GPLv2 - copyright code or contract?

Open source legal minds unravel license

Two prominent IP lawyers have warned that the all-pervasive General Public License version 2 (GPLv2) contains legally ambiguous wording that may be problematic for licensees.

They claim GPLv3 and AGPLv3 are much better suited for the realities of modern open source software.

"If you go back in time to when GPLv2 was written, I don't think people were aware of just how ubiquitous this license would become and how closely scrutinized it would be," said Mark Radcliffe, partner at the firm DLA Piper and general counsel for the Open Source Initiative (OSI). "At that time, open source was not something as broadly used as it is now."

Radcliffe was joined by Karen Copenhaver, partner at Choate Hall & Stewart and counsel for the Linux Foundation, for a GPL web conference hosted by the license-sniffing firm Black Duck Software.

According to Radcliffe, the most important issue is defining the scope of the GPL. "This is a complicated question," he said, "in part because the GPL itself is not as clear as it could have been and in part because it has changed over time."

Some of the biggest concerns over using GPLv2 relate to the definitions of "derivative work" and "distribution," which Radcliffe says are used in GPLv2 "in a less than precise fashion."

Under US law, a derivative work is based upon one or more preexisting works. This might include a translation, musical arrangement, dramatization, or motion picture version.

The challenge, according to the two lawyers, is that the US copyright framework is not well suited to computer software. A term like "derivative work" may be reasonably easy to understand in the context of a book or a movie, but it is several levels more difficult when applied to software.

GPLv2 tosses this legal terminology around freely. Under the terms and conditions for copying, distribution, and modification for GPLv2:

This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".)

Also:

You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

And finally the infamous:

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

Radcliffe reckons that what we see here is inconsistent use of the terms "based on," "derived from," and "collective works" – terms based on US copyright law. This leads to ambiguity. Is "in whole or in part contains or is derived from" meant to be the same as "modification"? Are they both "derivative works"?

This marks one of the core questions of GPLv2: Is it based on copyright or is it a contract that, while borrowing some copyright terms, ultimately stands on its own? Radcliffe adds that the "collective work" bit in particular makes him nervous because what constitutes "collective" in a computer program is often difficult to determine.

Adding to potential troubles is that different countries obviously have different copyright laws and therefore different views on terms like "derivative works." And even within the United States, there are several interpretations that may shift over time.

"It's so interesting when you talk to many people that have spent a lot of time with the GPL and discuss derivative works," said Copenhaver. "Everybody has their own story, and some of that is based on when they first read the GPL and when they first began to think about what a derivative work is."

Copenhaver said the definition of a derivative work has shifted over time because everything else has changed as well, from the way we write software, to how software is protected under copyright, to how it's distributed, to the open source community itself.

"It's a little like going to a dance and everybody dances the way they danced in college," she said. "Everybody has a different understanding and a lot of it is based on when they first began looking at these issues."

More recently penned licensing terms like GPLv3 and AGPLv3 avoid this kind of terminology, using instead their own turns of phrase such as "to 'propagate' a work" or "to 'convey' a work."

"I think the critical thing to recognize in the differentiation between GPLv2, GPLv3, and AGPLv3 is that there was a very strong effort to purposefully distance ourselves from copyright laws," said Radcliffe. Copyright law is "not stable," he says, and it changes over time. Equally important is that copyright law varies from country to country.

Copenhaver says we should focus not on whether something is derivative, but on what is considered a separate and independent work.

From GPLv2:

If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

She says this provision is helpful for understanding the scope of the collective and derivative works that pop up in GPLv2.

A web rebroadcast of the seminar, along with earlier talks on open source licensing, can be found on Black Duck's website. (Note that registration is required.) ®

Correction

The lead sentence was modified to better reflect the positions of Copenhaver and Radcliffe.
