Hole in GNU GPL?
Public Apology
I posted this piece because I felt Faré raised some subtle but interesting ethical and legal points about the GPL that were worth discussion and clarification. I honestly did not expect to get flamed over my decision to post his submission.
I believe that software licenses and documentation, like software itself, should be discussed as openly and publicly as possible so that bugs can be exposed and repaired. However, words (especially legal words) are far more slippery than code. With words the question, "Is this a bug?" is often far harder to answer than it is in software.
But I was wrong to post this to Slashdot, which is obviously not an appropriate forum for discussion of subtle ethical matters, and it is apparent that any mention of even a hint of a possible tiny imperfection in the GPL does not belong here, and that anyone who dares to mention any such thing on this website must expect - and probably deserves - a series of harsh, even obscene, personal attacks instead of rational rebukes or comments.
Please accept my humble apology. I was wrong. I will try not to make the mistake of posting anything even remotely like this on Slashdot ever again.
- Robin
Update: 01/18 01:37 by CT: Another Public Apology
I apologize for Robin's "Humble" apology. Robin posts many good stories on Slashdot, but sometimes when he gets flamed, he takes it very personally. The reality is that every author on Slashdot gets a big load of flame every day as part of their job. They get this for mistakes, misunderstandings, or just because someone had a crappy day. Those of us who have been at it for a long time just don't care any more.
I think Slashdot is a fine forum for arguing subtle points. I just think that when things like the GPL come into question, the hostile kneejerk reactions run rampant, and it's a good idea to up your threshold a notch if you prefer a conversation to be a little more mature.
- CmdrTaco
But they can sell MEMBERSHIPS to an organization which will distribute only the binaries!
Where in the GPL does it say that clubs/organizations can distribute internally without source?
There is a big difference between a club member and a corporate employee, and those differences are why this "club" idea has no basis in legal reality at all (keeping in mind the GPL is a legal contract)...
Recursive: Adj. See Recursive.
Slashdot stories really are getting worse in the way they misrepresent minor stories as major disasters or breakthroughs. This is a rather trivial issue that has been kicked around for ages, and can't really be resolved without a legal battle (after all, you can make all the logical arguments you wish, but nothing is certain in court).
I thought someone was finally going to bring up the possibility of reducing a piece of GPL'd software to a sort of daemon which acts as a shared library. If the interface is designed rationally (i.e. code for it can be written from scratch easily), there would be no need to reuse headers or other GPL'd files. Then proprietary additions to the software could be made through the creation of a proprietary client program.
I don't think anyone could make a case for communicating with a daemon being a creation of a derivative work. It is the same as the way you can make a script that runs programs which may be (and, in fact, are) GPL'd, without releasing the script under the GPL.
The fact is that there is no way to freely distribute and freely allow modification of software while forcing all later modifications to be released to free. Programs can interact, yet be separate. There are many examples of programs which would be useless without the existence of another program (ex.: anything that isn't its own operating system...), but they are clearly separate and the copyrights are held by separate people.
The GPL will not be upheld by legal threats, but by PR and competitive threats. Violation of the spirit of the GPL in this manner will create immense hostility from the Free Software community. Massive numbers will jump onto the hijacked project to duplicate the functionality of the proprietary additions, while eliminating annoying bugs and (of course) giving it away for free.
I fully expect that some company will try this trick some day, and be brought to their knees as a massive grassroots PR campaign paints them as evil corporate monopolists demanding money for an inferior product.
I think this may be too broad, legally speaking. Absent express definitions to the contrary, I believe a court would interpret "distribution" in the context in which it is used: a license to exercise exclusive rights to distribute under the Copyright Act.
Accordingly, we should look for a transfer of title, rental, lease or lending. Accordingly, control or possession of a copy transferred among employees or agents of the corporation probably does not constitute a distribution. On the other hand, control or possession of a copy by a non-employee, non-agent, even if subject to nondisclosure would probably constitute, at least, a lending (bailment) of the copy.
There are cases, I recall, holding that infringement occurs when a consultant/third-party is given access to copyrighted works for the purpose of repairing software on behalf of the licensee. However, I seem to remember that these cases went off on copying, rather than distribution.
I'm just spitballing here, but it seems to me that a plaintiff asserting breach of GPL would probably do just fine in the case of a defendant who gave a customer/non-disclosee copies of a work.
It would be fun to research the judicial gloss on this statutory language to see how it informs the question of distribution within a corporation.
Nevertheless, for these reasons, I think "non-disclosure boundary" is probably too broad a range to permit non-distribution exchanges of copies. I imagine that the result would be probably much closer to an "in the family" (employees and actual agents) test.
Corporations are individuals in the eyes of the law. They can be sued. They can even be convicted of crimes. Their directors can be held personally accountable for their [i.e. the corporation's] actions. Being an individual under the law is why corporations exist! There's a reason why you aren't on the hook to pay the bills when a company you own shares in blows up, and that reason is that the corporation is a legal entity unto itself. The corporation is responsible for paying its bills -- the shareholders aren't.
The first line of the post from Mr. Rideau says it all: "in my interpretation [ ... ] companies are not individuals and have no right as such".
While I happen to think the bugroff license is cute and witty, the fact remains that the law is not terribly interested in Mr. Rideau's gross misinterpretation of the notion of the corporation's rights as an individual. Slashdot dropped the ball on this one. The GPL is as sound today as it was yesterday. We don't know how well it'll stand up in court, but if it's defeated, it certainly won't be because of some cockamamie "interpretation" that says corporations lack rights as individuals under the law.
Companies can keep their internal modifications secret as long as they don't distribute the code OUTSIDE their non-disclosure boundary - and once they distribute the object outside that boundary, they must also distribute the source.
Giving the code to people INSIDE the non-disclosure boundary is not "distribution" within the meaning of the GPL, so it does not confer on such people the right to disclose the modified code without the approval of the company's official decision-making process.
This is good. It means that a company can adopt GPLed open-source software without taking an increased risk that any company-secret changes they make for internal use only will be disclosed without their permission. That will make them more willing to adopt GPLed open-source software.
They'll still have to distribute the source to their changes if they distribute the changes themselves generally. And they're more likely to distribute anything useful but NON-company-secret than they would if they were working with closed-source code.
The only problem I see is if this speculation by legally-uninformed people, raising a spectre of employees disclosing their secrets, scares off management that otherwise would adopt GNU-licensed code.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It seems Rob's taken things to heart. While I didn't read the vast majority of flamebait posts, neither do most people. The Slashdot community moderated up the posts that criticized the decision. None of them criticized Rob personally. They spanned both sides of the argument.
,but please expect that occasionally their opinions will differ from yours.
Calls for article moderation are valid, despite the fact that this may very well be difficult to implement.
Rob, chill out. You posted an article that a lot of people thought hadn't been background checked efficiently. That doesn't mean we hate you, it means we think you made an error in judgement. I'm sure the overwhelming amount of people who responded to this article would be saddened if you ever left slashdot - you are slashdot.
You've brought thousands of people together to participate in debate. Be proud of it.
You're having a bad day. Walk away from the computer, get drunk, have a shower with your girl. Wake up tomorrow a happy man.
I agree with that position, as a question of legal interpretation of the GPL. The reason is that the company is not distributing the program in that case.
I don't think it is ethically right to permanently withhold useful improvements. But that is a different question from what the GPL permits.
I saw this hole ages ago. The bottom line is that corporations function largely as fictitious people. Authorized people can enter into contracts on behalf of a corporation. The contract can outlive the person's employment or even the person. And it can enter into contracts on behalf of its employees, assuming that those contracts are legal.
The interesting test case would be one where a company makes changes that they want to keep to themselves to GPL'ed code and one of the employees releases them. What it would be testing is whether the employees could act as individuals with respect to the enhancements to the code.
I agree with RMS that it would be ethically wrong, violating the spirit, if not the letter of the GPL. Furthermore, I don't think it is in the interest of the company doing it. Eric Raymond has written about the reasons that projects don't fork in Homesteading the Noosphere. Nearly all of the reasons that apply to a forked open source project apply in greater measure to an internal project by a company. But there are a couple of other issues that are special in this case:
In the end, I think it is an unlikely scenario to last very long. In the short run, I could see a company wanting to keep some development private. A hardware manufacturer might keep drivers secret until they release their product in order not to tip their hand to the competition. I honestly don't think that is something we even want to try to discourage. If allowing them to do that encourages them to release open source drivers after the product release, I applaud them.
The net will not be what we demand, but what we make it. Build it well.
Companies are not individuals and have no right as such. The author seems to have missed on a large body of law that says otherwise. The entire position seems based on his opinion or personal preference rather than actual juridical decisions. I might have read more than two replies into the thread if he had bothered to offer court decisions supporting his belief that licenses can only apply towards individuals. But what do I know, I'm just an Anonymous Coward.
If you are a corporate employee, this can override certain 'human rights' you might think you have. You may not be entitled to your own thoughts, or ideas. You probably are safe from being legally tortured to death with pitchforks, look on the bright side :)
This fellow's hysteria seems to be based on the notion that people who are part of corporations have some sort of 'individual' rights. It's a pleasing argument, but largely hypothetical. Expect corporate powers over 'their own bodies' to become stronger and stronger as they are challenged.
To a corporation, firing and suing an employee to ruin the employee's life because the employee posted internal GPL code is the same as you cutting your toenails or burning off a _wart_. There is reason to believe that this perspective would hold up in court, because the employee theoretically had complete freedom to join, or not join, the corporation in the first place. Having joined, the employee's 'rights' or lack of same are spelled out in contract law... the person might find that they themselves did not own the ideas they used to modify the GPLed software, or any of the other ideas they talked about at work or came up with at home- so after being fired they could be left with _only_ publicly GPLed work, and the company project which they forcibly publicized ahead of schedule- and everything else they did, not having been GPLed by anyone, is property of the company and if they tried doing anything with that, they'd be hosed, slammed into the pavement by a very slam-dunk sort of case in which they are STEALING TRADE SECRETS not theirs to GPL.
That is an ugly scenario, but it is quite real. So the trouble is not the corporate employee being harmed for exercising their right to GPL- they have no such right, they are a corporation's toenail in the legal sense and are not entitled to any such grandstanding. The trouble is on a more pragmatic level, and it's a medium sort of trouble, not a big trouble.
Basically, the corporation can fork a GPLed project and put massive resources behind trying to produce a significantly different version, all under tight wraps. It's allowed to discipline its parts as it sees fit, and is allowed to keep its work entirely to itself until it releases it with a well-funded publicity splash. At this point it must release source, and anyone can extend off this reference point- but the corporation can turn around and begin another round of complete revamping under complete secrecy, refusing to cooperate with outsiders.
I spoke to RMS about this, seeing it as a sort of loophole. He remained unperturbed, and I think I understand why- to RMS, 'free' development will always outpace, always outproduce such closed environments. For RMS this isn't even an issue, much less a loophole, to him it's the corporations being fools by turning away from a world full of willing helpers.
I don't know if he's right or not. Certainly he has a point- though there are also examples of types of work where a controlled team can outperform the bazaar- particularly game or art projects where the project's goals and values are very much a judgement call. On the other hand, OSS moves really fast- in the event of a radically altered GPLed codebase being sprung on the world, everything about it would be known and understood within days- there's not a lot of strategic advantage to keeping secrecy when you're inevitably going to make full disclosure anyhow.
Final analysis- this really isn't about the GPL so much as it's about corporatism. Like it or not, corporations get to own people and their ideas, legally. They also get to play in the fields of OSS alongside ill-funded hackers, and what they lack in nimbleness and cooperativeness they gain in sheer ability to market and distribute on a global scale.
It may be that eventually corporations will set the course for OSS by using their capacity to control collective programming skills and choke off communications. However, in a way this hardly matters- the source will get out there, no amount of GPL-allowable obfuscation (i.e. minimal) would stand up to the eyes of the world for longer than six hours or so, and frankly, if anyone thinks the amount of kluge and mess created by a world of corporate OSS 'coders' trying to trip each other up... would be worse than the current world of _closed_ corporate coders collectively trying to do exactly the same thing, with no expectation of eventual source disclosure.
Expect the corporations to abuse their privileges as hard as they can. It only adds a scattering of immensely rich, and twisted and obnoxious 'individuals' to the talent pool. Think of it like having some prima donnas who keep re-inventing everything, and just roll with it...
Sadly, this is untrue. Someone else pointed this out earlier but it bears repeating: in the United States, a corporation is a "natural person" under the law, entitled to all the same rights as people who happen to be made of meat.
This great Adbusters article goes into a lot of detail of the history of corporations and how we ended up in this mess. From the article:
Adbusters is wonderful, you should subscribe.
Here is my interpretation of the issue. Reading this is not a substitute for reading the real posts.
Background: GPL says that you can't just distribute a binary (in essence). If you distribute at all, it must be with source.
The Issue: Can a company make an internal distribution of GPL software and not release it? (E.g. NSA secure linux, or Corel closed beta)
View 1: Companies are not people. A developer in a company may modify the code and give to other workers in the company. These other workers have all the rights to source from the GPL. Thus, if one worker decides to publish the modified code, the company cannot (legally) do anything, it's GPL code still. Thus, internal distributions of software can only be enforced through threat of firing. Even if only a binary is leaked, people who d/l the binary can require the company to give the source!
View 2: Yes of course. That is not subject to the terms of the GPL, you are not distributing it. The problem with this view is that what if I want to sell modified GPL code? I can say: $10 to join NickSoft, Inc. Then I will send you code, but you may not distribute as terms of 'employment' with NickSoft. Boom, there goes GPL.
The original poster says both views are flawed and you cannot have any other (legally they are mutually exclusive).
RMS says, yeah maybe it's a flaw, but it's really minor.
Again, this is only my interpretation. Read the original posts.
(My personal opinion is close to RMS', it's a very tough issue and is hard to avoid, however one states a GPL-like licence. I'd say leave it be)
--Nick
The idea is that someone creates an organization, and then requires everyone to be in the organization as a condition for software distribution. Then the modified GPLed program is only distributed to club members, and all the club members agree to only distribute the program within the club. In a sense, the Trillian project (which is porting the GNU tools and Linux to the IA64 architecture, which is still under nondisclosure agreements) is such a club.
So, does the fact that this can be done break the GPL protections? No, because it doesn't get around the requirement to provide sources to everyone who gets binaries. Attempts to do this kind of thing for a different reason (e.g. charge everyone big bucks for being in the club and forbid them from sharing information with outsiders) may run afoul of antitrust provisions in the US and the EU (forcing people to be in a club before you do business with them may not be legal, depending on the circumstances).
RMS often points out that the GPL (and other licenses) shouldn't be written, or read, as if they represent the whole of the law. Just because the GPL doesn't exclude some possibility doesn't mean that it is legal. It may be illegal for another reason.
As a colleague of Faré in the Tunes project (shameless plug) and a subscriber to (and occasional participant in) the cybernethics mailing list, I'd like to point a few things out.
First of all, Faré is French and resides in France. So before attacking his integrity, honesty, manhood, morals, intelligence, competence or whatever, ask yourself this question, American-boy: do you have any idea as to how French law applies to this issue? What if it were the case (perhaps not in France, but somewhere else) that this loophole _were_ applicable and an issue under some other country's law?
Also, as other posters have said, Faré is worried about what might happen if a corporation were created with the express purpose of hoarding otherwise GPL'd code. This might be an issue.
Finally, please don't fuck cybernethics up! If you want to join in on the discussion, that's great, but the membership is really soaring, and it'd be very unfortunate to see the list deteriorate, and I'm afraid that this is going to be the case. So try to keep the S/N ratio up.
Anyway, if anyone cares, Faré and I are on IRC right now (#tunes at openprojects.net). If you've got a problem with him (or me!), come over... we've already got the boxing ring set up.
To the editors: your English is as bad as your Perl. Please go back to grade school.