Removing Proprietary Bits from Illegally Closed Open Source?

hahnfeld asks: "I maintain an Open Source (GPL) project which is fairly popular among commercial companies who produce proprietary add-ons for the software. Recently I found that someone was selling code derived from my product under a proprietary license. As a settlement, we finally agreed that his software (which had come a long way from the original Open Source base) will be released under the GPL. Obviously, I have plans to distribute the newly GPL'ed code from my project's site. Now that I've made the announcement, many commercial add-on authors are saying that they believe their code may be contained in the software and it is MY responsibility to remove it or they will come after ME. I've received everything from threats to insults from the commercial add-on authors, who believe the newly GPL'ed product will cut into their business. I've already notified everyone who has a proprietary add-on that I know about, and I'm planning on cleaning out anything I find. But short of not distributing the newly GPL'ed software, is there any way for me to protect myself in the event some proprietary code gets left in the GPL code?" As open source gains popularity, this issue is bound to strike another developer. In addition to seeking legal advice, what suggestions would you give to someone unfortunate enough to be in this position?

How to tell?

[breon.halling]

I'm not a professional programmer or anything, but I am in the process of learning, and I'm just wondering how one would go about actually identifying the proprietary bits of code.

Short of searching for "Proprietary code: Go!" comments, does anyone have any insight into this?

Re:How to tell?

[DeadSea]

If you could tell which parts were proprietary, then this wouldn't be much of an ask slashdot question, now would it.

Here is what sounds like happened:
Some unscrupulous person without any regard to copyright holders' rights took code from multiple sources, used it and released it as their own. The sources included a GPLed project and various bits of code from proprietary sources. The result may have been useful, but it was using stolen GPL code as well as code stolen from other developers trying to make a profit.

It sounds like any number of people could have gone after this product, as several people hold copyright over portions of it. Unfortunatly, that means that the code is not distributable under any license. By GPLing the product, it sounds like the author is opening himself up from the other side, allowing the folks who own the copyright on the proprietary code to sue.

My advice: Don't redistribute the code yourself. If the person who wrote it wants to distribute it, they have to distribute the source too. Let them take the flack. They should be the ones that are hit by the lawsuits. At the very least, get a written statement from them that all the code in the package that was not taken from GPLed sources was written by them. That way you can pass the buck if you do get sued.

Countersue

[Geckoone]

Can't you countersue based on the fact that they shouldn't have added their proprietary code to a GPL'd software distribution in the first place?

Sic the FSF on 'em

[Vinson+Massif]

So what do you think the chances are that these guys have incorporated GPL source in their add-ons and are taking an aggressive stance to cover their asses?

Insn't this one of the senarios where assigning copyright to the FSF is helpful?

Good laugh.

[Henry+V+.009]

Ha ha ha. I'm sorry, but that is funny. After taking something they didn't legally own (your GPL'd software), they gave away something that they didn't own in settlement.

If it turns out that they didn't have copyright to all the code that they promissed to GPL, that settlement is invalid. You have a great case for taking them back to court.

And if other authors do own copyright on some of that code, you don't have the right to distribute it. Simple as that.

Re:Good laugh.

[nuggz]

If it turns out that they didn't have copyright to all the code that they promissed to GPL, that settlement is invalid. You have a great case for taking them back to court.

Good point. The person who gave that code to you, who said they owned it is in trouble, they gave you code they didn't own. But just because they screwed up, doesn't mean you're off the hook.

If you don't know for sure that you can distribute this code, don't. They notified you of the problem, you should not ignore it. Otherwise you lose the "I didn't know" defense.

Their in fault, not you

[dh003i]

They added their proprietary code to a GPL'ed program and distributed it. The only legal way to do that is by GPL'ing their proprietary code, which they didn't.

Thus, you need not heed their meritless threats. Anything distribute along with your GPL'ed code should also be GPL'ed, and if it isn't, you can force it to be so (and you have the right to simply distribute it under the GPL).

The impact this has on their business is not your concern. Its their fault for incorporating their add-ons onto GPL'ed code. There should be no compromise here: you should force anything that was distributed with your GPL'ed code to be GPL'ed as well. Simply distribute the entire thing under the GPL, as is your right to do so. If they try to sue you, they don't have a leg to stand on because the GPL demands that any modification/add-ons to GPL'ed code be GPL'ed.

Re:Their in fault, not you

[ivan256]

if it isn't, you can force it to be so (and you have the right to simply distribute it under the GPL).

Not true. They can pull the code instead of releasing it under the GPL. They own the copyright, and they decide which license it is distributed under. If this not a GPL compatible license then it will have to be removed.

The rights always belong to the copyright holder. The same rights that give the GPL power also allow these companies not to GPL their software.

As an aside, and in response to the original poster: Comments like the parent to this one are exactly why you should disregard any legal advice given in this story and talk to a lawyer. This guy sounded like he knew what he was talking about, but if you listened to him you may have been financially liable. Ignore everybody's copyright advice here and talk to a professional. The FSF has lawyers for exactly this reason, and you should call them.

Re:Their in fault, not you

[dh003i]

Bullshit. They may have the copyright to their work, but they can don't get to choose whether or not to GPL their software (if its based on GPL'ed software). They can choose to distribute it and GPL it, or not to distribute it at all.

Once they've distributed it, that choice is over. If they distribute it and don't GPL it, they're in violation of the license, and can be forced to release it under the GPL. The people who've already bought it have the right to see the source, as that code is based around GPL'ed code.

You can't "take back" a distribution once you've released it into the world or on the net. Thousands of people have already bought it, and thus will have the right to see the source, as the GPL grants.

Just because they say it's your responsiblity...

[HotNeedleOfInquiry]

Doesn't mean it is. You really need a good IP lawyer for this. If that's out of the question, I'd send each of the plugin companies a copy of the source, along with a letter stating that to the best of your knowledge, the code is yours and that you intend to GPL it. Give them 30 days to identify any code that they believe is theirs, with the option of declaring none. Tell them that if they do not respond in 30 days, their license to use your code will be terminated and they must cease marketing and supporting the product. Disclaimer - I am not a lawyer and this is not legal advice.

EveryAuction?

[Futurepower(R)]

The software being discussed seems to be EveryAuction. Is that correct? (Hahnfeld's email address is listed at the beginning of the Slashdot story as matth@everysoft.com.)

Practical Suggestions

[4of12]

<ianal>

I'd send a nice general "cover" letter to the company in question that used your GPL'd code as the basis for their extended code.

I'd thank them for recognizing and adhering to licensing restrictions, in this case the GPL. I'd mention that you, too, want to adhere to all licensing restrictions. Thus, if they incorporated others works that are bound by other specific licenses besides the GPL to make clear to you exactly which parts of the code are restricted in non-GPL ways.

If they don't have the time to mark other's code, at the very least they could mark code which is unambiguously "yours+their extensions".

Be prepared at any time in the future to remove chunks of code from the GPL project if some third party presents irrefutable evidence that such code is under their copyright and that they do not wish to distribute their code that way. Kinda like old RSA code used to be.

Someone may argue that you didn't properly adhere to the licensing agreements for that code, but that's where you have to be able to demonstrate that you made a good faith effort to adhere to all of the restrictions that you knew about. If the company did not inform you of those restrictions and you asked them to do so, then it will be more difficult to fault you. After all, it is that company that made agreements with the other licensors, NDAs, etc. and it is their responsibility to adhere to those agreements when giving code over to you.

</ianal>

Either/or

[TheSHAD0W]

Let me get this straight: You have the software company who was distributing the product containing your GPL'd code, and you have other coders who have contributed to the project, and who do not want their proprietary code made public. Now, either the other coders knew they were working with your code and may have been aware of the GPL licensing, or they didn't.

If they were aware of the licensing restrictions on the code they were working with, then they are morally in the wrong and a court will probably rule against them.

If they were not so aware, as in if the software company concealed the knowledge of GPL restrictions from them, or had them working on a separate segment of the code which was included in the project but not directly involved with the GPL, then it's the software company's fault in scheduling conflicting licenses. It is not YOUR responsibility to PUBLISH the source code, it is that company's; you might only be distributing that source, and perhaps not even that. The software company would have the options of:

(1) Withdrawing the program from the market completely;
(2) Replacing your GPL'd code with equivalent proprietary code, and keeping the codebase secret;
(3) Replacing the other coders' proprietary code with open-sourceable code (or licensing their code for open-source use) and publishing the codebase;
(4) Publishing the codebase as-is, and risk being sued by the other coders;
(5) Keeping the codebase secret, and risk being sued by you.

I do not see any way a court would hold you liable for making the software company publish the code; it was not your decision to tie their code up with yours. If it does head to court, though... Get a good lawyer.

Mod Parent Up

[hughk]

I'm not sure if the AC is genuine, but he has a valid point. If the AC developed some code which was combined by a third party with the GPLed code and the third-party released the merged software as propriatary.

Its an interesting point because the AC acted in good faith and it is that third-party who did the dirty. However if the code isn't attributed during the merge, it becomes very difficult to say which bit came from where.

My view is that the merger was the same as the third-party inadvertantly disclosing AC's proprietary software. The third-party becomes responsible for any tidying up.

Re:You're screwed [kinda]

[0x0d0a]

That wasn't really what I was asking.

if you take GPL'd code and make somethin else, the finished product, even if it no longer does the same thing it did before, must be gpl'd

I realize that.

My question (I'll restate and perhaps be clearer) :

A = The guy that wrote the original GPL work.
B = The guy that illegally grabbed the GPL stuff, then merged it with propriatary stuff, then illegally tried to GPL someone else's code.

I am, for the moment, ignoring the fact that B is already in hot water for distributing a derivative work containing GPLed code under a non-GPL license. We all agree that B is already in hot water for doing that.

My question relates to the second bit: B has made an invalid license in trying to GPL the derivative code he made. It contains non-GPLed code that he does not own which he does not have the right to GPL, thus the derivative project cannot be GPLed as a whole. He attempted to GPL the derivative work as a whole. This license is necessarily *invalid*.

I believe that the derivative work contains three sections of code. The propriatary code from the third party, the GPL code from A, and some additions from B.

Now, B has made this invalid licensing under the GPL of his derivative work as a whole. Since this is invalid with respect to the propriatary extensions, my question is whether his license is still in place (and binds him) as regards his *own* contributions to the derivative work, or whether the entire thing simply goes out the window.

If B makes three licenses that say:

"I am licensing A's contribution under the GPL", that's valid
"I am licensing B's contribution under the GPL" this is valid, as he's the copyright holder
"I am licensing third party propriatary bits under the GPL", this is not valid.

However, the first two licenses still hold (though only the second one is important).

This guy made a *single* license that applies to the work as a whole. Are his own contributions to the derived work now GPLed or not?