Date:	Tue, 26 Jun 2007 15:45:28 -0700
From:	"David Schwartz" <davids@...master.com>
To:	"Linux-Kernel@...r. Kernel. Org" <linux-kernel@...r.kernel.org>
Subject: RE: Dual-Licensing Linux Kernel with GPL V2 and GPL V3


david@...g.hm wrote:

> this sounds like a step backwards, you may not have the sources at that
> point if you were relying on the other site to host them.

You would then be violating the GPL, under any version. The GPL is quite
clear that being unable to comply with it means you do not get the benefits
it offers rather than excusing you from meeting its requirements.

You *MUST* have the source code in order to distribute it on request. You
cannot ship GPL'd works without offering source code just by arranging it
(deliberately or accidentally) so that you don't have the source code.

> and by the way, internet access never was a barrier that could stop
> someone from obtaining them, the only issue was you hosting the source vs
> someone else hosting the source.

The GPLv2 never specified one way or the other.

If you do allow someone else to host them, you are responsible for making
sure they remain available for at least three years from the last time you
used them as an offer. Should they stop distributing, you would be violating
the GPL. Nothing in the GPL says you can't rely on third parties for your
GPL compliance. Of course, this could be a very risky thing to do. However,
there is no GPL violation so long as they do in fact remain operational for
three years from the last time you distributed.

In fact, a third party is no more risky than any other setup. Any company
can go out of business within the three-year period after distribution.
There are many real-world cases where a third party having the source is
actually more likely to result in actual GPL compliance than the
distributor. (Consider a fly-by-night company selling Fedora binary
distributions burnt to CDROM on the spot for $1 on a street corner.)

One way to avoid this problem is to maintain your own web page that links to
the third party's download. You would have to host the sources yourself if
you couldn't make other arrangements at any point during the three-year
period.

This is no different from any other case where the offer is not honored. If
the offer is not honored in a case where the GPL requires that it be, the
GPL is being violated.

DS

