Oh, yeah. What the fancy folks talking about? Prittles? We always have better people. I guess so. It is going through guidance. We discussed enforcement and compliance. Okay, so we couldn't tell if the title of this was compliance or enforcement. So we just added an "and" in between and now you get both. Which I think does tell us something about sort of the state of where things are, right? Compliance with licensing, enforcement with licensing, two sides of the same coin. And I think pendulum swing between years that we're talking a lot more about enforcement, years that we're talking a lot more about compliance, like proactive compliance. So hopefully we'll walk through that some. For those of you who joined us after lunch, I'm Luis Villa. I'm the general counsel of Tidelift, which is a new VC-backed startup where we're helping support developers by and support enterprise users of open source. The longer pitch is long. So I'll bore you with it. Previously I've been at Mozilla and Wikipedia and I'll let you each introduce yourself briefly for... Oh, and we have one speaker drop out. So Justin is a very last minute addition to the panel. Wow, I actually realized that we're all... We all had a comment at one point. Oh, yeah. It's been a long time. You didn't? I never definitely did. I was trying a bit of progress. There was a time in 2009 when we were all hanging out on the upper west side of New York City. Yeah. In 2006 we were sharing the same office at least like one or two days. Yeah. Yeah, yeah, yeah. Okay. We just all inside and made sulfur and no one who knows us. So we'll tell you about that, right? My name is Karen Sandler. I'm the executive director of the Software Freedom Conservancy, which is an organization that does a good amount of the visible GPL compliance plus enforcement work. And I am also a lawyer and I do pro bono legal work at some time for the FSF and GNOME. 
And before that I was the executive director of GNOME, but before that I was the general counsel of the Software Freedom Law Center, which was in contact with that previous, beginning to know your conversations. So my name is Justin Colannino. I'm an attorney at Microsoft in the open source and standards group. The group. Previously I've been in private practice as a patent litigator, but I started my career for the first year and a half at the Software Freedom Law Center, working with Karen right after Richard left. I got Richard's extension so I used to get all these calls for Richard. And when I started out I was doing GPL enforcement work, compliance enforcement work for client Software Freedom Conservancy. And Eric Anderson represented them, put them just from New York in the BusyBox litigation. And I'm Richard Fontana. I'm a lawyer at Red Hat and I've been doing work around open source for probably over 10 years now. He does the Software Freedom Law Center too. I was? Yes. I'm one time. Yeah, I just hung out there because one of my professors ran out there. I think he gave me some credit at some point. So when I think about compliance and enforcement there's sort of micro level stuff, like what are individual companies doing about enforcement and compliance, and that was something that came up a fair bit in the last panel. There's also macro level stuff. Like what are the big picture changes in the environment? And so I think where I want to start is that I think one of the big changes in the macro environment in this past year, especially in the past few months, is that a bunch of big Linux kernel contributors issued a statement in November about how they're going to enforce their GPL copyrights. And that announcement was led by Richard. So Richard, why don't you kick us off by talking a little bit about that announcement and what you think is... Oh, yeah. So the Linux project has a thing called the Technical Advisory Board. 
I think it's sort of actually technically an arm of, sort of associated with the Linux Foundation, but it's really kind of collected by the developers of the project. And they came out with this enforcement statement, which was sort of signed on to by about 100 or so developers of the Linux kernel project as of, I think, recently. The statement says that the developers commit to applying specific GPL version 3 termination provisions relating to cure opportunities to violations of GPL v2 licensed code. So the Linux kernel is licensed basically under GPL v2. GPL v2 has a kind of simple automatic termination provision. So the idea is to kind of give a more forgiving, kind of lenient termination enforcement policy to GPL v2 licensed code from the kernel. And then following up on that, Red Hat led a coalition of companies, including Google, IBM, and Facebook, announcing about a month after the Linux kernel statement came out that they were granting the same commitment essentially to all of their GPL v2 licensed and LGPL v2.1 or 2.0 licensed code. So regardless of project, they were granting the same commitment for all of their pre-GPL v3 license GPL code. And so I assume you think that was a good idea. How impactful do you think that is? So I think it's important to understand this is coming out of some specific concerns that have existed for a few years because primarily because of there is one litigator in Germany, a former contributor to netfilter in the Linux kernel named Patrick McHardy, who is rumored to have brought a large set of cases using kind of tactics, the enforcement that have been criticized by many in the Linux kernel community and in the community of commercial companies involved in using and distributing Linux. So the TAB statement, the Linux kernel enforcement statement grew out of that that these developers wanted to make some kind of statement about what they thought norms of correct enforcement were for their project. 
And then the motivation for Red Hat and the other companies and our little coalition of companies was very similar. So it's also really coming out of this concern about this one litigator in one country who's kind of caused a lot of angst in the Linux community over his enforcement. And so we think it sends a really good message about what is the right way to do enforcement of GPL version 2, in particular the idea that most acts of GPL non-compliance are inadvertent in nature and that it's appropriate to give those who don't comply with the license a fair opportunity to correct those errors, which was historically the enforcement policy of the Free Software Foundation. So Karen, I mean you've been involved in an even broader attempt to, I might say somewhat proactively bind hands of GPL licensors to, you know as Richard said, essentially be slightly more lenient than the license formally requires. What do you? Yeah, I mean to give a little bit more background, a lot of this, the history of what Patrick McHardy had been doing, it was really shrouded in mystery. We talked about this a little bit last year actually during the name track, but the cases that they were brought in Germany have strong privacy components to that. So the defendants were unable to, or the public is unable to get a, like a, Yeah, it's not like the US law where we have the documents, we can see all the cases. It was really, we were relying on the defendants themselves to tell us what was happening. And people were claiming that Patrick McHardy was really that actor, and we just didn't know. Can I step back since this has come up in both of your, for those of you who are not familiar, Patrick McHardy is a Linux kernel developer who's been bringing a series of cases. He owns, he's a copyright holder in a small, though it's disputed exactly how small portion of Linux kernel, and he's been bringing a series of cases for three, four years now in German courts. 
So that's the information that we don't, that we can't just search on. Right, right. I mean we don't really know who he brought these cases against. I know from back room discussions that some companies say that they have been approached by him and sued by him, and that I know that there have been some hearings that have been done. And we're still, people were confusing these actions with the work that Conservancy did to enforce the GPL, and so we started wanting to take back, take back the principles for starters. People often mischaracterize what Conservancy does anyway, and think that, you know, we're really aggressive, or we've been, you know, we're trying to monetize, you know, we're shaking up companies to get our big, fat donations, like that. And so we sort of took it back to principles and said, what is it that we find potentially problematic about these actions that this person may or may not be doing? And what can we do about it to bring stability and take the risk out of the field? And so what we did was we decided to write down what our principles are in doing our own enforcement, and to really, and then to promise publicly that we'd always do them this way. And we wrote the principles and the FSF published them with us when we went public with them. And they say all the things that we've been thinking before about how, you know, the, you know, litigation is the last resort. We say that the goal of the enforcement actions must be compliance and not monetization. That we will verify that there's a violation before we, you know, like as part of the process that, and then we also included this provision that we thought that it was much fairer to exclude GPLv3-style termination over v2. And so we promised all of that in our principles document. And then we brought that to, so we published that for ourselves because we thought this is the enforcement we can stand behind. And that companies should know that that is what they should expect from us. 
If they get a letter from us that, because, you know, they're not, you know, we got a no source or offer going on and we can't find someone to talk to. Eventually we send a formal letter. And when that letter gets to legal, at least when they research FLC, oh, they have principles about this. Then, oh, maybe this is something we can talk about and not get scared and also can help factor into the risk analysis and adopting the software. And so we did that. And I think, like, that has had a really good impact. And I'm still not sure exactly how I feel about the Patrick McHardy stuff; there was a hearing just a, yes, a few days ago. Two days ago, right? And some of the members of our coalition were there and like we've had a lot of discussion about it. It's all really fascinating stuff. I'm not sure, but a lot of it is based on speculation. So the good thing that's come out of it is that it caused us to, at least write down what we do, and then it gave the netfilter team the tools so that they could say to Patrick, this is what we believe. Do you agree too? And if you don't agree, then we're going to suspend you from our team, which is what they did. And then further, basically, you know, set the playing field so that then other people can take the pieces of the principles that they think are the important ones, and they can do things like the Linux kernel enforcement statement or the state's covenant that that group of companies did, which I think is really cool. Do you, I mean, do any of you see more of that kind of stuff happening in the upcoming year? Are people going to break out other bits and pieces of it? I think everybody should adopt wholesale. Are you going to be that? I don't know about the principles wholesale, but we're continuing to try to get, see if there's interest among other companies and kind of make signing onto the same kind of commitment and maybe doing it on a project specific basis. 
So projects with multiple contributors contributing under the GPL or LGPL in version two, seeing whether projects will make that same sort of commitment that the Linux kernel is made for or that certain developers in the Linux kernel project. So I think there will be some news about this in the upcoming year. Oh, that's great. I mean, for what is worth it? Oh, yeah. Oh, I was going to say, I don't have an etherpad because I think everybody's been really terrific at actually asking questions and not giving mini lectures instead of questions. So if everybody can keep that up, just throw up your hand and go for it. That makes sense. It comes to make it fun to sort of, what do you mean? Red Hat, Red Hat may not have realized the consequences of data constricted. Everybody was like, wait a minute. Red Hat never enforced open sources of power. Why are they saying that now, are they now, that now, oh my God, now they're giving me a chance to come on and put in a substance understanding or a form. I think that's the commercial nature of Red Hat. So it's sufficient about why are they saying that? I think that's fair. We did have a FAQ about this that included that, an answer to that question. So we made very clear, this does not signal that we're going to go out, we're suddenly going to go out and start enforcing the GPL. And the same thing with, you know, I can't speak for Facebook, IBM or Google because I don't think they got the same, they didn't actually sign on to hardback. But certainly for Red Hat, Red Hat has lots of GPL and LGPL code. So it's a fair question. You know, Red Hat has historically not been active in enforcement. The only real example of it is the defensive assertion of GPL kind of counterclaim in one patent, kind of a patent troll lawsuit that Red Hat's in the book was sued under a few years ago. So it doesn't signal a change in that in Red Hat's historic tendency not to get involved in enforcement itself. 
It is designed to send a signal about what the community thinks the proper sort of approach to enforcement ought to be. So if others do engage in enforcement, this starts to build a kind of, in a sense, kind of record about what consensus view of enforcement policy ought to be in GPL communities. But to be clear for those who aren't into the nitty-gritty on this, it's not really binding on other folks. It's certainly not binding on, it's binding on the companies that have signed on to this amendment. Not binding on others. And the Linux kernel enforcement statement is an additional permission for the portion, for the people who signed on for the, you know. So it's not a... That is for companies. It's written differently. So it doesn't use the phrase additional permission as far as I know, in the Linux kernel statement, but I think it's analytically... I'm not sure it really matters that much, but analytically... Well, since you two jumped into the deep weed of... I'm going to steer us into a different part of the deep weed. So one of the cases, one of the litigations that was going on this year was Hancom versus Artifex, which was a case in which Artifex has some software called GhostScript, which reads PostScript files, PDF files, Hancom allegedly infringed on it. What was interesting from the deep license surgery perspective was that Artifex alleged that the GPL was a contract and attempted to enforce on that basis, which is something that's relatively new in most previous cases, and please correct me if I'm wrong here, but it was a copyright infringement license theory. This case was brought on both. This case was brought on both, whereas most in the past have the only alleged copyright violation of copyright. Although the topic came up in 2006. That's true. Which involves the Apache license, I'm sorry, the artistic license. I think they were both contract and copyright infringement. Does this reopen the age old? Is it a license? Is it a contract debate? 
You guys went into the weeds first. Sorry, you all went into the weeds first. Yeah, I mean a contract theory or a copyright theory. In other words, there was an allegation that the alleged infringer in the case had agreed to the GPL when they downloaded the software and were not abiding by it. And so therefore the court held the GPL, they accepted it and then they didn't comply with it and therefore there's a contract agreement. The other issue there relates to whether or not those contract agreements are preempted because of copyright law because there's already a cause of action in the federal statutes for not complying with the copyright law. And the court held because there was alleged territorial infringement that both claims could stand independent of one another. Now what does that mean for whether or not the GPL is a contract or a copyright? I think it means you can Yeah, it's alleged both in addition to the Jacobson case there's an interesting case not specifically about free software licenses but the World of Warcraft case out of the Ninth Circuit dealt with whether or not particular provisions in a click-wrapped license were a condition or a covenant. So the covenant would reach of the covenant in all in one document which of the covenants of the condition would sound under copyright. And the Ninth Circuit held that there was there needed to be a nexus between the rights granted by the Copyright Act in order for the breach of a particular provision to be sounded in copyright. So in other words, there needs to be a nexus between the copyright rights and the provision in the agreement in order for to maintain a copyright cause of action versus a contract. And so Microsoft had similar language in there which leads to some language in MPL level for people with that one. 
Moving on, I just want to point out that the license versus contract thing from a more global perspective this plays out a little differently in different jurisdictions and there was a really good panel at FOSDEM that Pam Chestek organized to check out. For those of you who are interested in diving more into some of these topics, FOSDEM, which is a big conference in Brussels, has a bunch of streamed videos from their day long legal track just a month or so ago. I don't think they have mine up yet because there were serious technical glitches in mine. But yeah, that's an excellent point about the jurisdiction stuff. I wanted to tease out one more thing before we get away from litigation specifically. We've talked about Patrick McHardy, there was in the hearing earlier this week it was alleged that there's been nearly $2 million in payments to him so far from 38 different defendants. That's obviously a lot of money, a lot of interest. You already mentioned that you think there's some hope of a good outcome from this in the sense that it brought some more cohesion around in the form of the various statements and principles that have been circulated. Any hopes of any other positive outcomes out of this? You're all looking at me. She's looking at you. Go ahead. I was trying to process your question. Let me frame it a different way. This is something you and I were just talking about over lunch, Justin. Traditionally one set of enforcers like Free Software Foundation, Conservancy, very driven by the principles that are now codified. I will say having represented clients on the other side of that that the principles are very helpful because they do help calm a client who is an inadvertent violator. You can point to these and say, hey look, they're not trying to argue. It's just how they do it. So that's very helpful. So there's that class of enforcers. There's the sort of Patrick McHardy class of enforcers. And for some time there was sort of Harald Welte. 
There's been some other sort of in the middle enforcers who aren't as profit motivated as Patrick but do seek to collect some damages and fees. I think Harald was solidly in the epidemic emergency model. I thought at some point we did it as part of GPL violation and so FSF and Conservancy will seek to cover their costs. So unfortunately our missing panelist was going to take some of the heat of this question because he has represented some clients who have sought some damages not on the McHardy scale but sufficient, frankly to go slightly above and beyond merely paying his legal fees. So I'm wondering, do you think there's a space in the ecosystem for this Justin? You had a great answer for that. I think the question is you know, essentially I think is private enforcement you know, this for-profit that brings lawyers to the table where the lawyers can make some money and the developers can make money and I think last year you made the point that it can be good because the money goes back into the developer's pocket and the developer can continue developing and making software and releasing it under I think the issue with that position is that in order for individual contributors but take a large robust project with many, many different contributors, each contributor goes out and seeks rent in a for-profit way that private lawyers bring private enforcement action and they can make money off of it then you get a royalty stacking issue where things kind of go out of control and folks kind of like the patent troll problem where you have the same or one patent applied against multiple different companies to generate a huge stream of revenue and then people start going out and speaking out other business slices of the property right and closing up I think that if you got into that type of situation where the patent troll type of problem was applied to open source and free software projects what you'd end up with would be a lot of people would just be scared away and 
it would be really hard in the business case that we've been building, we've been working towards for the last 20 years would be put in jeopardy I'm particularly scared away from I think use of the kinds of projects that have what we historically have thought of as the healthiest in a tactical sense healthiest kind of development problem in terms of like size of contributor communities, maybe such projects might have other problems of course but I used to point maybe naively to some degree I used to point to the Linux kernel project as kind of a model project because it was so successful in attracting so many contributors and it was sort of like a poster child for free software and open source but this is now sort of the flip side that there's this danger of associating what we talked about as a kind of anarchistic project of lots of developers as a sort of special source of concern about my ability so these are really tough questions and believe it or not, we get tons of heat from folks who are either working for companies or strongly affiliated with companies that tell us that insurgency, whatever we do, we have to be really confident about adoption and we have to do everything we can to make our lawsuits or we don't even consider many lawsuits as many but our compliance work to be as company friendly as possible so that more companies learn how to come into compliance and will continue to use free open source software even as an advocacy matter to get more free open source software being used and then at the same time we get tons of heat from individuals primarily who think that we are doing a terrible job because we're not going after violators who have been in violation for a long time because we're so soft we're not as impactful as we should be and so in some ways it's been a little bit of a relief to have a monetizer out there because it's like we've been doing the best we can but we do enforcement at a loss and it's been like a funny balancing act to kind 
of figure all this out and I think the answer is I don't know where we struggle to do the best that we can with the situation and I think that the collaboration that is created in free open source software you cannot underestimate how much that is tied to this camaraderie and this willingness to work together and a lot of it comes out of ideology and a lot of it comes out of this corporate view of well we can use this free and the no cost software and collaborate with these other companies and there's good that comes out of it and I think that when you start having monetizers even if it's in a small way I think it impacts both sides of the equation so I'm not sure we at Conservancy don't think that you're community oriented if you are trying to monetize your GPL. Well I mean that brings I think to an interesting this is in some sense been a very interesting year for GPL and open source license compliance generally right a fair bit of litigation in particular a fair bit of litigation yet also simultaneously I would guess that all of you own a device at least one device in your home that is in GPL violation in some way shape or number right not just GPL violation many open source right so the level of enforcement relative to the level of infringement they're not I don't know what the intermediate balance is but they're definitely not in balance I mean do you think they're do you think there should be more I mean how would you I absolutely think there should be more I think that are so present at events like this I think the companies that invest heavily in their compliance infrastructure that have heads of open source that support GPL they're investing millions of dollars in their own compliance what I don't understand is that like as an industry those companies should be funding community driven enforcement so that we can you know so that there's consequences for the company to have a competitive advantage for not spending those millions of dollars on their own 
compliance so like I think that we would have much better compliance which is like we better first code which would the tide draw I think we would be so much better off either of you have any thoughts on I feel like there's there's there is a right balance out there so I just don't know I don't know what I don't know that we currently have the right balance I mean I can point to say the McHardy litigation as a bad thing and I used to I gave another talk kind of related to the topic a year or two ago where I pointed to the BusyBox lawsuit sort of an example of what I thought the right sort of getting the right sort of balance out on on GPL enforcement so I think that the balance is you want you want and you do need a certain degree of enforcement to make sure that that you know that there's a level playing field for the companies and individuals were involved in contributing to these projects because it's not fair for some companies and maybe this is sort of the point that Karen is making about not not fair for some companies to sort of invest a lot of resources in compliance while other companies sort of you know get to benefit from a project like Linux without being compliant on the other hand I think that there's a point at which enforcement of certain types at least can be hard to discourage use of the software and contribution software and that's sort of where I think you have to kind of find the right the right approach and right balance. Yeah and that's why I think that funding community driven enforcement is so important where the first goal is that someone who's in violation today is part of the community at being exceptionally impressed about that and if we all work together to provide the right educational materials alongside the community driven enforcement we would be in a completely different world. 
Yeah I mean I think because in a lot of ways the BusyBox litigation kind of sparked you know sparked a lot of companies thinking a little more heavily about you know how to how to do it and how to do it right and you know that's probably a benefit that came out of that was that you know this is a real license and there are real people who are impacted by or they're real people who might come around and knock on your door. This is amazing to me because at the time we're shortly thereafter and everybody here knows the BusyBox clusters were deprived of being terrible. A disaster for free and open source software and what's amazing is like just like GPLv2 became beloved once GPLv3 had been released. I was like only we could go back to the BusyBox one. So let me I mean I totally correct a very darkly hilarious point I want to jump back a little bit to something that Justin was saying though you know where people are thinking I think a little more about compliance and certainly to shift gears and shift the discussion a little bit one of the one of the macro proactive trends that we're seeing is a lot more people investing in data and tooling in order to comply better for at least certain definitions of compliance. So we recently got just as two examples. 
The Linux kernel got license information machine readable license information added to something like 70,000 files a few months back and this was something that traditionally Linux kernel had said oh we already know what the license of the Linux kernel is we don't need more machine readable information that's just extra noise and extra work for us to please don't do it and then a couple months ago that position sort of changed and a lot of metadata was added let me give the one other example and then just this week there was a project launch called clearlydefined.io which is another initiative to improve metadata around project information among other things sponsored by this is yeah and it's actually hosted by the open source initiative so it's at opensource.org it's ClearlyDefined if you're interested in finding out more this is simultaneously tens of thousands of new files and I think ClearlyDefined is targeting the top 1,000 projects simultaneously maybe not a very big 10. I don't know what do you guys think about this trend towards more metadata? 
I mean I think it's good I mean from a standpoint of your shipping and you want to provide proper licensing, you want to make sure that your licenses are compatible as they should be knowing what's in a code base when you're ingesting free software at scale which is what Microsoft does is extremely important and so to be able to kind of get a clear overview of what is inside the packages you're using because a lot of time developers will say what solved my problem this is what I want to use and they won't go through and look through stuff files or dependencies and having that known and defined is extremely helpful so that you can find people with proper attribution and also helps you talk about what you're using so if security vulnerability comes along or anything like that it's kind of all right there I'm a little skeptical about some of this activity so in the case of the Linux kernel what we have, what happened what I think you're referring to is kind of a standardization of how on a source file basis how licenses are sort of notated anyone using the Linux kernel project should have basically known that it's GPLv2 licensed and yet people who are kind of really obsessed around open source license compliance and the subculture of people who are kind of annoying me they can tell you that there's actually 200 different licenses in the Linux kernel and you have to make sure you're in perfect compliance with all of them basically it's GPLv2 licensed and in any case you should be building from source code and shipping source code with your Linux based product and you will be in compliance if you do that properly in a kind of self auditable way I don't know if you really benefit that much from having these sort of SPDX standardized licenses versus the kind of licenses that preceded them so I've talked to Kate Stewart about that she's one of the people who's been involved in the Linux kernel and she pointed out that there were some Red Hat copyrighted files in Linux 
kernel that say copyright Red Hat 2000 GPL and she said don't you think it would be a good idea to change this to SPDX license identifier GPL dash 1.0 it's still GPL if you have decent tooling it'll be identified by your tooling who do you think has decent tooling? well that's the question I think the value of the metadata is that we do so this is really in another sense we step outside the Linux kernel which is maybe a special case this is all really complicated we have these code bases that are developed anarchistically to a large degree and in a very informal way and they're a complexity sort of licensing data that makes up any open source project code base and the more that you can use tools to extract information from source code to make conclusions about licensing I think the easier your compliance task is going to be so I think to that extent these efforts around metadata and improved information of that sort is valuable I don't know if we really have such good tools yet for that purpose I think that's sort of part of the objective we need tools that can reliably extract useful information from these very complex and in many ways informally developed corporate so you're skeptical of the tools so I'm skeptical of some of the efforts around the metadata I think that there's a certain degree of bike shedding that occurs and there's some sort of subculture for the lawyers who aren't experts bike shedding I don't know if that's the right term to use in this context bike shedding is sort of getting obsessed over trivialities I mean it's not just trivialities it's getting really caught up in maybe the less important aspects of open-source licensing so printing out I know one person who's part of the subculture will come to conferences and show these phone book sized printouts of all these permissive license notices that they ship with their product that's I think less important than getting these companies in the embedded device industry into getting them to kind 
of make sure that they're building stuff from source code, shipping their source code, shipping buildable source code. I think that that's more important than getting really obsessed over some of these details of file formats. And so I wouldn't dig in on something, but Kevin was going to say something. And say, yeah, it was actually a presentation about that particular project, and the reason I'm saying is that they had to tell each of us to have our own files, and he said, I have the rights to do the file, there was no way to continue to use the file. So that was the first reason. Yes, there's lots of people to focus on career analysis, and he could make a claim that there's no license to use the file at all, and so that's what it tackles, those first, with this culture, and there's a... So when the DCO was originally adopted by the kernel, it was not the general practice to put a license on it in each file, and everybody knew that, and the DCO has been used for 15 years or so with that sort of practice in place. And I don't think that's a good enough reason. I don't want to criticize it too much because there is some value to it, and I think it's maybe not where the focus of efforts should be. I agree. Go ahead. Actually, let me take a slightly different tack here that all three of you may be able to, because Karen, certainly many Conservancy projects are not the Linux kernel. I think, as you were just saying, Richard, the kernel is an outlier in a lot of ways. Some of the research we've been doing for Tidelift shows that even the most, what is the name of this license, in, like, for example, in the Node ecosystem, something like between 5 and 10 percent of packages disagree between what GitHub says the license is and what the package manager says the license is. Like, forget looking at all the files, forget looking at each individual header, like, just the very topmost level of license information is inherently contradictory. And so I'm wondering, like, in these more new ecosystems outside of the Linux kernel,
what do you all see? Any best practices emerging, any terrible practices emerging? Where do you think we need to go with that? So people often associate the Software Freedom Conservancy with GPL compliance or GPL enforcement, but we have over 40 member projects and they are under a variety of licenses, so many of our projects are under copy less licenses. So just that in the way of background, we have, our projects are very widely licensed, and in diverse technology as well, with different traditions of how you do things. Yeah, I do, what I see, what I see with copies, I'm trying to set as I want to say... Well, you know, Justin wanted to say something in the meantime. I mean, I think I agree with Richard, that, probably Karen as well, that the most important kind of educational aspect to enforcement, or where we should be devoting resources, is education about how to build, how to ship code to build. That said, our licenses, we have to comply with it. Red Hat has a different philosophy because they ship all their source, they ship your source, you're in compliance, you're done. It's a great recommendation for everyone, but when you have a business model that doesn't involve shipping source, you need to comply with the license, and in order to do that you need to know what's in there, what's going on in there. A lot of these efforts, there are a lot of different companies that rely on a lot of different projects to make closed source binaries. If they're all looking at the same project, getting together and trying to figure out exactly what the proper attribution of the right licensing is and sharing that information in a centralized way, I think, is a great use of resources, so that we don't have these people spinning their wheels. It's all the particular problem that maybe Red Hat doesn't have, but it's one that other people do. I totally agree with that. I think it is valuable for these companies to get together and make this effort. I think for the Siemens Free Software Project their wider adoption
is definitely a factor for encouraging that kind of effort. But at the end of the day a lot of the time it comes down to focusing on the wrong things from a community perspective, because from our perspective it's like the days when companies would provide Black Duck audits as proof that they couldn't possibly be out of compliance. A lot of times these initiatives do a good job of getting started, or a good job of tagging things, so that if you have someone who's knowledgeable and you're doing the right thing, you'll be helped, and that's a good thing, but it doesn't really help the overall field of compliance. So it does help the residential, especially for companies that are using free and open-source software to support their proprietary business model. That's a fine use for them, but it doesn't help the whole field in the same way that it could otherwise, and there are other initiatives that might provide education on compliance that might help solve those problems. So I think it's a valuable effort, from where I'm sitting, quite much. I'm going to shift gears one more time here. You know, Richard, the Red Hat blog had a great post a couple months ago about how licenses are really shared resources, where a lot of information gets in there. There's the text of the license itself, but then, as I think the previous panel was pointing out, there's also a lot of wisdom and meta that builds up around that. And you mentioned when we were prepping for this that Red Hat is thinking about that a little more. Do you want to talk to them about how or if that's impacting how Red Hat complies?
It's not really focused so much on our compliance, but how we're seeing, it's a really direct model, like, what's going on with enforcement. We're looking at the McHardy enforcement, the rumors around McHardy. We're looking at what Conservancy is doing, what some companies are doing around GPL enforcement. So this idea of shared resources, it's an idea that my co-worker Scott Peterson came up with. This, sort of my gloss on it, is that most of these open source licenses, in terms of the actual use of licenses we're using, 80%, 90% of open source free software code is using a small set of licenses. They are standardized licenses, they're not negotiated, they're sort of like contracts of adhesion. They're used across projects, across stacks, across technology, and so there's a certain benefit to that. Economically, of course, there's a standardization, a backup standardization, but there's also a kind of brittleness to it, because it means that when you start thinking about the risks of enforcement, in the litigation system at least, there's a danger of any particular court decision having an outsized impact on a really large community. So any court decision on any given negotiated contract might not have too much in the way of implications for contract parties in general, but maybe if they're using semi-standard language it might. But with something like the GPL, during the GPL, it's going to potentially affect hundreds, thousands of GPL licensed projects. The danger is that, what if courts get this wrong from a kind of community... They're not likely to take community viewpoints into account. Maybe if one of the litigants has community credibility, that's helpful, but in general litigants to a dispute would be raising arguments that are not necessarily tied to how the community views licenses or what the interests of the community are. So that's the danger we see in having any kind of increase in judicial treatment of widely used open source licenses. So one way of sort of addressing that is things like
shaping norms around enforcement, so making sure that there's kind of a kind of expectation of forgiveness for the community to license code. Things like the Principles of Community-Oriented GPL Enforcement are helpful, maybe kind of getting other kinds of activities involved where you try to shape consensus on how to interpret the license, and so you start to kind of shape and potentially influence future courts and how they might interpret the license. So I think that's the idea behind the shared resources. I like that idea, but it's like a race, because the thing is that at the same time as some companies have been, or yeah, some companies have been arguing that we should be, community oriented actors should be very hesitant to litigate because the case might come down the wrong way, and then in fact you should avoid bringing a case at all costs because the risk of having a bad decision is so high. The problem with that is that if we do that and we try to establish this community norm, as much as we try to do that and publish principles, publish all these other things, corporate actors are going to have disagreements, as they have done over the years, and it's only a matter of time before these cases are tied with messy fact patterns in ways that courts will just view as commercial activities, and it won't be set up with any possible ideological view. And so I think it's just no win. And if we don't... We're not eager to go to court, but I'm revisiting this shyness that we've had, or this communal fear of litigation, because I think if we bring these blockings with good fact patterns that are thought out, that are isolated in the questions they ask, then we'll get answers to the questions in ways that we can interpret in the long run. I agree to that to a larger... I think we might disagree on what, those BusyBox cases were, sort of got the right balance. I think that's partly, my view on that is because there were straightforward violation cases, I would say. I think that there could be other kinds of
cases raising novel... Those of you who have not been around the space for decades, the BusyBox cases involve devices through Best Buy, right, some of them. Best Buy was one of 13. There were 13 defendants. That included no offer of source code, no source code, a very straightforward, classic, black and white kind of violation of the white. It was one filing, but it was related to 13 cases. So very factually straightforward. It really wouldn't be a lot of disagreement in the community over issues of GPL interpretation. There were at the time, and folks were really upset and really worried, and it feels entirely the same to me now as it is then. But now that we're looking back on time to 2020, but I'm glad those suits were brought because we had some results, and then we had that... Some additional context might be helpful here, because I don't know if you guys can provide it, but I think what Richard's referring to is, in his view, the BusyBox case was a kind of straightforward, like, someone took the software, put it in their product and didn't even tell anybody about it, right? So that was, that's what we mean by kind of a straightforward in for in connection. I think Richard's saying that that's a very, you know, open and shut, that type of enforcement has good educational value. I think what Richard might be saying is not so good an enforcement mechanism would be a case around an ambiguous term in a, like, ambiguous provision that people have been interpreting different ways, and that ambiguity might be a feature rather than a bug in the license, and by getting certainty around it, it may harm the license environment. I think the certainty may be in the direction we don't, we don't like. So, you know, one of the concerns around McHardy is that he is apparently, and this is where we really don't have good facts, unfortunately, but he's apparently raising what some people say are kind of relatively bizarre theories of GPL non-compliance, and so that's the kind of concern that we have. What if we got, and maybe the real
concern is maybe more like the litigant like Artifex. So what if Artifex asserts a theory of GPL non-compliance that really is out of step with how most of us in the industry who are dealing with distributing GPL code think the GPL ought to be interpreted, in a very restrictive direction, because they have kind of an incentive to do that, you might argue, because of their business model. So that's the kind of concern. It's very far removed from the more straightforward kind of BusyBox scenario that I see of, you know, you ship a device, GPL code, and if you didn't write any source. There were quite some, but the main point that I want to say is that it's a race, because there are CoKinetics out there. I don't know if anybody read the complaint in CoKinetic, but it's just wild. You know, it's a kind of sonic, right? Right. Yeah, I mean, in that case, correct me if I'm wrong, but it was a third party seeking to enforce the GPL. There was sort of some antitrust thrown in. He did a very interesting read. The case settled fairly quickly, but yeah, it would have presented... I think it's exactly what you were saying about the fact pattern being so unusual, where he was a predator with a sort of third party claim, and even a judge... We're just completely out of control in our country, and it was messy, and our community could be collateral on that. I think that that's what amicus briefs are for. I mean, my view on this is, you know, trying to shape community viewpoints on licensing probably won't make a difference to a judge. I mean, the judge is going to look at the license and they're going to decide this is what the license means, at least at the trial court level, and if that gets appealed there might even be an opportunity below, before the trial court. For years we heard over GPLv2, there might be an implied patent license, there might be an implied patent license, and the XimpleWare case comes along and the court is like, yeah, there's a patent license, it says you is right there in GPLv2, you know. And
you know, that wasn't how, I'd say, most of the people, lawyers in the community, viewed GPLv2. They didn't think that there was a patent license, or there might be an implied patent license. I think maybe I would characterize my position on that... For those of you, again, not super into the weeds on this, a lot of the older licenses, because they date back to a point in time where software patents were not necessarily to be viable, and, you know, don't specifically license relevant patents, they speak of the use of the underlying code. And so there's been a question that, implied patent law in the U.S. as well as other places, it's sort of a password of mess of all kinds of things. And so certainly my position would have been, I can make a plausible argument that there isn't implied license here, but I feel like going to a court would be a coin flip. And what you're trying to say is that when you take a case like this to court, you're flipping a coin on behalf of the whole community, and maybe it comes up there's a patent license, and so don't flip the coin. I don't want to be misunderstood. Conservancy is not looking to bring lots of lawsuits. Like I just said, what we're trying to do at all... But what I'm saying is that when you get to the instance where you have companies that are out of compliance, and that after years of effort they still don't come into compliance, and the fact pattern is clear, at some point if you don't bring those suits then the whole thing is great, because what we've seen is companies do everything I think they can get away with, and without you never are willing to bring that lawsuit, then you may have, you may, is that ambiguity that you think that you may be benefit from the license, it's as if it doesn't exist at all. So would be on that, like, forceful punctuation though. So for somebody that's trying to be in compliance, that maybe is not a type of way that the organization is going to be law-abiding, what are the things that trigger the enforcement, and are there those
enforcement that you would recommend, because there's not a lot of enforcement in the case, and if there are good enforcement that might fall, summarize ongoing. So for us, we try to do everything simple. Say what we look at, if there's, the way that we get a matter brought to us is that really someone has purchased a product, who's a developer, and looks at the product and can't get the source code, and they want to do something cool with that product or something, and so they file a report with us, and then you contact the company and we try to do it in a friendly... In the best case scenario we once got a problem fixed, so sort of like if you bring information internally and responsibly. But I think a lot of it has to do with building the right procedures. So we've partnered with the FSF on copyleft.org, where we try to talk as extensively as possible about our interpretation of the GPL, and there are a lot of example enforcement actions. We also published what we think is an analysis of a 15 candidate, so you can see what we look at, what we try to evaluate. So that's one resource that we provide. There are others too. I would have said the same one, and it's under copyleft itself, and so if you read it and something looks like it could be written better, you can please propose a patch and we can help you do that. That could be your first lawyerly contribution. And that's opensource.com, its law tag, written by a variety of people. Many of them are Red Hat employees, but not all of them. Mark Radcliffe does an end of the year roundup every year. It's exactly one blog post a year, but it's usually pretty good in terms of hitting the high notes. Heather Meeker just published a second edition of Purple. It's a really good one if you're ready to dive into something from Flanks. I'd say book length. I think she does a good job of distilling it. It's not like textbook length, it's like book length, reading it a few days, and it's not heavyweight. It's a great overview. Yeah, and reasonably, it was even still a year ago I
was still recommending people the first edition, even though it was probably 10 years old at that point, it was still worthwhile. Oh, and then, what for your engineers who are bandwins, who targeted more explaining all these concept engineers in a way that's familiar and used in analogies that will work for them, that's not going to touch out of date, but for you, especially for some of your top engineers who are interested in it. Oh yeah, yeah, it doesn't really deal with compliance, but it's a good introduction to how open source project is all and they do. We have time for one last question, if anybody has one. Perfect. Thank you so much for having us. Chris up there we're not just making