
GPLv2 - copyright code or contract?

Open source legal minds unravel license

Two prominent IP lawyers have warned that the all-pervasive General Public License version 2 (GPLv2) contains legally ambiguous wording that may be problematic for licensees.

They claim GPLv3 and AGPLv3 are much better suited for the realities of modern open source software.

"If you go back in time to when GPLv2 was written, I don't think people were aware of just how ubiquitous this license would become and how closely scrutinized it would be," said Mark Radcliffe, partner at the firm DLA Piper and general counsel for the Open Source Initiative (OSI). "At that time, open source was not something as broadly used as it is now."

Radcliffe was joined by Karen Copenhaver, partner at Choate Hall & Stewart and counsel for the Linux Foundation, for a GPL web conference hosted by the license-sniffing firm Black Duck Software.

According to Radcliffe, the most important issue is defining the scope of the GPL. "This is a complicated question," he said, "in part because the GPL itself is not as clear as it could have been and in part because it has changed over time."

Some of the biggest concerns over using GPLv2 relate to the definitions of "derivative work" and "distribution," which Radcliffe says are used in GPLv2 "in a less than precise fashion."

Under US law, a derivative work is based upon one or more preexisting works. This might include a translation, musical arrangement, dramatization, or motion picture version.

The challenge, according to the two lawyers, is that the US copyright framework is not well suited to computer software. A term like "derivative work" may be reasonably easy to understand in the context of a book or a movie, but it is several levels more difficult in terms of software.

GPLv2 tosses out this legal terminology in free fashion. Under the terms and conditions for copying, distribution, and modification for GPLv2:

This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".)

Also:

You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

And finally the infamous:

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

Radcliffe reckons that what we see here are inconsistent uses of the terms "based on," "derived from," and "collective works" – terms based on US copyright law. This leads to ambiguity. Is "in whole or in part contains or is derived from" meant to be the same as "modification"? Are they both "derivative works"?

This marks one of the core questions of GPLv2: Is it based on copyright or is it a contract that, while borrowing some copyright terms, ultimately stands on its own? Radcliffe adds that the "collective work" bit in particular makes him nervous because what constitutes "collective" in a computer program is often difficult to determine.

Adding to potential troubles is that different countries obviously have different copyright laws and therefore different views on terms like "derivative works." And even within the United States, there are several interpretations that may shift over time.

"It's so interesting when you talk to many people that have spent a lot of time with the GPL and discuss derivative works," said Copenhaver. "Everybody has their own story, and some of that is based on when they first read the GPL and when they first began to think about what a derivative work is."

Copenhaver said the definition of a derivative work has shifted over time because everything has changed as well: the way we write software, how software is protected under copyright, how it's distributed, and the open source community itself.

"It's a little like going to a dance and everybody dances the way they danced in college," she said. "Everybody has a different understanding and a lot of it is based on when they first began looking at these issues."

More recently penned licensing terms like GPLv3 and AGPLv3 avoid this kind of terminology, instead using turns of phrase such as "to 'propagate' a work" or "to 'convey' a work."

"I think the critical thing to recognize in the differentiation between GPLv2, GPLv3, and AGPLv3 is that there was a very strong effort to purposefully distance ourselves from copyright laws," said Radcliffe. Copyright law is "not stable," he says, and it changes over time. Equally important is that copyright law varies from country to country.

Copenhaver says we should focus not on whether something is derivative, but on what is considered a separate and independent work.

From GPLv2:

If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

She says that this provision is helpful for understanding the scope of the collective and derivative works that pop up in GPLv2.

A web rebroadcast of the seminar, along with earlier talks on open source licensing, can be found on Black Duck's website. (Note that registration is required). ®

Correction

The lead sentence was modified to better reflect the positions of Copenhaver and Radcliffe.
