Canonical recently threw this issue into sharp relief by their decision to ship CDDL-licensed ZFS as a module of the GPLv2-licensed Linux kernel. Reading their legal justification for this leaves me somewhat unconvinced because it’s essentially the same “not a derivative work” argument that a number of dubious actors have used to justify binary modules. So what I’d like to do is look at this issue from a completely different viewpoint: first, by accepting the premise that CDDL and GPLv2 are incompatible (since there’s some debate on this), and second, by accepting the even more controversial proposition that creating a kernel module is a derivative work. I don’t want to debate these premises because they’re worst-case assumptions I’m using as inputs to make the following analysis possible.
What is compliance?
One of the curious things about CDDL and GPLv2 is that they’re both copyleft (albeit in differing forms) and have the same compliance requirement: the release of complete corresponding source code for your binary containing the licensed work. In fact, the only significant difference is the requirement for build scripts, which is in GPLv2 but not in CDDL. Therefore you can say that if you follow the compliance regime for GPLv2 on CDDL code, you’ll be in full compliance with the CDDL. The licences do, in fact, have compatible compliance requirements. This fact becomes very relevant when you consider the requirements for bringing a copyright lawsuit in the first place.
Where’s the Harm?
Copyright law is something called a tort in law. That essentially means a branch of law for resolving disputes between individual parties. However, in order to stem what could be seen as frivolous lawsuits, bringing a claim under tort law requires not just a showing that someone broke the rules of whatever agreement they were under but also that quantifiable harm resulted[1]. The essential elements of a tort claim are a showing of a violation, a theory of the harm produced and a request for damages based on the harm[2].
All of the bodies which do GPL enforcement recently published a charter in which they make clear that the sole requirement from an enforcement action should be compliance with the terms of the licence. However, as I showed above, it is perfectly possible to be compatibly in compliance with both the CDDL and the GPLv2. So the question becomes: if the party is already in compliance, even though there’s a technical violation of the terms of the licence produced by the combination, what would our theory of harm be, given that we don’t really seem to have anything extra we’d ask of the violating party?
Of course, one can wax lyrical about the “harm to the licence” of allowing incompatible combinations. However, here we’re on a very sticky wicket because there have been a lot of works published (including by the FSF itself) bemoaning the problems of licence incompatibility. Indeed, part of the design of the GPLv3 process was to make the licence more amenable to combination with other open source licences. So suddenly becoming ardent advocates for the benefits of licence incompatibility is probably unlikely to fly before a judge as a theory of harm.
What the above analysis shows is that even though we presumed combination of GPLv2 and CDDL works to be a technical violation, there’s no way actually to prosecute such a violation because we can’t develop a convincing theory of harm resulting. Because this makes it impossible to take the case to court, effectively it must be concluded that the combination of GPLv2 and CDDL, provided you’re following a GPLv2 compliance regime for all the code, is allowable. This conclusion is the same as the one Canonical reached, but the means by which I got there are very different.
Note that this conclusion would apply to mixing any open source licence with GPLv2: provided the compliance regimes are compatible and the stricter one is followed, it’s difficult to develop a theory of harm and thus the combination is allowable.
The above analysis is all from the point of view of the Linux kernel compliance activities. However, with ZFS, there is another copyright holder: Oracle. Nothing prevents Oracle suing for copyright violation with a theory of harm that says something like: the CDDL was deliberately designed to be incompatible with GPLv2 to prevent ZFS being shipped in Linux and, as the shipper of products based on ZFS, they’ve suffered commercial harm (which would be quantifiable) by this action.
1. This is a gross simplification; because copyright is a strict liability tort, I’m ignoring things like duty and intention.
2. In the US, provided the copyright was registered before the violation took place, damages may be statutory rather than actual. But even for statutory damages, they come in a range which must be related to the harm.