The requirement to supply source code is covered by section 3 of the second version of the GPL. Under these sections, the distributor of GPL code is obligated to provide source code "on a medium customarily used for software interchange" for up to three years. In practice, this medium is usually a CD or DVD, or a server from which it can be downloaded. Under section 6 of the GPL, each distributor of the code comes under the obligations specified in section 3. This obligation is specified even more strongly in section 10 of the draft for the third version of the GPL, which specifically states that "downstream users" (those who, like Woodford, adopt the work of another project -- the "upstream distributor" -- for their own use) fall under these obligations.
"We think it's pretty clear," says David Turner, GPL compliance engineer at the FSF. "One problem with allowing people to skip out on source code distribution is that there's nothing that requires the upstream distributor to continue to offer source code. If they stop doing so, the source could become totally unavailable. Or, more commonly, the upstream distributor will upgrade the version of the source code available, leaving downstream distributors totally out of sync. In order to fix bugs, users need to get source code exactly corresponding to the binaries they have available."
Woodford does supply the source code for MEPIS' reconfigured kernel in a Debian source-package. His mistake seems to have been the assumption that, so long as the source code was available somewhere, he did not have to provide it himself if he hadn't modified it. While he has not contacted any other distributions, he suspects that he is far from the only one to make this assumption. "We, like 10,000 other people, probably, believed we were covered by the safe harbor of having an upstream distribution available online," Woodford says. "I think, of the 500 distributions tracked by DistroWatch, probably 450 of them are in trouble right now per this position."
A safe harbor is a legal term, referring to the elimination of the need to comply because a violation was made in good faith.
Compliance in the community
Woodford is exaggerating, but not enough to change the basic truth of what he says. Klaus Knopper, who develops the popular Knoppix live CD, says that he maintains a source repository and will make source code available on request. Talking on behalf of CentOS, Johnny Hughes says, "CentOS has been providing source for all packages, changed and unchanged, in their distribution. CentOS has the same understanding of the GPL as expressed by the FSF on this issue." Similarly, Texstar, the main maintainer for PCLinuxOS, says, "I am aware of the GPL requirements and make all of my source code available via DVD and it can be downloaded from a free server."
However, a majority of distributions and their distributors are apparently unaware of the requirements. "Before I was contacted by the FSF, I didn't know that we needed to actually offer the source code of binaries we didn't modify," says John Andrews, the source code maintainer of Damn Small Linux. "Yet we do comply now, and the FSF occasionally pops in with an email to make sure we do." Similarly, LinuxCD.org, a distributor, makes only Fedora source code available -- and only provides that because it was specifically requested to do so.
Unsurprisingly, no non-compliant distribution was willing to go on record for this article. However, a search through the Web pages of two dozen randomly selected smaller distributions in DistroWatch's top hundred shows only a few download repositories that contain source code, and no offers to provide it on request. The fact that only a few replied to a request for comments may also be significant, suggesting that the maintainers, having become aware of their non-compliance, do not wish to advertise their status -- although it might simply be that, being small operations, they prefer to focus on their work rather than answer questions. Still, even if Woodford's exact percentage is wrong, his suggestion that the majority of distributions are unaware of the GPL requirements does seem accurate.
Implications and solution-seeking
Woodford is now working to come into compliance. "Either I go along or go to court with them about it, and it's a lot easier to go along," he says. "I'm not making any money here. I can't afford a lawyer. I have an income, but I'm just barely staying afloat. We're going to reply to their request, and it seems like the request is consistent with the GPL license."
Woodford also understands that, while the FSF is firm about compliance, it is showing restraint in its effort to get MEPIS to comply. "If we were a big corporate entity, then they would ask us to pay them money," he says.
Yet, despite his willingness to comply, Woodford remains concerned about the implications. According to Turner, because MEPIS distributes both online and on CD and DVD, it would need to provide the source code in both media under the third version of the GPL, although section 3b of the second version would require distribution in only one medium. Woodford is also concerned about the practical considerations of automating the regular extraction of only the packages that MEPIS uses from the Ubuntu repositories.
Even more importantly, Woodford says, "I think that what they're doing is probably going to be bad for creativity in the open source community. There's plenty of people out there who like to be the GPL police. And with this extra little thing in their bag of tricks, somebody is going to go out there looking at everybody who puts out a new release of anything."
"What is really needed for the benefit of the community is if there could be a way to have an exception for the little guy," Woodford says. "But how can you do that when the whole thing is designed around the idea that every entity and every person that uses the GPL is held to the exact same rules and standards? How do you start making exceptions to that?"
Asked about the possibility of adding such an exception to the third version of the GPL, Turner replied, "If someone submitted a comment to that effect, we would of course consider that comment. But I don't think it likely that it will be changed.... I just asked Richard Stallman about this. He noted that the requirement isn't particularly onerous -- source code isn't much larger than binaries."
Woodford, though, disagrees. "If I had been told this when I was getting ready to create MEPIS in the first place, I never would have done it. I didn't have a server, I didn't have a repository, and it would have been a daunting task." His concern is that others will be similarly discouraged.
Andrews from Damn Small Linux also disagrees with Turner and Stallman, saying, "I understand why the FSF makes sure small-time players comply with their requirements. However, I also know from experience that it's quite a burden for the hobbyist or small-time developer who wants to share something cool with the world but doesn't have the finances or organizational structure of the big corporations."
"Of course, non-profit distributors can always arrange with their upstream distributors to help them with the source code distribution," Turner suggests. "If such an arrangement is in place, the problems mentioned above won't happen, and the non-profit distributor will be able to save time and bandwidth."
Major upstream distributors, however, are unlikely to enter such arrangements, if Fedora is any indication. Max Spevack, chair of the Fedora Board, says, "There are several reasons why the Fedora Project would be hesitant to officially sanction downstream distributions to point to upstream code repositories. The first has to do with the issue of forking. If the downstream developer has improvements, those improvements should be fed into the upstream code whenever possible. If downstream doesn't want to push those changes upstream, then it makes sense that the downstream distribution should bear the burden of redistributing the source for the forked code.
"Second, there is an issue of legal liability," Spevack continues. "The upstream party would be assuming legal liability for the downstream modifier, and that is not something that the Fedora Project is interested in doing.
"The third issue is that of cost -- which, while a valid concern, in my opinion is a lesser issue than the other two."
A possible solution for some distributions would be rPath's rBuilder Online, a tool whose use is free for non-commercial purposes and which allows users to build their own distribution using a repository of the Conary packaging system. Since one of the points of a Conary repository is that it contains both source and binary packages, using its version control system to keep track of them, as Erik Troan, one of rPath's founder notes, using "rBuilder automatically solves the problem by providing permanent access to binaries and the sources." Distributions based on rBuilder would still need to maintain their own repositories, but would not need to set up separate source repositories. This is the solution that Foresight Linux has chosen. However, rBuilder Online is not available to commercial distributions, and Conary is still a new and relatively unknown packaging system.
Many derivative distributions, then, seem to be on their own in a difficult situation where good intentions and creativity count for nothing beside the letter of the law.
For Woodford, the situation means struggling for compliance while preparing his next release, and the strain of the additional concerns is taking its toll. "I'm just trying to get back to the point where I can sleep at night," Woodford says. "Last night, I went to bed at 1:30 and just lay in bed thinking of all the technicalities that have been discussed about the GPL and how I'm going to access the source and make it available."
Bruce Byfield is a course designer and instructor, and a computer journalist who writes regularly for NewsForge, Linux.com and IT Manager's Journal.