Managing GPL source; was: Re: backports web interface type thing...

Sam Liddicott sam at liddicott.com
Tue Dec 27 10:05:25 GMT 2005 

John Dong wrote:

> Well, again, sources are exactly the same as in Dapper, so that'll
> lessen the burden...

It will not lessen it, depending on dapper sources management it will
increase the burden.

http://www.gnu.org/licenses/gpl-faq.html#TOCSourceAndBinaryOnDifferentSites
suggests that references to dapper sources *are* enough, but it will be
neccessary to remove backports binaries at the same time the original
dapper sources are removed or to retain dapper sources as long as
backports are available.

If my understanding is correct, the dapper packages are likely to be
around for less time than the backports, as packports either lag dapper
slightly or miss some dapper upgrades altogether.

Thus an extra admin burden is involved, in synchronizing dapper sources
with hoary backports.

>
> Also, is the 3 year clause really that tightly enforced? 


The 3 year clause is actually worse than many think, it applies to mail
order requests for the source:

http://www.gnu.org/licenses/gpl-faq.html#TOCDistributeWithSourceOnInternet
shows that the 3 year clause of section 3 of the GPL cannot be satisfied
with mere internet access to source.

Whether or not it is "enforced" is irrellevant, it's a matter of
copyright law. For GPL packages, nothing apart from the GPL gives right
to distribute GPL works or derivative works. If the license is not
followed, the works cannot be legally distributed, it may just be the
FSF or copyright holding developers that come knocking instead of the RIAA.

You are right, how can someone enforce the 3 year clause 2 years after
the binary was pulled and the source has long gone?

A question that may be asked is: Is a reasonable effort being made to
comply with the requirements of the GPL?

Unless steps are taken to archive sources such that they can be supplied
by mail order, the answer to such a question would be "no steps are
taken to reasonably comply" which indicates very bad faith.

> For example, (http://archive.ubuntu.com/ubuntu/pool/main/f/firefox/),
> the earlier (1-2 month old) ubuntu builds of 1.4.99+1.5rc3 have
> already been removed from the repository.


This makes it knowingly hard to rely on that archive to provide older
sources.

The only low-admin way to comply with the GPL is to provide sources at
the same point of distribution as the binaries; this permits the sources
to be pulled as soon as the binaries are pulled, it may also duplicate
sources between dapper and backports, but thats a small downside for
having no other overheads. It also removes the need to fulfil the 3 year
mail order clause, which though unyielding, is burdensome and not
appropriate.

I'll even pay for the disk to stick in the server.

The GPL is clear and the GPL faq is clearer and after much reading and
multiple question and answer sessions with the FSF I am convinced that
source-with-binary is the only sensible method for small organisations
with online distribution to comply with the GPL.

Its most attractive feature is that it limits the duration of liability
to the time during which the organisation engages in distribution. Other
features are low procedural overhead which can easily be automated, and
less troublesome correspondance from users who want the source (which
may be impossible to fulfil).

Sam

> On 12/26/05, *Sam Liddicott* <sam at liddicott.com
> <mailto:sam at liddicott.com>> wrote:
>
>     John Dong wrote:
>
>     > My vision for it:
>     >
>     > Users enter a backport request into a web interface.
>     >
>     > The request is quickly run through a set of rules (i.e. no
>     libraries,
>     > package blacklist), and then a build is done.
>     >
>     > After the build, users can "pick up" their debs. Other users
>     with the
>     > same request will get the same debs (caching)
>
>     Please don't shoot me.... or feel the need to respond just to me; I'm
>     not critisizing anyone;
>
>     just a reminder, for GPL/LGPL licensed packages, it would have to make
>     the source available at the same time/place or for 3 years to all 3rd
>     parties.  Such management is a curse. It would be easiest to make the
>     src debs available as part of the automatic system for all packages.
>
>     Sam
>
>
>     --
>     ubuntu-backports mailing list
>     ubuntu-backports at lists.ubuntu.com
>     <mailto:ubuntu-backports at lists.ubuntu.com>
>     http://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ubuntu.com/archives/ubuntu-backports/attachments/20051227/d6da2f86/attachment-0001.htm

More information about the ubuntu-backports mailing list