GPLv2, Red Hat, and You

(See update at the bottom of this post)

One of the interesting outcomes of the Red Hat situation:

Distribution of GPLv2-licensed code requires no restrictions be placed on downstream users rights to use and redistribute the code (whether they obtained it freely or paid for access):

Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients exercise of the rights granted herein.

Does threatening retaliation (account suspension) for sharing code count as a 'restriction' on exercising a user's rights?

So far I've heard from three corporate open source licensing experts the answer is no.

According to them, the EULA only deals with an account-holder's ability to acquire services from Red Hat (a contract).

Unauthorized Use of Subscription Services. Any unauthorized use of the Subscription Services is a material breach of the Agreement.

Unauthorized use of the Subscription Services includes: [...] (d) using Subscription Services in connection with any redistribution of Software

The corporate license experts I talked to said the threat of termination of a subscription would not trigger the 'no restrictions' clause of the GPLv2, which deals with a copyright, not a contract.

I... disagree in principle (for what that's worth, lol) and think a lot about "interference, coercion, or intimidation", something surrounded by some legal precedent, admittedly not in the software space, and only really dealing with discriminatory topics like real estate sales. But it seems there is some case law (ironically, dealing with SCO and IBM) on the topic.

As for whether Red Hat would enforce that agreement and cancel someone's subscription for sharing the source code, here's what Mike McGrath had to say (at approximately 50:30):

If they [downstreams] continue to use their subscription, I think that they would find they'd have difficulties with that, but, I don't really know what else to say about it.

I think it's insane Red Hat, of all companies, is the one triggering this thought process.

Update 2023-07-01

It was pointed out on Reddit the terms also include in Section 1.4 the following:

This Agreement establishes the rights and obligations associated with Subscription Services and is not intended to limit your rights to software code under the terms of an open source license.

From my reading, this would negate the earlier clause, and it seems that Red Hat's EULA is not technically in opposition to the GPLv2 license, which applies only at the time of Red Hat providing the source code, and doesn't widen it's scope to any ongoing relationship (the Red Hat subscription).

Somewhat ironically, IBM's own 'Open Source - Open Enterprise' page states (under section 5):

Note that if there is an End User License Agreement (EULA) or other terms required to download the software, it is not open source and those terms would have to be reviewed further."

Maybe they were on to something.

Comments

I should say after discussing this with about 5 more people now (many of whom have been in the OSS licensing game longer than I have—I started paying attention around 2009), it seems that Red Hat's EULA would be enforceable as long as they don't restrict the distribution of whatever versions an end user has had access to before.

They could cancel my account at any time even if the sole reason they cancel my account is my redistribution of their RHEL sources, and I would have no recourse unless they also tried restricting my ability to redistribute the sources I had already obtained as part of my subscription.

So it seems we have to take turns in breaching the agreement.. perhaps once per week. RockyLinux may develop a program that can download and re-distribute SRPMs not yet in the pool.

I have a Red Hat Developer Subscription, and I would be honored to burn my one free source code download to assist the community of downstream users.

SUSE has a commitment to make everything they do open source. Even Rancher Prime is open source. Maybe it’s time to switch to SUSE

RedHat is barely opensource these days. They opensource the core but the important pieces to be secure and complaint in a production environment they put behind a paywall. SUSE does not.

To take that even further, I'd argue due to the close relationship it has to SLE/Leap (assuming a stock install with no third-party/community repos enabled, Leap 15 to Tumbleweed is a seamless upgrade, for example), and being the one rolling-release distro that's seemingly actually stable and sanely managed, that Tumbleweed might be the one exception to the 'no rolling-release distros in production' rule as it very well might be the only rolling-release distro that's potentially viable in a production setting on a dev workstation or something along those lines.

Arch meanwhile from what I've heard isn't the most sanely managed or stable, so it would only be relegated to personal home desktop or gaming rig use, or at least it should be.

I can get a subscription for RHEL, and I can distribute the source attached to that subscription without being impeded.

"You may copy and distribute verbatim copies of the Program’s source code as you receive it." Nothing in RH's EULA prevents that. Even after I've been denied access to the subscription service, there's nothing concrete that says I'm being denied that right.

To that end, I can be denied the binaries attached with an ongoing Red Hat subscription, and therefore denied access to the source code of future binaries, and nothing in the GPL has been broken.

However, something that worries worries me in Red Hat's EULA:

"The Agreement (including pricing) is premised on the understanding that you will use Subscription Services only for your internal use."

IBM's army of lawyers created an ambiguous and dangerous implication that I am in "breach of the agreement" which is dangerously close to saying I'm in "breach of contract." If IBM successfully argues that "Agreement" and "Contract" are synonyms, then by distributing the code, I could be found in "Fundamental Breach of Contract." In such a breach, the IBM would be allowed sue and get damages. And sure, I could defend myself via the GPL, but who can maintain an onslaught by IBM's legal team?

That falls right into your notion of "intimidation," but who's going to test it out?

Think the community could raise the like $1 billion it would take with a GoFundMe? lol

I think that's why the lawyers gave the go-ahead on those blog posts—outside of maybe Oracle, there's nobody with enough skin in the game and enough cash to challenge Red Hat on any of this.

Isn't this what the Software Freedom Law Center was created for? TBH, IBM took over Red Hat and said we won't make any changes, of course time goes on and IBM is has been slowly turning the screws to attempt to get the community and GPLv2 to implode. IMO IBM/Red Hat agreed to the GPLv2, thus they are in breach when layering on the ambiguous terms that contravene GPLv2. If nobody challenges it though, it will continue to get watered down to the point of uselessness and then all the efforts OSS folks went to will be owned and monetized by businesses.

I don't understand the fixation with bringing IBM into everything.

What does IBM have to do with this if variation of this text are decades old, and were applied decades ago by many other companies such as Cygnus and Montavista?...

Suggest you actually check the license terms for each and every RPM in RHEL before suggesting that any particular license terms might give you the out you're looking for. In ancient times at former $WORK we were considering looking at recompiling our own equivalent from the freely available sources...and I even successfully did a test build...but my recollection is there were a lot of licenses in the various pieces.

My recollection is when you agree to the maintenance agreement you're encumbering your use of the binaries. I'd suggest concentrating on whether that similarly encumbers your ability to build from the sources used to make those RH-built binaries.

I think most feasible alternative if Red Hat pushes this hard (which they shoud not) is Ubuntu. Maybe OS should be free no matter what but support should be.. I root for RocyLinux for RPM based distribs otherwise Ubuntu.

IANAL but as you say contract and copyright law are different and a bit orthogonal. Maybe RH are within their rights to terminate a customer's subscription according to the contract, but that does not mean that the contract is compliant with the upstream source licences. I can see a license violation case (brought by a copyright owner of a substantial body of code included in the distro, not a RH customer) be at least arguable in many jurisdictions, so bringing attention to this is a huge gamble on RH's part just to spite the "freeloaders". If they are found to be in violation of the license they don't have permission to distribute that code (and arguably never did), what then?

What if the plaintiff is not a good faith actor (eg like gpl-violations.org when they were active) but someone like SCO using this a a money grab?

There can be no license violation because the contract also says that any open source license supersedes the terms of the agreement. For example the prohibition to share source might not apply to AGPL software, because of the requirement to offer modified source over the network. So if anything someone whose support contract is cancelled could sue and ask for the contract to be reinstated according to the GPL. But I am skeptical that it would succeed, the lawyers know both copyleft licensing and contract law better than you and I.

Mike McGrath's response (https://www.redhat.com/en/blog/red-hats-commitment-open-source-response…) just smacks of Bill Gates' "Open letter to hobbyists."

"Simply rebuilding code, without adding value or changing it in any way, represents a real threat to open source companies everywhere. This is a real threat to open source, and one that has the potential to revert open source back into a hobbyist- and hackers-only activity."

The only threat to open source right now, is Red Hat

I'm still trying to understand the issues. Are these 2 points correct?

- Demanding a fee (such as requiring a RHEL subscription) for getting RHEL source code is legal under GPL2.
- GPL2 says that anyone receiving a product with GPL2 must be able to obtain the source code. So following the point above, a subscriber to RHEL is obligated to have the source code for RHEL for no additional fee.

However, Red Hat says that a subscriber who redistributes their product will be kicked out as a subscriber (thus the person will no longer have access to the source code).

My question is, is there anything in GPL2 that says a company like Red Hat is allowed to restrict (however they wish) a customer's ability to redistribute source code?

I am struggling with this question as well. How does a customer using RHEL for their products comply with the GPL license for individual packages under GPL/LGPL? The GPL/LGPL license requires that both original and modified source code be made available for any GPL-licensed binaries that are distributed (i.e. shipped with the product). How can this be done if RH contract restricts redistribution of their GPL source. I don't see how this restriction could be allowed for code under GPLv2+/LGPLv2+.

Logically and ethically, it makes zero sense. Legally, it seems to be kosher. Enough that all the corporate OSS folks I've talked to agree that Red Hat would probably win any court case challenging it.

Thank you for confirming what you have found out, Jeff. Completely agree this makes zero sense logically and ethically. Ans seems to be skirting on the edge of GPL compliance. I'll be discussing with my legal team to this week when back from July 4th holiday.
I have been doing OSS compliance for several years, and haven't seen this type of arrangement before, even with proprietary vendors who at least provide copyleft source and allow for redistribution of that source for compliance purposes.
However, as you said, legally, it is probably kosher since as a RH customer, i.e., I can request the source for GPL components; but it really puts us in a bind w.r.t. GPL compliance if/when *our* customers request source.
This will be a forcing function for us to move off RHEL, and now will be hesitant to trust that RH UBI images will remain open, so will likely avoid those as well. Disappointing, since I have long been an advocate for RHEL/CentOS, had a lot of respect for Red Hat's support of OSS projects, how well they supported OSS compliance in the RHEL/CentOS distros, and their engagement with SBOM and VEX support. Sigh.

Yeah, and feel free to reach out if you find anything interesting after discussing with the legal team.

I thought for sure there would be precedent over coercion/intimidation laws ("it'd be a shame if your account were deactivated after you exercise your rights to share that code"), but apparently that's only a thing for real estate law (AFAICT).