Does GPLv2 Include an ‘Installation Information’ Obligation? A Textual & Historical Analysis
P. McCoy Smith (a)
(a) Founding Attorney; Lex Pan Law & Founder, Opsequio
Abstract
One of the features included in version 3 of the GNU General Public License (GPLv3) was a requirement, in certain circumstances, to provide ‘Installation Information.’ This was a new addition to the licence to address a ‘loophole’ that existed in version 2 of the licence (GPLv2); a loophole that was perceived as being exploited, at the time, by certain device vendors. Recently, it has been asserted that this requirement was inherent, or explicitly called for, in GPLv2. This paper examines the historical record around the time that the ‘Installation Information’ requirement was proposed, and eventually ratified, in GPLv3, to show that this requirement was understood to be both new, and not a part of GPLv2. A textual analysis of GPLv2 yields an identical result.
Keywords
Law; information technology; Free and Open Source Software; GPLv2; GPLv3; ‘Installation Information’; Installation ‘Scripts’; ‘Authorization Keys’
GPLv3, in Section 6 (specifying the obligations when ‘Conveying Non-Source Forms’ of GPLv3 code), defines a class of information, designated ‘Installation Information,’ to which certain specific disclosure obligations apply:
Therefore in 2006, the inability to reinstall a modified version of GPLv2 software on a device upon which that software was initially installed was, and still is, considered to be a significant detraction from the FSF’s concept of the freedoms that a user should have to software. The FSF has not been shy in describing this practice in highly pejorative terms:
Although the FSF has long had an objection to the practice of ‘Tivoization’ ‒ preventing the reinstallation of modified binary code licensed under one of the FSF’s family of licences ‒ it, through the statements of its President, its lead attorney during the drafting of GPLv3, and its Executive Director, also made abundantly clear that this practice was permissible under GPLv2:
The distinction between what was being proposed in GPLv3 to address ‘Tivoization’ (and other similar techniques for validation of GPL binaries), and what was allowed under GPLv2, was a crucial distinction for Linus Torvalds, author of the Linux kernel, in preferring to retain “GPLv2 only” for the kernel, rather than moving to GPLv3:
Throughout the process of proposing, revising, and ultimately publishing GPLv3, the FSF also made clear that it was adding features to ensure that GPLv3, unlike GPLv2, would prevent ‘Tivoization’:
The FSF – from the time GPLv3 was first proposed, and continuing to the date of publication of this article – has made clear that indeed GPLv3 has a more expansive definition of the obligations encompassed in the ‘Installation Information’ requirement than any requirement that GPLv2 contains:
“Does GPLv2 have a requirement about delivering installation information?...
In his plea to software developers to “upgrade” to GPLv3 to address existing problems in GPLv2, Richard Stallman cited the new Installation Information requirement as the first reason developers should move to GPLv3:
“Keeping a program under GPLv2 won't create problems. The reason to migrate is because of the existing problems which GPLv3 will address.
Although the description of the obligation to provide source code is primarily tied to the general understanding of what is ‘source code’ in computer programming, i.e.:
GPLv2 also includes two other items falling within that licence’s definition of ‘source code’: ‘associated interface definition files’ and ‘scripts used to control compilation and installation of the executable.’ An examination of the meaning of each of these provisions is necessary to understand how the disclosure obligations in GPLv2 differ from those in GPLv3.
As discussed above, GPLv3’s disclosure obligations upon distribution of executable code include both ‘Corresponding Source’:
and ‘Installation Information’:
Thus, during the drafting stages of GPLv3, the Free Software Foundation recognized, and acknowledged in changes to the drafting of that license, that the ‘Installation Information’ requirements were a separate obligation beyond the Corresponding Source Code obligations extant in GPLv2 and ported into GPLv3.
GPLv2’s source code disclosure obligations recite only:
If the ‘Installation Information’ requirement of GPLv3 has any counterpart within the ‘corresponding source code’ requirement of GPLv2, it is in the recitation of two separately articulated disclosure obligations – ‘any associated interface definition files’ and ‘scripts used to control compilation and installation of the executable.’
‘[S]cripts used to control compilation and installation of the executable,’ on the other hand, is, at least, directed to material related to the installation of an executable subject to GPLv2. Nevertheless, this requirement is directed to ‘scripts,’ a term with a generally understood meaning in computing:
It would appear unquestionable that GPLv2’s obligation to provide ‘scripts used to control … installation of the executable’ cannot be construed, as a matter of textual interpretation, to cover checksums, hashes, authorization or signing keys, or other numerical data embedded in hardware or firmware that is used to validate the installation of GPLv2 executable code; that data would not fall within the common understanding of what is a ‘script.’ A more interesting interpretational issue would arise if a hardware device included firmware running an installation program that ‒ as part of its functionality ‒ engaged in some form of validation of the executable and barred installation if the executable was determined to be invalid – for example, as the result of modification. Given the long-standing and consistent position of both the FSF and the Linux kernel developers during the drafting and release of GPLv3 that any sort of installation validation – including TiVo’s validation using PROM-loaded information – was permissible under GPLv2, it would be difficult to argue that even a firmware-instantiated validation feature falls within the ‘scripts used to control … installation of the executable’ requirement of GPLv2.
In contrast, GPLv2 has no definitions, limitations or restrictions on the types of products to which its source code obligations apply – ‘User Products’ and non-‘User Products’ alike must provide the source code and other disclosure obligations of GPLv2. Thus, if GPLv3’s full ‘Installation Information’ obligation definition were merely a reiteration or clarification of the existing disclosure obligations of GPLv2, GPLv3 would have narrowed the circumstances under which those disclosure obligations are extant. As a result, GPLv3 would be less ‘software freedom’ respecting than GPLv2 because its obligation would apply to a smaller subset of software. That result would be directly contrary to the stated goals of creating GPLv3 in the first place:
GPLv3 only expands and maximizes freedom if the ‘Installation Information’ obligation itself expands ‘freedom’ beyond the disclosure obligations of GPLv2. As GPLv2 obligations are not limited to any product subset, providing obligations in GPLv3 only for User Products would thus necessarily represent a reduction of ‘freedom.’
As outlined in detail above, both a textual analysis and a review of the historical record make clear that the ‘Installation Information’ obligations of GPLv3 do not exist in, and can in no way be backported into, the source code obligations found in GPLv2. Despite these facts, there has been a recent effort to alter the historical record, and to reinterpret the requirements of GPLv2, to equate the source code obligations in GPLv2 with the source code and ‘Installation Information’ requirements of GPLv3:
The text, and the historical record, of GPLv3 make clear that the ‘Installation Information’ requirement in that licence was specifically designed to add new requirements that were not found in GPLv2. The historical record also makes clear that it was perfectly permissible to distribute code licensed under GPLv2 without providing information ‒ such as authorization keys or other hardware-embedded information that might prevent the installation of modified versions of that GPLv2 code – and that only a fairly narrow class of information – installation scripts – was required in GPLv2. Efforts to backport the ‘Installation Information’ requirements of GPLv3 into GPLv2 are both ahistorical, and yield the counter-intuitive result of making GPLv3 less ‘freedom’-preserving than GPLv2 – a result which was in no way the goal of creating GPLv3 in the first instance. This counter-intuitive result would have counselled software freedom-loving authors to prefer GPLv2 over GPLv3, a result which would be contrary to the entire purpose of creating and launching GPLv3.
The extent to which an ahistorical and textually unsupported interpretation of GPLv2 is a mere theoretical debate, or is one which may eventually be tested in an interpretational tribunal as the result of compliance enforcement litigation, remains to be seen. Many of the statements made during the GPLv3 drafting process, and the actual language from GPLv2 – as outlined in detail above – will likely be relevant to any decision on the scope of the source code obligations of GPLv2.
About the author
P. McCoy Smith is Founding Attorney at Lex Pan Law (www.lexpan.law), a full-service intellectual property law firm in Portland, Oregon, U.S.A., that has a sub-speciality in free and open source licensing, as well as Founder at Opsequio (www.opsequ.io), a software licence compliance consultancy. As a member of GPLv3 Discussion Committee B, he was an active participant in the debate over, and revision of, the ‘Installation Information’ requirement in that licence.
Licence and Attribution
This paper was published in the Journal of Open Law, Technology, & Society, Volume 12, Issue 1 (April 2021). It originally appeared online at https://www.jolts.world
This article should be cited as follows:
Smith, P. McCoy (2021) 'Does GPLv2 Include an “Installation Information” Obligation? A Textual & Historical Analysis', Journal of Open Law, Technology & Society, 12(1), pp 21 – 31
Copyright © 2021 P. McCoy Smith.
This article is licensed under a Creative Commons Attribution 4.0 CC-BY available at https://creativecommons.org/licenses/by/4.0/
1. GNU Operating System, ‘GNU Library General Public License, version 2.0,’ (June, 1991) https://www.gnu.org/licenses/old-licenses/lgpl-2.0.html (accessed March 8, 2021).
2. Although GPLv3 was designed to eventually supplant GPLv2, in the 14 years since GPLv3 was published, the use of GPLv3, by some measures, is roughly equal in measure to the use of GPLv2; GPLv3’s relative use is also declining while GPLv2 remains steady state. Johnson, Patricia, ‘Open Source Licenses in 2021: Trends and Predictions,’ WhiteSource (January 28, 2021) https://resources.whitesourcesoftware.com/blog-whitesource/open-source-licenses-trends-and-predictions (accessed March 30, 2021).
3. See GNU Operating System, ‘What is free software? The Free Software Definition,’ https://www.gnu.org/philosophy/free-sw.en.html (accessed March 8, 2021).
4. One example of a change in the law that the authors of GPLv3 felt needed to be addressed in that license was the adoption in 1996 of the WIPO Copyright Treaty (WCT), and the passage in 1998 of its counterpart in the United States, the Digital Millennium Copyright Act (DMCA), particularly the provisions against circumvention of 'technological protection measures'. See WCT Article 11; 17 U.S.C. § 1201 (1998). GPLv3, § 3 directly addresses these additions to copyright law.
5. The technology in TiVo's devices, preventing reinstallation of modified binaries on devices running GPLv2 software, was one example of technology developed long after the GPLv2 licence was drafted that was of concern to the drafters of GPLv3. Subsequent to the release of GPLv3, millions, if not billions, of devices continue to be distributed with a GPLv2-licensed Linux kernel that prevent the reinstallation of modified binaries. GPLv3 also addressed the outmoded language around distribution of source code in GPLv2, and GPLv3 ‒ in Section 6 ‒ added several additional mechanisms for fulfilling source code obligations more consistent with current mechanisms for software distribution. See GPLv3, § 6(d)-(e).
6. Free Software Foundation, ‘Rationale for 1st discussion draft,’ http://gplv3.fsf.org/gpl-rationale-2006-01-16.html (accessed March 22, 2021).
7. Irish Free Software Organization, ‘Transcript of Opening session of first international GPLv3 conference,’ (January 16th 2006) http://www.ifso.ie/documents/gplv3-launch-2006-01-16.html (accessed March 22, 2021).
8. GNU Operating System, ‘GNU General Public License, version 3,’ (‘GPLv3’) (June 29, 2007) https://www.gnu.org/licenses/gpl-3.0.html (accessed March 22, 2021).
9. Burnette, Ed, ‘Tivo and GPL: Beauty and the Beast?,’ ZDNet, (October 2, 2006) https://www.zdnet.com/article/tivo-and-gpl-beauty-and-the-beast/ (accessed March 29, 2021).
10. ‘Convey’ is the activity defined in GPLv3 as triggering source code disclosure obligations. GPLv3, n. 6, §§ 4-6.
11. GPLv3, n. 6 above, § 6.
12. See ‘Transcript of Opening Session of First International GPLv3 Conference,’ (January 16th 2006) http://www.ifso.ie/documents/gplv3-launch-2006-01-16.html (accessed May 5, 2021) at 0h 03m 59s
13. Perhaps the most notable feature of the ‘Installation Information’ requirement, and an important feature in understanding how that requirement differs from the source code obligations in GPLv2, is that the ‘Installation Information’ requirement of GPLv3 applies only to a specified subset of products – ‘User Products’ upon which GPLv3 might be installed. See GPLv3, n. 6 above, at § 6.
14. The Computer Language Company, ‘Tivoization,’ The Free Dictionary by Farlex https://encyclopedia2.thefreedictionary.com/Tivoization (accessed April 2, 2021).
15. Checksums and cryptographic hashes are techniques used to determine whether a received binary file is identical to, or deviates from, an expected binary file. Various techniques are used to generate a numerical value associated with the digits in the expected file; that value is then compared at the receiving end to a stored representation of the same value. In this way, any changes to the binary file, even so much as changing one bit from ‘0’ to ‘1’ or vice versa, will produce a different value which will not match the stored value, thus indicating that the received binary file is not identical to the expected binary file. See Fisher, T., ‘What Is a Checksum?’ Lifewire (June 14, 2021) https://www.lifewire.com/what-does-checksum-mean-2625825 (accessed June 14, 2021).
16. Miller, Todd, ‘Using large disks with TiVo,’ Sudo Project (2008) https://web.archive.org/web/20120206023943/http://www.gratisoft.us/tivo/bigdisk.html (accessed April 2, 2021) (‘it is not possible to replace the kernel on a Series2 TiVo since the PROM requires that the kernel be cryptographically signed with a key from TiVo’). Note that although most of the commentary about the Series 2 TiVo devices of the mid-2000s indicates that they would not allow modified GPLv2 binaries to install or execute, at least one commentator has stated that that device allowed such binaries to be installed and run, but only prevented execution of non-GPLv2 proprietary code on that device. See Kuhn, Bradley & Webster, Behan, ‘Safely Copylefted Cars: Reexamining GPLv3 Installation Information Requirements,’ Linux Foundation Events (2017) at 13 https://events19.linuxfoundation.org/wp-content/uploads/2017/11/Safely-Copylefted-Cars-Reexamining-GPLv3-Installation-Information-Requirements-ALS-Bradley-Kuhn-Behan-Webster-1.pdf (accessed April 9, 2021).
17. GNU Operating System, ‘Proprietary Tyrants,’ https://www.gnu.org/proprietary/proprietary-tyrants.html (accessed April 2, 2021).
18. Stallman, Richard, ‘Transcript of Richard Stallman at the 5th international GPLv3 conference,’ (November 21, 2006) https://fsfe.org/activities/gplv3/tokyo-rms-transcript#tivoisation (accessed April 2, 2021).
19. Shankland, Stephen, ‘Defender of the GPL,’ CNet (January 19, 2006) https://www.cnet.com/news/defender-of-the-gpl/ (accessed April 2, 2021).
20. Byfield, Bruce, ‘GPLv2 or GPLv3?: Inside the Debate,’ Datamation (June 17, 2007) https://www.datamation.com/trends/gplv2-or-gplv3-inside-the-debate/ (accessed April 9, 2021).
21. Bennett, Amy, ‘Linux creator Torvalds still no fan of GPLv3,’ Computerworld (July 28, 2006) https://www.computerworld.com/article/2820022/linux-creator-torvalds-still-no-fan-of-gplv3.html (accessed April 7, 2021).
22. Shankland, Stephen, ‘Torvalds rules out GPL3 for Linux,’ ZDNet UK (January 27, 2006) https://web.archive.org/web/20080424051024/http:/news.zdnet.co.uk/software/0,1000000121,39249370,00.htm (accessed April 7, 2021).
23. Barr, Joe, ‘Torvalds versus GPLv3 DRM restrictions,’ Linux.com (February 2, 2006) https://www.linux.com/news/torvalds-versus-gplv3-drm-restrictions/ (accessed April 8, 2021).
24. Bottomley, James, et al., ‘Kernel developers' position on GPLv3,’ LWN.net (September 22, 2006) https://lwn.net/Articles/200422/ (accessed April 8, 2021). See also Bottomley, James, et al., 'The Dangers and Problems with GPLv3,' (September 15, 2006) https://lore.kernel.org/lkml/1158941750.3445.31.camel@mulgrave.il.steeleye.com (accessed May 27, 2021).
25. Linux kernel licensing notice, https://elixir.bootlin.com/linux/latest/source/COPYING (accessed April 8, 2021).
26. Deb Conf, ‘Linus Torvalds says GPL v3 violates everything that GPLv2 stood for,’ YOUTUBE (accessed May 5, 2021, at 0h 0m 34s) https://www.youtube.com/watch?v=PaKIZ7gJlRU.
27. Stallman, Richard, ‘Transcript of Richard Stallman at the 3rd international GPLv3 conference,’ (June 22, 2006) https://fsfe.org/activities/gplv3/barcelona-rms-transcript.en.html#tivoisation (accessed April 2, 2021).
28. Stallman, Richard, ‘Transcript of Richard Stallman speaking on GPLv3 in Torino,’ (March 18, 2006) https://fsfe.org/activities/gplv3/torino-rms-transcript.en.html#drm (accessed April 2, 2021).
29. Free Software Foundation, ‘Opinion on Digital Restrictions Management,’ (August, 2006) http://gplv3.fsf.org/drm-dd2.html (accessed March 17, 2021).
30. GNU Project, ‘Frequently Asked Questions About the GNU Licenses,’ https://www.gnu.org/licenses/gpl-faq.html#InstInfo (accessed April 7, 2021)
31. Stallman, Richard M. ‘Why Upgrade to GPL Version 3,’ (May 31, 2007) http://gplv3.fsf.org/rms-why.html (accessed May 6, 2021).
32. GPLv3 uses the term ‘convey,’ n. 8 above, whereas GPLv2 uses the term ‘distribute,’ to articulate acts that trigger, among other things, obligations to provide source. Although there are subtle differences between the two terms, they are intended to cover the same acts. GNU Project, ‘Frequently Asked Questions About the GNU Licenses,’ https://www.gnu.org/licenses/gpl-faq.html#ConveyVsDistribute (accessed March 29, 2021).
33. Brown, Neil, ‘GNU GPL 2.0 and 3.0: obligations to include licence text, and provide source code,’ JOLTS vol. 2, no. 1 (2010) DOI: 10.5033/ifosslr.v2i1.31 (accessed March 30, 2021).
34. GPLv2, n. 1 above, § 3.
35. ‘Source Code,’ Computer Dictionary of Information Technology https://www.computer-dictionary-online.org/definitions-s/source-code.html (accessed March 30, 2021).
36. GPLv3, n. 6 above, § 1.
37. GPLv3, n. 6 above, § 6.
38. Free Software Foundation, ‘GPLv3 First Discussion Draft,’ §1 (January 16, 2006) http://gplv3.fsf.org/gpl-draft-2006-01-16.html (accessed June 14, 2021).
39. Free Software Foundation, ‘GPLv3 Third Discussion Draft Rationale,’ (March 28, 2007) http://gplv3.fsf.org/gpl3-dd3-rationale.pdf/download (accessed June 14, 2021).
40. GPLv2, n. 1 above, § 3.
41. E.g., Microsoft, ‘Interface Definition (IDL) File,’ Windows Developer Documentation (May 31, 2018) https://docs.microsoft.com/en-us/windows/win32/midl/interface-definition-idl-file (accessed April 8, 2021); de St. Germain, H. James, ‘Interfaces in Object Oriented Programming Languages,’ University of Utah Computing Department https://www.cs.utah.edu/~germain/PPS/Topics/interfaces.html (accessed April 8, 2021).
42. Christensson, Per, ‘Script Definition,’ TechTerms. (2006) https://techterms.com/definition/script (accessed April 8, 2021).
43. ‘Script,’ Merriam-Webster.com Dictionary, Merriam-Webster https://www.merriam-webster.com/dictionary/script (accessed April 8, 2021).
44. GPLv2’s requirement to provide ‘compilation’ scripts is not analysed in this article; compilation is part of the process of converting source code into executable code, and is not related to the subsequent activities of installing, or executing, that executable code.
45. Arthur, Ty, ‘How to Write a Simple Script to Install a Program,’ Techwalla https://www.techwalla.com/articles/how-to-write-a-simple-script-to-install-a-program (accessed April 8, 2021)
46. ‘User Products’ in GPLv3 are subject to a rigorous definition which excludes a large class of products which can, and currently do, use code licensed under one of the GPL family of licences: “A ‘User Product’ is either (1) a ‘consumer product’, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. … A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.” GPLv3, n. 6 above, at Section 6.
47. GPLv3, n. 6 above, at Section 6.
48. Transcript of Opening Session of First International GPLv3 Conference, see n.10 above, at 0h 23m 30s.
49. Kuhn, Bradley, et al., ‘Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide,’ Copyleft.org at § 5.2 (2003-2018) https://copyleft.org/guide/comprehensive-gpl-guidech6.html#x9-460005.2 (accessed April 9, 2021).
50. Gingerich, Denver, ‘Understanding Installation Requirements in GPLv2,’ Software Freedom Conservancy (March 25, 2021) https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ (accessed April 9, 2021).
51. See above nn. 17 and 22-23.