Copyright, GPL, Licensing
comment 1

The GPL and the story of WPScan and Vane

The debate

By now, many in the WordPress community will have heard about the WPScan/GPL debate. Personally I was a bit late to the party on this one but, thanks to a tweet from ManageWP this morning, I’ve now read a bit about it.

I’m not expressing a legal conclusion

Now, I don’t want to wade into this specific debate and try to express a legal view on what’s right and wrong here because I don’t know the facts well enough. Instead, I’m just going to state a few propositions that I believe reflect copyright law (in many countries) and the requirements of the GPL. I leave open how they might apply to this situation and, to be clear, I’m not providing any legal advice to anyone that reads this post. My usual disclaimer applies (I know that sounds a bit OTT but I’m just exercising a lawyer’s caution).

The propositions

So, without further ado, here are those propositions I mentioned:

Sole copyright owner can do what she wants:  A person (or company), lets call her A, that owns all copyright in a new work (such as a software program) is entitled to release that work under whatever licence or licences she chooses. (The words “all copyright in a new work” are important, as we’ll see below.)

Multiple licensing is OK: A may license this work (one in which she owns all the copyright) under the GPL or under a proprietary licence or both. Applying the GPL to the work does not prevent A from subsequently licensing the work under a different licence. This is because she is the owner and because she has not, by licensing it earlier under the GPL, granted an exclusive licence which would otherwise prevent her from licensing it to others by alternative means. As the sole owner of the copyright work, she has the exclusive right to do ‘restricted acts’ (acts such as copying, adapting and distributing the work, and licensing others to do these things) as she pleases.

Recipients of GPL’d version get the GPL freedoms:  At the same time, anyone who obtains the work under the GPL is entitled to exercise the freedoms that the GPL confers in relation to the GPL’d version. The existence of a different licence over another version (regardless of whether the content is the same) is irrelevant.

A continues development as owner, not licensee:  When A, the owner, continues development on her own work that she has GPL licensed, she is not making a derivative work of someone else’s copyright work. If she was, she would be obliged to obey the GPL’s downstream licensing requirements. But she is not. She is adapting her own work. Let’s look at the language of version 2 of the GPL. The (in)famous clause 2(b) says this:

“2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.”

This is an obligation cast on licensees by the licensor, A. The “You” in this clause refers to licensees, not the licensor (A).

But if A’s work is a derivative work of a GPL’d work, the GPL licensing requirements kick in on distribution: However, things can get trickier than this. If the work in question is actually a derivative work of someone else’s, or other people’s, GPL’d work, A (in this discussion) would be a licensee. She needs a licence to make that derivative work. The GPL authorises this but on the clear condition that her derivative work, when distributed or published, contains the GPL licence statements and is licensed for use by others under the GPL. Now, to the extent that she develops her own original code, she is the owner of that code, but the derivative work actually consists of two copyright components: the original GPL’d work (or part of it) and the new code. A does not obtain property rights in the derivative work that are greater than her own contribution. If she doesn’t obey the GPL’s requirements, her distribution of her derivative work becomes an infringement of the original owner’s copyright.

What if A’s solely owned GPL’d work is contributed to by developers who license their contributions under the GPL?  What about the scenario where A’s work, when initially licensed under the GPL, contained only A’s code (and couldn’t be said, for argument’s sake, to be a derivative work) but is subsequently contributed to by other community members (let’s call them B, C and D) who, because they’re contributing to GPL’d code, license their contributions under the GPL. Assuming that these contributions qualify for copyright, the resulting work is now a collection of different property rights. No longer can A be said to be the sole owner of the resulting work. At this point, A’s ability to license the resulting work under whatever licence she chooses, when she distributes or publishes the resulting work, falls away. It falls away because, as she is now a co-contributer (even if the primary one), she is bound by the obligations cast on her under the GPL by B, C and D in their position as licensors. Going back to the wording of clause 2(b), she is now a “You” and, as a result, must “cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License”. The “Program” here is B’s contribution. And C’s contribution. And D’s contribution. The ‘resulting work’ I mentioned above now contains the Programs of B, C and D (or, perhaps in some cases, parts of them). A can still license her original work (i.e., without B, C and D’s contributions) under any licence she chooses, but the same does not apply to the resulting work that contains B, C and D’s contributions.

What if A’s solely owned GPL’d work is contributed to by developers who assign copyright? But wait, there’s another scenario. It’s the same as the previous scenario but, instead of B, C and D licensing their new original contributions under the GPL, they are required by a contribution agreement to assign any copyright in their code to A upon submission. In this scenario, A remains the owner of all copyright in the resulting work. Because she remains the sole owner, she can continue to license the resulting work under whatever licence she likes.

What if Mr X obtains GPL’d version 1 but A licenses version 2 under a proprietary licence? Now, what is the position where A licenses version 1 under the GPL, A subsequently decides to apply a proprietary licence to version 2 of the work in circumstances where she can as full copyright owner, and a developer, let’s call him Mr X, wants to copy and adapt the original GPL’d work and then sell it. Mr X is perfectly entitled to do so and it would be quite wrong (in my view, anyway, and certainly from a legal perspective) to castigate Mr X as a pariah or anything of the sort. If you play in the GPL sandpit you need to understand the sand it contains, what you’re getting into and what licensees are entitled to do when they’re in there with you. A’s act of subsequently applying a different, proprietary licence to version 2 of the work (either a version with the same content or a truly new version) does not have the effect of revoking the GPL that applied to the original work. The GPL is generally considered to be irrevocable which means that anyone who obtains a copy of a GPL’d work may exercise the freedoms that the GPL grants, subject only to complying with its conditions.

What if Mr X took a newer version licensed under a proprietary licence? If, in this same general scenario (i.e., where A owns all the copyright), Mr X took a newer version of A’s software that was only licensed under a proprietary licence, and sought to use it in a way that went beyond the permissions in that licence, Mr X would be infringing A’s copyright.

Let’s close

I think that’s enough for now. I hope it’s helpful and doesn’t ignite further flame wars. Let’s not forget that we’re all here together on this pale blue dot, a dot that has more web-related and open-sourced opportunities for us all than it did before Michel Valdrighi, Matt, Mike Little and the many others got stuck into WordPress and made it the fantastic CMS it is today.

As I’ve said above, I’m not commenting on the specific facts of the WPScan case. I don’t know the specific facts in relation to the codebase, whether it was a derivative work in the first place, who contributed how much code to it and so forth, and so can’t purport to express a legal conclusion on it. I’ll leave that to others with more information than me. Good luck (as these questions can be tough at times for everyone involved).

1 Comment

  1. Thanks for the rundown! It was hard for a non-legal like me to read (it’s easier to follow when applied to a situation) but I got the gist.

Leave a Reply

Your email address will not be published. Required fields are marked *