Free but not easy: A guide to open-source compliance

A friend pointed out to me that the Free Software Foundation's "Practical Guide to GPL Compliance" has some intriguing details. One, in particular, caught his eye.

Most people familiar with open source understand that distribution of modified open-source software compels the modifying party to make source code available for the derivative work. However, as the Free Software Foundation points out, there is no obligation to make it easy to compile source code:

The GPL contains no provision that requires distribution of the compiler used to build the software. While companies are encouraged to make it as easy as possible for their users to build the sources, inclusion of the compiler itself is not normally considered mandatory. The Corresponding Source definition--both in GPLv2 and GPLv3--has not been typically read to include the compiler itself, but rather things like makefiles, build scripts, and packaging scripts.

In other words, source code must be available, but the onus isn't necessarily on the code author to pave the way to a perfect binary. I personally believe that it's in the developer's interest to make it as easy as possible to compile as the benefits of open source start the moment the receiving party can contribute and participate in the code, but it's not a requirement.

One other thing that caught my eye was the Free Software Foundation's clarification as to whom a code author must distribute her source code:

...[GNU General Public License (GPL)] v2 ? 3(b) requires that offers be "to give any third party" a copy of the Corresponding Source. GPLv3 has a similar requirement, stating that an offer must be valid for "anyone who possesses the object code". These requirements indicated in v2 ? 3(c) and v3 ? 6(c) are so that non-commercial redistributors may pass these offers along with their distributions. Therefore, the offers must be valid not only to your customers, but also to anyone who received a copy of the binaries from them. Many distributors overlook this requirement and assume that they are only required to fulfill a request from their direct customers.

This is the language that allows, for example, CentOS to take Red Hat's code and redistribute it. Lost in this language, however, is an increasingly common business practice to only distribute source code to one's immediate customers, and to impede the right of redistribution through a separate contract. Regardless of the validity of such contracts, it is absolutely the case that very few downstream business users of software have any interest (or even internal policies that allow) in software redistribution.

As such, companies could make their software available as open source without any material concern that their source code will be redistributed and modified, if such is their concern. (Of course, if this is a concern, why bother using an open-source license at all...?)

I encourage you to read the Free Software Foundation's compliance guide. It makes a lot of things about the GPL and its affiliate licenses easier to understand.

[akiba_freak]

Actually, the guide was published by the Software Freedom Law Center which, as far as I know, is not part of the FSF. They do work closely together, however its probably best to get something like that straightened out.

[odubtaig]

That's certainly cleared up one thing I was getting wrong but...

This is the language that allows, for example, CentOS to take Red Hat's code and redistribute it.

Really? Including all the BSD, MIT, Apache and other licensed software? If that was the real barrier, all they'd have to do is buy one license of RHEL AS anyway and even then Red Hat could just not give them the code to X.org, ncurses and a whole host of other stuff and their lives would already be more difficult. Anything based on wxWidgets? Gone. I forget exactly when I saw the stats on a typical Linux distribution but typically less than half is licensed under the GPL or similar, the rest is a mishmash of OSI approved licenses including several variations on the MIT and BSD licenses.

[The_Decider]

The MIT, BSD, and (I think) Apache licenses are far more permissive then the GPL. They have no reciprocity clause. It is nearly impossible to be in violation of them:

[andrewkatz]

Under GPL2, at least, I'd argue that the offer has to be any third party, not just any recipient of the binary. Thus *any person at all* is able to request the binaries, assuming they know about the offer. Unfortunately, one possible defect of GPL2's drafting is that it's not necessarily a breach to fail
to honour the offer. The consequences of this depend to a certain extent on whether the GPL is a bare licence (which is my view) or a contract (which is the view of many lawyers in England, at least), and whether acceptance of the offer is a contract as well.

[andrewkatz]

Duh - for "request the binaries" above, read "request the source"

[mdahlman_cnet]

Hi Matt,

This is more of a nitpick, since I think the point of the article is correct. But I think the second quote is taken slightly out of context and as such is a bit misleading. In part it reads "Many distributors overlook this requirement and assume that they are only required to fulfill a request from their direct customers." It's implied in the article above that this applies to all vendors distributing code under a GPL v2 license. But in fact it's only applicable in cases where the vendor distributes the object code without the source and accompanies the object code with a written offer to make the source available.

Three paragraphs later the quoted article makes this explicit. It points out that if the source accompanies the object code in the first place, then the vendor does not need to provide the source to other non-direct customers. It explains that "This situation illustrates that the offer for source is often a poor choice for products that your customers will likely redistribute." Including the source code in the original distribution is often a better choice.

[The_Decider]

The problem these days is that companies are abusing it. Many of these companies are offering distributed mainframe services(cynically, and laughably called 'cloud computing' to mask what it really is) with allegedly GPL software, but since the software isn't really distributed these companies get to lock it down while being able to claim OSS status.

[russ danner]

It's interesting that code distributed as GPL need not be easily compiled/packaged under the GPL. From a practical standpoint this is necessary because you may have written your code in ADA or BLISS or god know what else where there are not freely available compilers. The code is GPL, the compiler is not. Distributing code that can't easily or freely be compiled is not in line with the spirit of GPL or open source in my opinion and really defeats or deflates the payout. It does make one wonder if this is a loop hole for freeloaders who what to consume GPL source but don't want to give back. The first companies that came to mind when I read this were SAP, Salesforce and Oracle. All have proprietary languages that drive their products. They could make the source code available but it wouldn't do us much good without the compiles and engines required to run it.

The encouraging side of that thought is that most source code will be written in a standard language with freely available compilers. In general, despite the possibility that this issue may come up now and again; it doesn't seem to be a real issue and to "take advantage" of the terms requires more effort than it is really worth and further it means overlooking the clear advantages of open source based development.