[Gllug] [Surrey] FOSS, GPL, BSD, LGPL

Andrew Back andrew at carrierdetect.com
Mon Dec 12 10:44:22 UTC 2011

On 10 December 2011 11:33, Paul Brook <paul at codesourcery.com> wrote:
>> sw licences are legal documents.
>> The only person who should be answering questions on sw licenses is
>> someone who has the proper legal qualification.
>> But the simple answer, is there is no problem using BSD and GPL
>> licenses until you try to distribute anything non-open source with
>> them.
> Wrong.

+1. That's perhaps one of the strangest generalisations I've seen
applied to open source licensing.

> As soon as you start distributing code copyrighted by a third party you (and
> your legal adviser) should be aware of the licence implications.  Simply
> including the source is not sufficient.

Quite. Well, not always sufficient, and not always required.

> In particular the GPLv3 contains anti-TiVo and patent grant clauses.
> Some BSD variants include advertising clauses, and all of them require you
> reproduce their notice+disclaimer in your documentation.

GPLv3 precludes "tivoization" — it's not targeted at a single company.
The term is used to describe the practice of having embedded devices
which will only accept signed firmwares, where the signing key has not
been made available (as made famous by TiVo). In fact, I think this
would be fine if you provided some other mechanism by which GPLv3
licensed components can be replaced, e.g. a dialogue in a user
interface. However, if a vendor produces a device which will only
accept firmware images that they have signed, it is unlikely they
would allow people to replace parts of the image as this could be used
as a vector for circumventing this signing security.

So, this applies to much more than TiVo devices, and they can use GPL
v3 software subject to allowing it to being replaced.

> For personal projects these additional requirements may be trivial to meet,
> but in a commercial environment they can have substantial implications.

This is very true. Perhaps not such an overhead where you are running
software on corporate desktops and servers, but much more so when you
are talking about software that is distributed outside the corporate
environment (sold or given freely to customers and partners etc) and
embedded in physical products. Imagine if you made an ADSL router and
forgot to include copyright notices in the manual and/or UI, or baked
anything but a very old version of Samba (hence GPL v3) into the
signed/encrypted firmware, and this was only discovered once you had
warehouses full of gear ready to ship...

The key thing to good open source governance in a corporate
environment is to have clear process for obtaining sign-off before
something is used. How do you evaluate licence compatibility and
ascertain any positive obligations that use may bring on the company
etc. Some may argue that in many companies this would be overkill, but
IMHO you'd be mad not to have this in place where you distribute
software containing third party code.

Needless to say, I am not a lawyer and none of the above constitutes
legal advice.



Andrew Back
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list