I wrote to the address in the GPLv2 license notice (2022)
code.mendhak.com783 points by ekiauhce 3 days ago
783 points by ekiauhce 3 days ago
This is funny because I was the operations assistant (office secretary) at the time we received this letter, and I remember it because of the distinct postage.
I met a web developer working for the FSF at a Boston pub one night while in town for a Red Hat conference. After many drinks, he walked us down fifth street to the FSF office building. I wasn’t sure what to expect but when we got there, he typed in some numbers on the door entry system, and what came out was RMS singing the free software song lol. It was a wonderful treat for a young Linux nerd on a hazy adventure in the early morning
I love that your story could be read in two different ways: (1) a recording of RMS appeared on the door entry system screen, or (2) the man himself waltzed out of that door and started singing.
How wonderful! Since the game of the day seems to be the technicalities of the minutiae, could you explain the decision to send the GPLv3 vs GPLv2? Is this a request that happens often?
The sender didn't specify the version in his request, so I find it natural that they've sent him the latest version.
The author mentioned this exact problem. Quoting:
> There was a problem that I noticed right away, though: this text was from the GPL v3, not the GPL v2. In my original request I had never mentioned the GPL version I was asking about.
>The original license notice makes no mention of GPL version either. Should the fact that the license notice contained an address have been enough metadata or a clue, that I was actually requesting the GPL v2 license? Or should I have mentioned that I was seeking the GPLv2 license?
This is seemingly a problem with the GPL text itself, in that it doesn't mention which license version to request when you mail the FSF.
A Sid Caesar skit showed doughboys celebrating and one shouted "World War 1 is over!"... when they made GPLv2 maybe they didn't anticipate creating future versions (although yeah, if you're already on v2 you should foresee that).
There is a GPL v.1, and it may have been so numbered at initial publication:
Well to be fair, that's not the full license notice, that's only the last paragraph. There should a couple more above that one and the first paragraph says the version of GPL in use. That said I think the license notice is also just a suggested one, it's not required that you use that _exact_ text.
How does a sender who only has a GPLv2 license notice even know that there is a v3? Should they first send a letter asking which versions are available?
the usual license header has something along the lines of "either version [23], or at your discretion, any subsequent version", which clearly explains that there are specific versions with distinct rules. Many people opt not to include this clause because they (understandably) don't want to automatically agree to a contract that hasn't even been written yet. However if they fail to make the version clear that's on them.
Anyways I don't think this defense would ever fly in court. As soon as the plaintiff's lawyers produce evidence that you are aware of GPLv3 (such as pointing out that you have GPLv3 software on your PC or phone) the judge is going to see that you're trying to game the system on technicality and sanction you. Judges really don't like this sly loophole BS where it's extremely obvious that you're feigning ignorance for the sake of constructing an alternate reality where you hypothetically never knew there was a GPLv3.
If the sender requests GPLv2, he should receive GPL version 2.
If the sender requests GPL, I find it natural for him to receive version 3, because it's the latest version. At the time of receiving the license, he gains knowledge about the existence of version 3 (the header on the print says the GPL he received is version 3).
If the sender has a notice about GPLv2, it means that there's a high chance that there's also GPLv1. This should be a sufficient hint that requesting only "GPL" is not sufficient, because the sender should be aware of the risk of receiving GPLv1 if he won't mention the "v2".
GPLv2 by default means GPLv2 or later, so GPLv3 is perfectly valid indeed.
That's actually not true. GPLv2 by default means v2, not v3, unless you explicitly allow "or later."
Linux is actually the famed example of v2 but not v3.
The version wasn't specified in the request
What sort of request volume did you get? How many per day were you sending out?
On average, zero per day, maybe 5 to 10 per year.
I'm really surprised that it's more than 1 ever.
At scale, there are a lot of confused people who do unexpected stuff. The maintainer of cURL has people contact him when a notice shows up in car software or when they think he is connected to hacking: https://daniel.haxx.se/blog/2018/02/16/why-is-your-email-in-... https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/
At least he got a response. Meaning the address didn't change mostly.
A few years back I worked on an embedded linux project. For our first "alpha" release one of the testers read through the license agreement (as opposed to scrolling past all that legalese like most people do) and found the address to write to to get all the GPL source, he then send a letter to the address and it was returned to sender, invalid address. Somehow the lawyers found out about this and the forced us to do a full recall, sending techs to each machine to install an update (the testers installed the original software and were expected to apply updates, but we still had to send someone to install this update and track that everyone got it). Lawyers want to show good faith in courts - they consider it inevitable that someone will violate the GPL and are hoping that by showing good faith attempts to follow the letter and spirit the court won't force releasing our code when a "rouge employee" manages to violate the license.
The more important take away is if your automated test process doesn't send letters to your GPL compliance address to verify it works then you need manual testers: not only are you not testing everything, but you didn't even think of everything so you need the assurance of humans looking for something "funny".
The Free Software Foundation closed their office at 51 Franklin St in August 2024 [1]. Their new mailing address is on 31 Milk Street [2].
If this test was reproduced today, we may see different results ;)
[1]: https://www.fsf.org/blogs/community/fsf-office-closing-party
That's recent enough that mail forwarding should work, if they set it up:
> Standard mail forwarding lasts 12 months. You can pay to extend mail forwarding for 6, 12, or 18 more months (18 months is the maximum).
Edit for source: https://www.usps.com/manage/forward.htm
> > Standard mail forwarding lasts 12 months. You can pay to extend mail forwarding for 6, 12, or 18 more months (18 months is the maximum).
That's kind of awkward when you consider people will find that address for source code where that license file just wont be updated for decades to come, if at all.
We need DNS, but for mail addresses.
Maybe DNS for mail addresses is like a Post Office Box number? :-) https://en.wikipedia.org/wiki/Post_office_box
With 20/20 hindsight, if the FSF had used a P.O. Box number in the license, the license addresses would always be correct even if the FSF office changed addressed or (as now) was no longer maintained.
Of course, the cost of a P.O. box over 40 years would have added up to thousands of dollars and that is less money for FSF advocacy. And time spent going to the post office to check the box would also have taken away from advocacy time.
Another physical mail DNS-like idea is mail forwarding -- but it typically has time limits at the post office although not for private mail forwarders: https://en.wikipedia.org/wiki/Mail_forwarding "Private mail forwarding services are also offered by private forwarding companies, who often offer features like the ability to see your mail online via a virtual mailbox. Virtual mailboxes usually have options to get your mail scanned, discard junk mail and forward mail to your current address."
Although strictly speaking, these forwarding services are not quite like DNS (even if they do get at the idea of indirection). A true mail DNS would be more like a service you mail a post card to with a person's or organization's name and which mails a post card back to you which tells you what address to currently write to in order to reach that person or organization. (At least, if you write to that received address during some time-to-live window of validity of the address.) And I guess Encrypted DNS would be like you and the service using more expensive security envelopes instead of post cards? :-)
> Of course, the cost of a P.O. box over 40 years would have added up to thousands of dollars and that is less money for FSF advocacy. And time spent going to the post office to check the box would also have taken away from advocacy time.
To be fair, renting office space in downtown Boston also adds up to tens (if not hundreds) of thousands of dollars, every year. By comparison, $500 dollars a year [0] for a medium PO Box (in the lobby of the building for their new office, no less!) is a steal.
CGP Grey, a youtube channel, has a video on some of the problems of the postal codes and addresses from earlier this year that I learned about alternates to my familiar US based system. https://www.youtube.com/watch?v=1K5oDtVAYzk
Even moving once has made the need for this clear to me, it boggles my mind that it isn’t a (common) thing.
One thing I've been meaning to try, but never got round to, is to stick a URL on an envelope, pointing at a page with an address, and see if the mail (royal mail, in my case) actually deliver it. I suspect they would but that it would take a few extra days. It's no worse than some of the addresses that they do deliver.
What about encoding the address as a QR code?
This should not require any Internet access to view by whoever is scanning it to be sorted for delivery.
It also does not help you to update the address later.
It does if it leads to a web page with an address.
What happens when all project maintainers die and the source code disappears?