Does the use of private plugins breach the terms of the GNU GPL v2?


(Angus McLeod) #1

Having just re-read the GNU GPL v2 and currently thinking about how an ‘app store’ for Discourse would work, it occurred to me that it is arguable that the use of Discourse plugins for which the source code is not publicly available (e.g. in a private repository) breaches the terms of the GPL v2.

Taken together, these parts of the GPL v2 seem to require that the source code of plugins be publicly available:

…a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language.

2. b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.

[ All of section 3]

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.

There are further parts I could cite, but this would get too long…

Maybe that is not the way people have understood the terms of the GPL v2 in the past, but it is seems eminently arguable from a contractual perspective.

Disclaimer: This is an impression based on a brief reading of the documents. This is not a formal legal opinion.

Doing some very preliminary research it seems that my impression may be shared by others, and by some courts.

Interestingly, it seems that the folks pursuing cases over the availability of GPL v2 source code are typically not the copyright holders.


(Dean Taylor) #2

I would suggest digesting information from WordPress on this matter:

Also interesting reading:


(Angus McLeod) #3

hm yes. Invariably, the question is how courts will construe it.

There seems to be a perception in the industry, influenced by Wordpress and similar examples, that the GPL v2 allows for private plugins to software licensed under the GPL v2.

However, if a interested party decides to test this in court, the court will not take much notice of the industry perception. They’ll largely look at the terms of the license itself.

More interesting reading:

edit. It seems Wordpress has been concerned about this issue as well:


(Sam Saffron) #4

I am clearly not an IP lawyer, but we require a CLA for every core contribution so this is a non issue for our own hosting cause we have full control of core licensing.

For self hosters using private plugins, no idea, maybe it is an issue.


(Angus McLeod) #5

Right. This is not an issue for core Discourse or Discourse hosting. It’s an issue for 3rd parties who have made private plugins.

Even then, in the vast majority of cases of 3rd party plugins, it is not really an issue because it only really matters in enforcement scenarios. If you’ve made a private plugin for your own forum, you’re unlikely to be deriving significant financial benefit from it. No-one - Discourse or the various third party institutions seeking to protect the GNU GPL - has a real incentive to bring an action.

This is partly why it has not been an issue for Wordpress. No-one with the necessary resources has an incentive to bring an action against a Wordpress plugin developer who keeps their source code private. Or perhaps they do, but they don’t realize it.

Moreover, the development of plugins, whether they are public or private, is healthy for an open source ecosystem.

Nevertheless, separate from the issue of whether the circumstance for an action would ever exist, the question of whether a developer of a private plugin to a open source repository is in breach of the terms of widely used open source licenses is concerning for the overall trajectory of open source software. The ‘plugin’ approach is not uncommon for open source projects.

I guess what concerns me is that at some point down the line, if the project becomes ever more successful, this technical breach of contract could be misused. It’s a bit like leaving a minor security vulnerability in the code. It doesn’t matter until it matters.


(Michael - DiscourseHosting.com) #6

BTW Previous discussion at A question on GPL licensing and the current WordPress debacle

As I understand, only if you’re distributing them.


(Angus McLeod) #7

This seems to be where people have landed, however I’m not sure this is legally correct. The references to ‘distribute’ are always used along with references to ‘copy’ or ‘copy, modify, sublicense’. It seems to go beyond just distribution. I’m not sure, from a purely legal perspective, that a court would limit it to distribution. But, for the reasons mentioned above, practically speaking the question will probably only arise in circumstances of distribution.

The real issue here is that copyright law is the bastard child of property law, and that open source is fundamentally at odds with core concepts of property, let alone copyright. I wrote my law thesis on the concept of property in common law systems, so I tend to get excited and nerdy about these kind of questions. Much more work needs to be done on the open source legal framework.


(Jeff Atwood) #8

Ok, so you are just heaping speculation on top of (already existing!) speculation, and NOUAAL (None Of Us Are A Lawyer) so… is there any purpose to this topic, other than capturing the random thoughts of random people?


(Angus McLeod) #9

I am a lawyer. But, yes it is still largely speculation, given the lack of precedents on the matter.

I may just be needlessly scaring people, given the practical dimensions here. And that there aren’t any other lawyers here to discuss the question.

Nevertheless, as a third party plugin developer, it does affect me.


(Jeff Atwood) #10

I suggest researching what paid WordPress plugin authors do in practice will be the most useful outcome here.


(Michael - DiscourseHosting.com) #11

From the Wordpress site mentioned above:


(Angus McLeod) #12

This is going to get lawerly. Apologies in advance.

There are three issues with those two sentences.

One is that it is Wordpress’ view and not determinative of how the GPL will actually be interpreted (it is basically a guess on their part).

The second is that it mixes two uses of the word ‘distribute’. The first sentence concerns the scope of the GPL. Does it apply only to distributed derivatives, or does it also apply to non-distributed derivatives? The second sentence concerns the questions of what obligations the GPL places on derivative works to which it applies. If you read it a couple of times, you may notice there is a contradiction on the face of the meaning of those two sentences. If the GPL does not apply to non-distributed works as the first sentence claims, then how can it be determinative on the requirements placed on non-distributed works as the second sentence implies? This prima facie contradiction can be resolved, but it points to the fact that the slippage in usage is a bit sloppy.

The third is it that is relatively easy to sow doubts about what is painted as a relatively categorical interpretation of the GPL. This is exactly what lawyers will do in a relevant case. This is how it will be done.

Take this phrase used throughout clauses 1 to 3 of the GPL.

copy and distribute

Now, on first reading you may have thought that means that it applies to situations in which people both copy and distribute a work. On this reading ‘distribution’ is always a necessary part of use to which the GPL applies. There is another reading of this phrase which renders ‘copy’ and ‘distribute’ as divisible elements. This would mean the GPL applies to either copying or distributing a work. This interpretation may seem implausible to you as you feel that normally when you see two nouns joined by ‘and’ you read them conjunctively.

However, lets look at other uses of the words ‘copy’ and ‘distribute’ are used in the GPL (which is what a court will do when trying to resolve grammatical ambiguities).

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.

This sentence seems to use the verbs disjunctively. And in fact is directly referring to the scope of the GPL.

You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License.

Same as above.

It would be quite easy to make a case of contractual interpretation that the GPL applies to non-distributed derivatives.

Now, I’m not saying that that is how the GPL will be interpreted. I would reiterate what I said in response to Jeff’s post that, this is really speculation. And perhaps best left to lawyers to speculate over, rather than worry too much about at this stage.

But, that said, if I were thinking of starting a business or a career in work based on derivative works of an open source project like Discourse or Wordpress which uses GPL v2 (as I am), I would want to understand that there is a legal risk involved given:

  1. The terms of the GPL.
  2. The lack of legal precedent concerning the construction of the GPL.
  3. The general uncertainty and ambiguity around this area of law.

Regardless of how well established we think of Wordpress and how large it looms in our minds, a judge or the legal system (and keep in mind we’re talking about all legal systems, not just the US legal system) generally, will largely not care. They will look at the terms of the license.

Disclaimer: none of this post or previous posts constitutes legal advice.


(Erlend Sogge Heggen) #13

I think this an important conversation to have, but it would work better framed as a WordPress discussion, addressed to the WP community. They have over a decade with experience with this, and plenty of lawyers whose job it is to make sure their clients don’t get ruined by a misinterpretation of the GPL.

Maybe write a personal blog post about it and try spread it around, or get in touch with https://wptavern.com and ask to do a guest post there as I’m sure they’d be interested in this topic.


(Luke S) #15

Also of note: the FSF’s official stand on this subject, which should at least give some context to the intent under which the License was written.


(Steve) #16

How real a problem is this for Discourse? Are there any third parties selling plugins and keeping code private?

I can recall one incident from last year, which ultimately culminated with the author offering their source.


(Angus McLeod) #17

The best approach is simply to communicate. If you’re selling private plugins and you have a concern, just talk with someone at Discourse.

Unless you’re a lawyer and are interested in the legal question, or you’re devoting significant resources to a business around software using the GPL v2, I would not worry about this.

If you still have concerns regardless and want an informal 3rd party opinion, pm me.


(Christoph) #18

Interesting. So that means that it is only the Discourse developers (the creators of the original code) that can invoke a violation of the GPL? As is: they can make exceptions?


(Angus McLeod) #19

In most cases, yes. Richard Stallman wrote a useful post partly on that point recently (see footnote 9). There are possible exceptions to this, which are not worth getting into here.

However, the main point of talking with a license holder if you have any concerns that your use of their software breaches their license, is not to seek for a legally binding exception. It is to avoid legal issues altogether by developing a positive relationship with the license holder / community.

I have some regrets about posting this topic actually, as it prompts folks to think in overly legalistic fashion.


(Christoph) #20

No, I think it’s a valuable topic and I’m grateful that you are taking the time to explain the legal side of, well, a legal document.

Of course it’s not only a legal document and I didn’t mean to imply that people should talk to the license holder for legal reasons. I just wanted to understand the basic setup of the license, which I thought was binding also for the license holder. Thanks again for explaining!