[Fedora-legal-list] Providing a copy of the GPL

Tom Callaway tcallawa at redhat.com
Sun Mar 20 03:37:38 UTC 2011 

On 03/18/2011 02:07 AM, Ruediger Landmann wrote:
> Hi all
> 
> I'm currently reviewing[0] a package (perl-NTLM) that was originally 
> published under a mostly free license but with some unacceptable 
> restrictions (not allowed to sell it, must send the developer the diffs 
> of any changes).
> 
> The packager contacted the developer, and the developer agreed to 
> license it under "GPL+ or Artistic". The packager correctly included the 
> email with the clarification from the developer in the source RPM per 
> Fedora policy.[1]
> 
> However, we would now be shipping a copy of GPL-licensed software 
> without providing a copy of the GPL, which I understand we can't do 
> under section 4 of the GPL.[2]
> 
> The packaging guidelines state that we must include a file that contains 
> the text of the license "If (and only if) the source package includes 
> the text of the license(s) in its own file" and that "the packager 
> should contact upstream and encourage them to correct this mistake" if 
> such a file is missing from the package.[3]
> 
> However, the GPL doesn't seem to require the upstream to include a copy 
> of the license in their source -- it only seems to require this of 
> people who make copies of the program (section 4 again). The FSF's 
> guidelines for use of the GPL don't seem to insist on this either: they 
> only say that the developer "should also include a copy of the license 
> itself somewhere in the distribution of your program"[4] -- "should", 
> not "must".
> 
> So:
> 
> 1. am I right in thinking that because the "Artistic" option doesn't 
> specify the clarified version (or version 2.0) of the Artistic license, 
> we're compelled to ship under the GPL?

Yes.

> 2. assuming that we're shipping under the GPL, am I right in thinking 
> that we cannot ship this code without including a copy of the GPL?

In a strict interpretation, perhaps, but it is far more complicated than
that.

> 3. assuming that we must include a copy of the GPL, can we do so even if 
> upstream does not?

Again, this is complicated. Hold on tight. :)

=====

I never said the GPL isn't fun. :)

GPLv1 says (section 1):

"You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
... give any other recipients of the Program a copy of this General
Public License along with the Program."

GPLv2 says (section 1):

"You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
... give any other recipients of the Program a copy of this License
along with the Program."

GPLv3 says (section 4):

"You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you ... give all
recipients a copy of this License along with the Program."

Seems cut and dry, right? Well, no. :)

Our distribution of perl-NTLM is clearly dependent upon perl, and perl
includes a copy of the GPL (specifically, GPLv1, in
/usr/share/man/man1/perlgpl.1.gz). So, an argument could be made that by
distributing both perl and perl-NTLM together (which in every sane
common usage scenario is true), we're compliant with this requirement.

But, lets say for a moment that is deemed insufficient. The copyright
holder of perl-NTLM would be the entity to point out that they feel that
we have not met the requirement of the GPL by not including a copy of
the license terms. However, they failed to actually provide those terms
to us. I don't even want to speculate on what a court would say about
such a filing. The argument would boil down to: "You failed to follow
licensing terms that you were never given by the copyright holder?"

IMHO, this scenario is extremely unlikely.

Now, the reason we simply do not have a policy that says "When a copy of
the license text is missing, you must add it" is because there is the
possibility that you, the Fedora packager, gets the license wrong, and
by including a copy of the incorrect license text, put yourself at
potential legal risk when the copyright holder claims you're
distributing their software under terms they never gave you permission
to use.

I'm not going to speculate on how significant or probable that risk is,
but it is at least plausible.

Instead, the Fedora policy roughly boils down to this:

* If the license is indicated, but there is no copy of the license text
included, ask upstream to include it. I have never heard of an instance
where the omission of license text was intentional.
* If you (the Fedora packager) cannot accomplish this with upstream, and
you feel confident that upstream's licensing intentions are clear, you
may, at your own risk, add a copy of the license text, but are not
required to do so.

To be honest, the only times where situations get past the first bullet
point in that logical workflow is when the upstream is
dead/gone/missing, and they never respond to the request because, well,
the code is abandoned. This further minimizes the risk of this scenario
causing a problem (the absent copyright holder is unlikely to suddenly
awaken and start checking that distributors are adding license text that
they themselves forgot to include). However, even if they did this, an
argument could be made that by attempting to email the copyright holder,
you (the packager) have made a good-faith effort to confirm the
licensing terms, and were unable to receive a response. IANAL, but
lawyers tell me that this actually counts for quite a bit at trial.

If you're unlucky enough to get to that second bulletpoint (and you
still want to package up this piece of abandoned code), you get to make
the decision on whether you want to put yourself at personal risk by
including a copy of the license, or whether you want to put Fedora at
risk of being out of compliance on a requirement of a license for which
the text is unclear.

Sadly, the problem of "upstream forgot to include a copy of the license
text" is a rather common one, especially in perl, because, perl hackers
tend to assume you have a copy of perl already if you're installing
their module, and thus, copies of all applicable licenses (GPL+ or
Artistic). To the best of my knowledge, no copyright holder who has
failed to include a copy of the GPL with their software has ever
formally (or informally) complained that Fedora was distributing that
software without a copy of the license text.

So, from Fedora's perspective, the risk of being out of compliance on a
requirement of a license for which the text is unclear because it was
omitted by a copyright holder who cannot be contacted (and a good-faith
attempt has been made to contact) is so minimal that no one loses sleep
over it. You should not be at all concerned about choosing this option
over the one that affects you personally.

In the specific case of perl-NTLM, where we know upstream was responsive
at some point in the recent past (at the time of the permission to
relicense to GPL+ or Artistic), this situation can be addressed by
contacting the copyright holder (aka upstream) and asking them to
include a copy of the GPL license text in their source repository (or if
they don't use one, in a tarball release). They don't even need to
increment the versioning, just repack with a copy of the license text,
so you can then package it. If they reply that they're too
lazy/disinterested/not gonna do it for some odd reason, ask them
explicitly if they are okay with you including a copy of the GPLv1
license text with the package (and attach a copy of the GPLv1 license
text (yes, the GPLv1, not a later version, because the perl licensing
they granted is GPLv1 or later. If upstream adds a copy of GPLv2 or
GPLv3, that is sufficient for us to distribute to meet this
technicality, but if we're going to do it, we're going to do it
right.)). They'll almost certainly reply "Fine.". If they don't, feel
free to email me, as you will win a "No-Prize". ;)

If they get confused as to why it is important, well, feel free to point
them to this email.

If you read through all that, congratulations.

~tom

P.S. In the event that someone reading this decides to be super-anal and
point out that without an upstream provided license text, no one can
assume they have any sort of copyright permission besides those granted
to all recipients by US Copyright Law, which basically means "use only",
and that no one aside from the Copyright holder has redistribution
permissions in such a scenario, well, yes, this is strictly speaking,
under the most literal interpretation, possible. However, intent
matters, as well as common knowledge, in a more practical application.
If the copyright holder says "This code is available under the terms of
the GPL license, any version.", then we have a very good idea of the
intent of the copyright holder, because common sense dictates that there
is a very good probability that he means the "GNU General Public
License" and not "George's Parrot License", because that's what GPL
means in the open source (and software) space. So, in Fedora, we choose
to operate in good faith in such scenarios, and not be super-anal. Plus,
in those scenarios, we ask upstream to add the license text and clear up
any confusion.

P.P.S. In situations where there is no common sense knowledge (e.g.
"This code is available under the FHJOHKG License.") we do not make such
good-faith assumptions in Fedora, and only permit inclusion when we have
a copy of the FHJOHKG License text and clear it as Free.

DISCLAIMER: I am not a lawyer. I don't even play one on TV. Nothing in
this email should be considered legal advise. I talk to Red Hat Legal,
so I usually have some clue on such topics, but you should not assume
that I'm speaking on behalf of anything beyond Fedora. When in doubt,
get your own lawyer.

==
Fedora Project

More information about the legal mailing list