Cisco Settles, But Where From Here?

Until September 20, 2007, nobody had ever sued anybody for violating the General Public License (GPL) — not a single company, project, or individual developer in the license's then-eighteen year existence. This momentous first, settled in a mere month, was only the beginning — the beginning of a landslide of litigation large enough to make Apple's lawyers cry.

Civil complaints poured forth from the Software Freedom Law Center like Henry Ford's Model T, landing in the laps of High Gain Antennas, LLC and Xterasys Corp, Bell Microproducts and SuperMicro Computer, even communications powerhouse Verizon. Each was eventually forced into the same settlement: provide the source code, appoint an Open Source compliance officer, and pay out an undisclosed amount. And the Open Source community rejoiced.

The SFLC even went so far as to publish a guide to not getting sued, over and above the general advice that if a SFLC lawyer calls you up and says it plans to sue you, for the love of all that is technological, do what you're told. What had never happened, even amongst the SFLC's barrage of litigation on behalf of BusyBox, was to come, however.

On December 11, 2008, the Free Software Foundation, as represented by the Software Freedom Law Center, sued Cisco Systems for violation of the GPL. Earlier this week, the parties settled that suit, to the tune of the normal terms: Cisco will appoint a watchdog for Linksys, people who bought the Linksys products in question will be informed of what the GPL means for them, a license notice will be added to Linksys' website, the relevant source code will be made available on its website, and an undisclosed amount of cash will be coughed up — we suspect it won't be at the associate membership rate. Still, it's better than the original demand, that Cisco "disgorge to Plaintiff all profits derived," — rather like they planned to feed Cisco an industrial-size dose of Open Source ipecac. The full fifteen page complaint PDF, and the accompanying twenty-three pages of licenses, are available online.

Still, what made suing Cisco so different from all the other companies the SFLC has chased down?

Aside from being a gold member of the Linux Foundation — at $100,000 a year — Cisco Systems just happens to be one of the largest contributors to the Linux kernel, undoubtedly the most widely known Open Source project, period. As of the Linux Foundation's April 2008 Linux Kernel Development report, Cisco was responsible for 0.5% of the work being done on the kernel.

Doesn't sound that significant?

Consider that shortly before the FSF filed suit, the Linux kernel was reported to have reached nearly six and a half million lines of code — over ten million if counting actual lines, which include comments, text files, and blank lines. The numbers total out to, on average, for every day of the last two and a half years, more than 3,600 lines of code have been added, 1,500 removed, and 1,400 changed. Linus Torvalds — the belovéd creator who has been working on the code for almost twenty years, and whom the Linux Foundation pays, full time, to continue doing so — stands at 0.6% of changes. Not bad for a company, unlike firms such as Red Hat, that aren't focused around Linux products, and doesn't .

Also fairly impressive for a company who several months before opened up a highly-popular line of routers to third-party development of Linux-based modules. That wasn't it, though, as almost two months to the day before they were sued, they announced a $100,000 competition — for those who are counting, that bumps the total up to $200,000 on Linux for the year, not counting the salaries of the unknown number of people they pay to make those 0.5% of contributions — to encourage, and of course, reward developers for designing and developing those Linux-based modules.

Was it pure altruism? Of course not, but whose corporate development is?

That is, of course, not to ignore Cisco's other Open Source contributions, including those to Apache and Eclipse, among others. Their microgrant program for non-profit organizations interested in the Open Source community and Cisco and the $400,000 — that's up to $600,000 — Cisco donated to the Silicon Valley Education Foundation to support cost-free Open Source solutions to retain teachers and improve attendance are nothing to sneeze at either.

The point of this Open Source Cisco CV? Aptly enough, a gnome: Don't bite the hand that feeds you.

Did Cisco screw up? Yeah. Should they have listened when it was pointed out? Yeah. Should they have to make it right? Yeah. However — and this is where the pragmatist diverges from the ideologue — people don't like to be sued. Cisco is making a lot of contributions to Open Source projects. That doesn't excuse violating licenses, not in the least, but it isn't just a case of "if they don't make them, somebody else will." They're going to figure this stuff out anyway, and there are two choices: Open Source or proprietary. If Cisco makes advancements first and patents them, then other people can make the same advancements until the cows come home, they still won't be able to do anything with it. The lost money doesn't really matter, that can me made up somewhere else, but making enemies does. We don't want to turn our allies into enemies, and make other allies wonder if we're going to do the same to them.

Making enemies is just the beginning, however. This lawsuit — yes, this one individual lawsuit — could have brought the whole thing crashing to the ground. Non-profit organizations — even those represented pro bono by other non-profit organizations — don't have the financial resources that a corporation with $39,000,000,000 in annual revenue. Companies like Cisco have lawyers, and a lot of them. Not your friendly neighborhood lawyer who draws up wills and gets people out of traffic tickets — flesh-eating lawyers who aren't concerned that the enemy is a non-profit organization contributing to the greater good. An army of attorneys puts out a tidal wave of paperwork, much of which requires thousands of reams of documents in response — just take a look at the SCO litigation — and if there isn't an army of attorneys on the opposite side — the SFLC has eight, to spread amongst all its clients — it can very quickly lead to bankruptcy. For that matter, the plaintiff could lose, and even if the defendant wasn't awarded damages, they are entitled to recoup their costs. Armies of lawyers aren't cheap, and bankruptcy is not what we want.

Perhaps worse, from a utilitarian standpoint, is what each of these lawsuits means for the GPL. The GPL has never — not once — been tested in court. Never. Each time somebody files a lawsuit over the GPL, they hand its opponents the opportunity to dispatch it once and for all. There is kinda-sorta-maybe-possibly if-you-turn-it-this-way-it-looks-like-the-Mona-Lisa case law regarding other licenses that gives a general idea of how such a case might turn out, but with the possible exception of one federal circuit, that case law is merely informative, not binding.

Eventually, a defendant is going to decide not to settle, and if the plaintiff is still solvent after the flood of paperwork is finished, the court is going to rule on whether the GPL has any merit or not. If the court finds it does not have any merit, it's over. Sure, there can be appeals — and one, possibly two more rounds of paperwork, not to mention that if it went that far, not every attorney is a member of the Supreme Court bar, and experienced attorneys who are don't come cheap. Once the appeals are over, if they ever even get a start, the possibility exists that the GPL will be over too. It's a very real possibility: it wouldn't be the first time a license, contract, or other agreement was ruled void. Where does that leave all the projects that are licensed under the GPL, especially the ones, like Linux, that have too many contributors to be able to get them all to consent to a new license? Where does it leave licenses similar to the GPL?

We can scoff, we can laugh, we can insist that it could never happen, but that doesn't change reality. These lawsuits aren't just fun little jaunts to get companies to give out source code, they're very real opportunities for the whole ship to go down faster than the Vasa. That just isn't something we can afford to have happen.

Lest there be any confusion, we don't want that to happen. We don't want companies to get away with violating the licenses that make our work possible. For that matter, we don't want them to violate them in the first place, so there's no it to get away with period. We want companies to fulfill their obligations, we want developers to feel safe in licensing their code under the GPL and other licenses, and we want companies to feel safe in using Open Source code. We can't, though, sugar coat the reality that these lawsuits are as much a threat to us as they are to the offenders. It's a disservice to us all to assume that winning is a forgone conclusion — after all, Dewey Defeats Truman.

______________________

Justin Ryan is a Contributing Editor for Linux Journal.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

"belovéd"?

xoddam's picture

Torvalds is "belovéd"? Be Love Aid? Eh?

Faulty reasoning

Anonymous's picture

This is backwards. The GPL IS the foundation of the community, not Cisco or even Linux (without the GPL, Linux wouldn't be anything other than a minix clone). On the contrary, if nobody sues Cisco, we will open the gates to other GPL violations. The GPL can only retain its credibility if there is a clear threat to violate it.

As for Cisco itself, free software can happily survive its innimity, just like it survives Microsoft innimity. But I don't think a corporation is an individual. Being sued won't make it "angry" and "spiteful". It will remind more managers of the rules, which is good.

And the fear of putting the GPL to test in court is laughable. If indeed the GPL did not work in court (makes you then wonder why all companies prefer to settle?), a newer version of the GPL would need to be drafted, which would be a good thing.

The foundations of free software are sound, we should not be afraid of enforcing the principles that underlie it.

It has been proven in court

Ulrich Wisser's picture

The GPL maybe hasn't been proven in an american court, but it sure was up for discussion (more than once) in a German court. And the GPL did hold up. Given the fact that IP rights are very similiar all over the western hemisphere these days it guess it would hold up in an US court as well. But let me add another fact from the German court ruling. The plaintiff argued that the GPL was not valid. The judge answered to that with a question: (in my own words) How did you obtain a license if the GPL isn't valid?

As you see, ruling out the GPL doesn't get you nowhere in court. It just means you are using software without any license and that is plain copyright infringement from the books.

Its good

Anonymous's picture

I for one have to agree with the author.

I am an open source developer, and I do not like what the SFLC is doing. I do not want them to rep. me or my code.

I would like to know if any of the people whom worked on any works that are mentioned get any of those 'donations'.. I think not.

This is gone on long enough. Its one thing to stick up for a lic. and push the ideals of the community one that I respect and participate in I might add, and its another to strong arm companies to paying donations...

I would like to see someone not pay. I would like to see someone take this all the way to the box. Not that I want to see our community dis-mantled but I would like to see this type of legal black mail stop granted we can not ignore violations but its just like the red light cameras that have been going up (USA) to catch someone running a red light or making a right turn with out stopping the 3 seconds... its sleazy money.

"I do not want them to rep.

Lifewish's picture

"I do not want them to rep. me or my code."

Then don't ask them to represent you. Geez, do I have to think of everything?

Seriously, the SFLC doesn't just randomly go out, find a chunk of code and say "hey, let's enforce the licence on this". This is code that the FSF own the copyrights to. Mostly code that their members wrote. And, when an entire industry sector completely ignores that for years on end, I can understand why they get narked.

I agree that the law should be a last resort in the FOSS world - where possible it's best to keep things in the family. But in this case it looks like they spent the best part of *five years* negotiating with Cisco and got nowhere. That's not exactly jumping the gun. The fact that other parts of Cisco have contributed to other parts of the FOSS community is not terrible relevant.

To me, what it boils down to is: if we're not going to enforce the GPL, what's the point of having it? Why not just release your code into the public domain? The point of the GPL is to protect the FOSS community from ghettoisation; if it can't do that then there's no point having it.

I agree that the thought of the GPL being declared unenforceable is very worrying. But if our licence isn't strong enough to protect our rights, it's better we find out sooner rather than later. And it being unenforceable is really no worse than it being *treated* as unenforceable, which seems to be what Ryan is suggesting we do.

Re: It's good

JohnFlux's picture

Except that in this case they've been running the red light continuously for 5 years, despite many many warnings.

What?

Anonymous's picture

From now on when I come here to read an article, if ANY article has Justin Ryan's name is on it I'm clicking off. Simple as that. It's clear he has no respect for the GPL. He's a sissy. He calls this journalism?

I sure miss the old Linux Journal

Anonymous's picture

I sure do miss the old days of the Linux Journal, where the editors actually had a grounding in Linux and FOSS, and knew what they were talking about.

We most certainly should not allow businesses to violate the GPL -- so what if they get mad and take their 0.5% of code home and not play with Linux anymore? They fund a tiny bit of FOSS development, so that buys them a free pass? That's right, FOSS is all about toadying to the wealthy and influential. I'm so glad you cleared that up.

What about the developers of the other 99.5%, we should tell them to stuff it? Nah, they have no rights because you're scared. You know why the GPL has never been tested in court? Because violators know they will lose. No lawyer on earth is dumb enough to try.

This Cisco case has nothing in common with SCO. SCO sued Novell, IBM, AutoZone, and Daimler-Chrysler for reasons varied, nebulous, ever-changing, and ridiculous, and having nothing to do with the GPL. (Here is a nice summary on Wikipedia, http://en.wikipedia.org/wiki/SCO_v._IBM) This Cisco case is a straightforward GPL violation that Cisco screwed up by dinking around and not fixing it for years, and it finally took a lawsuit to get their attention. The lawsuit was the last resort.

And then what happened? Cisco settled. The FSF and the GPL won again, and our world did not come crashing down. Let me repeat that in short words: THE GPL WON AGAIN. The GPL has never lost. So do us a favor, throw away your copy of "How to Cave in When You Are The Strongest, by Neville Chamberlin", and read Eben Moglen instead.

Where do we go from here? From strength to strength, son, from strength to strength.

Are yu nuts?

Anonymous's picture

Summarized down this article is as follows: We shouldn't sue over GPL violations because maybe somebody will decide not to settle and might stop funding or try to have the GPL invalidated. WHAT? If you're not enforcing the terms of the license it's already effectively invalid.

Cisco had 5 years from the time the lawsuit was filed to fix things, they didn't, FSF sued LIKE THEY SHOULD HAVE. Look up Wallace v. Free Software Foundation or look up some of the trials gpl-violations was involved in, in Germany. The GPL has been found valid and even if it hadn't, the simple fact remains that if it isn't enforced it's useless.

Your "logic" is inane and doesn't hold up to even the lightest scrutiny. Please think over things more before you post something like this again.

Nah. I liked the article. It

Anonymous's picture

Nah. I liked the article.

It was fresh and different, unlike majority of articles that touch the license-issue. You know, those articles that resemble a rally of a political party: everyone gets to hear what they want to hear, and at the end of the day, nothing was really said.

Besides, he knows how to write. A rare talent in the FOSS-world.

a low bar

Anonymous's picture

Fresh and different inanity is still inanity.

Jezus christ, what in the

Anonymous's picture

Jezus christ, what in the hell are you trying to say here bud? This post doesn't make any sense at all, youre saying the SFLC was wrong and right but Cisco was also right and wrong. I mean, this article just doesn't convince me at all, I'm just simply glad Cisco settled and everything else youre trying to say, just doesn't come across and therefore doesnt make any sense to me.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix