Bill Home

On “GPL3 May Require Websites To Relinquish Source Code”

I have seen a number of reports circulating in the press that state that the upcoming,
revised version of the GNU General Public License (GPL) called “GPL3”, will force providers
of web service applications based on GPL-licensed technology to disclose their source code.
To date, each of these headlines has been factually inaccurate. Here is the truth as I see it.

As someone with a decade of experience using GPL-licensed technology to build embedded systems,
I’m pretty well-versed in what the GPL Version 2 (the currently released version) says.
I have also taught classes and written magazine articles on how the GPL2 affects development
and deployment of embedded applications. I have even had the honor of an email from Richard
Stallman himself, a.k.a. RMS and the founder of the Free Software Foundation (FSF), in response
to an error I once made describing the interaction between the GPL and various Open Source licenses.
(Said mistake was swiftly and permanently corrected).

There have been a few sneak peeks of the GPL3 offered by RMS in comments summarized
here [slashdot],
and the FSF itself provides a paper called, “GPL
Version 3: Background to Adoption” [fsf]
that tells more. The FSF announced that it would
begin work on the GPL3 here [fsf].

What those comments say is far from “GPL3 may require websites to relinquish source code”.

Why rewrite the GPL?

There are several motivations for revising the GPL2, according to the Free Software Foundation.
GPL3 will revise some of the verbage that exists in GPL2 to help the new license more fully approximate
the “ideal of the global copyright license” being sought by the FSF. The GPL2 has scaled up to
global adoption remarkably well, even though its origins are in US copyright law, because its design
was limited to a minimum set of principles that most western nations already offer as signatories
to the Berne
Convention [google]
. In other words, GPL2 more or less describes existing laws as they can be
applied to copyright-able articles like source code, which keeps it in pretty safe legal territory.
I expect GPL3 to continue this trend.

The more compelling motivations to revise the GPL2, both arise out of situations that were far
less common in 1991 (the year the GPL2 was completed) than they are today: applications delivered
as web services, and cryptographically signed applications.

GPL in the era of Web Services

The GPL2 states that distributions of GPL-licensed articles must contain source code for the
licensed article, or an offer to provide that source code to the recipient at a nominal charge.
A GPL-licensed application delivered as a web service is not actually distributed to the end user,
however, so there is no requirement for the provider of the application to disclose the source
for that application. This is the GPL2’s so-called “loophole” that the mainstream press refers to.

As web services continue in their rising popularity, the risk is that more and more GPL-licensed
source code will get “locked up” on web servers and become unavailable to the users of those applications.
This outcome is incompatible with the objectives of the Free Software Foundation, which include
protecting end user rights to modify and redistribute GPL-licensed articles they use and receive.

In an interview of Richard Stallman by
CNET writer by Ingrid Marson [zdnet]
, RMS describes how the Free Software Foundation’s GPL3 may
address this risk. In my opinion, the proposed approach is a creative, even-handed solution that
strikes a nice balance with web service providers and software developers while still protecting the
fundamental objectives of the FSF. I hope something similar to what RMS describes in that interview
makes it into the final GPL3 text.

Put simply, under GPL3 if a software program provides a mechanism that allows the user of the
program to download a copy of the source code for the program, then recipients of that software
won’t be allowed to remove that functionality. That’s all there is to it.

Let’s say developer X writes and distributes a website shopping cart program, licensed under
the terms of the GPL. Company Y then obtains a distribution of that software, enhances it in
some useful way, and then incorporates the enhanced version into their website. Under GPL2, if
X had provided functionality permitting users of the program to download source code for the program,
then Company Y could remove that functionality and thereby prevent visitors to their website from
obtaining their modified copy of X’s original source code even though X clearly had intended otherwise.

Under GPL3, Company Y could modify developer X’s source code all they wanted, but they would have
to preserve the ability for end users to download that source code. Simple. Effective. Fair.

GPL and “Digital Rights Management”

Cryptographically-signed applications present a slightly different risk to the FSF’s objectives
for GPL-licensed articles, but in characteristic fashion, the FSF is seeking a simple, even-handed
solution with GPL3. Here’s how it works.

Under GPL2, a developer can obtain a GPL-licensed article and “enhance” it with the ability to
interoperate with other software only in the presence of the correct cryptographic keys. Such “signed”
applications might only work with certain web servers, for example, or perhaps only work with certain
signed versions of other applications (GPL or otherwise). Such functionality is often referred to as
“digital rights management”. The GPL2 protects the user’s right to source code for such applications,
but the applications themselves won’t do anything useful without those cryptographic keys. And since
cryptographic keys aren’t part of the GPL2’s definition of source code, vendors are not required to
distribute them. Yet another opportunity to “lock up” one or more GPL-licensed articles.

Stallman’s interview suggests that the GPL3 will address this situation by incorporating cryptographic
signatures and key-generating software into their definition of source code, thereby requiring redistribution
of those items alongside the security-enhanced source code itself. Straightforward. Reasonable.

I’m looking forward to GPL3

The FSF is providing sound, well-written licenses that developers who share the Free Software
Foundation’s vision can use when distributing their software. The GPL3 is just another step in
that direction, a step I find to be both appropriate and appealing.

A post on Slashdot
regarding Stallman’s description of the GPL3 states, “Sounds like a sane byproduct of a sanely
limited feature of the license to me”. Well put.


Site Design by: One Hat Design Studio.