Posted by Heather Meeker on Friday, January 25th, 2013
It’s been almost six years since the release of GPL version 3. During the revision process, which lasted over two years and veered toward walk-away controversies more than once, hundreds of open source enthusiasts — from the hackers to the Fortune 100 — contributed comments to a major drafting process. Adoption of the new GPL3 license was gradual, and many companies put the new license on their open source policy black lists.
Now that the dust has settled, how scary is GPL3? What inroads has it made into the world of commercial technology development?
Many years ago, at an open source conference, I ran into an IP lawyer for a company that was a major Linux distributor. A client of mine had found a potential license issue in the company’s distribution — a commonly used library had GPL license notices, and that seemed unworkable. “Was that a mistake?” I asked. “Shouldn’t the library be under LGPL?” He considered this for a moment, and said, “Maybe, but that’s only a problem if you are developing proprietary software.”
When we ask what is scary about GPL3, that’s the baseline. Of course it’s not scary, if what you want to do is distribute GPL3 software. If that’s what you want to do (and as we baby boomers say, more power to you), then corporate adoption of GPL3 is probably not important to you. As a baseline, people only fear GPL3 if they are trying to steward their IP rights — copyrights and patent rights. And usually, they are trying to do that because their shareholders insist on it.
It’s important to remember that GPL3 was mostly a clarifying revision of GPL version 2. Clarity is the best weapon against fear. As they say, capital is a coward. The more uncharted the territory, the less companies will venture into it. Part of the problem with open source licenses is that they are such complex and technical documents that we lean heavily on industry practice to interpret them — or at least to assess the risk of following different interpretations. So, open source license interpretation tends to be a chicken-and-egg problem. We look to industry practice, but industry must decide to use code under the license before we know what the practice is. It took technology companies over a decade to become comfortable enough with GPL2 so that their lawyers stopped falling off their coalmine canary perches every time GPL2 came up in due diligence. Now, almost every company uses some GPL2 software.
But GPL3 also introduced some substantive changes that caused consternation (among those selfish enough to care about their company’s IP). GPL3 is in its relative infancy, so these new terms still have not earned the patina of industry practice that made companies comfortable with GPL2.
What makes GPLv3 scary? Mostly patent terms, though ironically, probably not the patent license terms. After much haggling during the drafting process, the patent licensing terms that apply to authors of GPLv3 code are livable. People don’t generally expect to enforce patents based on the use of software they write and contribute to open source projects, or distribute in their own products. Patent holders are mainly concerned with using patents as defensive weapons, and not against their customers or the open source community.
But GPLv3 also contains unique — and to most readers, very confusing — patent terms. (See Section 11, paragraphs 5, 6 and 7 — the so-called anti-Microsoft and anti-Novell provisions.) Companies worry, for instance, that if someone else sues them for patent infringement based on GPL3 code, these provisions cannot be reconciled to the terms for a settlement, which is usually a non-sublicensable, and sometimes royalty-bearing, patent license.
Other frights lurk in the “anti-Tivoization” terms — more properly referred to as the “User Product” terms, Section 6. These terms require “Installation Information” to be provided to allow customers of hardware devices to re-install and execute modifications of the software that are enabled by the license. These terms mostly cause concern for companies in the consumer electronics field. However, the burgeoning industry of tools for SMEs means that the line of demarcation between consumer and business customers is blurring, and that causes consternation among potential industry adopters. Many worry that delivery of this information will make it hard to manage the security or support of their products, or will enable their competitors to disrupt their business.
Private companies feel — rightly or wrongly — that using open source code involves an investment of brain damage to understand the license. They also assume — rightly — that use of open source requires implementing internal business processes to track use and compliance. These are costs, and savvy companies consider these alongside license fees as part of the total cost of ownership of software. Notwithstanding GPL3’s perceived or real dangers, as with any open source license, its adoption depends on having a “killer app” to make it worthwhile.
For GPLv3, that killer app is clearly GCC. Most companies today cannot function without this compiler package. Moreover, most companies use GCC only as a development tool and do not distribute it within products, so they have little trouble managing compliance. (This is because the copyleft requirements of GPLv3 only kick in upon “conveying” — a notion akin to distribution, which doesn’t happen in the ordinary course of business for a pure development tool.) So, as we stand in 2013, GPLv3 fear is abating somewhat. Currently, GPL3 is one of the top open source licenses, applying to 12% of projects. But all projects are not created equal. The bottom line is that licenses don’t drive their own adoption. Software drives license adoption, and the more tasty software released under GPL3, the more private companies will grin and bear it.
So who’s afraid of GPLv3? Most private companies, even today, but less afraid than they used to be.