Many in the open source community have expressed concern about the activities of Patrick McHardy in enforcing the GNU General Public License (GPL) against Linux distributors. Below are answers to common questions, based on public information related to his activities, and some of the legal principles that underlie open source compliance enforcement.

Who is Patrick McHardy? McHardy is the former chair of the Netfilter core development team. Netfilter is a utility in the Linux kernel that performs various network functions, such as facilitating Network Address Translation (NAT)—the process of converting an Internet protocol address into another IP address. Controlling network traffic is important to maintain the security of a Linux system.

How much has McHardy contributed to Linux? This is not an easy question to answer. First, it’s not easy to assess the importance of contributions; all we can do is look at number and size of commits. And second, even if one tracks commits, the tracking mechanisms are not perfect. Git has a blame feature that tracks who nominally commits certain lines of code to the git repository. Tools like cregit can be used with git blame to report commits at a more granular level of a code token, producing a more accurate picture of contributions at a file level. Git blame and cregit are useful because they both use publicly available information—the information just needs to be interpreted properly.

An analysis of blame with cregit can help assess McHardy’s potential contributions. For example:

The bulk of his contributions appear to be concentrated during the period 2006-08 and 2012.

Of approximately 135 files in which McHardy included his copyright notice, only 1/3 are files to which McHardy contributed 50% or more of the file's code.

His contributions appear to constitute well under .25% of the code in the kernel.

Most of McHardy’s contributions appear to be to Netfilter; however, blame might not always tell the whole story. For example, a committer can check in many lines of code having made only minor changes, or can check in code written or owned by others. For these reasons, the authorship of a committer can be under- or over-reported.

Records of contributions to the kernel prior to 2002 are not useful to identify contributors, because at that time, Linus Torvalds checked in all code. Patrick McHardy's contributions did not begin until 2004.

The difficulty of establishing copyright ownership using development repository metadata arose in the Hellwig v. VMware case. Courts may be reluctant to accept such information as evidence of authorship.

What copyright rights does McHardy have in the Linux kernel? Copyright ownership in large projects such as the Linux kernel is complicated. It’s like a patchwork quilt. When developers contribute to the kernel, they don’t sign any contribution agreement or assignment of copyright. The GPL covers their contributions, and the recipient of a copy of the software gets a license, under GPL, directly from all the authors. (The kernel project uses a document called a Developer Certificate of Origin, which does not grant any copyright license.) The contributors’ individual rights exist side-by-side with rights in the project as a whole. So, an author like McHardy would generally own the copyright in the contributions he created, but not in the whole kernel.

What is "community enforcement"? Because the ownership of large projects like the Linux kernel is often spread out among many authors, individual owners can take enforcement actions that are inconsistent with the objectives of the community. While the community may have a range of views on how best to encourage adherence to the GPL’s terms, most agree that enforcement should be informal (not via lawsuits) and that the primary goal should be compliance (rather than penalties). Software Freedom Conservancy, for example, has issued certain principles of community enforcement, which prioritize compliance over the pursuit of lawsuits or money damages. There is no bright-line rule for when informal actions should become lawsuits, or how much money an enforcer should request. Most developers in the Linux community, however, consider lawsuits only the last resort, and are willing to refrain from legal action and work with users who sincerely wish to comply.

Why have so many open source lawsuits been filed in Germany? Some plaintiffs seeking to enforce open source licenses have filed their claims in Germany’s court system. There are a few instruments for pursuing legal action in Germany that don’t have exact analogs in the U.S. or other common law countries.

Abmahnung (“warning”): The “warning” is a request from the claimant to the defendant to stop doing something. In the copyright context, it is a letter from the copyright owner requesting that an alleged infringer stop infringing. These letters are issued by lawyers, not courts, and are often the first step in a copyright enforcement action in Germany. In the U.S., the closest analog would be a cease and desist letter.

Unterlassungserklärung (“cease and desist declaration” or “declaration of injunction”): The “warnings” will often have a “cease and desist declaration” attached to them. This “declaration” is like a contract—signing it will subject the defendant to legal obligations that might not otherwise exist. In particular, the declaration may contain obligations that are not required by the GPL itself. In Germany, it is common for such a document to contain penalties for noncompliance. In the U.S., the analog would be a settlement agreement, but settlement agreements rarely specify the penalties for breach—and in fact, in the U.S., “penalties” may not be enforceable in contracts. The “declaration” is not a court order, but if the defendant signs it, it may gain the legal force of a court order. So, signing them before seeking legal advice is often not a good idea. There are other approaches to consider in dealing with a complainant who sends a cease and desist declaration, including proposing a revised declaration with lesser penalties or obligations. Further, because a cease and desist declaration may also contain a non-disclosure requirement, signing one of these documents may also create additional difficulties, such as restricting the ability to seek support from other defendants or to alert the community about the claimant’s assertions.

For details, see abmahnung.org/unterlassungserklaerung/.

Einstweilige Verfügung (“interim injunction” or “preliminary injunction”):The “interim injunction” is a court order that is like a temporary restraining order in the U.S. A defendant’s non-response to a “warning” or “declaration” can encourage a plaintiff to seek an “interim injunction,” although there is no requirement that a claimant send a “warning” before requesting an “interim injunction” from a court. Interim injunctions for copyright infringement can prescribe penalties of 250,000 Euro or 6 months' imprisonment. In the U.S., in contrast, criminal penalties for copyright infringement are extremely rare, and must be pursued by the government, not private parties. Also, in the U.S., courts do not prescribe remedies for future possible infringement—they only order defendants to stop current infringement or pay damages. In Germany, interim injunctions are also available ex parte, meaning that a plaintiff can apply to the court without the defendant being heard, and they can issue without the defendant’s participation. If you receive a “warning,” and suspect that a request for an “interim injunction” might follow, there is a possibility to file a preemptive “opposition” with the court.

For details, see Abmahnung.org.

Widerspruch (“opposition” or “contradiction”):The “opposition” is an opportunity for a defendant to file an opinion with the court that an “interim injunction” is not justified.

For an example of a case in which this process took place, see this English translation of a German court order.

How many claims has McHardy brought? Due to the lack of publicly accessible records for many German court dockets, it is difficult to determine the precise number of actions brought by McHardy. It has been stated that McHardy has approached over 50 enforcement targets. For details, see Source Code Control and 7 Notable Legal Developments in Open Source in 2016. That doesn’t necessarily mean 50 lawsuits—it probably means 50 demands threatening a lawsuit. But it is difficult to verify this claim with public sources. For details, see Litigation and Compliance in the Open Source Ecosystem.

Why hasn’t the community stopped McHardy? Various members of the community, including Software Freedom Conservancy, have reached out to try to persuade McHardy to change his strategy, but thus far they have not been successful. The Netfilter project recently published a licensing FAQ addressing concerns about McHardy’s actions.

What can we do to stop McHardy and other copyright profiteers? There is no one answer to this question, and there may be no way to completely stop them. But here are some suggestions for what might reduce the number of copyright profiteers.

Strive to comply with open source licenses. There are plenty of resources to learn how to comply with licenses, and how to set up an open source compliance program at your company. For example:

The Linux Foundation published Practical GPL Compliance.

Software Freedom Law Center published A Practical Guide to GPL Compliance (Second Edition).

The OpenChain project publishes a specification for recommended internal processes for open source management.

Don’t sign an Unterlassungserklärung before seeking legal advice. As explained above, an Unterlassungserklärung can subject you to obligations and penalties that are not found in the GPL itself. Don’t cooperate with the profiteers. You can make yourself a harder target, and enlist the help of other targets in the community.

Support open source development. Authors should not have to resort to profiteering to make a living. Companies that use open source software should not expect open source developers to develop software for free; they should chip in to support important projects.

Learn to recognize a copyright profiteer. Be aware of the general differences between community-oriented GPL enforcement and copyright profiteering. Community-oriented enforcement generally aims to achieve GPL compliance through education and assistance, while respecting users’ freedoms. Profiteering, by contrast, may focus on poorly researched scattershot claims and the threat of legal action for purposes of financial gain. Be on the lookout for assertions that prioritize financial gain and set the stage for unreasonable damages penalties.

Make claims public. If you are the target of a profiteer, and have a choice to make the claims public, doing so might help both you and others by discouraging their actions. As members of the open source community, we all share a duty to speak out against profiteers who seek to burden the community with allegations that can be resolved in more appropriate and less contentious ways.

Update: October 31, 2017

The Linux Foundation released a Community Enforcement Statement, and implemented a means to allow kernel developers to show their commitment to this statement. Responding to concerns about rogue enforcement by kernel developers who have engaged in copyright profiteering, this effort is intended to set community expectation for enforcement of GPL violations relating to the Linux kernel. An FAQ released by the Foundation explains that the commitment effectively implements opportunities to cure violations, similar to the opportunity available in GPL3.