How to avoid public GPL floggings on Apple's App Store

Publishing your source may not be enough to comply with Open Source licenses like the GPL.

Publishing your source may not be enough to comply with Open Source licenses like the GPL. In the sad case of VLC for iOS, a licensing conflict created an untenable situation that required it be pulled from the App Store.

It is often said that no good deed goes unpunished. Unfortunately even with the best of intents, particularly as it relates to releasing Open Source Software, it is possible to run far afield of GPL and FOSS kashruth even if you think you are following the rules to the best of your ability.

Such was the case of the iOS port of the popular free VLC Player application produced by French software developer Applidium.

VLC Player for iOS was distributed on Apple's App Store until it was determined that the very distribution of the software itself which used components licensed under the terms of GNU General Public License version 2 was incompatible with the software distribution Terms of Service of the App Store.

Got that? Farshteyn? Okay, great.

Just over a year ago, I discussed the implications for consumer electronics manufacturers which used GPL and other Open Source components that did not make their source code and changes to those components freely available, and how these situations could be avoided in the future.

Since the widely-publicized lawsuits from the Software Freedom Law Center (SFLC) from late 2009, there has been very little if any public flogging of large entities that manufacture and distribute consumer electronics which did not publish their GPL code.

That lesson it seems has been learned. Fortunately for the named parties in those lawsuits, the GPL has yet to face a scenario in which it has had to be tested in court. So far, such as with the Verizon case from 2008 all of these to date have been settled amicably, and out of court.

But if you develop using Open Source code which uses GPL-Licensed components, just publishing your source may not be enough to keep you out of trouble.

Also Read: How to avoid modern day public GPL floggings (2009)

In the case of Applidium, which created the iOS port of the popular VLC Media Player of which the source originated from Videolan.org, it fully published all of its modified source code. However, what it did not do was understand how the Terms of Service of Apple's App Store violated the very nature of the GPL version 2.

In other words, if you develop software which uses GPLv2 components which you do not have the exclusive copyrights to but the distribution of said software on an App Store such as Apple's has additional terms and conditions imposed on it, that may prohibit you from distributing that software using that model in the first place.

Applidium's VLC Player could have been distributed on Apple's App Store for a very long time and even escaped this scrutiny had not a single developer/contributor on the VLC project, Rémi Denis-Courmont lodged a formal complaint requesting that it be removed.

As my ZDNet Open Source colleague Steven J. Vaughan-Nichols put it, this was a "Don't Ask, Don't Tell" type of situation. The VLC project was well aware of the GPLv2 violation, entities within Apple may have also been aware of it and yet nobody decided to make a fuss about it.

So a little cheese found its way onto the pastrami on rye Applidium VLC sandwich. No biggie. They made a Reuben.

Also Read: No GPL Apps for Apple's App Store

But the moment Denis-Courmont lodged his complaint about Applidium combining milk and meat in the same meal, it was all over. After several months of Talmudic deliberation on the matter, Apple finally removed the software. The deli was closed.

[Next: You don't mix milk and meat!]»

Specifically, Denis-Courmont's complaint was that the product usage rules of the App Store -- one of which deals with the application of Digital Rights Management on all products distributed on the store -- are in violation of the terms of the GPLv2.

As far as 3rd-party ports popular and well-known GPLv2 projects such as VideoLAN and VLC are concerned, the case is open and shut. These applications can never be distributed under Apple's current App Store Terms of Service if they are ported. Trayf!

[EDIT: It has been pointed out to me that the distribution of OpenJDK/Oracle Java on the Mac App Store could be problematic as it is GPL-licensed. However, since Oracle owns all the copyrights to Java and would give permission to Apple to distribute, it's not an issue.]

While nothing should stop you from distributing ported GPLv2 iOS source code and running it on a "Jailbroken" iOS device (such as with Cydia) distribution of GPLv2 material via Apple's official channels is a non-starter. Period.

Clearly, what happened on Apple's end was a result of a shortcoming in their due diligence process which failed to recognize that GPLv2 software had been submitted, and the software should never have been approved in the first place. The Mashgiach slipped up.

However, I don't want to assign much blame to Apple here, because the infrastructure and know-how may not have been in place at Apple to do the code review to determine that VLC for iOS was GPLv2 software.

We also have to understand that thousands of applications are submitted to the App Store every month, and one must assume that due diligence on code review requires a substantial effort and details are inevitably going to be missed.

The obvious retort to this is "Oy, everyone knows VLC is GPLv2" but we're talking about two entirely different cultures here, that of Apple's ecosystem and that of Free and Open Source Software.

Apple's App Store reviewers weren't explicitly looking for GPLv2 components. They look for things like porn and clearly adult material, undocumented APIs and use of non-native external libraries and programming languages like Java and Flash that violate the Software Developer agreement, as well as various other criteria such as UI deficiencies and duplication of functionality issues that would constitute an immediate rejection.

Well, we can now add GPLv2 software to that list. But the chicken soup gets a bit murky from here.

So we know that big projects like VLC are obviously GPLv2. But what about all the little games and utilities and even major applications that may be sitting in the App Store which might utilize some third-party GPLv2 code? There could be dozens, if not hundreds, or maybe even thousands of these things sitting there.

Many of these will probably go unrecognized, but it's possible that Apple may start enlisting the services of Open Source code auditing firms like Black Duck or OpenLogic to determine if any actual cut and pasting of GPLv2 code has occurred. And when those apps are found, they'll be removed until those GPLv2 bits are replaced with bits that aren't GPLv2.

If you develop software for Apple's App Store, which now also includes the Macintosh platform, then you are obligated to do a preliminary code review yourself and be absolutely sure you aren't using any GPLv2 components you don't have the exclusive copyrights to before you submit an application for electronic distribution.

Otherwise you might find yourself having to re-write thousands of lines of code, or even worse, become subject to public floggings by groups such as the SFLC and incurring significant legal costs. Oy vey.

These things aren't just Apple-specific either. Other platforms with similar types of App Stores, such as Google's Android Market, the RIM BlackBerry App World, Microsoft's Windows 7 Phone and Amazon's upcoming 3rd-party App Store for Android have Terms of Service which may very well impact the use of GPLv2 and other FOSS-licensed software components.

With the yanking of Applidium's VLC port for iOS setting an unfortunate precendent, it is an absolute requirement now that all of these software distribution Terms of Service of these new app stores be reviewed by appropriate legal professionals to determine how and if Open Source software can be distributed without running into these kinds of problems in the future.

Will we see more GPLv2 applications removed from App Stores in the future? Talk Back and Let Me Know.