On Copyleft Software

Goal

This post is meant to summarize what copyleft is and why I consider it an inappropriate tool for the challenges of the current times in software. There are certain sections in this post that are marked as asides in smaller font size and a blue border on the left. I recommend you skip these on your first read-through. These are akin to footnotes for further reading, but reading on your first time, they may get you off track with my main line of argument.

What is copyleft?

Software is protected in many jurisdictions by means of copyright. Copyright is so-called intellectual property. It is an exclusive right held by the author to do certain things, such as modifying or publishing a work. Software in many jurisdictions is considered to a work or there is a legal fiction that subjects it to the same rules as if it were a work. There is a plethora of reasons why this scheme does not meaningfully map to how modern software is made and used (or even software at the time this hack was introduced), but that is a story for another time. Once there was legal protection of software in the form of an exclusive right, there came those who disagreed with the notion of proprietary software. The history may be interesting, but will only root my thinking in the 1980s when the phenomenon first surfaced. I therefore elect to skip recounting the tale, albeit Wikipedia appears to provide a well-cited summary thereof.

In short, copyleft uses the broad freedoms that copyright bestows upon authors to design a framework to ensure that the software never turn into proprietary software. This generally takes the form of a contract wherein:

the licensee receives an unrestricted license to use, study, copy, share and modify the software (source code),
subject to the obligation of releasing any modifications to the software under the same or similar terms in source code form.

I will leave the discussion of the terms contract and license outside the scope of this post. There appears to be much confusion on their use especially given the popularity of the term license for constructions that are quite obviously contracts containing license grants. For the purposes of this post, I will use contract and terms to refer to any text that grants a right protected by copyright with any amount of additional terms and conditions that must be fulfilled in order to receive a license grant to do things that would otherwise infringe copyright.

A contract that only provides point 1, i. e. an unrestricted license grant, without point 2, i. 2 being forced to release the modifications, is generally called a permissive license. There are holes in this definition, but it suffices for what I am trying to say in this post.

Copyleft licenses use is that they trigger obligations on certain actions that require the permission of the author (or a person authorized to sublicense) under copyright law. An instructive example from the GNU General Public License v2.0 (GPLv2):

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

Observe that the actions copy and distribute are encumbered with conditions. Other actions are unencumbered. This has interesting implications. For example, a permissively licensed file can coexist with files under the GPLv2 in the same project, compiled into the same binary. It is only when the binary is copied and distributed that the file covered by the GPLv2 can and will exercise its copyleft. Mixing different licenses within the same file may lead to interesting results, which prima vista would imply that the end result will effectively be covered by both terms.

Permissive licenses do the same trick, but usually just to ensure attribution and disclaimers are passed on. The Apache-2.0 terms get called a permissive license often, but the onslaught of obligations that come with it are actually quite hostile and the only reason any of this works is that most people think the license says something else than it actually says and effectively everybody tacitly copies that understanding. Though not copyleft (in the sense of having to release source code), the obligations are actually somewhat cumbersome: In summary, § 4.2 requires that modified files carry prominent notices that you changed the files, § 4.3 requires that all copyright, patent, trademark and attribution notices must be kept except those you make obsolete with your changes, § 4.4 requires that you make sure that any file called notice is passed on either as part of the source code or documentation or displayed within the program.

The relationship between copyleft and commercial usage

Copyleft does not directly impede commercial usage. While copyleft makes it difficult in practice for proprietary software to just take copyleft software, make improvements and then selling that because their business value in secrecy and exclusive rights is undermined by the copyleft license, nothing actually prevents this. There are numerous examples of copyleft not working or not working in the spirit of the terms:

The digital video recorder series TiVo took the Linux kernel and GNU software, both at the time available under the terms of the GPLv2. The vendor built a firmware on top of them and sold the physical product. The vendor met its obligations and made available the source code. However, they also added a check for a cryptographic signature. Modified code could therefore not run on the device, undermining the point of being able to modify the source code provided under the terms of the GPLv2. This later came to be called tivoization and led to the GPLv3 aiming to prevent this from happening in the future.

While the GNU project relicensed a lot of software immediately following the release of the GPLv3, the Linux project has not done so. Even if the Linux project wanted to do so, developers retain their copyright working on Linux. Therefore, an unfathomably large number of people would have to be contacted to change the license. For comparison: A similar effort by the OpenSSL project to relicense to Apache-2.0 took several years to complete and involved reaching out to several dozens of individuals or rewriting their code. OpenSSL only has several hundred thousands of lines of code (according to David A. Wheeler’s SLOCCount, the entire OpenSSL 3.0.7 source code tree consisted of 664,197 lines of code). Linux has several millions, just in the drivers subdirectory (according to SLOCCount, 16,433,472 lines of code for Linux 6.0-rc5).

Open Source Security, Inc provides the grsecurity patches for the Linux kernel, providing certain security enhancements that are not part of upstream Linux. The effectiveness and usefulness thereof put aside, the patches are only available to subscribers at contact sales pricing. This in and of itself is unproblematic as far as the GPL is concerned. The Red Hat group has been doing just fine doing the same, after all. Where they differ is the obligations of the customers. The Red Hat enterprise agreements have confidentiality clauses, but explicitly make an exception for information that is licensed under an open source license (as defined by the Open Source Initiative (https://opensource.org/)). They ship an operating system and go above and beyond by providing source code (to some extent; trivial rebuilds that siphon away revenue are no longer possible). Not so with grsecurity—by distributing their software as patches alone, they appear to argue that their changes are (until combined with the Linux kernel source code) works on their own. They do not ship precompiled kernels, only patches, likely to ensure that they would not themselves be subject to the GPLv2. I have been unable to get a hold of their standard agreement. They do appear to be ensuring that their own downstreams follow the terms of the GPLv2. This does, however, allow them to effectively keep the source code closed.

I remain only partially convinced of the idea that a patch(set) does not form a combined work by virtue of its very nature as a patch(set), but I fail to find the idea entirely untenable, either. This setup does, however, show a glaring flaw in the GPLv2: It does not trigger when modifications are made, only on distribution of the combined work. Allow me to quote the relevant section:

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
[…]
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
[…]

As you can see, the GPLv2 even explicitly provides for this specific case. The end result, however, is that it feels like grsecurity is going against the spirit of the license by locking down access to the patches, making modifications to a copyleft program without actually meaningfully contributing back.

These two examples highlight issues inherent to copyleft. There are many cases to consider in drafting a contract with copyleft characteristics, even when you ignore the issue of cross-contract compatibility (license compatibility) that come with trying to mix copyleft code from various sources. The core idea of copyleft is an equivalent exchange: I give everyone my code; in exchange, you give everyone yours and subsequently let me upstream them if they are any good. The copyright framework is outright hostile to such ideas of basic human decency—everything needs to be carefully navigated with contracts. The lengthy wording of copyleft licenses hardly comes as a surprise in light of this. Legal means are rarely good ways to enforce basic human decency (for if you need to codify them in a contract, you have already reached the need to deal with moral bankruptcy), but this is the society we find ourselves in. This, in turn, leads to the spirit of the license being breached in economic pursuits.

The relationship between copyleft and commercial usage

Given this background of bad corporate citizens, I often find people wanting copyleft licenses with non-commercial clauses. It usually goes something like I want a license that is copyleft, prevents non-commercial (or corporate) usage and then gradually starts descending into more and more idealism, ultimately reaching something like a variation of the Hippocratic License. I do not wish to cast doubt on these individuals’ goals and aspirations. They are usually of noble cause. But doing so is not only in direct contradiction of the Open Source Definition, which prohibits a discrimination against fields of endeavor, but also seriously calls into question why they make the code available in the first place.

Some classes of software are hostile to non-commercial clauses and—at least to some extent—copyleft clauses in particular. These classes of software are those that benefit everyone, assuming they are of good quality. For example, having no widely available choices for good cryptographic libraries will herd commercial usage towards alternatives or worse trying their own hand at it, ultimately leading to less safety for everyone. Similar caveats apply to everything that is both safety-critical and will find widespread usage. One may certainly argue that if there were just one or two copyleft projects instead of a plethora of projects made available under permissive terms, it would be a boon for everyone as it leads to consolidation of efforts in less projects, reducing duplicate work and creating opportunities for the best and brightest to gather in greater numbers. The economic incentives point the other way. Insist on ideological purity at your own peril.

Copyleft can, and will, however, be used as leverage against competitors. If a large commercial entity spends non-trivial amounts of funds on software, they can create an offering that will at price point zero wipe out nearly all commercial competition except for those in vendor lock-in. Commercial e-mail clients have fallen to web e-mail interfaces (with exception of Microsoft Outlook with strong vendor lock-in with Microsoft Office). Commercial web browser engines have fallen to WebKit and Gecko (even Microsoft EdgeHTML has failed). This has a strong anti-competitive effect in that a (smaller) competitor would already be overwhelmed just maintaining their own changes on top of the ever-shifting code commits. Technically, none of this applies to copyleft; mere open source software already has this effect. Copyleft, however, then seals the deal in that the competitor’s offering will never be commercially viable because they cannot reap the benefits of exclusivity of features when forced to release their changes.

Copyleft in and of itself is, however, at the same time insufficient to be anti-competitive. Even network-copyleft terms like the GNU Affero General Public License (AGPL) do nothing to prevent a bigger competitor from just taking and hosting your product. In recent history, Amazon Web Services has often done exactly this, provoking a host of new terms like the Server Side Public License (SSPL) and others with direct non-compete clauses. This is, of course, not without controversy on either side. All too often the tale goes something like a startup creating genuine open source software (to gather mindshare) and subsequently locks further versions of the software behind non-compete terms right after the cloud vendors take note and make offerings available to their own customers. In the best case, this works as intended and prevents the large cloud goliaths from bullying the poor little startup david (who may actually be funded with boatloads of venture capital, but that is an inconvenient truth in this lovely one-sided framing of the issue). In the worst case, this prompts a hard fork with the larger competitor gathering up mindshare by virtue of promising a more stable future and better license terms and faster development of more features and fixes to security vulnerabilities, leaving the smaller competitor with a shattered reputation as everyone who thought the smaller competitor was an upstanding corporate open source citizen leaves disillusioned.

Copyleft is therefore essentially orthogonal from a standpoint of large-scale economics, where overwhelming development activity can relegate any competitor to irrelevance. Nonetheless, it may be an economic tool in smaller-scale economics. In either case, however, we have completely left behind us the realm of basic human decency in a pursuit of money—or eschewing it. From an economic perspective, the copyleft–permissive axis is probably reaching the point of irrelevance as software as a service (SaaS) sidesteps many of the points copyleft used to cover and network copyleft only incompletely covers. The problem is with SaaS, once more, a moral argument about basic human decency in disguise: I made this, so I should get a cut of your large earnings made on the back of my labor with disproportionally little labor on your own part. Once more, I would like you to recall that legal means are rarely good ways to enforce basic human decency for if you need to codify them in a contract, you have already reached the need to deal with moral bankruptcy. You may certainly despair that this is the state of affairs, but it will do you no good to pretend you can ignore them. There is no such thing as a good corporate citizen, only one that is not yet big enough to become a bad one.

Artificial intelligence in software and its implications for copyleft

Speaking of economic activity, artificial intelligence is somewhat of a hot topic currently. Many an argument on the Internet goes that harvesting code under copyleft terms is in violation of the terms. Putting aside the question of how training artificial intelligence on software does or does not infringe copyright, this kind of argument completely overlooks that almost any other open source license terms also come with conditions, such as the MIT license requiring attribution, keeping intact the license text as well as the disclaimer. This is a point of much frustration to me. Permissive does not mean no conditions at all.

That is also all I want to say on the subject, at least until most jurisdictions have settled on:

the copyright status of the output of generative artificial intelligence; and
how and if/when training an artificial intelligence with code is considered copyright infringement.

Certainly, there is very much to be said. Law journals seem to be largely unable to stay quiet on the hype and every couple of months someone else feels the need to publish yet another analysis of the subject, usually flawed from a technical standpoint. This is a general pattern in legal doctrine, the economic realities force opinions out of both courts and academia, but the frequently destitute technical knowledge and abilities of the people weighing in on the subject dilute the usefulness of the answer to the question. The most obvious and at the same time most egregious example was, I believe, subjugating code to copyright.

Whose freedoms are they anyway?

One reason I think many proponents of copyleft have a difficult time getting along with fierce believers in permissive terms is that they look at different people’s freedoms. In a copyleft regime, the freedoms granted by any open source terms are meant to be passed on to the very end of the chain, the end user of an application or perhaps device. In a permissive regime, the freedoms granted are only meant to be passed on to the very next person in the chain, yet in greater amounts, namely allowing the creation of proprietary software; the end user does not meaningfully factor into the equation except for attribution and disclaimers. If neither side of the argument is aware of this fundamentally different point of view, then both sides will merrily (angrily) talk past each other, never understanding the other side.

Weak copyleft licenses only take effect when sharing changes with others, but they do not trigger when making a larger piece of software that would then affect the larger codebase. For example, take a file util.rs obtained under the terms of the Mozilla Public License 2.0 (MPL-2.0). It can coexist and distribution does not trigger a requirement to disclose the larger work’s source code. As an instructive example, observe the language in § 1.7 and § 3.3 of the MPL-2.0:

1.7. Larger Work
means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.
[…]
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).

Strong copyleft licenses trigger for the whole program that contain copyleft components, even if the copyleft components are comparatively minuscule. Take for example the language in the Sleepycat license (which was intended for the Berkeley database, abbreviated as DB in the license):

Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software. […] For an executable file, complete source code means the source code for all modules it contains. It does not include source code for modules or files that typically accompany the major components of the operating system on which the executable file runs.

The GPL is not exactly the poster child of enforcing its strong copyleft in clear language. The frequently asked questions (FAQ) about the GNU licenses claims that both dynamic and static linking results in a combined work with the end result being that the GPL cover[s] the whole combination. This is not supported in any clear way by the language of terms themselves; though there is probably something to be said about virtually all developers making this assumption that they might just have formed a common understanding of the GPL as a contract and therefore courts might underpin that understanding in their interpretation of the GPL. The mechanism seems to be based on the assumption that one paragraph in § 5 mentioning larger programs is then construed to imply e contrario that any kind of combination to form a larger program, not matter how minuscule the copyleft part is compared to the the rest of the code, will then fall in scope to make the entire combined program with a very extensive definition of Corresponding Source; perhaps the mere existence of the LGPL could also be used as an argument of the intent and how the GPL has to be understood. This probably holds up, but is considerably more ambiguous than I would like it to be. The text of the GPLv3 really speaks for itself, or rather, it does not speak and that is precisely the problem:

The Corresponding Source for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
[…]
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
[…]
A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
[…]
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.

Network copyleft stacks an extra condition when the copyleft effect triggers, namely when the software can be interacted with over the network. The European Union Public License v1.2 EUPL-1.2 is an illustrative example:

1. Definitions
[…]
— ‘Distribution’ or ‘Communication’: any act of selling, giving, lending, renting, distributing, communicating, transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential functionalities at the disposal of any other natural or legal person.

Finally, recently unconditional copyleft terms have sprouted, for lack of a better word. While the terms weak copyleft, strong copyleft and network copyleft are firmly established in open source discourse, these new licenses do not yet have a common term. I propose unconditional copyleft because of their nature: They discard the question of When do copyleft effects trigger? entirely, namely by making the answer virtually always. The Parity license is exceedingly clear in its intent and language:

Copyleft
Contribute software you develop, operate, or analyze with this software, including changes or additions to this software. When in doubt, contribute.
Prototypes
You don’t have to contribute any change, addition, or other software that meets all these criteria:

You don’t use it for more than thirty days.

You don’t share it outside the team developing it, other than for non-production user testing.

You don’t develop, operate, or analyze other software with it for anyone outside the team developing it.

Weak, strong, network and unconditional copyleft all trade off developer freedom in exchange for end-user freedom at various amounts. This does, however, assume that the end-user benefits from this. The current state of computer literacy is such that the concept of a hierarchy of directories is well-above the modern user. I believe it therefore to be an illusory idea that the end-user freedoms being of any tangible value to anyone—except for the class of software developers.

AGPL and the hostility to compliance

In some circles, the AGPL seems to enjoy popularity in part because it exhibits network copyleft effects, but also in part because Google has a notorious policy that prohibits AGPL code and programs anywhere. Ignoring the anti-Google sentiment and by extension the anti-big-corporation sentiment, the terms of the AGPL are particularly hostile to any third party attempting to comply with it. Allow me to open with a quotation of the only difference between the AGPLv3 and the GPLv3 in the core text other than the name and preamble:

13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.
[…]

The biggest issue here is that the copyright holder is, by definition, not beholden to the AGPL. This means that there is no requirement to make the base source code amenable to prominently offer the Corresponding Source. This means that downstreams can be (and in practice often are) left on their own to also figure out where to place the prominent offer. Those who rarely read the full terms of any open source terms may find themselves surprised by this requirement, thinking that just pushing the code of the changes on GitHub or an equivalent platform is sufficient.

The next issue: Who counts as a user? The AGPL says that the code must be offered to all users interacting with the modified version. It is unclear if this only affects legitimate users, authorized accounts (with possibly illegitimate users after a compromise) or anyone who can access the software at all. It could even be construed so far that an e-mail server receiving messages from X on e-mail server technically has X as a user because X indirectly interacted with it, and therefore the other e-mail server would have to provide its source code to X.

Finally, how do you even provide this prominent notice in the first place? This is simple in the case of a web application. But what about a REST service? Does every response now also need to have an HTTP header indicating where to download the source code, at the expense of network efficiency? This gets even more absurd with non-extensible protocols; where would you even put that in an NTP server?

I am not a fan of the AGPL.

Licensing theater: The problem of enforcement and rational apathy

All of the above text assumes that the terms under which code is placed are actually observed by everyone. What happens if others just do not observe the terms? Some terms, such as the GPLv3, include automatic termination clauses if you fail to comply with them. That is nice, but what actually happens? In practice, the answer may often be: nothing. A violation of a contract, until it is observed by anyone but the offender, may as well not have happened for no one is any wiser. The terms need to be enforced. Remy van Elst has tried to enforce the AGPL for their own code. The end result was that the server was taken down and no code was made available.

Enforcement may also ultimately mean courts. Courts are expensive, so you try not to go to them. Dropping four to five digits on legal expenses and court costs in an idealistic pursuit of copyleft is a rare occurrence. Organizations exist that aim to increase compliance; for example, Software Freedom Conservancy, Inc. states that they engage in worldwide efforts to ensure compliance with the GPL family in particular, claiming that legal action being the last resort. Lawsuits seem to be relatively rare in general. Ultimately, often an offense will either go unnoticed or the only people in a legal position to do anything about it succumb to a sense of rational apathy, realizing that the (emotional and economic) costs outweigh the perceived benefits.

Viewed in this light, much of the virtual ink spilled on licensing issues in open source software is licensing theater. On the other hand, we have widespread violations of license terms in the Go and Rust ecosystems.

Go places everything, including its standard library, under standard 3-clause BSD terms; though this issue was raised in 2017, the Go project saw no issue with this, but also could not make any guarantees regarding enforcement. A handful of components are covered by other terms, in particular in the linker, some code in the math package and probably a handful of other instances.

Rust, despite having existed for nearly a decade now, has an uncomfortable situation with regards to the licensing of its standard library and any compiler-inserted code and has also failed to provide any guidance for downstreams, involving several different licenses for a variety of components. It has been aware of but mostly ignoring this problem since rust-lang/rust#67014 from December 2019, with hilarious complexity inherited by downstream projects such as EmbarkStudios/cargo-about that try to automate this and make sense of it. Meanwhile, GCC and Clang/LLVM do not exhibit this issue by virtue of having had a modicum of foresight and placing appropriate license exceptions for the standard library and code injected by the respective compilers. This state of affairs speaks volumes about the destitute abilities of modern open source developers to navigate the license landscape—despite it getting increasingly complex and economically important.

Conclusion

To me, copyleft does not seem like an effective tool to achieve the apparent goal of getting basic human decency out of large for-profit corporations.