Feeds

GPLv2 - copyright code or contract?

Open source legal minds unravel license

Secure remote control for conventional and virtual desktops

Two prominent IP lawyers have warned that the all-pervasive General Public License version 2 (GPLv2) contains legally ambiguous wording that may be problematic for licensees.

They claim GPLv3 and AGPLv3 are much better suited for the realities of modern open source software.

"If you go back in time to when GPLv2 was written, I don't think people were aware of just how ubiquitous this license would become and how closely scrutinized it would be," said Mark Radcliffe, partner at the firm DLA Piper and general counsel for the Open Source Initiative (OSI). "At that time, open source was not something as broadly used as it is now."

Radcliffe was joined by Karen Copenhaver, partner at Choate Hall & Stewart and counsel for the Linux Foundation, for a GPL web conference hosted by the license-sniffing firm Black Duck software.

According to Radcliffe, the most important issue is defining the scope of the GPL. "This is a complicated question," he said, "in part because the GPL itself is not as clear as it could have been and in part because it has changed over time."

Some of the biggest concerns over using GPLv2 relate to the definitions of "derivative work" and "distribution," which Radcliffe says are used in GPLv2 "in a less than precise fashion."

Under US law, a derivative work is based upon one or more preexisting works. This might include a translation, musical arrangement, dramatization, or motion picture version.

The challenge, according to the two lawyers, is that US copyright framework is not well suited to computer software. A term like "derivative work" may be reasonably easy to understand in the context of a book or a movie, but there are several levels more difficult in terms of software.

GPLv2 tosses out this legal terminology in free fashion. Under the terms and conditions for copying, distribution, and modification for GPLv2:

This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".)

Also:

You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

And finally the infamous:

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

Radcliffe reckons that what we see here is inconsistent uses of the terms "based on," "derived from," and "collective works" – terms based on US copyright law. This leads to ambiguity. Is "in whole or in part contains or is derived from" meant to be the same as "modification"? Are they are both "derivative works"?

This marks one of the core questions of GPLv2: Is it based on copyright or is it a contract that, while borrowing some copyright terms, ultimately stands on its own? Radcliffe adds that the "collective work" bit in particular makes him nervous because what constitutes "collective" in a computer program is often difficult to determine.

Adding to potential troubles is that different countries obviously have different copyright laws and therefore different views on terms like "derivative works." And even within the United States, there are several interpretations that may shift over time.

"It's so interesting when you talk to many people that have spent a lot of time with the GPL and discuss derivative works," said Copenhaver. "Everybody has their own story, and some of that is based on when they first read the GPL and when they first began to think about what a derivative work is."

Copenhaver said the definition of a derivative work has shifted over time because everything from the way we write software to how software is protected under copyright to how it's distributed and open source community itself has changed over time as well.

"It's a little like going to a dance and everybody dances the way they danced in college," she said. "Everybody has a different understanding and a lot of it is based on when they first began looking at these issues."

More recently penned licensing terms like GPLv3 and AGPLv3 avoid this kind of terminology, including interfering turns of phrase such as "to 'propagate' a work" or "to 'convey' a work."

"I think the critical thing to recognize in the differentiation between GPLv2, GPLv3, and AGPLv3 is that there was a very strong effort to purposefully distance ourselves from copyright laws," said Radcliffe. Copyright law is "not stable," he says, and it changes over time. Equally important is that copyright law varies from country to country.

Copenhaven says we should focus not on whether something is derivative, but on what is considered a separate and independent work.

From GPLv2:

If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

She says that using this provision is helpful to understanding the scope of collective and derivative works that pops up in GPLv2.

A web rebroadcast of the seminar, along with earlier talks on open source licensing, can be found on Black Duck's website. (Note that registration is required). ®

Correction

The lead sentence was modified to better reflect the positions of Copenhaver and Radcliffe.

Next gen security for virtualised datacentres

More from The Register

next story
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Sin COS to tan Windows? Chinese operating system to debut in autumn – report
Development alliance working on desktop, mobe software
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
(Not so) Instagram now: Time-shifting Hyperlapse iPhone tool unleashed
Photos app now able to shoot fast-moving videos
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.