so-called "Common Cure" provision, GPL enforcement within Debian, Patrick McHardy's enforcement, etc. (was Re: Do we need embargoes for GPL compliance issues?)

[Bradley M. Kuhn]

I realize that the conversation has petered out a bit on this debian-project
thread, but I wanted to add a few details because Conservancy was mentioned,
and also let those interested know there is another place where discussion
can continue that might be of interest (see below):
    
Florian wrote:
> I'm asking because even with the GPLv3 or the Common Cure
> <https://github.com/gplcc/gplcc>, the 30-day period seems awfully
> short. 

TL;DR: I agree that the "Common Cure" is of very limited benefit. 

In my experience, it takes much longer for even savvy companies to remedy
their copyleft noncompliance.  Have a look at the Principles
<https://sfconservancy.org/copyleft-compliance/principles.html>, which
Software Freedom Conservancy wrote together with the FSF to codify the ways
we think that ideologically motivated GPL enforcement should look.  The
so-called "Common Cure" idea is just one of those principles (and a minor
one at that).  It's hard to imagine that it will be effective when isolated
from the whole enforcement strategy.

I am indeed worried that (presumably inadvertently) those promoting the
"Common Cure" are indicating that it's some sort of panacea to compliance
issues.  There is no panacea; diligent, careful, hard-working,
friendly-but-firm and well-funded GPL enforcement is the only solution.

Ian Jackson wrote:
>> I think it was entirely wrong of the Conservancy's Linux GPL
>> enforcement project to go along with the idea of promising to give
>> violators a GPLv3-style termination clause.

As Ben explained, Conservancy didn't "go along with the idea", we were the
ones who proposed it, when Conservancy and FSF co-published the Principles.

However, we meant the Principles to be a unit that worked together -- not a
menu to pick from.  The "Common Cure" picks the mint from the tray at the
end of the meal and ignores the meal.  While we enjoy the mint as much as
anyone, we encourage everyone to first eat a full meal. :)

> Do you think Debian should welcome embargoes for GPL compliance
> issues? 

If embargoes include "not going public about the matter until private
negotiation has become fruitless", I think Debian could benefit from doing
that.  (That's another one of the Principles, in fact.)

I do understand and somewhat agree with the points many have made about how
it's often easier to report publicly first.  However, I think that primarily
only applies to intra-Debian minor violations (e.g., errors in packaging
yielding incomplete sources).  If some third party violates on Debian's
copyrights in a downstream product, I think it's much better to give them
some time to resolve it privately.  GPL violations are embarassing, and we
don't want to unduly publicly embarrass someone who makes an honest mistake
and fixes it quickly.

BTW, Conservancy would definitely welcome a discussion on the
principles-discuss mailing list about GPL enforcement strategies.  That list
is <https://lists.sfconservancy.org/mailman/listinfo/principles-discuss>,
and I've decided to boldly cross-posted my email here to the
principles-discuss list "just in case" folks want to continue this thread
there, as it's the perfect place to discuss that issue with a broader
community beyond Debian.

Finally, I should note that Conservancy currently does GPL enforcement work
on behalf many Debian copyright holders (and holds copyrights ourselves that
developers have assigned to us).  You can join that coalition if you like,
by contacting <debian-services at sfconservancy.org>. (Note that these
agreements are *not* legal representation agreements of any kind, but an
enforcement cooperation agreements.)  (BTW, this was announced at DebConf
2015 for those who didn't know about it, See
<https://sfconservancy.org/news/2015/aug/17/debian/>)

Finally, quoting Phil Hands' post on Monday:

>>> As I understand it (IANAL), the troll in question is using a wrinkle of
>>> German law to send out paperwork that has a rather short time-limit to
>>> respond, which railroads the victim into signing something, after which
>>> that can be used as leverage in a second complaint to extract money from
>>> the victim.

As always, IA also NAL, TINLA, etc.

But, first of all, I think naming Patrick McHardy (rather than saying person
"in question") is better.  The situation with Patrick has been grossly
exaggerated, and by not avoiding his name, it can inadvertently give an
ominous air to the whole thing.  (As Dumbledore said, "Fear of a name
increases fear of the thing itself". ;).  I'm well connected to the
backchannels of enforcement (obviously), and while Patrick refuses to talk
to me (I've tried really hard to convince him to talk with me again, see
<https://sfconservancy.org/blog/2016/jul/19/patrick-mchardy-gpl-enforcement/>
), I do hear from others about what he's up to, and AFAICT, he's up to very
little now.

I also don't think his activities are peculiar to German law (other than
perhaps that it's cheaper to file an initial lawsuit in Germany than
elsewhere).  Patrick's primary problematic activity is quick settlement
agreements from truly clueless violators who remain *out of compliance*, and
who have little hope to come into compliance without substantial assistance.
(That could be done in virtually any jurisdiction.)  Those agreements
further insist the company pay Patrick escalating payments if they don't
figure out compliance on their own in a certain time period (circa six
months).  The big and/or clueful companies that he has approached have not
had to pay much of anything and to my knowledge (and they came into
compliance anyway in due course).  It's the less clueful companies who end
up paying his "later fines".  There are definitely rumors that Patrick "got
millions of Euro" doing this, but the actual evidence I've been shown
indicates he probably received about €50k from it.  Perhaps there's more
evidence, but it hasn't been shown to anyone I know, and my standard
question when someone claims "Patrick got a lot of money" is to ask for
actual proof.  And, meanwhile, the "millions of Euro" rumor appears to have
originated from someone who works in the compliance industrial complex and
thus has a vested interest in scaring companies into buying their services.

And, personally having spent a good part of my career doing GPL enforcement
(and in particular figuring out how to *fund* it), I'm very sure that while
Patrick might have gotten some "easy money" to start, he's likely discovered
that it's not a profitable undertaking.  Generally speaking, no one does GPL
enforcement work (long term) for money, because the work is not really
self-funding.  Those of us who have done it for decades do it because we
care about the copyleft and the rights of users to modify software, and we
usually take *much less* in salary than we could earn doing other
(substantially more interesting) things.

Patrick's enforcement interacts in an interesting way with the "Common Cure"
because he specifically exploited a very common situation: companies who
were caught by surprise and were logistically and/or technologically unable
to comply within the (various) 30-90 day windows provided for by GPLv3 and
the "Common Cure".  Heck, in my experience (which is now hundreds and
possibly more than a thousand GPL enforcement actions) only two or three
have ever complied in that amount of time (starting from date of notice of
violation).  So, if the community fears the vector of attack that Patrick
McHardy tried, the "Common Cure" is *not* the common cure.  Fortunately,
that doesn't matter because I expect Patrick's attempt will be shown by
history to have been a minor and mostly unsuccessful endeavor.

-- 
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter