[Linux-aus] [Fwd: A GPL requirement could have a chilling effect on derivative distros]

Arjen Lentz arjen at mysql.com
Thu Jun 29 11:51:02 UTC 2006

A curious article...

-------- Original Message --------

Title    A GPL requirement could have a chilling effect on derivative
Date    2006.06.27 16:00
Author    Bruce Byfield
Topic   http://software.newsforge.com/article.pl?sid=06/06/23/1728205

Warren Woodford, the founder of the MEPIS distribution, would prefer
to be concentrating on polishing his latest release. Instead, he is
distracted by an official notice from the Free Software Foundation
that, because MEPIS has not previously supplied source code for the
packages already available from the distribution it is based on --
once Debian, and now Ubuntu -- it is in violation of the GNU General
Public License (GPL). Woodford intends to comply, but he worries about
how this requirement might affect all distributions derived from other
distributions -- especially those run by one or two people in their
spare time.

The requirement to supply source code is covered by section 3 of the
second version of the GPL. Under these sections, the distributor of
GPL code is obligated to provide source code "on a medium customarily
used for software interchange" for up to three years. In practice,
this medium is usually a CD or DVD, or a server from which it can be
downloaded. Under section 6 of the GPL, each distributor of the code
comes under the obligations specified in section 3. This obligation is
specified even more strongly in section 10 of the draft for the third
version of the GPL, which specifically states that "downstream users"
(those who, like Woodford, adopt the work of another project -- the
"upstream distributor" -- for their own use) fall under these

"We think it's pretty clear," says David Turner, GPL compliance
engineer at the FSF. "One problem with allowing people to skip out on
source code distribution is that there's nothing that requires the
upstream distributor to continue to offer source code. If they stop
doing so, the source could become totally unavailable. Or, more
commonly, the upstream distributor will upgrade the version of the
source code available, leaving downstream distributors totally out of
sync. In order to fix bugs, users need to get source code exactly
corresponding to the binaries they have available."

Woodford does supply the source code for MEPIS' reconfigured kernel in
a Debian source-package. His mistake seems to have been the assumption
that, so long as the source code was available somewhere, he did not
have to provide it himself if he hadn't modified it. While he has not
contacted any other distributions, he suspects that he is far from the
only one to make this assumption. "We, like 10,000 other people,
probably, believed we were covered by the safe harbor of having an
upstream distribution available online," Woodford says. "I think, of
the 500 distributions tracked by DistroWatch, probably 450 of them are
in trouble right now per this position."

A safe harbor is a legal term, referring to the elimination of the
need to comply because a violation was made in good faith.

Compliance in the community

Woodford is exaggerating, but not enough to change the basic truth of
what he says. Klaus Knopper, who develops the popular Knoppix live CD,
says that he maintains a source repository and will make source code
available on request. Talking on behalf of CentOS, Johnny Hughes says,
"CentOS has been providing source for all packages, changed and
unchanged, in their distribution. CentOS has the same understanding of
the GPL as expressed by the FSF on this issue." Similarly, Texstar,
the main maintainer for PCLinuxOS, says, "I am aware of the GPL
requirements and make all of my source code available via DVD and it
can be downloaded from a free server."

However, a majority of distributions and their distributors are
apparently unaware of the requirements. "Before I was contacted by the
FSF, I didn't know that we needed to actually offer the source code of
binaries we didn't modify," says John Andrews, the source code
maintainer of Damn Small Linux. "Yet we do comply now, and the FSF
occasionally pops in with an email to make sure we do." Similarly,
LinuxCD.org, a distributor, makes only Fedora source code available --
and only provides that because it was specifically requested to do so.

Unsurprisingly, no non-compliant distribution was willing to go on
record for this article. However, a search through the Web pages of
two dozen randomly selected smaller distributions in DistroWatch's top
hundred shows only a few download repositories that contain source
code, and no offers to provide it on request. The fact that only a few
replied to a request for comments may also be significant, suggesting
that the maintainers, having become aware of their non-compliance, do
not wish to advertise their status -- although it might simply be
that, being small operations, they prefer to focus on their work
rather than answer questions. Still, even if Woodford's exact
percentage is wrong, his suggestion that the majority of distributions
are unaware of the GPL requirements does seem accurate.

Implications and solution-seeking

Woodford is now working to come into compliance. "Either I go along or
go to court with them about it, and it's a lot easier to go along," he
says. "I'm not making any money here. I can't afford a lawyer. I have
an income, but I'm just barely staying afloat. We're going to reply to
their request, and it seems like the request is consistent with the
GPL license."

Woodford also understands that, while the FSF is firm about
compliance, it is showing restraint in its effort to get MEPIS to
comply. "If we were a big corporate entity, then they would ask us to
pay them money," he says.

Yet, despite his willingness to comply, Woodford remains concerned
about the implications. According to Turner, because MEPIS distributes
both online and on CD and DVD, it would need to provide the source
code in both media under the third version of the GPL, although
section 3b of the second version would require distribution in only
one medium. Woodford is also concerned about the practical
considerations of automating the regular extraction of only the
packages that MEPIS uses from the Ubuntu repositories.

Even more importantly, Woodford says, "I think that what they're doing
is probably going to be bad for creativity in the open source
community. There's plenty of people out there who like to be the GPL
police. And with this extra little thing in their bag of tricks,
somebody is going to go out there looking at everybody who puts out a
new release of anything."

"What is really needed for the benefit of the community is if there
could be a way to have an exception for the little guy," Woodford
says. "But how can you do that when the whole thing is designed around
the idea that every entity and every person that uses the GPL is held
to the exact same rules and standards? How do you start making
exceptions to that?"

Asked about the possibility of adding such an exception to the third
version of the GPL, Turner replied, "If someone submitted a comment to
that effect, we would of course consider that comment. But I don't
think it likely that it will be changed.... I just asked Richard
Stallman about this. He noted that the requirement isn't particularly
onerous -- source code isn't much larger than binaries."

Woodford, though, disagrees. "If I had been told this when I was
getting ready to create MEPIS in the first place, I never would have
done it. I didn't have a server, I didn't have a repository, and it
would have been a daunting task." His concern is that others will be
similarly discouraged.

Andrews from Damn Small Linux also disagrees with Turner and Stallman,
saying, "I understand why the FSF makes sure small-time players comply
with their requirements. However, I also know from experience that
it's quite a burden for the hobbyist or small-time developer who wants
to share something cool with the world but doesn't have the finances
or organizational structure of the big corporations."

"Of course, non-profit distributors can always arrange with their
upstream distributors to help them with the source code distribution,"
Turner suggests. "If such an arrangement is in place, the problems
mentioned above won't happen, and the non-profit distributor will be
able to save time and bandwidth."

Major upstream distributors, however, are unlikely to enter such
arrangements, if Fedora is any indication. Max Spevack, chair of the
Fedora Board, says, "There are several reasons why the Fedora Project
would be hesitant to officially sanction downstream distributions to
point to upstream code repositories. The first has to do with the
issue of forking. If the downstream developer has improvements, those
improvements should be fed into the upstream code whenever possible.
If downstream doesn't want to push those changes upstream, then it
makes sense that the downstream distribution should bear the burden of
redistributing the source for the forked code.

"Second, there is an issue of legal liability," Spevack continues.
"The upstream party would be assuming legal liability for the
downstream modifier, and that is not something that the Fedora Project
is interested in doing.

"The third issue is that of cost -- which, while a valid concern, in
my opinion is a lesser issue than the other two."

A possible solution for some distributions would be rPath's rBuilder
Online, a tool whose use is free for non-commercial purposes and which
allows users to build their own distribution using a repository of the
Conary packaging system. Since one of the points of a Conary
repository is that it contains both source and binary packages, using
its version control system to keep track of them, as Erik Troan, one
of rPath's founders, notes, using "rBuilder automatically solves the
problem by providing permanent access to binaries and the sources."
Distributions based on rBuilder would still need to maintain their own
repositories, but would not need to set up separate source
repositories. This is the solution that Foresight Linux has chosen.
However, rBuilder Online is not available to commercial distributions,
and Conary is still a new and relatively unknown packaging system.

Many derivative distributions, then, seem to be on their own in a
difficult situation where good intentions and creativity count for
nothing beside the letter of the law.

For Woodford, the situation means struggling for compliance while
preparing his next release, and the strain of the additional concerns
is taking its toll. "I'm just trying to get back to the point where I
can sleep at night," Woodford says. "Last night, I went to bed at 1:30
and just lay in bed thinking of all the technicalities that have been
discussed about the GPL and how I'm going to access the source and
make it available."

Bruce Byfield is a course designer and instructor, and a computer
journalist who writes regularly for NewsForge, Linux.com and IT
Manager's Journal.

Arjen Lentz, Community Relations Manager, MySQL AB
