On Ubuntu and License Compliance

I found it quite frustrating to read Carsten Munk's concerns about GPL and licensing related to the kernel shipping with the bq Ubuntu phone. Clarity is essential in these matters. That Carsten can't tell what is going on for certain is a problem. It shouldn't have happened and I'm pleased to see that my colleagues are working hard to clear it all up.

As a Canonical employee and an Ubuntu developer I work hard to make sure that the work I'm involved with is fully compliant. Sometimes this takes me considerable time and effort. So for me the frustrating part of reading Carsten's investigation is that only our mistakes are evident. When things are done right people often don't notice, and so it's all too easy for outsiders to draw the conclusion that we are "evil". I'd like to present an example of how I work hard to do things right, in an effort to balance this view.

Juju is a particularly challenging project to package using the traditional distribution model. It's a cross-platform, cross-distribution and cross-release tool, and a single deployment needs to be able to deal with all of this simultaneously. But from a licensing perspective, the challenge comes from it being a major Go project. It follows standard Go practices in handling its dependencies, so by the time an upstream release gets to me the release tarball contains all of Juju's dependencies embedded within it. As the person who uploads new Juju packages to the Ubuntu archive, it's my responsibility to make sure that everything is compliant from a licensing perspective. The embedding means that instead of having to verify just the Juju code itself, I also have to verify all dependencies, recursively. Many of the dependencies are small third-party projects that appear to not have been packaged for a distribution before, with little attention paid to licensing compliance before I looked at them. Dependencies are added and versions bumped frequently. Every time, I have to check again. Right now, the sum of Juju and its dependencies involves over 3000 files over 37 separate projects.

Back in July I did a full review over all of this code and developed a process to follow further changes incrementally, since the situation here is quite radically different from a traditional distribution package. In my initial review, I found a whole slew of clearly unintentional errors, but sought to have them fixed anyway. I filed an extensive bug report describing the contradictions and ambiguities I found. I have also filed bugs in upstream projects as appropriate: for example in gojsonschema. I was pleased to find that it wasn't just me focusing on diligence in this area: as you can see from the first bug, my colleagues on the Juju team all took the issues I raised seriously, addressed them and committed fixes in just a week. Bugs I have filed more recently about licensing errors introduced in newer releases have continued to result in a quick response.

So, please do not misconstrue our intentions. Mistakes may happen but we do care, and do seek to resolve them as quickly as we can.