Open source heavyweights Amazon, Canonical, Intel and more this week joined a diverse new coalition dedicated to making open source licence enforcement fairer and clearer.
The group was set up last year by major Linux users Facebook, Google, IBM and Red Hat. This week Red Hat announced that Amazon, Arm, Canonical, GitLab, Intel, NEC, Royal Philips, SAS, Toyota and VMware were among those committing to its terms.
Coalition members agree to provide a fair “cure period” for licensees in breach of their open source software licenses, rather than taking immediate legal action or cancelling the licences without warning (which early open source licences permit).
The companies also say that they want to “support approaches to license enforcement that foster greater collaboration in open source software development.”
Arm: Predictability Needed for Open Source Confidence
Arm’s principal open source counsel, Jilayne Lovejoy, said in a blog post this week: “The open source community is huge – and growing. That’s why it’s essential that we coalesce around a common approach to the use of licenses in this space. It’s simple: Anything that helps the predictability of open source software and therefore strengthens confidence in it is good for us, good for the Arm ecosystem, and good for the technology industry as a whole.”
What’s the Problem, Exactly?
The coalition has been formed as legal disputes over open source licensing continue to proliferate, including an ongoing and fairly esoteric debate in US legal circles over whether and when an open source licence constitutes a contract.
The main issue, however, is that the “automatic termination” feature of the widely used open source General Public License (GPL) in its early GPLv2 and LGPLv2 iterations does not provide an express “cure” period in the event of licence violation.
This means that a single act of non-compliance can give rise to an infringement claim, with no obligation to provide notice prior to taking legal action. (When GPLv3 was introduced in 2007, one of the key improvements was the inclusion of a cure period.)
As Red Hat emphasises: “In an earlier era, the Free Software Foundation (FSF) owned the copyrights for nearly all GPL-licensed code and was the only copyright holder regularly engaged in license enforcement. At that time, the idea of automatic termination in the hands of a benevolent license steward may have seemed appropriate to encourage and enforce license compliance.”
“But, over time, there was an increasing volume of GPL and LGPL-licensed software that was distributed by a growing body of copyright holders (i.e., many potential license enforcers). A consensus began to form that automatic termination could result in potential unfairness and opportunities for abusive enforcement.”
The commitment obliges signatories to retroactively apply the GPLv3 cure provisions to their GPLv2 and LGPLv2.x licensed software, rather than following the letter of the law too strictly.
In March 2018 CA Technologies, Cisco, HPE, Microsoft, SAP, and SUSE all announced that they were making the commitment. It is now 24-strong.
Keith Bergelt, CEO of the Open Invention Network, said: “Consistent with OIN’s mission to provide freedom of action in Linux, we believe it is important to reinforce the principle that IP enforcement should be conducted in a manner that is rational and in consonance with the collaborative process that occurs in open source software.”
It was a sentiment echoed by another new signatory, GitLab, whose co-founder and CEO Sid Sijbrandij added: “At GitLab we’re committed to a 30-day cure period for GPLv2 because we want a world where everyone can contribute without worrying they won’t have a chance to remedy any mistakes they made.”