On 03/18/2011 02:07 AM, Ruediger Landmann wrote: > Hi all > > I'm currently reviewing[0] a package (perl-NTLM) that was originally > published under a mostly free license but with some unacceptable > restrictions (not allowed to sell it, must send the developer the diffs > of any changes). > > The packager contacted the developer, and the developer agreed to > license it under "GPL+ or Artistic". The packager correctly included the > email with the clarification from the developer in the source RPM per > Fedora policy.[1] > > However, we would now be shipping a copy of GPL-licensed software > without providing a copy of the GPL, which I understand we can't do > under section 4 of the GPL.[2] > > The packaging guidelines state that we must include a file that contains > the text of the license "If (and only if) the source package includes > the text of the license(s) in its own file" and that "the packager > should contact upstream and encourage them to correct this mistake" if > such a file is missing from the package.[3] > > However, the GPL doesn't seem to require the upstream to include a copy > of the license in their source -- it only seems to require this of > people who make copies of the program (section 4 again). The FSF's > guidelines for use of the GPL don't seem to insist on this either: they > only say that the developer "should also include a copy of the license > itself somewhere in the distribution of your program"[4] -- "should", > not "must". > > So: > > 1. am I right in thinking that because the "Artistic" option doesn't > specify the clarified version (or version 2.0) of the Artistic license, > we're compelled to ship under the GPL? Yes. > 2. assuming that we're shipping under the GPL, am I right in thinking > that we cannot ship this code without including a copy of the GPL? In a strict interpretation, perhaps, but it is far more complicated than that. > 3. assuming that we must include a copy of the GPL, can we do so even if > upstream does not? Again, this is complicated. Hold on tight. :) ===== I never said the GPL isn't fun. :) GPLv1 says (section 1): "You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you ... give any other recipients of the Program a copy of this General Public License along with the Program." GPLv2 says (section 1): "You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you ... give any other recipients of the Program a copy of this License along with the Program." GPLv3 says (section 4): "You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you ... give all recipients a copy of this License along with the Program." Seems cut and dry, right? Well, no. :) Our distribution of perl-NTLM is clearly dependent upon perl, and perl includes a copy of the GPL (specifically, GPLv1, in /usr/share/man/man1/perlgpl.1.gz). So, an argument could be made that by distributing both perl and perl-NTLM together (which in every sane common usage scenario is true), we're compliant with this requirement. But, lets say for a moment that is deemed insufficient. The copyright holder of perl-NTLM would be the entity to point out that they feel that we have not met the requirement of the GPL by not including a copy of the license terms. However, they failed to actually provide those terms to us. I don't even want to speculate on what a court would say about such a filing. The argument would boil down to: "You failed to follow licensing terms that you were never given by the copyright holder?" IMHO, this scenario is extremely unlikely. Now, the reason we simply do not have a policy that says "When a copy of the license text is missing, you must add it" is because there is the possibility that you, the Fedora packager, gets the license wrong, and by including a copy of the incorrect license text, put yourself at potential legal risk when the copyright holder claims you're distributing their software under terms they never gave you permission to use. I'm not going to speculate on how significant or probable that risk is, but it is at least plausible. Instead, the Fedora policy roughly boils down to this: * If the license is indicated, but there is no copy of the license text included, ask upstream to include it. I have never heard of an instance where the omission of license text was intentional. * If you (the Fedora packager) cannot accomplish this with upstream, and you feel confident that upstream's licensing intentions are clear, you may, at your own risk, add a copy of the license text, but are not required to do so. To be honest, the only times where situations get past the first bullet point in that logical workflow is when the upstream is dead/gone/missing, and they never respond to the request because, well, the code is abandoned. This further minimizes the risk of this scenario causing a problem (the absent copyright holder is unlikely to suddenly awaken and start checking that distributors are adding license text that they themselves forgot to include). However, even if they did this, an argument could be made that by attempting to email the copyright holder, you (the packager) have made a good-faith effort to confirm the licensing terms, and were unable to receive a response. IANAL, but lawyers tell me that this actually counts for quite a bit at trial. If you're unlucky enough to get to that second bulletpoint (and you still want to package up this piece of abandoned code), you get to make the decision on whether you want to put yourself at personal risk by including a copy of the license, or whether you want to put Fedora at risk of being out of compliance on a requirement of a license for which the text is unclear. Sadly, the problem of "upstream forgot to include a copy of the license text" is a rather common one, especially in perl, because, perl hackers tend to assume you have a copy of perl already if you're installing their module, and thus, copies of all applicable licenses (GPL+ or Artistic). To the best of my knowledge, no copyright holder who has failed to include a copy of the GPL with their software has ever formally (or informally) complained that Fedora was distributing that software without a copy of the license text. So, from Fedora's perspective, the risk of being out of compliance on a requirement of a license for which the text is unclear because it was omitted by a copyright holder who cannot be contacted (and a good-faith attempt has been made to contact) is so minimal that no one loses sleep over it. You should not be at all concerned about choosing this option over the one that affects you personally. In the specific case of perl-NTLM, where we know upstream was responsive at some point in the recent past (at the time of the permission to relicense to GPL+ or Artistic), this situation can be addressed by contacting the copyright holder (aka upstream) and asking them to include a copy of the GPL license text in their source repository (or if they don't use one, in a tarball release). They don't even need to increment the versioning, just repack with a copy of the license text, so you can then package it. If they reply that they're too lazy/disinterested/not gonna do it for some odd reason, ask them explicitly if they are okay with you including a copy of the GPLv1 license text with the package (and attach a copy of the GPLv1 license text (yes, the GPLv1, not a later version, because the perl licensing they granted is GPLv1 or later. If upstream adds a copy of GPLv2 or GPLv3, that is sufficient for us to distribute to meet this technicality, but if we're going to do it, we're going to do it right.)). They'll almost certainly reply "Fine.". If they don't, feel free to email me, as you will win a "No-Prize". ;) If they get confused as to why it is important, well, feel free to point them to this email. If you read through all that, congratulations. ~tom P.S. In the event that someone reading this decides to be super-anal and point out that without an upstream provided license text, no one can assume they have any sort of copyright permission besides those granted to all recipients by US Copyright Law, which basically means "use only", and that no one aside from the Copyright holder has redistribution permissions in such a scenario, well, yes, this is strictly speaking, under the most literal interpretation, possible. However, intent matters, as well as common knowledge, in a more practical application. If the copyright holder says "This code is available under the terms of the GPL license, any version.", then we have a very good idea of the intent of the copyright holder, because common sense dictates that there is a very good probability that he means the "GNU General Public License" and not "George's Parrot License", because that's what GPL means in the open source (and software) space. So, in Fedora, we choose to operate in good faith in such scenarios, and not be super-anal. Plus, in those scenarios, we ask upstream to add the license text and clear up any confusion. P.P.S. In situations where there is no common sense knowledge (e.g. "This code is available under the FHJOHKG License.") we do not make such good-faith assumptions in Fedora, and only permit inclusion when we have a copy of the FHJOHKG License text and clear it as Free. DISCLAIMER: I am not a lawyer. I don't even play one on TV. Nothing in this email should be considered legal advise. I talk to Red Hat Legal, so I usually have some clue on such topics, but you should not assume that I'm speaking on behalf of anything beyond Fedora. When in doubt, get your own lawyer. == Fedora Project _______________________________________________ legal mailing list legal@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/legal
