Bradley Kuhn, the technical director of the Software Freedom Law Center (SFLC), has published a helpful set of guidelines about the most productive way to respond to a suspected violation of GNU's General Public License (GPL). The guidelines caution against jumping to conclusions and encourage free software enthusiasts to give violators the benefit of the doubt. GPL violations are extremely common, he says, but most of them are accidental.

The SFLC, which was founded in 2005 with the aim of providing legal support for the free and open source software development community, has played a key role in resolving numerous GPL enforcement conflicts. Its approach to GPL enforcement is typically instructive and non-confrontational. Lawsuits are used as a last resort and have consistently resulted in out-of-court settlements. The organization is perhaps best known for litigating a series of high-profile GPL violation cases on behalf of the developers of the open source BusyBox embedded tools.

In his role as the SFLC's technical director and in his previous position as the executive director of the Free Software Foundation, Kuhn has had extensive involvement in GPL enforcement efforts. His commentary on the subject is, needless to say, very well informed. He published the guidelines this week in response to a recent incident of alleged GPL infringement that was attributed to Microsoft.

An independent programmer found evidence suggesting that Microsoft's proprietary Windows 7 USB/DVD Download tool was potentially built with source code that was misappropriated from a GPL-licensed project called ImageMaster. The evidence is ambiguous but compelling. Microsoft apparently thought so too, because it pulled the tool in question from its website and is said to be investigating the matter.

Kuhn's guidelines put the matter into perspective and provide some insight into how such issues should be handled. Kuhn says that he has found, on average, one new company violating the GPL every day over the past few months. GPL violations are so common, he says, that he could easily keep it up for a whole year. He regards it as important work, but doesn't consider any individual instance of GPL infringement to be a significant revelation. Finding and resolving these issues is a lot like fixing bugs, according to Kuhn. Single cases don't mean much, but the ongoing effort contributes to a healthier and better-informed commercial ecosystem around free and open source software—one in which companies understand and appreciate their licensing obligations.

Most GPL violations are mere accidents or the result of simple negligence. Instead of immediately publicizing a suspected case of infringement, Kuhn suggests that the best way to start productive enforcement action is to privately contact the company and submit a request for source code and clarification. The next step is to contact the actual copyright holder—the author of the code that is being misused—as they are empowered to legally enforce the licensing terms. This should be done privately, he says, rather than on public mailing lists. He feels that attempting to publicly shame a company into compliance will undermine communication and make it more difficult to proceed.

"Don't go public first. Back around late 1999, when I found my first GPL violation from scratch, I wanted to post it to every mailing list I could find and shame that company that failed to respect and cooperate with the software freedom community. I'm glad that I didn't do that, because I've since seen similar actions destroy the lines of communication with violators, and make resolution tougher," Kuhn wrote. "Remember that the primary goal of the GPL is to encourage more software freedom in the world. For many violators, the first experience the violator has with FLOSS is an enforcement action. We therefore must ensure that enforcement action is reasonable and friendly. I view every GPL violator as a potential FLOSS contributor, and try my best to open every enforcement action with that attitude."

Kuhn's complete blog entry is worth a look and offers a number of additional recommendations that are equally important. It's a good resource for free software enthusiasts and developers who are concerned about license violations and want to contribute to productive enforcement efforts. Companies that are looking for additional details about how to avoid accidental GPL violations might want to have a look at the SFLC's handy compliance guide, which was published last year.
