Publishing exploits in retaliation to GPL violators?
Bradley M. Kuhn
bkuhn at sfconservancy.org
Thu Jan 4 19:46:52 UTC 2018
> On Tue, Jan 02, 2018 at 12:41:21PM -0500, Kevin P. Fleming wrote:
>> I don't see how this is likely to lead them to compliance.
Stefano Zacchiroli wrote at 13:50 (PST) on Tuesday:
> I was thinking along the same lines.
On that part, I think we're all agreed, but the likelihood of success of the
action is orthogonal here. The Principles are themselves almost a polar
opposite to an "ends justify the means" analysis of GPL enforcement.
> So it seems to me that addressing this issue is out of scope for the
> principles.
I actually don't think so. In fact, my original point was, as you said...
> Failing that, I'd concur with Bradley's suggestion that this is niche enough
> to not deserve a specific mention.
... that the behavior is already not in accordance with the Principles, as
currently written. But, I'm now thinking that maybe the Principles don't
apply at all to this situation. Full discussion below:
Firstly, after thinking about it for a few days, I conclude that, if the
company wasn't warned first, publishing an exploit *and* publicly declaring
such publication as a direct response to a no-source-nor-offer GPL violation
is in direct contradiction with the Principles, which state: "If it becomes
apparent that the company is misusing good faith confidentiality to cover
inaction and unresponsiveness, the problems may be publicized, after ample
warning." Namely, the last three words are most relevant: it sounds like
the company was not warned the matter may go public.
We walked carefully in drafting the Principles on this point because I do
believe that, like litigation, public admonishment is a tool that can be
sparingly and legitimately used with intransigent violators. Conservancy
has certainly used that tool in our enforcement (e.g., regarding Canonical,
Ltd.'s various GPL violations over the years).
Meanwhile, the "public shaming" style that I had in mind when we drafted the
Principles was BusyBox's old "hall of shame" that Erik Andersen built when
he, like this fellow, got frustrated at how many violations there are and
how difficult violations are to resolve via Principled GPL enforcement. The
state of mind that I see expressed in the public discussion is much like
Erik's state of mind when I first met him in the early 2000's. Folks get a
sense that the GPL is an outright failure when they first discover how
labor- and resource-intensive GPL enforcement is. These days, violators are
almost always intransigent; most violators are utterly fearless these days.
While I've lived with this frustration every day of my life since 1999 (as
the list of GPL violations that I know are active and ongoing has never been
anywhere near empty since that time), I also realize that the patience that
I, Conservancy, and other copyright holders do and should exercise is
beyond what we can and should expect from the average owner of an infringing
product. This is particularly true for someone who has already reported the
violation through proper channels -- yet has been told (as we at
Conservancy must often tell people): "We've queued it, but we have so many
violation reports we can't promise we'll act on this particular one."
So, the issue I'm left pondering after this incident is a different one than
I originally raised. Namely, should adherence to the Principles be expected
of anyone other than a copyright holder and/or someone/some-org who does
enforcement on behalf of actual copyright holders? Should we really expect a
frustrated user to report a violation to FSF and/or Conservancy, then just wait years
for their rightful source code -- which admittedly may never be coming?
My thoughts would be quite different if I had evidence that the exploit
poster held copyrights in the infringed software, but my impression is that
he does not. It's clearly wrong, IMO, for Conservancy, FSF, or a copyright
holder to retaliate against an intransigent GPL violator in this manner
without warning the violator first that such action is coming. But...
Is it wrong for a non-copyright-holding customer to do it? I'm not sure.
--
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter