Hacker News new | past | comments | ask | show | jobs | submit login
Understanding the “GPL is a Contract” court case (perens.com)
130 points by sohkamyung on June 4, 2017 | hide | past | favorite | 48 comments



> There’s been a lot of confusion about the recent Artifex v. Hancom case, in which the court found that the GPL was an enforceable contract.

The author is reading too much into this. This was just a ruling on a motion by the defendant, Hancom, to dismiss under Rule 12(b)(6) of the Federal Rules of Civil Procedure, the "failure to state a claim upon which relief can be granted" rule.

A 12(b)(6) motion essentially says "Let's assume for the sake of argument that every allegation of fact that the plaintiff made in their complaint is true. Under that set of facts, there is no way that a court could find that we are liable under whatever law plaintiff claims we have violated".

When a court rules against such a motion, it is not saying that the alleged facts ARE true, or that when those facts are applied to the laws in question the plaintiff will win. All it is saying is that they plaintiff has alleged everything that is necessary in order for it to be possible for the plaintiff to win.

So in this case all the court really found was that it is possible that GPL is an enforceable contract in the circumstances alleged by plaintiff, Artifex.


Well, that's not exactly a fair representation. The court found as a matter of law (not fact) that the GPL is an enforceable contract. 12b6 standards require the court to interpret the facts in the most favorable possible light for the plaintiff. The facts, but not the law. No factual evidence is required for the court to determine whether the GPL can be a legally enforceable contract, so the plaintiff-favorable burden of proof has no bearing on the legal conclusion which is the subject of all this news coverage. The decision being made as a matter of law in a 12b6 motion indicates that the outcome of this particular case still remains uncertain, but that the court would interpret any other GPL in any other case as a legally enforceable contract.


Is this distinction equivalent to satisfiability of the contract wrt any case vs satisfiability of the contract wrt this case?

How do you constrain "any case" to something reasonable, or does it need no constraining?


While your statement of 12(b)(6) is correct, I don't think your analysis of fact vs. law is deep enough.

The kinds of facts that court assumes to be true for a 12(b)(6) motion are that the defendant _did not_ sign a contract. The court assumes that the defendant _did_ use the software in a manner that violates the GPL.

However, determining that the GPL is an enforceable contract is a matter of _law_. That is not something that would be assumed to be true, and is a point that the court may make a decision on at this stage.

That is, the court _assumes_ the defendant violated the GPL, but still needed to come to the decision that the defendant _was not allowed_ to violate the GPL. From my brief reading, the court has made the determination that—if the alleged facts are true—the defendant was not allowed to violate the GPL.


Yeah, we're not very far into this case from my understanding. Might want to wait to see if it gets appealed and whether the court of appeals even addresses that question.

That said, aside from the occasional FUD, I don't think many people have doubts about the GPL holding up.


>> That said, aside from the occasional FUD, I don't think many people have doubts about the GPL holding up.

The GPL is more important in what it does rather than what it IS. It doesn't seem to matter whether it's a license or a contract, what matters is that someone who violates its terms have nothing to fall back on to defend their copyright violation. I think calling it a contract is actually a bad thing because breach of contract may result in compensation far less than todays penalties for copyright infringement.


Right, at best the case can provide analogy for a future case under substantially identical circumstances.

It does say, though, that a court considered some provisions of the GPL, in the fashion that Artifex could be considered to have agreed, to be binding. That alone is no small thing.


This is true for every decision by a court except for the final judgment. A typical example would be a bail hearing, where they are not supposed to establish guilt.

But like with many human system it tend to leak. Its not uncommon to hear lawyers say that the outcome of a motion will imply where the final decision will land.


Sometimes a motion is dispositive of the whole case (or nearly so). Failing to dismiss on 12(b)(6) isn't like that at all.


I hope single-vendor commercial open source business model would be more common. http://dirkriehle.com/publications/2009-2/the-commercial-ope...

GPL + Commercial dual licensing seems to be really good option for small and midsize business where ake the code and take the business is real possibility. GPL is widely known and quite clear. GPL establishes open source genealogy, not just one point in time event like BSD licenses do.

Ghostscript, MySql, Qt etc. followed this path successfully. Qt is now a public company with open source product.


Why not AGPL + Commercial? To me this sounds like an even better option, as it closes some GPL loopholes such as "hiding" modified GPL code behind a service.


Yes, of course. AGPL is good for this and should be considered as alternative for GPL or LGPL. It depends on the business model.


I thought they closed the loopholes with v3?


They closed all loopholes regarding software that runs on the user's computer.

For software that is used over the network (such as web applications), the GPLv3 grants the rights only to the server admins, because in the spirit of the GPLv3 these are the users of the software. In contrast, AGPLv3 states that in this case the real end users are those receiving the granted rights.


Different loopholes. V3 closes the idea of pretending to give someone permission to modify and share software, but then using encryption or patents to make it impossible in practice. Like selling a car but then withholding the ignition key.

AGPL closes the idea that someone just ship a thin client and have everything running on a server, which is an experience that can be almost indistinguishable from receiving a copy. Since GPL explicitly do not treat the transmission of a copy and using a service as identical, AGPL go as far as copyright allows and tries to fix that.


Ah, okay.

I knew about the AGPL and I thought it was merged into the GPL with v3.


It was included in GPLv3 drafts and then removed and split into a different license. Insider politics, but story as I take it basically that Google and similar threatened nuclear war on FSF and GPL if it had the Affero clause. FSF decided it was more important to get buy-in on other loophole-closings (tivoization, software patents) than to risk getting no buy-in for the update. Some people involved are still very frustrated about the compromise.


I was directly involved in the decision to split AGPL into a different license (as a lawyer for the FSF at the time). Your story attributing this development to pressure from Google is completely false (though I have heard something like it as well).

Early public drafts of GPLv3 did not exactly have an Affero condition - rather they provided for compatibility with a then-nonexistent class of licenses with Affero conditions satisfying certain criteria (AGPLv1 was not one of them).

This approach was disliked by two different constituencies. One was a group of intellectuals who were associated closely with Debian, who largely would have preferred a full-fledged Affero condition in GPLv3. The other was a corporate constituency, but it wasn't Google (or other web 2.0-type companies); rather I would say it was essentially FinSec end users. This group seemed to be worried about the possibility of normalization of Affero-type conditions which it was thought the compatibility provision in early GPLv3 drafts would cause.

FSF certainly wanted to get buyin for the provisions dealing with software patents and 'TiVoization', but the companies preoccupied with those provisions were mostly unconcerned about the Affero issue.

Edit: There was some concern from corporate interests, at least, about the whole prospect of a proliferation of future Affero-like GPLv3-compatible non-GPLv3 licenses, which the early drafts of GPLv3 specifically contemplated. This was one of the motivations for redesigning the policy to have a single, FSF-authorized Affero license that would be, in all likelihood, the only (partially) GPLv3-compatible license with an Affero condition. The other motivation was to address the concerns of the 'Debian intellectuals' I refer to above.


Thanks for the clarification. I did mean to say Google mainly as a stand-in for [that sort of company]. Good to be corrected on being wrong even there. But the confusion probably stems from the way that Google came out as anti-AGPL in the end anyway (as we might expect).

Count me as one of those people who want the alternate reality of GPLv3 = AGPLv3 and where that is widely used (but I'm in no position to know that if that decision had gone that way whether the result would have succeeded or whether the denunciation by those with conflict of interests against the Affero clause would too greatly hurt the cause — despite almost everything moving to where Affero clause is ever-more relevant, I'm not seeing much growth in AGPL unfortunately)


lol, buy-in sounds a bit like the FSF sold out.


It's like people think that FSF is a completely dogmatic and uncompromising organization. In fact, they're interested in whatever serves their mission, including compromising when they feel it's worthwhile. This is nothing new. It's just that most of the compromises that other people wish they would make they feel do not serve their free software mission.


Because the AGPL, like the GFDL, is not a free software license. It doesn't allow running the software in reasonable ways.

For example, given an AGPL full text search program expected to run over a web interface (and offer source over that interface), I cannot adapt it to run over postcard, SMS, or amateur shortwave radio.


> is not a free software license

Not sure which standards you are applying here, but AGPL is accepted by FSF, DFSG and OSI. It is clearly a FLOSS licence regarding whatever authority you want to cite.

(And just to be clear, we are talking about the latest version of AGPL, AGPLv3, right?)

> For example, given an AGPL full text search program expected to run over a web interface (and offer source over that interface), I cannot adapt it to run over postcard, SMS, or amateur shortwave radio.

Can you cite any laywer or AGPL representative who shares that interpretation?

Otherwise, Poe's Law is strong here. What's the point, for the sake if a civil discussion, in deliberately misinterpreting the AGPL in such an exaggerated way?


IANAL, but the AGPL only requires that you offer the source when a user interacts with it over a computer network. postcard and radio clearly do not qualify as such. Whether SMS qualifies might require some lawyer reading entrails.

And you could build your SMS service on top of a network interface. Network interaction is not considered conveying the work, so it is not affected by the conveing and combined work clauses of the AGPL. In other words: Linking is viral, the must-present-source part is not if you build services and the like.


> Another interesting point in the case is that the court found Artifex’s claim of damages to be admissible because of their use of dual-licensing. An economic structure for remuneration of the developer by users who did not wish to comply with the GPL terms, and thus acquired a commercial license, was clearly present.

Interesting development. This makes me want to dual-license my software so that violations have more teeth to them.


Although Jacobsen v. Katzer (2008) seems to give teeth even without dual licensing. Katzer argued that the open-source conditions are "non-economic", and therefore not enforcable as a copyright infringement case, but the Court of Appeals, Federal Circuit wrote

> Traditionally, copyright owners sold their copyrighted material in exchange for money. The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. There are substantial benefits, including economic benefits, to the creation and distribution of copyrighted works under public licenses that range far beyond traditional license royalties. For example, program creators may generate market share for their programs by providing certain components free of charge. Similarly, a programmer or company may increase its national or international reputation by incubating open source projects. Improvement to a product can come rapidly and free of charge from an expert not even known to the copyright holder. The Eleventh Circuit has recognized the economic motives inherent in public licenses, even where profit is not immediate. [---] The clear language of the Artistic License creates conditions to protect the economic rights at issue in the granting of a public license. These conditions govern the rights to modify and distribute the computer programs and files included in the downloadable software package. The attribution and modification transparency requirements directly serve to drive traffic to the open source incubation page and to inform downstream users of the project, which is a significant economic goal of the copyright holder that the law will enforce. Through this controlled spread of information, the copyright holder gains creative collaborators to the open source project; by requiring that changes made by downstream users be visible to the copyright holder and others, the copyright holder learns about the uses for his software and gains others' knowledge that can be used to advance future software releases.

The parties later settled, so we don't know what damages could have been awarded, but this affirms the basic principle of the GPL.


Well, why? If someone uses GPL only, it means they are not looking for money, but is more of a choice to not use more permissive licences. Dual licensing does not solves anything for them.


Because when I choose a GPL license, I do it because I want anyone that uses that code to share their changes back with me.

If all I get out of a long court case is finally seeing their code, then it's not worth it for me to sue, and it's not worth it for them to comply with the license.

Instead: if I dual license it: when they don't comply with the GPL license, I can sue them for damages: which makes things a hell of a lot more appealing for a lawyer to take my case, and not as much as a waste of my time.


> I do it because I want anyone that uses that code to share their changes back with me

You should be clear that the GPL has no such upstream requirement. Changes only need to be passed on downstream. It's pass-it-on, not give-back. It often works out that upstream gets access to the same channel that receives the changes, but that's not necessarily the case, strictly.


"dual-licensed" is normally used to describe 2 Open Source licenses that user can choose from.

[Edited for clarity]


I believe here that the use of "dual license" here is about open source + paid proprietary, not two open source licenses. The idea being that you can claim damages.


normally is a stretch. The term applies to all forms of dual licensing, and dual free and proprietary might be more common, just maybe not in your particular experience.


Wait what? I write GPL only software for a living and I certainly am looking for money from it. It's just that I don't get the money by selling you the software itself.


It's just that I don't get the money by selling you the software itself.

Even that is perfectly fine. The company I previously worked for did exactly that: sell AGPL-licensed software to other businesses.


What Perens doesn't explain, and what I'm curious about is if the GPL is considered a contract in just this specific case, or in general. As far as I understand, a contract requires agreement from the contractor (is that the right term? Contractee?).

The finding says:

> Defendant used Ghostscript, did not obtain a commercial license, and represented publicly that its use of Ghostscript was licensed under the GNL GPU. These allegations sufficiently plead the existence of a contract.

I read that as: Since the defendent publically aknowledged their use of the software under the GPL, they indirectly "agreed" to it, hence it's considered a contract.

If a company doesn't publically state that, is it then not considered a contract, and only a license?


The issue, of course, is that if they didn't agree to it, then they're (probably) redistributing a copyrighted work without a license to do so. So it's likely expedient for a court to assume that redistribution of a GPLed work constitutes acceptance of the GPL, as the alternative makes no sense.


The issue here is not about acceptance of the license, but whether it is just copyright infringement or also breach of contract.


IANAL, but it makes sense to me that A) you've agreed to the GPL and thus have willingly entered a contract, or B) not agreed to the GPL and are committing copyright infringement.

You can then only be in breach of contract if you're operating under A.


I'm also not a lawyer. I assumed that since they're making such a big deal about the GPL being considered a contract in this case, that in other cases it wasn't considered a contract. It feels like they're saying a breach of contract is somehow different than just violating a license / copyright law, but I'm not sure.


>As far as I understand, a contract requires agreement from the contractor

Maybe you are are thinking what is called express contract where parties state the terms, either orally or in writing. Two other types of contracts exist. Implied-in-fact contracts, and implied in law contracts are also valid contracts. Contract implied in fact is inferred from the circumstances There is no need for expressing the intent as happens in express contract.

The language in GPL indicates contractual arrangement. This is indicated when referring to the effect of the "agreement" and to what conduct constitutes acceptance of the license.

for example GPL 1.0:

THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT


I read that as something that bolstered the case that it was a willful violation and not accidental, not that it was a required condition for considering it to be a contract.


How is Linux immune to wannacry like attacks?


It's not, but Linux is immune to Wannacry and a lot of the other _actual_ garbage that's out there because they don't target Linux desktop users. It would probably be pretty trivial to come up with a Wannacry-like bit of malware that was equally (or more?) effective on a Linux desktop, but the market for doing so isn't very lucrative.


So the argument is Linux is more secure now because hackers aren't paying enough attention to it. That is no reason to gloat about how Microsoft is bad in terms of security.


Not sure why this got downvoted. The claim the author makes sounds ridiculous at best.

>My computer running the GNU and Linux software isn’t entirely virus-proof, but it’s immune to “Wannacry” and a lot of the garbage that most of you tolerate.

Essentially any Linux desktop install is going to be an absolute security nightmare when compared to a fully patched windows install. While Microsoft has been pushing trustworthy computing for 15 years, on Linux desktops we only recently started to get ASLR/PIE.

Wannacry wasn't even exploiting any 0days and therefore "Windows" was also immune to it from the beginning.


"Trustworthy" computing is not about security, but about platform control. You can still exploit a computer, whether it has TPM & accessories or not.

If the Windows was immune to Wannacry, we would not hear about it in the first place. You might argue, that it was the operators who failed to update, but there was already a discussion, that due to Microsoft abusing the Windows Update in the past, many people had many good reasons to disable it.


>"Trustworthy" computing is not about security, but about platform control. You can still exploit a computer, whether it has TPM & accessories or not.

I'm sorry, but this is just tinfoil nonsense. Trustworthy computing has nothing to do with TPM & accessories.

Stuff like this is what Trustworthy computing is about: https://www.blackhat.com/docs/us-16/materials/us-16-Weston-W...

The above PDF is also a good reference guide to mitigations that are not present on desktop linuxes.

>If the Windows was immune to Wannacry, we would not hear about it in the first place. You might argue, that it was the operators who failed to update, but there was already a discussion, that due to Microsoft abusing the Windows Update in the past, many people had many good reasons to disable it.

Choosing not to install security updates also leaves you vulnerable to such attacks on Linux, and they do happen. Are you seriously trying to imply that you've never had an issue with a package manager on Linux?


> I'm sorry, but this is just tinfoil nonsense.

Please refrain from insults and ridiculing. That does not belong into a honest discussion.

> Trustworthy computing has nothing to do with TPM & accessories.

Trustworthy computing and Trusted computing are so similar term, that most people will confuse these two. Especially if they are not native English speakers. It was not a good choice to pick a term so similar.

> The above PDF is also a good reference guide to mitigations that are not present on desktop linuxes.

Of course not, these desktop linuxes do not have the most used attack vectors in the first place.

> Choosing not to install security updates also leaves you vulnerable to such attacks on Linux, and they do happen.

Sure, but the point was lack of trust in Microsoft and the abuse of the update mechanism in the past. You wouldn't pick any candy from a box, if you knew that just some of them are poisoned...

> Are you seriously trying to imply that you've never had an issue with a package manager on Linux?

Yes, I seriously do. Since Redhat Linux 5.0 (that's Redhat Linux, not Redhat Enterprise Linux), the only issue I had was an invalid package that failed to install (it was later fixed and the package then installed fine). No Linux distribution ever abused the update mechanism in such a way as Microsoft did.

The only questionable thing that happened was Canonical and their forwarding of search data to Amazon. They were rightfully criticized, the fix was easy, the updates didn't flip the setting back and in the end, it was corrected by Canonical. I have yet to see any correction from Microsoft - they didn't even admit wrongdoing yet.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: