GPL broken?

I'll interrupt my usually ideology-free programme, and devote some of my time to this section again. Recently, there was some major flamage between Béranger and the Arch Linux community. The post that started it is on Béranger's blog, then discussed on Arch BBS. It was regarding Arch's compliance with GPL.

Okay, so what's the deal? Is that yet another FUD, or is it for real? Yes, it is for real, and yes, it's stupid. I will explain both below.

First of all, Arch really was in violation by not providing sources to their packages on their servers. Believe it or not, GPL does require distributors of GPL'd software to provide source tarballs on their own servers at their own expense. Now, I can understand this might have some benefits for those that want the sources, and it is the law, after all. But let's see how it works in reality.

In reality, I can get sources for Arch packages. I've never had a problem with that, and the fact that no bug was filed for not being able to fetch the sources kinda proves that (although I don't think it would hold up in court). Moreover, I can get the exact build instructions used to create the binary package along with any diffs or whatever I need to build the exact same binary version. That is done by simply typing abs at the command line, and then navigating into /var/abs subtree of the file system.

If the point of GPL was to ensure we can get ahold of the source, for me the way Arch handles source 'distribution' by linking to the original is a good option. Some people, like the ion3 developer, actually prefer people linking to their server instead of keeping the source tarball somewhere else, because it means people will be using his source which he supports himself.

But that's not the issue. My own very personal opinion is that GPL has become the stumbling rock for those that create distros. Sure, it's okay that people make commercial distros comply, because they are making money off free software, and they can pay for the storage and bandwidth needed to host the sources. But what about small projects run by volunteers on a donated server, like Arch Linux? They now have to burn extra bandwidth on their already throttled server to pull this off? Because, if I can't access the FTP for sources, they'd be in violation of GPL again...

That's not humane to say the least. And if GPL is going to make it harder for projects like Arch Linux to do their job (and let me tell you, the distro is great!), then people should switch away from GPL to a license that will be easier to understand, and more practical to follow by licensees.

Now, let me state another thing. GPL is great. Yes, I seriously believe that most of the GPL is great. I am not a lawyer, but still, I can understand the benefits of the GPL for open-source projects. But still, people are using it to harass projects that are in essence free and open-source, and are not even commercial. Is GNU doing something to fix that? I don't think so. They are probably up to their necks in battling anyone or anything that violates the letter of the law, and they probably don't care about what people are doing in the real world.

I've asked my friend who works at Freedom Task Force if Arch was really not complying, and he scrambled to write a report. Is that how the community is supposed to 'deal' with the contributing portion of the FLOSS world? If that's so, then GPL is no better than EULA.

UPDATE (May 28th, 2008)

I've contacted GNU a few days ago. They've kindly pointed me to section 6 of GPL3. Section six is called "Conveying Non-Source Forms" and it defines rules that apply to cases (AFAIK and IANAL) where you distribute binary code. Now let's skip to subsection d):

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

In there it says, among other things:

If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities

Now, Arch's packages are served through a FTP server, and you get them by downloading them (using any agent, including the package manager). So, an equivalent copying facility would be something, I suppose, downloadable. Now, furthermore, we have this:

provided you maintain clear directions next to the object code saying where to find the Corresponding Source.

In the case of Arch Linux, we have two ways of finding the sources. But this is a legal matter, so how do we know what is "clear" enough for someone? As for us, users, we know that we can get the ABS tree for the officially maintained packages (maintained by the core development team), locate and read a PKGBUILD file for the package, which contains the URL to the source tarball. The directory containing the PKGBUILD also contains any patches necessary to build the binary version, as well as smaller supplementary binary files such as images. A user can also browse the package list (link leads to core, others are also accessible) through the home page. Clicking on a package's name, you can see the exact URL to the package.

The problem here is this:

you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

How do you ensure that a source tarball exists without having any special arrangements with the copyright holder or a person that is hosting the sources? I mean without modifying the way Arch works right now. One solution is to pull in all source tarballs, and thus probably wasting a lot of bandwidth and storage when people start downloading those (if ever). Another solution is to pull the binary package as soon as the sources disappear (or as soon as one learns of that). A third solution is to actually make an arrangement with the original author or server to have the project notified if the sources are pulled, which is not practical. And there are also people who download stuff like xyz-current.tar.gz which can be simply a symlink to a different package every time. What does this all mean? That you have no practical way of ensuring that the source tarball is actually there unless you host it yourself.
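To make the availability problem concrete, here is an added example (not part of the original post and not Arch's own tooling) that reads a PKGBUILD and sorts each source entry by who has to keep it available. The sample PKGBUILD is constructed, the regex parsing is a simplification that only expands `$pkgname` and `$pkgver`, and the function and category names are hypothetical.

```python
import re

# Constructed sample PKGBUILD (not a real Arch package).
SAMPLE_PKGBUILD = """\
pkgname=xyz
pkgver=1.2.3
pkgrel=1
source=(http://example.org/dist/$pkgname-$pkgver.tar.gz
        http://example.org/dist/xyz-current.tar.gz
        fix-build.patch)
md5sums=('0123456789abcdef0123456789abcdef'
         'fedcba9876543210fedcba9876543210')
"""

def _array(text, name):
    """Return the whitespace-separated items of a bash array assignment."""
    m = re.search(r'^%s=\((.*?)\)' % re.escape(name), text, re.S | re.M)
    return [item.strip('\'"') for item in m.group(1).split()] if m else []

def _scalar(text, name):
    """Return the value of a simple name=value line, or '' if absent."""
    m = re.search(r'^%s=(\S+)' % re.escape(name), text, re.M)
    return m.group(1).strip('\'"') if m else ''

def audit_sources(text):
    """Classify each source entry by who has to keep it available."""
    pkgname, pkgver = _scalar(text, 'pkgname'), _scalar(text, 'pkgver')
    sums = _array(text, 'md5sums')
    report = []
    for i, raw in enumerate(_array(text, 'source')):
        # Expand only the two variables this sketch understands.
        expanded = re.sub(r'\$\{?pkgname\}?', pkgname, raw)
        expanded = re.sub(r'\$\{?pkgver\}?', pkgver, expanded)
        if '://' not in expanded:
            kind = 'local'            # shipped next to the PKGBUILD in ABS
        elif pkgver and pkgver in expanded:
            kind = 'upstream-pinned'  # third-party host, versioned file name
        else:
            kind = 'upstream-moving'  # third-party host, content may change
        report.append({'source': expanded, 'kind': kind,
                       'has_checksum': i < len(sums)})
    return report

if __name__ == '__main__':
    for entry in audit_sources(SAMPLE_PKGBUILD):
        print(entry['kind'], entry['has_checksum'], entry['source'])
```

Every `upstream-*` entry is a file whose availability depends on someone else's server, and an `upstream-moving` entry such as `xyz-current.tar.gz` may not even be the same file the binary was built from.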

The section 6d in GPL3 is better than section 5b in GPL2, and it certainly sounds like GNU's been actually working towards accommodating (if you can call it that) those small dynamic distros like Arch. It's not perfect, but I'm glad it's happening.
