today reflects the growing strength of the norms in the open source community about the importance of responsible license compliance and supports the long-held belief that individual trolling for personal or corporate gain is not appropriate in the open source ecosystem. Today’s announcement brings the total number of companies who have adopted this approach to 24. The list of companies comes from across industries and geographies, all of whom have agreed to apply the principle of fairness in license enforcement.
For those who review and negotiate commercial contracts on a regular basis, the idea of a reasonable notice and opportunity to fix problems may seem obvious but this wasn’t always the case for the GPL. Version 2 of the GPL and LGPL do not contain express "cure" periods to fix problems before the licenses are terminated. In an earlier era, the Free Software Foundation (FSF) owned the copyrights for nearly all GPL-licensed code and was the only copyright holder regularly engaged in license enforcement. At that time, the idea of automatic termination in the hands of a benevolent license steward may have seemed appropriate to encourage and enforce license compliance. But, over time, there was an increasing volume of GPL and LGPL-licensed software that was distributed by a growing body of copyright holders (i.e., many potential license enforcers). A consensus began to form that automatic termination could result in potential unfairness and opportunities for abusive enforcement. When the FSF, with the guidance and assistance of the Software Freedom Law Center, ultimately released GPLv3 in 2007, one of its new features was the introduction of a cure period for license noncompliance and mechanisms for license reinstatement when compliance errors were promptly fixed.
Following the release of GPLv3, the FSF encouraged existing GPLv2 projects to adopt GPLv3. While many projects did move, there is still a large body of code that continues to be licensed under version 2. Some projects have chosen not to move and others were unable to do so due to license selection upstream or other reasons.
At the same time, the use of open source software has become increasingly ubiquitous across a growing number of industries — it is fast becoming the very foundation of cloud computing. An increasing number of companies in a variety of industries ranging from automobiles to banks to consumer products are now contributing to, distributing and using open source software within their enterprises and product portfolios. The diversity and volume of open source code used in products today have now become so large that it is no longer reasonable to expect that there will be 100 percent compliance all of the time. The potential for abusive enforcement of the automatic termination provisions of the GPLv2 became concerning to developers and community enforcement organizations who have been coalescing behind the position that heavy-handed approaches to license enforcement are out of place in the community.
This movement to adopt the GPLv3 cure approach for GPLv2 licensed-code originated with community-focused organizations and developers and, as today’s announcement demonstrates, is now being adopted by leading companies across industries and geographies. The approach has been adopted by more than 100 Linux kernel developers and by Red Hat-led projects. In addition, a growing number of individual open source developers are adding their names to the GPL Cooperation Commitment for their own GPLv2 and LGPLv2, and LGPLv2.1 copyrighted code through a repository hosted on GitHub.
Starting from a concept first embodied in GPLv3, the idea of affording GPLv2 and LGPLv2.x licensees the same opportunity to correct errors in compliance is now catching hold: the Linux Foundation and its work with the Linux kernel developers, Red Hat projects, 24 companies and more than 100 developers — all adopting the GPLv3 cure approach for GPLv2 and LGPLv2.x-licensed-code.
Red Hat intends to continue its effort to encourage other companies, projects and developers to adopt the GPL Cooperation Commitment and to support approaches to license enforcement that foster greater collaboration in open source software development. Visit the GPL Cooperation Commitment GitHub page if you or your company are interested in joining.
Innovation takes a village, and fairness and predictability are keys to growing that village
David Levine is assistant general counsel at Red Hat.