
% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
\documentclass{beamer}
%\documentclass[handout]{beamer}
% This file is a solution template for:
% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice.
\mode<presentation>
{
\usetheme{Warsaw}
\setbeamercovered{transparent} % or whatever (possibly just delete it)
}
\mode<handout>{
\usepackage{handoutWithNotes}
\pgfpagesuselayout{4 on 1 with notes}[a4paper,border shrink=5mm]
\usecolortheme{seahorse}
}
% ensure the page number is printed in front of the author name in the footer
\newcommand*\oldmacro{}
\let\oldmacro\insertshortauthor% save previous definition
\renewcommand*\insertshortauthor{%
\leftskip=.3cm% before the author could be a plus1fill ...
\insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
\usepackage[english]{babel}
% or whatever
\usepackage[latin1]{inputenc}
% or whatever
\usepackage{times}
\usepackage[T1]{fontenc}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.
\title{GPL License Compliance}
\subtitle{in the embedded devices market}
\author{Harald Welte}
\institute
{gpl-violations.org\\gnumonks.org\\hmw-consulting.de}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.
\date[OF 2012] % (optional, should be abbreviation of conference name)
{November 4, 2012 / Sofia / Bulgaria}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
% yourself) who are reading the slides online
\subject{Embedded Linux}
% This is only inserted into the PDF information catalog. Can be left
% out.
% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:
% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}
% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
% \begin{frame}<beamer>{Outline}
% \tableofcontents[currentsection,currentsubsection]
% \end{frame}
%}
% If you wish to uncover everything in a step-wise fashion, uncomment
% the following command:
%\beamerdefaultoverlayspecification{<+->}
\begin{document}
\begin{frame}
\titlepage
\end{frame}
\begin{frame}{Outline}
\tableofcontents
% You might wish to add the option [pausesections]
\end{frame}
% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution:
% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
% 15 and 30 frames, all told.
% - A conference audience is likely to know very little of what you
% are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
% enough. Leave out details, even if it means being less precise than
% you think necessary.
% - If you omit details that are vital to the proof/implementation,
% just say so once. Everybody will be happy with that.
\begin{frame}{About the speaker}
\begin{itemize}
\item Using + playing with Linux since 1994
\item Kernel development since 1999
\item IT security expert, focus on network protocol security
\item Board-level Electrical Engineering
\item System-level Software for PPC, ARM, x86
\item IANAL, but companies not complying with the license forced me to spend lots of time with legal issues
\end{itemize}
\end{frame}
\section{FOSS Licenses}
\subsection{Free Software and Copyleft}
\begin{frame}{Free Software}{Definition by the FSF}
% - A title should summarize the slide in an understandable fashion
% for anyone who does not follow everything on the slide itself.
Free Software has to ensure the following key freedoms:
\begin{itemize}
\item
Freedom to use the software for any purpose
\item
Freedom to make copies ``to help your neighbor''
\item
Freedom to study its functionality (source code)
\item
Freedom to fix it yourself (make modifications)
\end{itemize}
\end{frame}
\begin{frame}{Copyleft}{A concept to ensure Freedom}
Copyleft is an idea to use copyright to ensure Software Freedoms
\begin{itemize}
\item Use/claim copyright on the software
\item Create a license that is permissive enough for the 4 Freedoms
\item However, put some conditions/obligations in the license
\begin{itemize}
\item ensure the source code will always be available
\item ensure nobody is able to remove the 4 Freedoms from the software
\end{itemize}
\item Use that license for the software.
\end{itemize}
\end{frame}
\subsection{The GNU GPL}
\begin{frame}{The GNU GPL}{An implementation of Copyleft}
The GNU General Public License (GPL)
\begin{itemize}
\item is a Copyleft Free Software License
\item assures the original author that his work will always have the freedoms
\item establishes a level of fairness: You can use my code, if you share your additions back with us.
\item is a big motivation factor for many community members
\end{itemize}
\end{frame}
\begin{frame}{Revisiting the GPLv2 License Terms}
The GNU GPLv2
\begin{itemize}
\item Regulates distribution, not use (running the program)
\item Allows distribution of source code and modified source code, if
\begin{itemize}
\item The license is mentioned
\item A copy of the license text accompanies each copy
\end{itemize}
\item Allows distribution of binaries or modified binaries, if
\begin{itemize}
\item The license is mentioned
\item A copy of the license text accompanies each copy
\item The source code is either included with the copy, or a written offer is made on how the source can be obtained.
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Complete Corresponding Source Code}{As required by GPLv2}
\dots complete source code means all the source code for all modules it (the software) contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
\begin{itemize}
\item For a C language program, this means
\begin{itemize}
\item Source Code
\item Makefiles
\item compile-time configuration (e.g.\ kernel \texttt{.config})
\end{itemize}
\item General rule
\begin{itemize}
\item Intent of the license is to enable the user to run modified versions of the program
\item If you provide everything needed for that, there will be no discussion
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Modifications of GPL'd source code}{The details that matter}
\begin{itemize}
\item In the GPL, it does not matter if you have modified the GPL'd program or if you ship it unmodified.
\item You always have to provide the source code!
\item If you modify the source code, your changes have to be visible/identifiable
\item For practical reasons, I suggest shipping original upstream tarball + a diff/patch with your changes
\end{itemize}
\end{frame}
\subsection{GPL - Compatible source code offer}
\begin{frame}{Complete + Corresponding Source}{For every Release you make}
\begin{itemize}
\item Whenever you \emph{distribute} GPL licensed software, the license applies. This includes
\begin{itemize}
\item Actual sale of a physical embedded device with the software in flash
\item Download of a firmware update as a file from a website
\item Shipping of firmware updates on physical storage
\item Distribution of firmware updates, e.g.\ by over-the-air mechanisms in DVB-S or other networks
\end{itemize}
\item Every time, the conditions of the license have to be fulfilled (mention there's software under GPL, include full license text, include or offer complete corresponding source code)
\item For every release you ever ship (even a beta release that is only ever shipped to one customer), you need the \emph{complete corresponding} source code.
\end{itemize}
\end{frame}
\subsection{GPL - Derivative Works}
\begin{frame}{Derivative Works}{Keeping it clean}
Derivative works are a question of copyright law, not the GPL
\begin{itemize}
\item whenever you couple a GPL and a non-GPL program tightly (e.g.\ static/dynamic linking), you're entering a legal grey area
\item there is little or no precedent on derivative works of software
\item you're violating the intention of the author. If he wanted you to link from proprietary programs, he would have used the LGPL
\item try to work \emph{with} the community, rather than against it
\end{itemize}
\end{frame}
\begin{frame}{Intermission}
Take a break, go one step back
\begin{itemize}
\item The License is not an end in itself
\item Intent of the license is to make sure people can modify + enhance the product
\item The more open your product is, the less you have to worry
\item Using Linux + FOSS without enabling community to modify+enhance is cheating!
\item Try to make friends of the developer community, not enemies!
\end{itemize}
\end{frame}
\begin{frame}{License compliance is not an afterthought}
Complying with the license terms is relatively easy \emph{if} you consider the license terms \emph{before} starting R\&D
\begin{itemize}
\item you can integrate building source releases in your build process
\item you can decide which software can be combined given the license terms
\end{itemize}
\end{frame}
\begin{frame}{License compliance is not an afterthought}
Achieving license compliance after shipping the product is very hard
\begin{itemize}
\item lack of good engineering practice could mean old source code is gone
\item engineers working on the product might have left the company
\item you and your customers are under a lot of time pressure (legal threat)
\item you might have already shipped a derivative work of GPL'd software and now have to release parts that you originally wanted to keep proprietary
\end{itemize}
\end{frame}
\section{Linux and the Embedded Market}
\subsection{Linux-based systems everywhere}
\begin{frame}{Linux and Free Software (FOSS) everywhere}
\begin{figure}[h]
\centering
\includegraphics[width=100mm]{linux_netfilter_singapore_entertainment.jpg}
\end{figure}
\end{frame}
\begin{frame}{Areas of Embedded Linux}
\begin{itemize}
\item Embedded Network Devices (DSL-Modem, Router, WiFi-AP, NAS)
\item Telecommunications equipment (Switch, DSLAM, \dots)
\item In-flight / In-vehicle entertainment
\item Personal Navigation Devices (Tomtom GO)
\item Mobile Phones (EZX, MAGX, Android, LiMo, WebOS)
\item PoS terminals, ATMs, Payphones
\item Digital Media Players, Set-Top-Boxes, Video Recorder
\item Exercycles + Fitness Gear
\item Building automation + control
\item VoIP telephones, VoIP switches, PBX
\item e-Ink readers, Tablet computers, MIDs
\end{itemize}
\end{frame}
\subsection{Embedded Linux supply chain}
\begin{frame}{Embedded Linux Supply Chain}
In a typical case, the supply chain consists at a minimum of
\begin{itemize}
\item The silicon maker of the SoC containing the core that runs Linux
\item The supplier of the reference design / board for that SoC
\item The ODM building an actual circuit board using that SoC
\item The OEM selling the product under his brand in the target market
\end{itemize}
\end{frame}
\begin{frame}{Embedded Linux Supply Chain}
Situation can be further complicated by
\begin{itemize}
\item A 3rd party supplier of the BSP / SDK for the SoC or reference board
\item Multiple companies involved on the ODM or OEM side (building parts of a product, later integration into the real product, e.g.\ in-vehicle entertainment for a car)
\item 3rd party suppliers of application programs (which might use FOSS)
\end{itemize}
\end{frame}
\begin{frame}{Embedded Linux Supply Chain}
Problems in the supply chain:
\begin{itemize}
\item The OEM has no clue what kind of software the ODM put into the product
\item The ODM has limited technical skill and has no clue what the BSP provider did
\item End user buys a product with license/copyright violations and has no clue
\begin{itemize}
\item who the entities in the supply chain are
\item who actually caused the license/copyright violation
\end{itemize}
\end{itemize}
\end{frame}
\subsection{GPL - Embedded Systems}
\begin{frame}{GPL and Embedded Systems}{Interpreting the meaning}
\begin{itemize}
\item The GNU GPLv2 was written for the GNU project, at the time this project was
working on replacing individual application programs on top of a proprietary
UNIX operating system kernel.
\item scripts used to control compilation and installation
\begin{itemize}
\item Intent: To enable the user to modify + run modified versions
\item In the case of embedded systems, the ``scripts used to control installation'' include the software required for installing the program onto the target device
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{GPL and Embedded DRM}{Sometimes called Tivo-ization}
\begin{itemize}
\item Some companies want to lock down their Linux-based system, by
\begin{itemize}
\item Cryptographic verification of bootloader by ROM loader
\item Cryptographic verification of kernel image by bootloader\dots
\end{itemize}
\item This is problematic from a GPL point of view, since
\begin{itemize}
\item You are depriving the user of the practical ability to exercise his right to run modified versions of the program
\item Thus, a violation not of the GPLv2 wording, but likely of the GPL's intention
\item Legal outcome unclear, different scholars have different opinions, also depends on jurisdiction
\end{itemize}
\item GPLv3 makes this intent explicit in the license text
\end{itemize}
\end{frame}
\section{GPL Violations and License Enforcement}
\subsection{GPL Violations and Business Risks}
\begin{frame}{GPL Violations}
\begin{itemize}
\item GPL violations are not new, just like GPL licensed software is not new
\item However, the increased popularity of GNU/Linux-based systems increases the number of GPL violations
\item Today, many more people and companies unfamiliar with the history and values of Free Software start using and (re)distributing FOSS
\end{itemize}
\end{frame}
\begin{frame}{Business Risk of GPL Violations}{Or: How to convince your managers}
If you ship a product that does not comply with the GNU GPL,
\begin{itemize}
\item you are committing a copyright infringement no different from shipping a product with unlicensed copies of MS Windows
\item you can face civil and criminal charges in court
\item civil charges include (German jurisdiction)
\begin{itemize}
\item immediate cease + desist (halt of product sales)
\item information on which quantity of the product has been sold to whom
\item damages for lost revenue (see dual licensing)
\end{itemize}
\item civil charges can also be filed against every distributor/store/importer
\end{itemize}
\end{frame}
\subsection{GPL Enforcement}
\begin{frame}{Early GPL Enforcement}
\begin{itemize}
\item The Free Software Foundation (FSF) has always been doing GPL enforcement on software \emph{of which they are the copyright holder}
\begin{itemize}
\item They do so quietly, without much public notice
\item The quiet route sometimes leads to lengthy negotiations
\item The FSF only holds copyright on some Free Software programs
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{The Linksys WRT54G case}
During 2003, the Linksys WRT54G case drew a lot of attention
\begin{itemize}
\item Linksys was selling 802.11 WLAN Access Points and Routers
\item Lots of GPL licensed software embedded into the device, including Linux, uClibc, busybox, iptables
\item FSF-led alliance took their usual \emph{quiet} approach
\item Linksys bought itself a lot of time
\begin{itemize}
\item Some sources were released two months later
\item Full GPL compliance only achieved four months later
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Aftermath of the Linksys case}
\begin{itemize}
\item Some developers were not happy with the Linksys case
\begin{itemize}
\item Linksys didn't lose anything by not complying from the beginning
\item Four months delay is a long time given short product lifetimes
\end{itemize}
\item More embedded devices started to use Linux and other FOSS
\item The netfilter/iptables project started to do their own enforcement
\begin{itemize}
\item Using German copyright law against German subsidiary of vendor
\item Using direct legal / copyright based approach
\end{itemize}
\item gpl-violations.org was later established
\end{itemize}
\end{frame}
\begin{frame}{GPL Enforcement by the Community}
\begin{itemize}
\item The GPL is a Copyright License
\item GPL enforcement is thus Copyright enforcement
\item Copyright enforcement can normally only be done by copyright holders!
\item Alternative (less tested) legal approaches
\begin{itemize}
\item Competition / Anti-Trust law (by a GPL-abiding competitor)
\item Consumer protection (The product without source code is incomplete)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{GPL Enforcement Requirements}
\begin{itemize}
\item Clean copyright situation
\begin{itemize}
\item Who wrote which (part of a) software
\item Was the copyright transferred to an employer?
\end{itemize}
\item Evidence for the violation
\begin{itemize}
\item Test purchase of the software on storage medium
\item Detailed screenshots of the download site, downloaded software images
\item Evidence shows no notice of GPL or source code availability/offer
\end{itemize}
\item Copyright holders who want to do enforcement
\end{itemize}
\end{frame}
\begin{frame}{GPL Enforcement by the Community}
\begin{itemize}
\item Authors/Developers of a project need to care about entities that violate their license
\item Legal options in case of a violation
\begin{itemize}
\item One or multiple copyright holders do their own enforcement
\item Copyright transfer to an entity that does enforcement
\begin{itemize}
\item Free Software Foundation
\item \url{http://conservancy.softwarefreedom.org/}
\item Fiduciary License Agreement with the FSF Europe
\end{itemize}
\end{itemize}
\end{itemize}
\end{frame}
\subsection{gpl-violations.org}
\begin{frame}{The gpl-violations.org work}
\begin{itemize}
\item Use all legal means necessary to bring infringing products into compliance
\item We only act where we hold copyright (Linux kernel)
\item We typically only act within Europe, mostly in Germany
\item Success so far
\begin{itemize}
\item More than 100 amicable agreements as results of settlements
\item More than 5 preliminary injunctions halting sales of products until compliance
\item Multiple actual court cases with court verdict
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{The gpl-violations.org work}{Typical enforcement timeline}
\begin{itemize}
\item A customer of the product sends a report about a GPL violation
\begin{itemize}
\item There is no GPL license text and/or no source code or written offer
\end{itemize}
\item We do reverse engineering and make test purchase
\item After confirming the violation, send legal warning notice to vendor
\begin{itemize}
\item Tight deadline for complying with the GPL and signing a declaration to cease and desist
\end{itemize}
\item If no declaration is signed, we
\begin{itemize}
\item contract technical expert to do a study
\item apply for a preliminary injunction
\end{itemize}
\item If the cease-and-desist declaration is signed and license compliance is reached:
\begin{itemize}
\item Resolve how the vendor can ensure already manufactured products are compliant
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{The gpl-violations.org legal cases}
Commonly known cases that actually went to court
\begin{itemize}
\item April 2004: Preliminary injunction against Sitecom
\item May 2004: Sitecom appeal case turned down by court
\item April 2005: Preliminary injunction against Fortinet
\item September 2006: Court case against D-Link
\end{itemize}
\dots{} all of those cases have been won
\end{frame}
%\subsection*{Outlook}
\begin{frame}{Outlook}
Outlook
\begin{itemize}
\item
Blatant GPL violations in embedded devices are declining, but are likely to continue due to lack of skill or negligence.
\item
We'll see more \emph{derivative works} types of GPL violations, and we'll see actual legal enforcement and precedent in this area over the next years.
\item
Stronger copyright protection demanded by the content industry will also mean stronger protection for FOSS licenses. Imagine GPL enforcement with a \emph{three strikes} law in France?!?
\end{itemize}
\end{frame}
\end{document}