Statutory Copyleft

This is only half-serious, but I think it is rather more than less true:

Recently I found the EU’s guidance about the CRA, specifically its requirement on licensing security fixes you upstream to the original project:

Where the component is a free and open-source component, the security fix should be shared in a manner compatible with that component’s licence, for example by sharing it under the same licence or under a licence that allows the maintainer to distribute the fix under its own licence.

Copyleft is about a software license requiring other works to be licensed under the original project’s license. And that’s the case here, if you follow the guidance about contributing “under the same licence”.

Those copyleft effects have so far only been imposed by license. If we take the guidance as law in the wider sense, we have statutory copyleft.

Of course, that’s only half-true. First, the guidance is not legally binding, although in practice most people will almost treat it as such.

And second, the guidance allows for contributing under a compatible license, say licensing your security patch under MIT and contributing that to a GPL-2.0 project. But that is just a matter of degree. It is still the original work’s license imposing on other works that would not be affected, were it not for the CRA’s duty to contribute.