GPL issue at my work place

Philippe Verdy verdy_p at wanadoo.fr
Thu Jan 17 14:54:17 UTC 2008


From: Tzeng, Nigel H. [mailto:Nigel.Tzeng at jhuapl.edu]
> This doesn't fix the general issue of GPL for him but only this specific
> problem.

Well, the fact that Linux is accepted proves that the GPL is not directly
the problem. What concerns the legal department is to find someone
accountable for all that may be released under GPL. For Linux, it's simple:
the distributor of the OS is offering such accountability, and in case of
problems, promises to find solutions, including replacement code, in order
to maintain most of the functionality and interoperability.

But many GPL-licenced software packages do not come with enough information about
the effective author or who to contact in case of problems. In fact, they
come by default with a denial of responsibility, meaning that each user of
the GPL software MUST evaluate each part and assume all the risks by itself.

In this case, there are solutions: if the Linux distributor does not offer
such additional warranty, look for an open source risk management company
that will offer service to warranty the continuity of service and propose
assistance and solutions for replacement software in case of legal problems
with some parts: there are MUCH enough other solutions to find within the
very large commons of GPLed software, but in some cases this will require
some work to adapt them to a particular case.

That's not completely impossible to evaluate, and at least this evaluation,
that includes possibly paying for subscription to an assistance service,
may still be less costly, and will require much less work than depending on
a single proprietary solution. The beauty of open-sourced software is that
every part of it is replaceable at any time.

However I'm opposed to the argument of the legal department when it says
that the mere interaction through a public access network implies that the
whole service needs to be open-sourced, not just the software itself. This
is a too broad interpretation of what is covered by the GPL. The GPL for
example does not extend to the content created or edited with GPL software:
authors remain owners of their creations: texts, images, databases,
designs, and will decide themselves about the status they give to it. The
GPL links the licence only through some binary API that creates a required
dependency on the software.

But a website, whatever tool is used to build it, does not depend on the
software used to run it. It does not expose the software directly (at least
not in a way that allows it to be reused legally, i.e. excluding the exploitation
of possible security holes by malicious users), and running a website does
not expose it like a true distribution of the software running it, unless
the website is itself configured to allow such reuse (for example by
providing an explicit interface to a synchronous mirroring system; you may
still use "wget" to create a private mirror without any interface, but this
would just be an asynchronous mirroring of the content, but this would not
allow the dynamic features of the service to be replicated completely).

If your website exposes some dynamic services using some open standard (for
example RSS, RDF, XML, SOAP...) it is not directly offering a proprietary
API to the software used to run it. As the interface uses a public and
interoperable interface, and allows transparent replacement by another
server-side software without violating any term of the licence covering the
initial software exposing this API, this is enough to remove the fear caused
by dependency: you just have to demonstrate that there exists another
independent solution exposing the same interface, and not bound to the same
terms as the licence of the existing server software.

Then comes the problem of creating proprietary software with the help of
third-party providers: if you contract with them, it should be enough to let
them sign a secrecy agreement, to keep your IPR private, even if they
happen to use (under private permission) your system: these third-party
providers (or any of their workers) are not allowed to reuse the system or
redistribute it legally to any other third-party (because it would be
stealing private properties they don't own or have no right of use for
themselves).

I see absolutely no difference here, if the proprietary system (that is not
redistributed) is using open-sourced/free software or proprietary licences.
The GPL viral effect does not apply when there's no redistribution (and not
even when there exists some distribution but this one is made illegally by
stealing secrets). There still remains in all cases the legal personal
responsibility of the distributor, independently of what may be said in the
licence: if the initial distributor violated some law, then this voids all
the invalid licences he gave directly or indirectly to its downstream users
or redistributors, but courts will still allow the downstream users a
reasonable time to recover from such a situation and are allowed to
become parties to a legal action against the initial illegal distributor of
invalid licences.

And even in this case, the legitimate IPR owner has to seek an
arrangement with those that have been abused, without threatening them first
with a lawsuit or claiming from them some huge royalties they may not even be
able to pay or that could put them out of business: courts will examine the
claims and will evaluate what was the financial benefit of using the claimed
IPR by the defendant and the size of this business, because the transaction
claimed by the IPR owner has to be fair: there must exist a chance to
negotiate the terms, given that such a sudden claim comes without possible
competition with other offers.

The defendant will then need time to evaluate the "offer" made by the
claiming IPR owner, and choose with other competing offers, using at least
as much time as it took the IPR owner to claim its rights: those
companies that come with claims years after an open-sourced or free or even
commercial solution has been developed, should also allow the same number of
years for the other (really abused) parties in order to find alternatives or
remove all use of the claimed IPR.

Licence risk management is not specific to open-source or free software. The
risks are in fact completely equal in the domain of proprietary commercial
software, as well as the way to recover in case of problems, and the need
to find a balancing solution. So, large organizations will need to manage
this risk, exactly like they also do with proprietary software: if they
can't manage it completely themselves, they should use the service of a risk
management organization that will provide assistance, servicing in case of
urgent need for replacement, advice for choosing between many available
solutions, advice to secure the accountability of their distributors, and
so on.

My opinion is that open-source/free software has a definitive advantage here:
in case of problems (such as IPR claims), it allows a much faster way to
recover from them, because it gives many more alternatives and replacement
solutions, and many more independent and competing providers for helping
them in due time, than with proprietary software requiring specific, often
rare, and costly skills. Open-source/free software really favors the
competition, removes many dependencies on single sources (that may also fail
themselves at any time) and will reduce the cost to defend yourself in case
of legal problems because you'll be able to solve the problem more rapidly.





