Red Hat found a way to get around the GPLv2 license intention with contract law

Published: Aug 3, 2023
By: Sid Sijbrandij

I recently wrote about how the Red Hat model only worked for Red Hat. But Red Hat’s recent move to only provide Red Hat Enterprise Linux (RHEL) source code to customers suggests that the “Red Hat model” no longer works for Red Hat. Removing the public code base for CentOS and only offering the RHEL source code to customers may be technically legal, but it lacks transparency and is a sideways attempt to restrict the redistribution of open source code. It violates the spirit of the open source software movement and was not well received by the community.

From a business perspective, Red Hat’s decision to curtail downstream clones is easy to rationalize. Low rake (generating a lot more value than you capture) is a real issue for open source companies. Capturing more of the value the company creates is good for business. But from a community perspective, the change has severely damaged Red Hat’s reputation. Downstream clones are an important part of the open source ecosystem, and code freedom (i.e. not restricting how the code is used or distributed by others) is a core tenet of the movement.

From a licensing perspective, the legality of requiring a subscription agreement that prohibits redistribution seems to be directly at odds with the GPLv2 license. The general consensus is that Red Hat is not technically breaking GPL terms but skirting the lines of compliance. For a company that has built its brand and reputation on being open, the lack of transparency in how the announcement was made and how the subscription agreement will be enforced is creating distrust between the open source community and commercial open source companies.

It’s perfectly acceptable to profit from open source code but companies that do so need to operate with an extremely high level of transparency. It shouldn’t be difficult for an OSS consumer to know and exercise their rights under an OSS license.

The tension between GPLv2 and the RHEL subscription agreement

When the announcement was first made, the legality of the move was immediately called into question: Can a company restrict access to GPL-licensed code?

Software licensing expert Heather Meeker explained in a video, “One of the requirements of the GPL is that if you give people executables, you have to offer them source code. But that doesn’t mean you have to offer it to the whole world.” The GPL does not require Red Hat to share its source code with everyone, only with those it distributes the software to. In this case, Red Hat only needs to share source code with the customers who pay for a subscription.

However, paywalling RHEL source code isn’t the only issue. The GPLv2 license guarantees recipients of software the same rights and freedoms as the distributor. This includes redistributing the software with or without modification, for any reason.

The license preamble text explains:

“For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.”

And the first clause of the terms and conditions declares the distributor’s rights:

You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

While Red Hat is not obligated under the license to share the source code publicly, they are not allowed to restrict the rights of those who receive the software. This calls into question the subscription agreement which restricts the end user’s right to redistribute the subscription service:

(g) Unauthorized Use of Subscription Services. Any unauthorized use of the Subscription Services is a material breach of the Agreement. Unauthorized use of the Subscription Services includes:… (d) using Subscription Services in connection with any redistribution of software…

Any unauthorized use seems to be a clear violation of the GPL license. However, contract clause 1.4 clearly states the agreement does not intend to interfere with “your rights to software code under the terms of an open source license.”

The subscription terms are incredibly confusing and seemingly contradictory. The Software Conservancy analysis summarized the conundrum as a pick-your-poison scenario: “In essence, Red Hat requires their customers to choose between (a) their software freedom and rights, and (b) remaining a Red Hat customer.” End-users are allowed to exercise their right to redistribute the code but if they do, they face the consequence of Red Hat canceling their subscription and being cut off from future versions of the software and Red Hat services.

What’s the big deal? Proprietary software companies do this all the time and it’s expected as it’s part of the business model. But open source is built on the idea that the software comes with specific freedoms, and Red Hat’s loophole is an untransparent way of making people choose between those freedoms and its services. It’s a choice and consequence that open source users shouldn’t have to face.

Downstream projects and products are part of the ecosystem

In my last article, I applauded Red Hat for staying “extremely principled to completely open sourcing all its software for 30 years” while pointing out that in doing so, the company faced a constant threat of being disrupted or undermined by other open source providers, specifically citing CentOS and downstream clones Rocky Linux and AlmaLinux. My statement wasn’t a proposal for the company to do something about downstream products but an example of the type of competition a fully open source company faces and why it’s so unlikely another company would reach the same level of success again.

I stand by the fact that Red Hat has made significant contributions to open source. But open source doesn’t restrict who can use source code or what they use it for. Unhindered competition is part of it. Whether the competition is for-profit or free and community-driven doesn’t matter. Fully open source companies should expect to face this type of business “threat” and it’s one of the reasons why more companies haven’t reached the same level of commercial success as Red Hat—it’s hard to stay competitive. Red Hat appears to be feeling that heat as they explicitly singled out people who don’t pay for RHEL as a problem in their response to the backlash:

“I feel that much of the anger from our recent decision around the downstream sources comes from either those who do not want to pay for the time, effort and resources going into RHEL or those who want to repackage it for their own profit. This demand for RHEL code is disingenuous…

…Simply rebuilding code, without adding value or changing it in any way, represents a real threat to open source companies everywhere. This is a real threat to open source, and one that has the potential to revert open source back into a hobbyist- and hackers-only activity.”

The sentiment of “we should get paid for our work so we’re going to make it harder to copy” would make sense if it wasn’t a GPL-licensed open source product built on decades of open source contributions. The burden of responsibility is on open source companies to figure out how to stay competitive and offer something that people are willing to pay for. Or, companies can choose an alternative business model, like open core, where they contribute to open source while also creating source-available proprietary software for a fee. The open core model maintains transparency in open source by providing a clear business model for how the company makes money while contributing to and benefiting from open source software.

Fueling the flames of competition

Red Hat’s decision around CentOS, RHEL, and CentOS Stream has fueled the flames of competition. Vice recently reported a roundup of companies taking action to keep Linux open, transparent, and compatible: SUSE announced it will spend $10 million creating a compatible fork with a fully open code base for all. Oracle issued a statement in response promising to continue “pursuing our goal for Linux as transparently and openly as we always have while minimizing fragmentation.” Rocky Linux has a workaround that doesn’t violate any subscription agreements, and AlmaLinux is adjusting its development model to pull from CentOS Stream.