Re: Linux kernel enforcement statement discussion

J Lovejoy

On Dec 10, 2018, at 5:47 PM, James Bottomley <James.Bottomley@...> wrote:

On Mon, 2018-12-10 at 15:58 -0700, J Lovejoy wrote:
C) The issue comes down to how the short identifier would be
effectively used due to the KES's slightly different implementation
as described above in 1-6.
C-iii) There is also the possibility that people might incorrectly
use the KES in the kernel where it shouldn’t be and consequently make
it appear that some contributors had agreed to the KES who had not
explicitly done so via adding their name to the list and this would
then mean the license identifier was not completely correct.
Can I please hear some additional thoughts as to the risk and
potential outcomes of C, particularly C-iii from anyone who has this
concern, as well as some of the long-standing members of the SPDX
Legal team?  

I haven't quoted C in its entirety, but it misses what I think was
Mike's primary concern, which has also become mine as I've discussed
with the lawyers our current use of the KES.

The design of KES is to be a strong community statement about
principles of enforcement that can be used to rebut someone claiming to
act on behalf of the kernel (i.e. McHardy) when they take actions
contravening the KES like claiming to terminate the licence of the
kernel.  The great thing about the current KES is that the document can
be entered into evidence and easily explained to the court.  If we have
a process based on SPDX tags, it's going to be a nightmare to explain
to the court at the preliminary injunction phase and worse still, if we
only have a few SPDX tags, it allows the malicious enforcer to claim
that the KES is weaker than it would otherwise appear because there are
so few SPDX tags containing it within the kernel.

So I think, realistically, the kernel wouldn't ever use this.  Now that
means don't do it, but I think it's legitimate to wonder how many other
projects would have similar problems.


Somewhat breaking my own rule here, as I don’t really think the details of admissibility or ease of explaining external evidence to a court are really on-topic for the SPDX License List… but since you’ve brought it up and this is a public mailing list, I think I ought to provide a complete picture of what we are talking about, as not everyone has necessarily been following all of what you have alluded to above.

First of all, for anyone not familiar with the reference to McHardy - this article should get you caught up:

In light of some of the practices in the suits brought by McHardy (which are hard to come by), some specifics of how the German court system works, and concern over this activity “inspiring” copycats, various members of the broader open source (legal) community asked the important question as to what could be done to help establish some community norms around GPL enforcement. And thus, the following initiatives came to be:

  • The Software Freedom Conservancy (SFC), in coordination with the Free Software Foundation, published "The Principles of Community-Oriented GPL Enforcement” [1], which were endorsed by the Open Source Initiative (OSI)[2] and the netfilter community[3] (notably, because McHardy was a member of this community).  I believe gpl-violations also endorsed or adopted the Principles. These 7 principles include a broad statement covering various aspects to be adhered to in GPL enforcement. One of these includes an explicit statement to extend the benefit of GPL-3.0 termination clauses for GPL-2.0-only works. 
  • Grant Likely, chair of the Linux Technical Advisory Board (TAB), proposed the initial draft of the Linux kernel enforcement statement, which formally adopts the principle related to extending the benefit of the GPL-3.0 termination clause to the Linux kernel. This ultimately resulted in the publishing of a version of his original intent, with input from kernel maintainers, Linux Foundation lawyers, and many others, which creates an enforceable commitment made by anyone who signs up to it.  Individual copyright holders and corporate copyright holders submit their commitment to the Linux kernel enforcement statement via signing off on the statement commit here: . The list of current signatories is comprised of approximately 103 separate individuals or entities, which includes such companies as Arm, Amazon, Collabora, Google, Linaro, Oracle, Samsung, SUSE, VMware.
  • Red Hat begins an initiative in which corporate entities can pledge a commitment to enforce any of their copyrighted code released under LGPL-2.0-or-later or GPL-2.0-only or GPL-or-later by following the termination and cure provision in GPL-3.0. Thanks to the tireless work of David Levine (Asst General Counsel) and his legal team, 41 companies to date have signed the GPL Cooperation Commitment, ranging across the globe and across industries.[4] 
  • In follow-up to the corporate GPL Cooperation Commitment, Red Hat later publishes a version of the same promise tailored for individual copyright holders to use and for projects to use as of a certain release date and going forward. Approximately 230 individual copyright holders have signed up to these terms[5]. It is unclear how many open source projects have adopted the project commitment, but that is certainly more than 1. 

By my count, that means that 4 non-profit organizations with influential voices in this space (SFC, FSF, OSI, LF); 44 companies, including some of the most globally recognized and influential names in technology; at least 2 major open source projects (but probably more); and somewhere around 300 individuals have all agreed that automatic termination of GPL-2.0 is too harsh and that the more reasonable termination and cure provisions as drafted in GPL-3.0 provide a more fair and amicable platform for enabling conversations around enforcement and non-compliance. 

That, my friends, is an amazing accomplishment of collaboration and a community coming together. And if that’s not a strong community statement, then I don’t know what is. Most importantly, let this be a solid message, that in spite of whatever difference or competitiveness or politics that any of these organizations, companies, individuals may otherwise sometimes engage in - we can, and, most importantly, we will COME TOGETHER. 

Whether, when, or how the SPDX License List incorporates these somewhat unique commitments is an aside to the amazing effort as summarized above. And that’s coming from someone who unabashedly believes in the importance of SPDX and the SPDX License List. 

So, can we please all just take a moment to feel the appreciation that this accomplishment deserves. And, in kind, appreciate that the above effort probably reflects the collective effort and momentum of upwards of one thousand people or more.

SPDX legal co-lead (and believer in what we can achieve when we all work together)
