Top 10 open source legal stories that shook 2017

Take a look at some of the most important legal cases from the past year, including GitHub's revision of their Terms of Service.
605 readers like this.
Best of Law

Beth Cortez-Neavel on Flickr. Public Domain. Modified by

Like every year, legal issues were a hot topic in the open source world in 2017. While we're deep into the first quarter of the year, it's still worthwhile to look back at the top legal news in open source last year.

1. GitHub revises ToS

In February 2017, GitHub announced it was revising its terms of service and invited comments on the changes, several of which concerned rights in the user-uploaded content. The earlier GitHub terms included an agreement by the user to allow others to "view and fork" public repositories, as well as an indemnification provision protecting GitHub against third-party claims. The new terms added a license from the user to GitHub to allow it to store and serve content, a default "inbound=outbound" contributor license, and an agreement by the user to comply with third-party licenses covering uploaded content. While keeping the "view and fork" language, the new terms state that further rights can be granted by adopting an open source license. The terms also add a waiver of moral rights with a two-level fallback license, the second license granting GitHub permission to use content without attribution and to make reasonable adaptations "as necessary to render the website and provide the service."

In March, after the new terms became effective, concerns were raised by several developers, notably Thorsten Glaser and Joey Hess, who said they would be removing their repositories from GitHub. As Glaser and Hess read the new terms, they seemed to require users to grant rights to GitHub and other users that were broader than third-party licenses would permit, particularly copyleft licenses like the GPL and licenses requiring attribution. Moreover, the license to GitHub could be read as giving it a more favorable license in users' own content than ordinary users would receive under the nominal license. Donald Robertson of the Free Software Foundation (FSF) wrote that, while GitHub's terms were confusing, they were not in conflict with copyleft: "Because it's highly unlikely that GitHub intended to destroy their business model and user base, we don't read the ambiguity in the terms as granting or requiring overly broad permissions outside those already granted by the GPL."

GitHub eventually added a sentence addressing the issue; it can be seen in the current version of the terms: "If you upload Content that already comes with a license granting GitHub the permissions we need to run our Service, no additional license is required."

2. Kernel enforcement statement

Section 4 of GPLv2 speaks of automatic termination of rights for those who violate the terms of the license. By 2006 the FSF had come to see this provision as unduly harsh in the case of inadvertent violations. GPLv3 modifies the GPLv2 approach to termination by providing a 30-day cure opportunity for first-time violators as well as a 60-day period of repose. Many GPL projects like the Linux kernel continue to be licensed under GPLv2.

As I wrote last year, 2016 saw public condemnation of the GPL enforcement tactics of former Netfilter contributor Patrick McHardy. In a further reaction to McHardy's conduct, the Linux Foundation Technical Advisory Board (TAB), elected by the individual kernel developers, drafted a Linux Kernel Enforcement Statement, which was announced by Greg Kroah-Hartman on the Linux kernel mailing list (LKML) on October 16, 2017. The statement, now part of the kernel's Documentation directory, incorporates the GPLv3 cure and repose language verbatim as a "commitment to users of the Linux kernel on behalf of ourselves and any successors to our copyright interests." The commitment, described as a grant of additional permission under GPLv2, applies to non-defensive assertions of GPLv2 rights. The kernel statement in effect adopts a recommendation in the Principles of Community-Oriented GPL Enforcement. To date, the statement has been signed by over 100 kernel developers. Kroah-Hartman published an FAQ on the statement and a detailed explanation authored by several TAB members.

3. Red Hat, Facebook, Google, and IBM announce GPLv2/LGPLv2.x cure commitment

A month after the announcement of the kernel enforcement statement on LKML, a coalition of companies led by Red Hat and including Facebook, Google, and IBM announced their own commitment to extend the GPLv3 cure and repose opportunities to all code covered by their copyrights and licensed under GPLv2, LGPLv2, and LGPLv2.1. (The termination provision in LGPLv2.x is essentially identical to that in GPLv2.) As with the kernel statement, the commitment does not apply to defensive proceedings or claims brought in response to some prior proceeding or claim (for example, a GPL violation counterclaim in a patent infringement lawsuit, as occurred in Twin Peaks Software v. Red Hat).

4. EPL 2.0 released

The Eclipse Public License version 1.0, a weak copyleft license that descends from the Common Public License and indirectly the IBM Public License, has been the primary license of Eclipse Foundation projects. It sees significant use outside of Eclipse as well; for example, EPL is the license of the Clojure language implementation and the preferred open source license of the Clojure community, and it is the main license of OpenDaylight.

Following a quiet two-year community review process, in August 2017 the Eclipse Foundation announced that a new version 2 of the EPL had been approved by the Eclipse Foundation board and by the OSI. The Eclipse Foundation intends EPL 2.0 to be the default license for Eclipse community projects.

EPL 2.0 is a fairly conservative license revision. Perhaps the most notable change concerns GPL compatibility. EPL 1.0 is regarded as GPL-incompatible by both the FSF and the Eclipse Foundation. The FSF has suggested that this is at least because of the conflicting copyleft requirements in the two licenses, and (rather more dubiously) the choice of law clause in EPL 1.0, which has been removed in EPL 2.0. As a weak copyleft license, EPL normally requires at least some subset of derivative works to be licensed under EPL if distributed in source code form. FSF and Eclipse published opinions about the use of GPL for Eclipse IDE plugins several years ago. Apart from the issue of license compatibility, the Eclipse Foundation generally prohibits projects from distributing third-party code under GPL and LGPL.

While EPL 2.0 remains GPL-incompatible by default, it enables the initial "Contributor" to authorize the licensing of EPL-covered source code under a "Secondary License"—GPLv2, GPLv3, or a later version of the GPL, which may include identified GPL exceptions or additional permissions like the Classpath Exception—if the EPL-covered code is combined with GPL-licensed code contained in a separate file. Some Eclipse projects have already relicensed to EPL 2.0 and are making use of this "Secondary License" feature, including OMR and OpenJ9. As the FSF observes, invocation of the Secondary License feature is roughly equivalent to dual-licensing the code under EPL / GPL.

5. Java EE migration to Eclipse

The Java Community Process (JCP) facilitates development of Java technology specifications (Java Specification Requests, aka JSRs), including those defining the Java Enterprise Edition platform (Java EE). The JCP rests on a complex legal architecture centered around the Java Specification Participation Agreement (JSPA). While JCP governance is shared among multiple organizational and individual participants, the JCP is in no way vendor-neutral. Oracle owns the Java trademark and has special controls over the JCP. Some JCP reforms were adopted several years ago, including measures to mandate open source licensing and open source project development practices for JSR reference implementations (RIs), but efforts to modernize the JSPA stalled during the pendency of the Oracle v. Google litigation.

In August 2017, Oracle announced it would explore moving Java EE to an open source foundation. Following consultation with IBM and Red Hat, the two other major contributors to Java EE, Oracle announced in September that it had selected the Eclipse Foundation to house the successor to Java EE.

The migration to Eclipse has been underway since then. The Eclipse board approved a new top-level Eclipse project, EE4J (Eclipse Enterprise for Java), to serve as the umbrella project for development of RIs and technology compatibility kits (TCKs) for the successor platform. The GlassFish project, consisting of source code of the RIs for the majority of Java EE JSRs for which Oracle has served as specification lead, has mostly been under a dual license of CDDL and GPLv2 plus the Classpath Exception. Oracle is in the process of relicensing this code to EPL 2.0 with GPLv2 plus the Classpath Exception as the Secondary License (see EPL 2.0 topic). In addition, Oracle is expected to relicense proprietary Java EE TCKs so they can be developed as Eclipse open source projects. Still to be determined are the name of an Eclipse-owned certification mark to succeed Java EE and the development of a new specification process in place of the one defined in the JSPA.

6. React licensing controversy

Open source licenses that specifically address patent licensing often couple the patent license grant with a "patent defense" clause, terminating the patent license upon certain acts of litigation brought by the licensee, an approach borrowed from standards agreements. The early period of corporate experimentation with open source licensing was characterized by enthusiasm for patent defense clauses that were broad (in the sense that a relatively wide range of conduct would trigger termination). The arrival of the Apache License 2.0 and Eclipse Public License 1.0 in 2004 marked an end to that era; their patent termination criteria are basically limited to patent lawsuits in which the user accuses the licensed software itself of infringement.

In May 2013 Facebook released the React JavaScript library under the Apache License 2.0, but the 0.12.0 release (October 2014) switched to the 3-clause BSD license along with a patent license grant in a separate PATENTS file. The idea of using a simple, standard permissive open source license with a bespoke patent license in a separate file has some precedent in projects maintained by Google and Microsoft. However, the patent defense clauses in those cases take the narrow Apache/EPL approach. The React PATENTS language terminated the patent license in cases where the licensee brought a patent infringement action against Facebook, or against any party "arising from" any Facebook product, even where the claim was unrelated to React, as well as where the licensee alleged that a Facebook patent was invalid or unenforceable. In response to criticism from the community, Facebook revised the patent license language in April 2015, but the revised version continued to include as termination criteria patent litigation against Facebook and patent litigation "arising from" Facebook products.

Facebook came to apply the React license to many of its community projects. In April 2017 an issue was opened in the Apache Software Foundation (ASF) "Legal Discuss" issue tracker concerning whether Apache Cassandra could use RocksDB, another Facebook project using the React license, as a dependency. In addition to the several other ASF projects that were apparently already using RocksDB, a large number of ASF projects used React itself. In June, Chris Mattmann, VP of legal affairs for the ASF, ruled that the React license was relegated to the forbidden Category X (see my discussion of the JSON license last year)—despite the fact that the ASF has long placed open source licenses with similarly broad patent defense clauses (MPL 1.1, IBM-PL, CPL) in its semi-favored Category B. In response, Facebook relicensed RocksDB under GPLv2 and the Apache License 2.0, and a few months later announced it was relicensing React and three other identically licensed projects under the MIT license. More recent Facebook project license changes from the React approach to conventional open source licenses include osquery (GPLv2 / Apache License 2.0) and React Native (MIT).

Much of the community criticism of the React license was rather misinformed and often seemed to be little more than ad hominem attack against Facebook. One of the few examples of sober, well-reasoned analysis of the topic is Heather Meeker's article on Whatever actual merits the React license may have, Facebook's decision to use it without making it licensor-neutral and without seeking OSI approval were tactical mistakes, as Simon Phipps points out.

7. OpenSSL relicensing effort

The license covering most of OpenSSL is a conjunction of two 1990s-vintage BSD-derivative licenses. The first closely resembles an early license of the Apache web server. The second is the bespoke license of OpenSSL's predecessor project SSLeay. Both licenses contain an advertising clause like that in the 4-clause BSD license. The closing sentence of the SSLeay license, a gratuitous snipe at the GPL, supports an interpretation, endorsed by the FSF but no doubt unintended, that the license is copyleft. If only because of the advertising clauses, the OpenSSL license has long been understood to be GPL-incompatible, as Mark McLoughlin explained in a now-classic essay.

In 2015, a year after the disclosure of the Heartbleed vulnerability and the Linux Foundation's subsequent formation of the Core Infrastructure Initiative, Rich Salz said in a blog post that OpenSSL planned to relicense to the Apache License 2.0. The OpenSSL team followed up in March 2017 with a press release announcing the relicensing initiative and set up a website to collect agreements to the license change from the project's several hundred past contributors.

A form email sent to identified individual contributors, asking for permission to relicense, soon drew criticism, mainly because of its closing sentence: "If we do not hear from you, we will assume that you have no objection." Some raised policy and legal concerns over what Theo de Raadt called a "manufacturing consent in volume" approach. De Raadt mocked the effort by posting a facetious attempt to relicense GCC to the ISC license.

Salz posted an update on the relicensing effort in June. At that point, 40% of contacted contributors had responded, with the vast majority in favor of the license change and fewer than a dozen objections, amounting to 86 commits, with half of them surviving in the master branch. Salz described in detail the reasonable steps the project had taken to review those objections, resulting in a determination that at most 10 commits required removal and rewriting.

8. Open Source Security v. Perens

Open Source Security, Inc. (OSS) is the commercial vehicle through which Brad Spengler maintains the out-of-tree grsecurity patchset to the Linux kernel. In 2015, citing concerns about GPL noncompliance by users and misuse of the grsecurity trademark, OSS began limiting access to the stable patchset to paying customers. In 2017 OSS ceased releasing any public branches of grsecurity. The Grsecurity Stable Patch Access Agreement affirms that grsecurity is licensed under GPLv2 and that the user has all GPLv2 "rights and obligations," but states a policy of terminating access to future updates if a user redistributes patchsets or changelogs "outside of the explicit obligations under the GPL to User's customers."

In June 2017, Bruce Perens published a blog post contending that the grsecurity agreement violated the GPL. OSS sued Perens in the Northern District of California, with claims for defamation, false light, and tortious interference with prospective advantage. In December the court granted Perens' motion to dismiss, denied without prejudice Perens' motion to strike under the California anti-SLAPP statute, and denied OSS's motion for partial summary judgment. In essence, the court said that as statements of opinion by a non-lawyer, Perens' blog posts were not defamatory. OSS has said it intends to appeal.

9. Artifex Software v. Hancom

Artifex Software licenses Ghostscript gratis under the GPL (more recently AGPL) and for revenue under proprietary licenses. In December 2016 Artifex sued Hancom, a South Korean vendor of office suite software, in the Northern District of California. Artifex alleged that Hancom had incorporated Ghostscript into its Hangul word processing program and Hancom Office product without obtaining a proprietary license or complying with the GPL. The complaint includes claims for breach of contract as well as copyright infringement. In addition to monetary damages, Artifex requested injunctive relief, including an order compelling Hancom to distribute the source code of Hangul and Hancom Office to Hancom's customers.

In April 2017 the court denied Hancom's motion to dismiss. One of Hancom's arguments was that Artifex did not plead the existence of a contract because there was no demonstration of mutual assent. The court disagreed, stating that the allegations of Hancom's use of Ghostscript, failure to obtain a proprietary license, and public representation that its use of Ghostscript was licensed under the GPL were sufficient to plead the existence of a contract. In addition, Artifex's allegations regarding its dual-licensing scheme were deemed sufficient to plead damages for breach of contract. The denial of the motion to dismiss was widely misreported and sensationalized as a ruling that the GPL itself was "an enforceable contract."

In September the court denied Hancom's motion for summary judgment on the breach of contract claim. Hancom first argued that as a matter of law Artifex was not entitled to money damages, essentially because GPL compliance required no payment to Artifex. The court rejected this argument, as the value of a royalty-bearing license and an unjust enrichment theory could serve as the measure of Artifex's damages. Second, Hancom argued in essence that any damages for contract breach could not be based on continuing GPL-noncompliant activity after Hancom first began shipping Ghostscript in violation of the GPL, because at that moment Hancom's GPL license was automatically terminated. In rejecting this argument, the court noted that GPLv3's language suggested Hancom's GPL obligations persisted beyond the termination of its GPL rights. The parties reached a settlement in December.

Special thanks to Chris Gillespie for his research and analysis of the Artifex case.

10. SFLC/Conservancy trademark dispute

In 2006 the Software Freedom Law Center formed a separate nonprofit organization, which it named the Software Freedom Conservancy. By July 2011, the two organizations no longer had any board members, officers, or employees in common, and SFLC ceased providing legal services to Conservancy. SFLC obtained a registration from the USPTO for the service mark SOFTWARE FREEDOM LAW CENTER in early 2011. In November 2011 Conservancy applied to register the mark SOFTWARE FREEDOM CONSERVANCY; the registration issued in September 2012. SFLC continues to be run by its founder Eben Moglen, while Conservancy is managed by former SFLC employees Karen Sandler and Bradley Kuhn. The two organizations are known to have opposing positions on a number of significant legal and policy matters (see, for example, my discussion of the ZFS-on-Linux issue last year).

In September 2017, SFLC filed a petition with the Trademark Trial and Appeal Board to cancel Conservancy's trademark registration under Section 14 of the Lanham Trademark Act of 1946, 15 U.S.C. § 1064, claiming that Conservancy's mark is confusingly similar to SFLC's. In November, Conservancy submitted its answer listing its affirmative defenses, and in December Conservancy filed a summary judgment motion on those defenses. The TTAB in effect denied the summary judgment motion on the basis that the affirmative defenses in Conservancy's answer were insufficiently pleaded.

Moglen publicly proposed a mutual release of all claims "in return for an iron-clad agreement for mutual non-disparagement," including "a perpetual, royalty-free trademark license for Conservancy to keep and use its current name." Conservancy responded in a blog post that it could not "accept any settlement offer that includes a trademark license we don't need. Furthermore, any trademark license necessarily gives SFLC perpetual control over how we pursue our charitable mission."

SFLC moved for leave to amend its petition to add a second ground for cancellation, that Conservancy's trademark registration was obtained by fraud. Conservancy's response argues that the proposed amendment does not state a claim for fraud. Meanwhile, Conservancy has submitted applications for trademarks for "THE SOFTWARE CONSERVANCY."

Richard Fontana
Richard is Senior Commercial Counsel on the Products and Technologies team in Red Hat's legal department. Most of his work focuses on open source-related legal issues.

1 Comment

GitHub is great platform but they should not have changed ToS this way

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.