From bkuhn at sfconservancy.org Wed Sep 19 22:09:23 2018
From: bkuhn at sfconservancy.org (Bradley M. Kuhn)
Date: Wed, 19 Sep 2018 15:09:23 -0700
Subject: so-called "Common Cure" provision, GPL enforcement within Debian, Patrick McHardy's enforcement, etc. (was Re: Do we need embargoes for GPL compliance issues?)
In-Reply-To: <878t3zewfe.fsf@hands.com>
References: <87lg865xs5.fsf@mid.deneb.enyo.de> <87zhwm2m7t.fsf@hope.eyrie.org> <874leuhrmb.fsf@mid.deneb.enyo.de> <87y3c5v0z3.fsf@hope.eyrie.org> <23455.37617.223913.926280@chiark.greenend.org.uk>
Message-ID: <87h8ilxhpo.fsf@ebb.org>

I realize that the conversation has petered out a bit on this debian-project thread, but I wanted to add a few details because Conservancy was mentioned, and also let those interested know there is another place where discussion can continue that might be of interest (see below):

Florian wrote:
> I'm asking because even with the GPLv3 or the Common Cure
> , the 30-day period seems awfully
> short.

TL;DR: I agree that the "Common Cure" is of very limited benefit. In my experience, it takes much longer for even savvy companies to remedy their copyleft noncompliance.

Have a look at the Principles , which Software Freedom Conservancy wrote together with the FSF to codify the ways we think that ideologically motivated GPL enforcement should look. The so-called "Common Cure" idea is just one of those principles (and a minor one at that). It's hard to imagine that it will be effective when isolated from the whole enforcement strategy.

I am indeed worried that (presumably inadvertently) those promoting the "Common Cure" are indicating that it's some sort of panacea to compliance issues. There is no panacea; diligent, careful, hard-working, friendly-but-firm and well-funded GPL enforcement is the only solution.

Ian Jackson wrote:
>> I think it was entirely wrong of the Conservancy's Linux GPL
>> enforcement project to go along with the idea of promising to give
>> violators a GPLv3-style termination clause.

As Ben explained, Conservancy didn't "go along with the idea"; we were the ones who proposed it, when Conservancy and FSF co-published the Principles. However, we meant the Principles to be a unit that worked together -- not a menu to pick from. The "Common Cure" picks the mint from the tray at the end of the meal and ignores the meal. While we enjoy the mint as much as anyone, we encourage everyone to first eat a full meal. :)

> Do you think Debian should welcome embargoes for GPL compliance
> issues?

If embargoes include "not going public about the matter until private negotiation has become fruitless", I think Debian could benefit from doing that. (That's another one of the Principles, in fact.)

I do understand and somewhat agree with the points many have made about how it's often easier to report publicly first. However, I think that primarily only applies to intra-Debian minor violations (e.g., errors in packaging yielding incomplete sources). If some third party violates Debian's copyrights in a downstream product, I think it's much better to give them some time to resolve it privately. GPL violations are embarrassing, and we don't want to unduly publicly embarrass someone who makes an honest mistake and fixes it quickly.

BTW, Conservancy would definitely welcome a discussion on the principles-discuss mailing list about GPL enforcement strategies. That list is , and I've decided to boldly cross-post my email here to the principles-discuss list "just in case" folks want to continue this thread there, as it's the perfect place to discuss that issue with a broader community beyond Debian.

Finally, I should note that Conservancy currently does GPL enforcement work on behalf of many Debian copyright holders (and holds copyrights ourselves that developers have assigned to us). You can join that coalition if you like, by contacting . (Note that these agreements are *not* legal representation agreements of any kind, but enforcement cooperation agreements.) (BTW, this was announced at DebConf 2015 for those who didn't know about it; see )

Finally, quoting Phil Hands' post on Monday:
>>> As I understand it (IANAL), the troll in question is using a wrinkle of
>>> German law to send out paperwork that has a rather short time-limit to
>>> respond, which railroads the victim into signing something, after which
>>> that can be used as leverage in a second complaint to extract money from
>>> the victim.

As always, IA also NAL, TINLA, etc. But, first of all, I think naming Patrick McHardy (rather than saying person "in question") is better. The situation with Patrick has been grossly exaggerated, and by not avoiding his name, it can inadvertently give an ominous air to the whole thing. (As Dumbledore said, "Fear of a name increases fear of the thing itself". ;)

I'm well connected to the backchannels of enforcement (obviously), and while Patrick refuses to talk to me (I've tried really hard to convince him to talk with me again, see ), I do hear from others about what he's up to, and AFAICT, he's up to very little now.

I also don't think his activities are peculiar to German law (other than perhaps that it's cheaper to file an initial lawsuit in Germany than elsewhere). Patrick's primary problematic activity is quick settlement agreements from truly clueless violators who remain *out of compliance*, and who have little hope to come into compliance without substantial assistance. (That could be done in virtually any jurisdiction.)

Those agreements further insist the company pay Patrick escalating payments if they don't figure out compliance on their own in a certain time period (circa six months). The big and/or clueful companies that he has approached have not had to pay much of anything to my knowledge (and they came into compliance anyway in due course). It's the less clueful companies who end up paying his "later fines".

There are definitely rumors that Patrick "got millions of Euro" doing this, but the actual evidence I've been shown indicates he probably received about €50k from it. Perhaps there's more evidence, but it hasn't been shown to anyone I know, and my standard question when someone claims "Patrick got a lot of money" is to ask for actual proof. And, meanwhile, the "millions of Euro" rumor appears to have originated from someone who works in the compliance industrial complex and thus has a vested interest in scaring companies into buying their services.

And, personally having spent a good part of my career doing GPL enforcement (and in particular figuring out how to *fund* it), I'm very sure that while Patrick might have gotten some "easy money" to start, he's likely discovered that it's not a profitable undertaking. Generally speaking, no one does GPL enforcement work (long term) for money, because the work is not really self-funding. Those of us who have done it for decades do it because we care about the copyleft and the rights of users to modify software, and we usually take *much less* in salary than we could earn doing other (substantially more interesting) things.

Patrick's enforcement interacts in an interesting way with the "Common Cure" because he specifically exploited a very common situation: companies who were caught by surprise and were logistically and/or technologically unable to comply within the (various) 30-90 day windows provided for by GPLv3 and the "Common Cure". Heck, in my experience (which is now hundreds and possibly more than a thousand GPL enforcement actions) only two or three have ever complied in that amount of time (starting from date of notice of violation).

So, if the community fears the vector of attack that Patrick McHardy tried, the "Common Cure" is *not* the common cure. Fortunately, that doesn't matter because I expect Patrick's attempt will be shown by history to have been a minor and mostly unsuccessful endeavor.

-- 
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter