by James Turner

The Manager’s View of GPL Version 3: Two (and a Half) Things to Like and Two More to Look Out For

Jun 14, 20079 mins
Enterprise ApplicationsGovernmentOpen Source

IT departments that embrace open-source software are uncertain about the new version of the GNU Public License, arguably the most common FOSS license. Learn what’s in the works, and how GPLv3 may change the way your company adopts new software.

The GNU Public License, one of the oldest and most widely selected open-source licenses, is about to get its second makeover. There’s been a lot of uncertainty about the GPL’s differences in version 3, and exactly what they mean for end users, developers and corporations.

Part of the uncertainty stems from the fact that it was hard to pin down the exact nature of GPLv3 until late in the day. The license underwent multiple drafts, and some specific provisions (such as allegedly anti-Novell patent language) were added between drafts. But the current draft appears at last to be the final language that will be adopted—sometime this July, according to current plans.

The Free Software Foundation (FSF), the caretaker of the GPL, has a clear political agenda regarding the creation and distributions of software. Consider this portion of its FAQ for the GPL:

Of course, your software is not a contribution to our community if it is not free, and people who value their freedom will refuse to use it. Only people willing to give up their freedom will use your software, which means that it will effectively function as an inducement for people to lose their freedom.

If you hope some day to look back on your career and feel that it has contributed to the growth of a good and free society, you need to make your software free.

Leaving aside any discussion of whether its premise is even true (that most people place much weight in the relative “freeness” of software as a measure of its value), this statement provides a fairly accurate snapshot of the FSF’s attitude. Specifically, it believes that all software should be available without cost and should be freely distributable. This philosophy informs everything the FSF does, and particularly the GPL.

It is likely that if the FSF had its way, the GPL would require that anything that remotely touched a piece of GPL’d software would need to be GPL’d itself. However, even in its stridency, the FSF recognized that the GPL would not be widely adopted if it contained too extreme or coercive measures, and companies might not use open-source software with the GPL license. As a result, the GPLv2 largely concerned itself with GPL’d software, and programs that linked directly with GPL’d libraries. Some, if not most, of that safe haven for proprietary applications has been eroded in version 3.

However, uncertainty does not mean that the GPLv3 should be avoided by all (or even any) enterprises. In this article, I’ll point out the advantages and disadvantages to corporate IT departments.

What to Like About GPLv3

1) It improves the language in regards to internationalization of the GPL’d license.

Kat McCabe, vice president and general counsel for Black Duck Software, a firm that specializes in advising on open-source licensing, summarizes the changes so:

Internationalization of the license was talked about early on as a key goal for the new license. GPL3 allows developers to add local disclaimers, which is certainly helpful from an international point of view. The license also uses broader defined terms around distribution, which arguably captures some activities that weren’t covered under GPL2 but should have been.

Still, there are likely a number of issues that are not optimal for enforcement of the license in specific countries—and that raises some concerns for lawyers based outside of the United States. In a commercial context, most licensors use multiple versions of their base license, tailored to meet local requirements. The FSF did not want to take this approach. Having one license is certainly simpler. But to the extent enforcement is actually impaired, it may not be worth the trade off. Of course, we haven’t seen much litigation around the GPL. It remains to be seen whether concerns raised by international lawyers will play out in a way that hinders the use and adoption of the license.

2) It increases compatibility with other open-source licenses.

In the past, you couldn’t mix libraries written under the GPL with those written under the Apache or Mozilla licenses, for example. Again, McCabe describes the changes:

One of the original goals was to increase compatibility of GPL with other licenses, to expand the world of code that can be combined with GPL3 code and with that to expand development options. A worthy goal—but increased compatibility has proven to be very hard to achieve. GPL3 has a fairly complex mechanism that doesn’t seem to get us much past where we are today as a practical matter. In addition, GPL3 is now expressly compatible with a yet-to-be-published version of the Affero license. The current version of Affero is a license that is rarely used—so that seems to add complexity without clear value. There have been steps toward compatibility with Apache, which would be welcome news for many in the open-source community. As we understand it, though, that negotiation is still in process. So, seemingly a lot of effort without much in the way of results.

3) It puts pressure on companies not to patent software.

This can be a good or bad thing, depending on whether you’re a smaller firm worried about being slammed with infringement cases by patent trolls or a large company that holds a lot of software patents.

Essentially, what GPLv3 says is that if you use GPL’d software to create a new product, you can’t sue anyone who uses your product to create a new product with patent infringement. A later provision, aimed directly at the Novell-Microsoft cross-licensing deal, further restricts companies by basically saying that you can’t cut a deal to distribute GPL’d software with a patent protection from a third party for which you pay, unless that same patent protection is also granted to anyone else using the software. Here’s McCabe’s analysis:

GPL3 is designed to have much greater reach than GPL2 on the patent side. Companies with significant patent portfolios will need to evaluate the impact of GPL3 code on their patent strategies—in terms of their enforcement choices and their licensing programs. There has been some stated concern about a chilling effect on contributions from large companies because of those patent implications.

That said, to the extent companies are using and distributing GPL3 code that doesn’t relate to key patents in their portfolios, it’s probably not much of an issue. So, as complex as the patent issues are, and as much time and attention that has been paid to those provisions, they likely affect a small group of companies in the end.

Those items may make you feel more positively toward the new version. But you probably shouldn’t put away the worry beads just yet.

Potential Gotchas in GPLv3

1) Version 3 contains language designed to address what the FSF calls “Tivoization.”

A provision of the GPL requires a company using GPL software in its products to make generally available to customers the source code to all the GPL’d software, including any changes that the company made. TiVo, which uses Linux inside the box, has traditionally done this. However, TiVo also placed a clever locking mechanism in the software, such that if it is changed by the user in any way, the box will not operate.

Version 3 slams the door on this practice. It states, in brief, that if you sell a product whose software can be upgraded, you may not prohibit customers from making their own changes. This could have far-reaching consequences.

For example, many home broadband routers are based on Linux, and have firmware that can be upgraded. Under version 3, the router manufacturers would have to allow customers to make their own modifications to the firmware. In fact, they would have to provide documentation on how to do it, since the GPLv3 requires that the company offer “all the necessary installation methods, procedures, authorization keys, or other information required to install and execute modified versions of GPLv3 covered works.” For companies like TiVo, which need to lock out changes to enforce digital rights management (DRM, more on this in a second), it is pretty much a deal killer.

2) It bans DRM.

Any GPLv3 product is allowed to have DRM in it, but it must allow users to remove it. So essentially the DRM becomes useless.

This could cut two ways—first by making it virtually impossible for any GPL’d product (such as a Linux-based media appliance) to play proprietary media formats, since the likelihood that the RIAA and MPAA will allow distribution of software that can strip the DRM off music and films approaches zero. It also means, as a producer of such products, that you will, of necessity, be driven to use operating systems such as Microsoft Windows (and pay the Microsoft license fees).

What Does This Mean in the Short Term?

Even if the GPLv3 would put your company out of business, you don’t need to start panicking quite yet. Version 3 is not retroactive. While developers are free to release existing products under the new license, they must still be available under the old license.

However, this is a short-term relief, at best. As soon as new versions of software begin to be released, they can be licensed exclusively under the v3 version of the GPL. So, assuming that you want to incorporate bug fixes or new features into your products, you would have to comply with the version 3 provisions.

In short, GPLv3 is going to affect your company to a varying degree depending on how you use GPL’d software. For companies with large patent portfolios or that depend on locking users out of their software, the new version is going to be a major concern. Companies that use GPL’d tools internally probably won’t notice a thing.

In some cases, you may not have a choice about adopting GPL3, if the vendors or products you depend upon adopt it. For example, if your company uses the open-source Eclipse development environment to write Java code, it is almost certain that in the future some of the packages that come together to make Eclipse will move to a GPL3 library. So, if you need to keep Eclipse up to date and compatible with new tools as they come along, you may end up with GPL3 libraries intermingling with your end product.

But you need to start thinking about it soon, because as soon as the license is released, GPLv3 software won’t be long behind!