For more than ten years, the GNU General Public License has provided the legal foundation for much of what’s been accomplished with free and open source software. Now the license’s steward, the Free Software Foundation, is revising the venerable document to comprehend the complexities of developing and distributing open source software in the modern day. In this exclusive article, Groklaw founder and editor Pamela Jones analyzes many of the proposed changes found in GPL Version 3 and explains what’s in store for you if your name is Joe Coder.
But what are the more meaty changes proposed? Are there changes in what a developer must do? Yes.
One significant change is the rule governing termination. Previously, if the terms of the GPL were violated, termination was automatic. Now, according to GPLv3, the copyright holder has a duty to notify the violator and give the violator an opportunity to cure. Why? Practical reasons. For one thing, experience has shown that most violations are inadvertent and automatic termination is too harsh a punishment. Moreover, it can be difficult to contact all of the copyright holders of a large collection of software to get all to agree to allow a violator who has cured to distribute under the GPL again. (In some cases, it’s virtually impossible.)
Under the new terms, a violator is accorded 60 days to cure after receiving notification of a violation. If the violation isn’t cured within that window, the violator may no longer distribute under the GPL. Furthermore, the only way for the violator to recapture that right is to cure and seek the approvals of the copyright holders to distribute anew. If no one notices a violation until a year after the occurrence, the violator still only gets 60 days to cure after the copyright holder sends notice. The 60 days refers to the violator, not the copyright holder.
The most popular major change in GPLv3 seems to be the new patent clause. The clause is also the first restriction on the use of GPL’d code. Under GPLv3, if you bring suit for patent infringement “… against anyone for making, using or distributing their own works based on the Program”, you lose the right to privately modify and run the program yourself. The purpose is to discourage bad actors from threatening the freedoms of other users. Or as Comment 172 by Bradley Kuhn explains, “It is particularly intended to discourage a GPL licensee from securing a patent directed to unreleased modifications of GPL’d code and then suing the original developers or others for making their own equivalent modifications.”
It’s a narrow patent retaliation clause. However, the exceptions permitted by Section 7 allow for broader patent retaliation language found in other free software licenses to be added there. The Free Software Foundation has stated that it avoided such stronger language in GPLv3 because “too little is known about the consequences of these forms of patent retaliation.” One of the stated goals of drafting GPLv3, listed in the rationale document, is to do no harm.
The Dangers of Drafting
Any time you draft legal language, there’s always the danger of introducing unforeseen problems. Avoiding untoward results requires drafting skill, but because lawyers know that they’re only human, they are cautious about making moves into uncharted territory. That is part of the reason the FSF is asking for public comments — to make sure that many eyeballs and many brains notice and think about possible pitfalls now, so omissions and errors can be avoided in the final version.
Here’s some of the language from the drafting rationale, 1.1, Do No Harm:
“We have also done our utmost to avoid unintentional consequences that would harm these freedoms. While we are confident that our draft, if adopted, will have no unforeseen consequences that would be deleterious to freedom, we must be certain that this will be so. Making sure of this is one primary reason for the public comment process.
“To illustrate what this principle implies, consider the treatment of software designed for public use on network servers. Given the variety of needs and concerns in this area, in which different parties have disparate and strongly-held positions, we have chosen not to add requirements about public use of modified versions in the GPL itself. Instead we have made a variety of possible license requirements compatible with the GPL, through an enhanced compatibility provision; thus we leave individual developers scope for choosing among requirements to apply for public use of their code. We have intentionally done nothing that might threaten to divide free software developers from free software users.”
As you can see, GPLv3 is trying to address the needs of business. Thus, there is also a “system library exception,” which appears to clarify that many previous combinations of code that some thought were violative of the GPL are actually well within the spirit of the license.
The Controversial Digital Rights Management Clause
The most controversial addition to GPLv3 has to be the Digital Rights Management (DRM) clause. Even Linus Torvalds misread it, seeming to think you would have to turn over your private key, such as you might use to sign off code. (See the sidebar “Stallman Speaks” for Richard Stallman’s response to Torvalds.) Here’s the wording in v3 that confused some:
“Complete Corresponding Source Code also includes any encryption or authorization codes necessary to install and/or execute the source code of the work, perhaps modified by you, in the recommended or principal context of use, such that its functioning in all circumstances is identical to that of the work, except as altered by your modifications. It also includes any decryption codes necessary to access or unseal the work’s output. Notwithstanding this, a code need not be included in cases where use of the work normally implies the user already has it.”
You don’t need anyone’s key to do those things.
Some businesses hate this clause, of course. The pressure from the entertainment industry to use DRM is intense. But concerns about this clause are ongoing within the FOSS community as well.
GPLv3 [does] not require Linux developers to publish the private keys that they use to sign Linux source versions to show they are authentic. But GPLv3 would require the manufacturer of the Tivo you bought to give you the key needed to sign a binary so it will run on your Tivo. That means you will really be able to run the modified versions on your Tivo and they will really run.
The Tivo was the first well-known case of a machine that included free software but refused to run the users’ modified versions. Surely, it won’t be the last. It happens that Linux is one of the programs that were “tivoized” in this way.
We hope that the developers of Linux will adopt the GPLv3, so as to make future Linux versions resistant to “tivoization” in the future. —Richard Stallman
However, the FSF is making a clear statement that it doesn’t wish GPL’d code used to implement DRM schemes that restrict user freedoms guaranteed by the GPL. DRM’s purpose is to restrict users. The GPL has as its goal freedom for users to copy, modify, and share. The two act at cross purposes.
Some say there are legitimate uses of DRM, or that DRM is a hardware issue and a software license shouldn’t dictate what computer and device manufacturers do with their hardware. There are two answers to that. First, the Sony rootkit was software, not hardware, and it reportedly included GPL’d code. Second, while the FSF can’t outlaw DRM, it can make sure GPL’d code isn’t used to implement it in ways that hinder the freedom of users to modify, install, and run programs. (See “Stallman Speaks” for Stallman’s statement regarding Tivo, the company that brought this issue to the fore.)
The DRM clause isn’t designed to tell others what to do with their hardware; it’s language designed to tell them what they cannot do with other people’s GPL’d software code.
Another purpose of the DRM clause is to create some protection from the DMCA, as stated in part in the rationale like this:
“If a covered work is distributed as part of a system for generating or accessing certain data, the effect of this paragraph is to prevent someone from claiming that some other GPL’d program that accesses the same data is an illegal circumvention.”
That part of the DRM clause reads like this:
“No covered work constitutes part of an effective technological protection measure: that is to say, distribution of a covered work as part of a system to generate or access certain data constitutes general permission at least for development, distribution and use, under this License, of other software capable of accessing the same data.”
The “technological protection measure” language refers to the DMCA. It’s to ensure that no GPL’d program can be held to be a “circumvention device” for any other GPL program.
Other language addresses privacy:
“Regardless of any other provision of this License no permission is given to distribute covered works that illegally invade users’ privacy nor for modes of distribution that deny users that run covered works the full exercise of the legal rights granted by this license.”
The privacy language refers to Tivo or any company that tracks users’ actions. Tivo complies with GPLv2 by the skin of its teeth, but the proposed new language would make it more difficult for GPL’d code to be used in conjunction with such privacy invasions, and that is precisely why the new language was crafted.
Couldn’t Tivo just stick with GPLv2, then? Yes. But as Eben Moglen, the FSF attorney who drafted GPLv3, has explained, under certain circumstances, upgrading is impossible to avoid.
For instance, suppose the Linux kernel were to move to GPLv3. (That is currently up in the air, but just suppose it happens for the purpose of discussion.) How does Tivo avoid GPLv3? It would have to freeze at the last version of the kernel under GPLv2, while the kernel itself moves on to bigger and better things. Being unable to keep pace with the kernel isn’t an attractive option for a competitive business.
Says Moglen: “Once a GPL’d work has been relicensed under GPLv3, although a party having a copy under GPLv2 could continue to distribute it under that license, any further maintenance from upstream would force the license upgrade.” (See an interview with Moglen at http://www.eweek.com/article2/0,1895,1915643,00.asp.)
See the sidebar “Migrating to GPL Version 3” to learn how to migrate to v3 if you are a copyright holder of code under GPLv2 or any later version.
Migrating to GNU General Public License Version 3
According to Free Software Foundation attorney Eben Moglen, here’s what to do to migrate your code to GNU General Public License Version 3.
“When the eventual GPLv3 is released, any party modifying or redistributing a program under ‘GPLv2 or any later version’ can simply apply Version 3 instead of Version 2, pursuant to the text of Section 9 of Version 2. The rightsholder does not need to do anything. Code will simply move from v2 to v3 each time someone (including of course but not necessarily the rightsholder) redistributes the code under the new license. If the rightsholder wants to move the code permanently from Version 2 to Version 3, he or she can relabel the code ‘GPLv3 or any later version.’”
Off to the Races
So GPLv3 is off and running, and so far, so good. But significant issues remain, and the discussions are intense. Some business interests would like GPLv3 to be more flexible, so GPL’d code and code under other licenses would be able to work together.
Keep in mind that the GNU Lesser General Public License (LGPL) must also be updated, and that work has not yet begun. Issues regarding the DRM clause have only begun to be worked through.