How scary are GPL violations?

GPL violations need to be resolved... but are they really something to fear?

Since the source code is usually available, software under a free or open source license can be re-used within another software project rather easily. That is, after all, the whole point of FLOSS. But the potential for FLOSS license violations within software projects is, as with any other license, always there.

Critics of FLOSS licenses are usually quick to point out that the very openness of FLOSS source code actually promotes more license violations. Protect yourself, these critics urge, and avoid FLOSS altogether--or at the very least purchase commercial compliance services and products.

What's interesting is that these critics rarely if ever mention the number of proprietary software license violations that must surely also occur. These are usually not as well reported, since such violations are handled every day in legal settlements and closed trial proceedings. But when they do make the news, it is usually because of stunningly high damages or injunctive relief.

In the FLOSS arena, the license that seems to bear the brunt of this sort of criticism is the GNU General Public License (GPL), a copyleft license that puts more requirements on downstream developers of code for keeping the source code open and under the GPL. Because of these copyleft requirements, the GPL has often been falsely described as "viral," or used as a weapon to tout the danger of working with FLOSS under a variety of open source licenses.

But here's a thing: while there seem to be many reports and threats of potential GPL violations showing up in the tech media and blogger community on a regular basis, there aren't many reports of massive legal penalties and even formal settlements being enforced. Even in the most "famous" GPL violation legal cases, when BusyBox developers Erik Andersen and Rob Landley took Monsoon Multimedia, High Gain Antennas, LLC, Xterasys Corporation, and Best Buy to court, all of the cases were settled out of court. While the terms of the settlement were never disclosed, the Software Freedom Law Center and the Software Freedom Conservancy, who assisted the BusyBox team, insisted that the goal of the legal actions was to obtain compliance--not to keep the defendants from ever releasing the software again, or to obtain huge damages.

With this in mind, I had to wonder: when a GPL violation occurs, just how hard is it to resolve the issue?

I had a chance late last week to talk with Bradley Kuhn, President and Executive Director of the Software Freedom Conservancy, to go over the real-world results of what happens when a piece of software is found to be in non-compliance with the GPL.

First, I asked, how many GPL violation reports does the SFC see on any given basis?

"I usually see a two-three new reports each month sent directly to the Conservancy via There are more on's mailing lists, but I don't follow those as closely. Those lists are public, so you could count the reports there," Kuhn replied.

And, visiting the [legal] mailing list over at, it appeared there was one violation reported this month, one in October, and five in September, just to give a very rough idea of the frequency.

But it's important right off the bat to understand that just because a violation is reported, that's not necessarily proof of a problem.

"When Conservancy finds out about a GPL violation, the Conservancy tries to confirm the facts and be sure that it really is a violation," Kuhn explained. "Some reports are confusions about what the GPL requires, and, in those cases, the Conservancy explains the confusion to the violation reporter."

So, what if a violation is indeed found?

"It's been true for a decade, and remains true: most GPL violations are an honest mistake. These days, there's often an upstream who failed to properly educate their downstream, and then the downstream made a mistake and violated," Kuhn replied. "The companies in violation almost always want to work to come into compliance, and the Conservancy doesn't ask for much: the Conservancy asks that they reimburse the cost of our time to help the company come into compliance, and to fully comply with all Open Source and Free Software licenses in their product."

Based on Kuhn's description of the remedial actions, and prior statements from the Free Software Foundation and the Software Freedom Law Center, one thing is very clear: while it is very important that GPL compliance be maintained, most of the time the fix is as simple as letting someone know there's a problem and then helping them fix it.

"While a GPL violation is copyright infringement and therefore can be 'scary' to a company who has violated, the fact is this: Those of us, like the Conservancy, who enforce the GPL in the non-profit space on behalf of non-profit Free Software projects really do want these companies to keep using the software, under terms of GPL," Kuhn told me. "Our goal is to teach them how to comply in an ongoing way and continue using the software. Everyone I know who does non-profit GPL enforcement treats it this way."

So, given all of the hullabaloo being generated about GPL compliance these days, what advice does Kuhn have for a vendor who might be concerned about GPL compliance?

"My advice would be: Do your best to comply with the license, read the materials available from various non-profit sources, and learn how to do it right. If, later on, an actual representative of copyright holders comes along and says you are out of compliance, work with them proactively to meet their requirements, and even consider talking about that compliance work publicly with the community. (The community will be supportive of a company acting honestly and in good faith to comply with GPL, even if they're a former violator.)," Kuhn indicated.

"Frankly, I believe if every company that distributes GPL'd software took that simple advice to heart and acted in good faith on it, there would be no serious GPL violation issues in the world at all and everyone would happily share software with each other under the GPL in the way it intends," he added.

Kuhn's words mark a pleasant position of reasonableness in the world of FLOSS, and should be something vendors keep in mind when they hear misinformation about the GPL and all the other FLOSS licenses.

Read more of Brian Proffitt's Open for Discussion blog and follow the latest IT news at ITworld.