[FOSSology] GPL license violations

Bradley M. Kuhn bkuhn at sfconservancy.org
Fri Apr 20 16:00:35 UTC 2018


al so wrote at 22:05 (PDT) on Thursday:
> I thought this tool would aid such review in an automated fashion.  But
> No. It just detects GPL libs.

Please be careful not to inadvertently troll this list.  I am sure you don't
mean to do so, but your emails come across a bit as such.  I thus decided to
de-lurk and reply since -- for posterity purposes -- it's probably useful (if
folks later find this thread in archives) to have an email in the thread
explaining the nuance of what Fossology can and can't do regarding detecting
GPL violations.  That's what I do below.

Fossology is a very valuable tool, and as Ryan Arnold pointed out, it can aid
in the important first steps in your understanding of how to comply with
licenses when given a codebase that's new to you.

There are a *lot* of clauses in the GPL, and the clauses where Fossology
helps with compliance are, admittedly, not the ones that are most often
violated today.  For example, if you have a binary that may have GPL'd code
in it (i.e., a straight-up GPLv2§3 / GPLv3§6 violation), I'm not aware of
any feature in Fossology that will help you determine that; you need a
binary analysis tool.  (Personally, I just use 'binwalk' and 'strings' for
that situation.)

More generally, if you are working backwards from a known-violating binary,
Fossology can't *directly* help you figure out the proper complete,
Corresponding Source (CCS) that is needed to resolve that violation.  CCS
release construction, particularly when done in a post hoc fashion, is
something only a human can do.  But Fossology can *indirectly* assist in
those situations.

Furthermore, there *is* a class of violations that Fossology can detect
quite well.  That's what Ryan refers to when saying:

On Thu, Apr 19, 2018 at 12:57 PM, Ryan Arnold wrote:
>> It will not directly detect violations. It can be used in conjunction to
>> identify the presence of GPL and with research and review to see if any
>> violation may have taken place.

For example, Fossology will do an excellent job finding what are called
"license incompatibility violations", such as when you have a codebase that
has combined code that says "non-commercial-use only" with GPL'd software.

For Conservancy's part, we use Fossology extensively as part of our work
enforcing the GPL for Linux, Samba, Debian and other projects (See
<https://sfconservancy.org/copyleft-compliance/>).  Specifically, when we
get a candidate CCS release from a GPL violator, we use Fossology to verify
that they haven't introduced license incompatibility violations.  We also
use Fossology to compare the licensing information from the public upstream
project with the sources provided, to be sure that license notices have not
been surreptitiously modified.

In short, the problem you (and we all) wish Fossology could solve is (more
than likely) what's called in computability theory an "undecidable problem"
(See <https://en.wikipedia.org/wiki/Undecidable_problem>).  So, you
hopefully see now why your inquiries look troll-ish.  Your comment is akin
to posting to the mailing list of a project that does static code analysis
complaining that their project doesn't solve the halting problem. ;)
-- 
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter
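Editor's added example (not part of the email above, and not FOSSology or Conservancy code): the kind of strings-based triage of an opaque binary that the message says a binary analysis tool is needed for. It assumes a POSIX sh with GNU-style `grep -a -o`, and builds its own sample "binary" inline so it runs offline; on a real firmware image you would first carve out the filesystem with binwalk and run the scan over each extracted executable. The marker list is an illustrative assumption, not a definitive catalogue.

```shell
#!/bin/sh
# Added example: look for GPL license markers in an opaque binary using a
# strings(1)-style extraction.  Not FOSSology code; the sample binary and
# the marker list are constructed for illustration.
set -eu

# Constructed sample "binary": an ELF-like header, filler bytes, then a
# few strings of the sort GPL'd code tends to leave behind.
make_sample_binary() {
  {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\000'
    head -c 64 /dev/zero | tr '\000' '\377'
    printf 'This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License\000'
    printf 'BusyBox v1.31.1 multi-call binary\000'
    printf 'license=GPL\000'
    head -c 32 /dev/zero
  } > "$1"
}

# Portable stand-in for strings(1): print every run of at least $2
# (default 8) printable ASCII bytes in file $1, one per line.
extract_strings() {
  LC_ALL=C grep -ao "[[:print:]]\{${2:-8},\}" "$1" || :
}

# Patterns worth a second look (assumed list): GPL/LGPL notice text, the
# MODULE_LICENSE tag Linux kernel modules carry, and the name of a
# well-known GPL'd program.  Extend with symbols from libraries you care about.
GPL_MARKERS='GNU (General|Lesser General|Library General) Public License|free software; you can redistribute|license=GPL|BusyBox'

# Print the distinct matching strings from $1 (empty output if none).
scan_gpl_markers() {
  extract_strings "$1" 8 | LC_ALL=C grep -iE "$GPL_MARKERS" | sort -u || :
}

# Number of distinct matching strings in $1 (prints 0 when none).
count_gpl_markers() {
  scan_gpl_markers "$1" | grep -c . || :
}

sample=$(mktemp)
make_sample_binary "$sample"
printf 'GPL-related strings in %s:\n' "$sample"
scan_gpl_markers "$sample" | sed 's/^/  /'
printf '%s candidate string(s) found\n' "$(count_gpl_markers "$sample")"
rm -f "$sample"
```

A hit here only tells you GPL-related text is present and that a human review is warranted; it does not establish a violation, and a stripped or obfuscated binary can carry GPL'd code without leaving any of these strings, which is exactly the limit the message above describes.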