GPL Causing Problems for Derivative Linux Distros

NewsForge (Also owned by VA) is reporting on a recent discovery by Warren Woodford about how the GPL could affect derivative Linux distributions. This could make life difficult for those small distros that are being maintained by one or two people in their spare time due to the high amount of work it creates. From the article: "Woodford does supply the source code for MEPIS' reconfigured kernel in a Debian source-package. His mistake seems to have been the assumption that, so long as the source code was available somewhere, he did not have to provide it himself if he hadn't modified it. While he has not contacted any other distributions, he suspects that he is far from the only one to make this assumption. 'We, like 10,000 other people, probably, believed we were covered by the safe harbor of having an upstream distribution available online,' Woodford says. 'I think, of the 500 distributions tracked by DistroWatch, probably 450 of them are in trouble right now per this position.'"

Applies to other GPL software as well

[LiquidCoooled]

Remember, this applies equally to kernel hackers as well as people creating derivatives from other GPL software.

From: mrAngry@snootygits.com
Subject: I want the source code to your system!

Polite Reply:
If you would like the source code you are welcome to have it.
Please note however that I have only made changes to a few of the thousands of x system source files.

There are 2 ways that you can have it, the simplest being go to my upstream system writer and download the base code which I used and see the src folder on my FTP/CVS/web server for my own modifications.

Otherwise I am willing to post you a CD/DVD containing the entire source code (original and my modifications). I cannot unfortunately upload the entire x GB folder since I do not have the bandwidth to spare.
Please note however, there will be an administration and postage charge of £10 if you require a DVD image.

have a nice day.

Anyone making source modifications to a system must have at least one source copy of the original so be respectful but don't waste your time worrying about it.

Re:Applies to other GPL software as well

[wpanderson]

I think the primary concern is, what happens to a distro like MEPIS? Do they need to retain a full and publically available source repository for every package in Ubuntu? That could be an administrative and financial drain.

If an upstream distro has to keep their sources available for all revisions of all packages for three years, surely all a downstream distro has to do is refer to those sources for untainted packages? Is this good enough for the FSF, or are they just going to turn into the bully of the FOSS community?

Re:Applies to other GPL software as well

[Doctor+Memory]

Do they need to retain a full and publically available source repository for every package in Ubuntu?

No, just the ones they distribute. Honestly, I don't understand why this is such a big deal. I mean, you had the source when you compiled the system, right? Once you get your release squared away, you do the release build, then zip up a copy of the sources and tuck it away somewhere. If someone wants the source, then you drag it out and make it available. Note that the GPL permits you to charge reasonable fees for making the source available, so go ahead and copy the source CD and ship it off. As long as it's not in some odd-wad format, you should be fine (legally speaking).

Re:Applies to other GPL software as well

[throx]

I think the primary concern is, what happens to a distro like MEPIS? Do they need to retain a full and publically available source repository for every package in Ubuntu? That could be an administrative and financial drain.

There is no requirement to have the source instantly available online. It is perfectly acceptable to simply present a written offer of the source code for a nominal handling fee on physical media such as DVD-R. This will eliminate most of the people who just want the code to annoy you rather than do something serious with it.

Re:Applies to other GPL software as well

[LiquidCoooled]

Exactly my thinking.

There is no requirement to keep the source code available online to every single release you have ever done, but it makes SENSE to keep it stored away on CD inside a filing cabinet.
If somebody comes to you in 3 years with a request to the source code, you can return the EXACT code he had from the release he is requesting.

It is not breaking any clause of the GPL and would infact be a worthy test of a company to produce such data.

The daytime software I work on is closed source, however we use the same thinking there.
I can go into our files and produce a CD containing the entire code and packages for every single release of the software we have made since the DOS days.

To my knowledge however we have only ever required it ONCE. If it were open source, why would I waste the space to keep that online? (there are around 90 release CDs available, each around 400mb)

Re:Applies to other GPL software as well

[Fourier]

You clearly asked the wrong people. Much like Debian, Ubuntu's packages can be found quite easily on its website. A quick search here leads to the kernel image package; there you can find a link leading you to the kernel source package used to generate the image.

The APT package management system also provides commands that make it quite easy to download source automatically.

Re:Applies to other GPL software as well

[munpfazy]

No, just the ones they distribute. Honestly, I don't
  understand why this is such a big deal.

Yup. Seems like total nonsense to me.

Even if he chose to distribute the sources online, the resources required are trivial. A bzip'd source file is rarely much larger than binaries produced from it. We're talking about at most a factor of 2 difference in storage on the server even if he decided to independently place the source to every version of every binary online. And, there are many ways to cut that number down until it's a marginal increase in storage requirements.

There's no requirement that he distribute the source in an elaborate or easy to use way. Just write something that fetches the source to every used package and tosses them on the server somewhere every time a version is released. Remove the old ones from the server and offer to ship a dvd in exchange for handling costs.

Better yet, keep an up-to-date local copy and just check it into a cvs server with every release. (That way you only pay to store the diffs and have the source for every release available should anyone want it.)

If he's right and nobody actually wants or needs to get the source from him, then the additional bandwidth requirements will be tiny. On the other hand, if the added bandwidth *is* important, then it demonstrates that there's a very good reason to require source distribution.

Personally, I've never used a distro for which source packages aren't available. It seems like such an obvious step that I'd think twice before trusting someone who didn't do so automatically *before* getting a letter from the fsf.

Re:Applies to other GPL software as well

[Waffle+Iron]

He's already replied to this but yes if you don't have a working network.

Then that's his problem, not Ubuntu's. They satisfied the legal requirement under section 3a of the GPL by making the source available on the same website that they distribute the object code from (with an easy automatic command, no less). If he can't connect with a particular machine, Ubuntu has no obligation to fix his problem for him.

And if he happened to get the distro on a CD, the Ubuntu FAQ has this to say:

We do not normally distribute source CDs and you cannot order them through shipit. That said, in order to comply with the GPL, we are happy to distribute source code on CD to anybody we give a binary CD. More information is written in fine print on the back of each CD. Source for everything on the CD is always available at http://archive.ubuntu.com/ or can be ordered from Canonical for them cost of the media plus shipping.

Re:Applies to other GPL software as well

[Chops]

Remember, this applies equally to kernel hackers as well as people creating derivatives from other GPL software.

From: mrAngry@snootygits.com
Subject: I want the source code to your system!

I've been the Mr. Angry in this situation -- I'm not sure if it was a language issue, or why, but instead of telling me "the code is in anonymous cvs from XXX under tag YYY," or sending me a copy, the kernel hacker in question basically told me that he wasn't interested in helping me. It meant that I was stuck unable to make necessary reconfigurations to the only working kernel I could find for my handheld; I was basically stuck with a binary blob that I couldn't modify. I knew that the guy was one of the good guys, but it still really sucked being stuck in a situation that (a) left me unable to use Linux on my handheld, even though someone somewhere had got it working, (b) the GPL was designed to prevent, and (c) was, technically, illegal.

Anyone making source modifications to a system must have at least one source copy of the original so be respectful but don't waste your time worrying about it.

For me it was a much greater waste of time not getting the source code; it was such a waste of time that I gave up and shelved my handheld. You may not care about me personally, but you should bear in mind that fulfilling the GPL's conditions is very important, for reasons besides "it's the law."

rtfa and still don't get it

[seanadams.com]

Why should the "upstream" or "bigger" distro supplier be obligated to distribute source code for YOUR particular distribution? Of course _somebody_ needs to be responsible for making the source available, otherwise the entire spirit of the GPL is unenforceable...

It makes sense to me that the person distributing the binaries should be responsible for making source code available for said binaries. That is how the license is written, and it is very straight forward. No surprise here - so what is the complaint?

Do we really want everyone and their brother shipping their own MyFirstDistro as binary only, just because the sources are individually (hopefully, for the time being) available elsewhere? Is it fair to put that burden on someone else?

This is nothing new...

[Old+Man+Kensey]

I seem to recall various incidents in the past few years (a DVR maker comes to mind, though I can't remember which) where commercial products used GPL software unchanged, failed to distribute source (pointing people to the maintainer of the software), and the FSF and community raised a fuss. So I don't understand why this is suddenly such a light-bulb moment.

People who do not read license...

[also-rr]

...surprised when their guess as to what is required is not correct. Film at 11.

Wikipedia has a pretty good plain English translation of the requirements to distribute GPL software.

This article is FUD

The GPL only requires that one provide the source code if asked, and it is perfectly legal to send it via postal mail for a nominal fee.

I can't imagine that anyone is actually asking these small Linux distributions to provide the source code for the Linux kernel when it is available for a free download.

Quit whining, distro makers

[Animats]

OK, these "distro makers" are downloading vast amounts of material covered by the GPL for free and then redistributing it for money or advertising. (MEPIS sticks in an Earthlink signup icon, for example.) And then they whine that they have to provide the source for the free stuff they're reselling.

Even worse, some of these distro makers want you to sign up for a "support contract". If they don't have a repository of the source, their support probably isn't worth much.

I have an idea

[Ethan+Allison]

Why don't we completely rewrite the kernel from scratch and license it under something else?

Wait, I've heard that idea before somewhere...

Re:So what?

[Bluesman]

>Nobody in their right mind is going to rely on a software project that is somebody's hobby.

Best. Irony. Ever.

Re:So what?

[krack]

Nobody in their right mind is going to rely on a software project that is somebody's hobby.

What is the criteria for any open source project leaving 'hobby' status? To put it another way, when did people of 'right mind' start using Linux, which started out as Linus' hobby?

Mepis plays fast & loose with GPL

[gvc]

Warren has made his own problems. I tried Mepis in 2004 and quite liked it. I used it for more than a year and installed it on several people's machines. However, I will not use it any more.

My reasons are several, but one of the top ones is murky licensing.

No doubt somebody from the MEPIS community will loudly declare that licensing is not a problem. If this is the case, exactly how can I get the source to build myself a MEPIS distro?

There has been considerable bad blood in the MEPIS community and former community. I am not a member of any faction. I have done my share to contribute. I simply tried to get my questions answered and MEPIS and Warren came up short. His many rants -- the one cited in the story is one of many over the last three years -- further convince me that I was right to walk away.

MEPIS is because is non-standard. Warren repeatedly warns against upgrading packages from the standard Debian repositories. There is no upgrade path from one version of MEPIS to the next. There appears to be a very weak mechanism for collecting community know-how as to how to configure the system to "just work" on a particular platform.

I wonder what reasonable is?

[EQ]

Not a troll, nor flamebait - just "hacking" the 'reasonable' clause and cost in the GPL.

Hypothetical:

Say I make (ast an hourly rate of my annual salary) $50 an hour. Not unresaonable for a consultant.

I am distributing a baby distro and I do the source via DVD and postal request since I cannot afford a lot of bandwidth.

Figure it takes me 20 minutes to process the request, type up the label, grab the latest from my repository and DL the rest fromthe upstream, burn a DVD, and put it in a protective mailer package. And other 20 to go to the post office and 20 to come back (assume I'm in a rural area outside the suburbs). So thats and our of my time. Add in that this is essentially overtime in addition to my real job, so I bill it at time and a half. Thats $75 baseline in cost.

Add in the postage ($8 or whatever the USPS "Priority Mail" rate is), the mileage and gas on the car to go to the post office, the CD cost (including mileage on the car and gas and time to go buy them, plus wear and tear amortization on my CD burner), cost of the bandwidth, etc.

So all in all:

"Yes, you can have the whole source tree from my upstream and the 2K of diffs I have added - the reasonable cost for this source is $94.37 per CD"

Is that the right answer?

Every penny of it is documented and accounted for. Every bit of it is involved with the cost in materiels and time that it takes to prepare and ship the source. My software is free, my time is not. If you think otherwise, go ahead and put yourself down as a slave who will work for free at the demands of people that use the software you donated - is that the intend of the GPL, to enslave authors to the whims of the recipients of their gifts?

Again: Not a troll, nor flamebait - just "hacking" the 'reasonable cost' clause in the GPL.

Who decides what is reasonable?

Does the GPL give someone the right to dictate to the person releasing the software what they can and cannot do with their time? Think about it.

If not, then how do you overcome the situation above, where the GPL seems to imply that you have to release the whole of the code, including upstreams, not just your diffs, especially where releasing the whole of the upstream is cumbersome or onerous - and the response ($94.37 per DVD) is likewise.

Personally, I never looked at it this way before - the only thing I've released as open source (long ago) has been under the BSD license just to avoid the entanglements the GPL requires. And that only to be able to avoid warranty that Public Domain doenst expressly mention.

Re:I wonder what reasonable is?

Regrettably, I find your cost analysis unreasonable.

$50/hr is unreasonably low. When I consulted, I charged $60 and that was some time ago. Of course, you said you're rural area, so good congratulations getting $50/hr.

Stop double-billing. You're not consulting now, you're administering a GPL distribution. 20 minutes to process a source request? Come on. Maybe 5 minutes to type/write the address label, assuming no SASE. What else is there to process? Do the ISO burn while you do the envelope. Need to build the ISO from CVS? Do that during dinner. Car expenses and travel time to the Post Office? Put it in the nearest mailbox while about your paying business-done. $5 at a rate of $60/hr. Maybe add $1 for the CD and postage. Get it out within two weeks or four if you're on vacation and who could complain?

By adjusting the materials rate to cover the CD, packaging, and postage appropriately, and by billing at the rate at which you are accustomed, you are making money servicing source requests at your preferred rate and more or less at a time of your partial choosing.

Not every commercial action is necessarily profitable. For-profit businesses occasionally lose money on a job.

Nobody is enslaving you. You offered source at a reasonable cost upon request when you chose to distribute software under the GPL. It is a gift that can require additional giving, but if you find this giving onerous why distribute under the GPL?

Presumably you found value in some GPL software, including but not limited to this software. Your analysis doesn't consider the benefits you have received in advance of making your gift.

Of course, the point is probably largely moot. When has anyone ever said they were actually overwhelmed by servicing source requests associated with a GPL distribution?

Priority mail should be at the requester's option and complete expense and only if possible with your schedule.

I don't take your comment as flamebait, and I hope this isn't taken as a flame but as another view of your cost analysis.

Re:I wonder what reasonable is?

[wrook]

I suspect the answer to your question would be determined in roughly this fashion:

1. You charge $X for redistributing the source
2. Your customer thinks it's unreasonable and they make a stink
3. The holder of the copyright of the code notices (or is contacted) and they also agree it is unreasonable
4. The holder of the copyright contacts you and suggests that you should lower your price otherwise you will be in violation of the license
5. You hold steadfast to your price
6. The holder of the copyright terminates your right to distribute the software
7. You ignore this and continue to distribute the software
8. The holder of the copyright sues you
9. The judge asks you under what authority you were distributing the software
10. You have a choice of accepting the GPL or admitting that you don't have any authority to distribute the software. Since you actually have no choice, you say the GPL.
11. The judge determines whether or not the price is "reasonable". But I suspect that he/she would lean heavily in favour of the copyright holder's definition unless it were completely bonkers.

So, it's a long road to get to this point and quite likely you would resolve the situation before it ever got to the courts. And it would require several conversations with the copyright holder before it broke down that badly.

This is what makes the GPL so good.

Re:How did this get modded up?

[geekoid]

google is not a replacement for communication, and it is pathetic to tell people to google instaed of at least offering a link.

Oh, and typicall reason why people shy away from Linux:
"Should you read the appropriate documentation, "
maybe the poster didn't know where the docs are? perhaps they where new and just need some friendly advice?

Man, you are a dick.
I imagine if some asks you for directions to the corner store you just tell them to fuck off and by a map.

Take what it gives.

[twitter]

There is no upgrade path from one version of MEPIS to the next.

Well, that's what happens when you mix in non free stuff like Macromedia flash, Real Player, Nvidia drivers, NDis wrappers, Vonage clients, etc. Non free is brittle. It might be less brittle than the Windoze world, but it will never be as easy as the free world.

Free packages in Mepis upgrade with about as much grace as you can expect. Just last week, I upgraded Kontact from a 2003 edition to Etch. This worked out OK through apt-get outside of X. It got all the KDE goodies, xorg and other dependencies and just worked when it was done. There was one hang up, but the system itself told me what magic phrase to type.

There appears to be a very weak mechanism for collecting community know-how as to how to configure the system to "just work" on a particular platform.

Nuts. Mepis is one of the easiest distributions to install. If it works off the CD, it will work off your hard drive and Mepis works with more hardware than anything else I've ever tried.

Mepis is still a great distribution to install for someone when you don't want to spend a lot of time. It demonstrates what free software can do. The problems it has are the problems of non free software in general and those rear their head far less often on a Mepis system than they do on less free platforms. In short, don't give up a useful tool just because one person says some stupid things.

Warren can and will fix this little source code problem and this little non issue will fade away without trace. The chances are that some co operative solution will be easiest. Distributions which use the same package unmodified can get together to share the cost and expense of keeping the source code available.