
> If they distribute a product with binaries built from GPL'd code in it, they must provide the source upon request.

That's a little bit of an overstatement. It is sometimes possible to distribute GPL binaries without incurring any source obligation, and I suspect that this is going to become a lot more common as IOT devices become more popular. For example, Amazon, Best Buy, Walmart, and others sell assorted consumer products, such as televisions and routers, that contain Linux-based firmware, but they do not have any obligation to provide the source.

All they are doing is receiving boxes of televisions and routers and other goods from the manufacturers (or from the distributors who receive them from the manufacturers), and then selling those items to the consumer on a one to one basis. A copy of Linux comes in to them embedded in some physical thing, such as the FLASH memory in a television or router, and they sell that particular physical hardware and that particular copy of Linux to a consumer. The first sale doctrine, which pretty much every major country I believe has in some form in its copyright law, says that doing this does not require permission of the copyright owner. If you aren't doing anything with GPL code that requires permission of the copyright owner, GPL has no power over you.

Right now, I don't think this is a big issue because usually you can find out who does have an obligation to provide the code. Buy a television or router from Best Buy, and it will be from some reasonably prominent manufacturer, such as Samsung or Netgear, and that manufacturer probably is the one who was actually making copies and putting them on the device. They have the obligation to provide source, and they usually have some reasonable way to contact support and find out how and where to actually get it.

I think this may change as IOT becomes more common. I think we'll see several companies that make generic IOT base platforms, which they sell to companies that want to make IOT devices for specific applications. Those companies will add their software to the software of the base device, and hook up the specific sensors and actuators needed for their application.

A technically sensible way to make the generic base platforms is to make a Linux-based system that has the kernel and the standard utilities on a root partition in FLASH memory, and has a memory card slot. Upon startup have the init system wait for a memory card to be inserted that contains a valid filesystem, mount that filesystem on /home, and then look for /home/iot/startup.sh. If that exists, it becomes the iot user and runs /home/iot/startup.sh.

Companies that use this generic base to build their IOT device do not have to modify or copy the kernel or anything else on the root partition. All of their code lives on that separate memory card, as user mode applications and scripts. These companies, when they want to make a manufacturing run of, say, 5000 devices, would buy 5000 units of the generic IOT base system, build and connect 5000 of their sensor and actuator modules, insert 5000 copies of their user mode application and script memory card, and ship the 5000 devices out to customers, distributors, and stores.

So you go to Best Buy and buy one of these things and want source code to the Linux contained therein, what do you do? If you ask Best Buy, they say they just passed on the box they received, and point you to the manufacturer listed on the box. When you contact them, they say the same thing...they just bought these generic Linux IOT bases, and plugged in their hardware modules and inserted their memory cards (which contain no GPL software), and if they are feeling nice they tell you the name of the company that made the IOT base. If they are not feeling nice, or they consider information like who their suppliers are to be a trade secret, they may decline to tell you where they got the base platform, and you are pretty much stuck.

It could even get worse, because I suspect that in some markets there may be multiple layers of this. You'll have at the bottom layer companies making a fairly generic Linux-based system for embedded use. At a layer above them you'll have companies that take those generic systems and partially specialize them for particular industries or fields or activities. They may add special hardware interfaces, put them in rugged cases, or things like that. A layer up from that would be the companies that turn these into products for end users.

And that isn't even the worst it can get. It is actually possible to get a GPL binary commercially that nobody has obligation to provide source for. That's because GPLv2 provides two ways to satisfy your source code obligation if you commercially distribute a GPL binary:

1. Include the source when you distribute binary.

2. Provide a written offer, valid for at least three years, to provide the source to any third party who requests it.

Suppose the maker of the generic IOT base device, the one that has Linux on its root filesystem and on startup tries to mount the memory card and run the user mode application found there, includes in each box a CD-ROM that contains the source for all the software on the root filesystem. (That's what I would do...I'd rather go to the slight added trouble up front of adding a CD-ROM to the shipment now and be done with it than have to deal with it spread out over several years).

Their customer, the company that is making, say, an IOT nose hair trimmer, doesn't care about those CD-ROMs. They just want to add their hair length sensor module, and their clipper module, insert their memory card with their software, package it all up nicely, and ship it off to the retailers. They toss the CD-ROMs in the trash.

You buy one of these nose hair trimmers. Who is obligated to give you the source? How about the generic IOT base device maker? Nope. Every GPL binary they shipped was accompanied by the complete source code, so they satisfied their GPL obligation.

How about the nose hair trimmer company? Nope. They are just shipping out copies they received, and are covered by the first sale doctrine.

If this becomes common enough for the FSF to see it as an issue that needs to be addressed in GPLv4, it will be interesting to see if they can come up with a good solution. The basic problem is that the option to satisfy your GPL obligation by including the source with the binary extinguishes your obligation in regard to that binary without guaranteeing that when the recipient of that binary redistributes that they will incur a source obligation (because first sale provides a situation in which they can distribute without incurring any copyright obligation).

Offhand, I only see one way to address this. Make it so that if you distribute a GPL binary (in a way that required copyright owner permission) then you must provide source to any third party that requests it. Back when GPLv2 was written, that could have been quite onerous, because distributing source usually meant sending a tape. Nowadays, distributing online is easy, and there are plenty of free hosting services for source code, so it probably wouldn't be too onerous. Still, that would be a pretty big change, and I think a lot of people would be very upset at the "fire and forget" option that "include the source code when you distribute the binary" provides.

Anyone see any other ways to address this?




In practice, doesn't sound very problematic to me. As long as the IoT base device manufacturer is compliant, someone can just buy a board (for "product development" purposes) and then release the source publicly.


What happens if the base device manufacturer goes under and removes their website? Then the board distributor is not in compliance.


Nah, there I agree with tzs, after the manufacturer sells the product, copyright has been exhausted and the distributor has no obligations unless they make new copies of the work.



