GPL vs. NDA dilemma

Do you have a question? Post it now! No Registration Necessary

Translate This Thread From English to

Threaded View
Here's a possible dilemma...

Let's say I work as a contractor modifying the Linux kernel
(or any GPL source) for companies who require me to sign NDAs.
Then I would give them the binaries and modified source per the GPL.

Then someone learns I've been modifying Linux and demands
the modifications I did for every client.
I must provide modified source code to 3rd parties per the GPL.

But NDAs prevent me admitting I ever made any modifications!
Distributing modifications is an implicit disclosure (a gray area).

Re: GPL vs. NDA dilemma
Quoted text here. Click to load it

Speak to a lawyer in your jurisdiction, but I would say that this falls
under section 6 of the GPL at least (my asterisks for emphasis):

"6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the original
licensor to copy, distribute or modify the Program subject to these terms
and conditions. **You may not impose any further restrictions on the
recipients' exercise of the rights granted herein**. You are not responsible
for enforcing compliance by third parties to this License."

Therefore, the companies you work for may not impose an NDA on you as far as
any work on GPL projects goes, or that's what I would assume from it.

Blane.



Re: GPL vs. NDA dilemma

Quoted text here. Click to load it

The company is violating the GPL if it distributed GPL code whilst attempting
to hide the fact that the binaries are modified. However, the wrongness of the
company behaviour does not necessarily make the NDA void nor does it make it
safe for the emloyee to violate the NDA.

There is a special case that the employee's responsibility as a citizen is of
greater significance that their responsibility under contract law so if they
know that someone else is breaking the law and getting away with it and if
their actions are in the public interest and the sort of actions that any
good citizen would have a duty to perform then they might get away with breaking
the NDA (but plenty of "whistle-blowers" have come out wearing the rough end
of the pineapple so don't think I'm offering any guarantees).

In most cases, it is easy for the recipient of the binaries to test for
themselves
whether they are the same as those generated from publicly available source and
the employee can safely give an anonymous tip-off that someone should do a bit
of testing and the message "leaks" out in the long run. However, embedded
devices are tricky because it can be very difficult to test or even examine the
binary so potentially embedded GPL code can be illegally distributed without
any ramifications simply because of lack of proof. Then again, this isn't a
fault of the GPL as such, after all, embedded devices might potentially contain
all sorts of copyright violations and with the chips locked down it is still
next to impossible to prove anything.

    - Tel


Re: GPL vs. NDA dilemma

Quoted text here. Click to load it

I've been modifying GPLd programs for my own use.
Can you *demand* that I give you my modifications? I don't think so.

Quoted text here. Click to load it

Only if *you* distribute the binaries. From GPL Preamble:

   For example, if you distribute copies of such a program, whether
   gratis or for a fee, you must give the recipients all the rights
   that you have.  You must make sure that they, too, receive or
   can get the source code.  And you must show them these terms so
   they know their rights.

Cheers,
--
In order to understand recursion you must first understand recursion.

Re: GPL vs. NDA dilemma

Quoted text here. Click to load it

Not really.


Yup.


Wrong.  You are only required by the GPL to provide sources to
people to whom you have provided binaries.  You have done that.

Quoted text here. Click to load it

Then don't.


Under the standard GPL, you're not obligated to give source
code to anybody except those to whom you've given binaries.

--
Grant Edwards                   grante             Yow!  I'm gliding over a
                                  at               NUCLEAR WASTE DUMP near
We've slightly trimmed the long signature. Click to see the full one.
Re: GPL vs. NDA dilemma

wrote:
Quoted text here. Click to load it

I assume that means only the modified binaries. i.e. does the source
code have to match the binaries? So if he gives a copy of the original
binary set to someone else, he has to give them the original source as
well.

Bob McConnell
N2SPP


Re: GPL vs. NDA dilemma

Quoted text here. Click to load it

Yes. If you give somebody a binary of a GPL program, you have to give them
the sources _for_that_binary_.  Giving them sources for some other program
would be pretty silly.

Quoted text here. Click to load it

Correct.

--
Grant Edwards                   grante             Yow!  If this is the DATING
                                  at               GAME I want to know your
We've slightly trimmed the long signature. Click to see the full one.
Re: GPL vs. NDA dilemma
wrote:
Quoted text here. Click to load it

Clarification: you're required by the GPL to provide sources to people
to whom you have provided binaries *provided that* you distribute the
sources with binaries. Otherwise if you distribute binaries without
sources, then any third party may ask for sources.

I know that doesn't apply in this specific case, but just wanted to be
clear :-).

Jifl
--
--[ "You can complain because roses have thorns, or you ]--
--[  can rejoice because thorns have roses." -Lincoln   ]-- Opinions==mine

Re: GPL vs. NDA dilemma
On Mon, 30 Jun 2003 01:42:37 +0100, Jonathan Larmour
Quoted text here. Click to load it

That's not quite true either.  You have to give it to a third party
who gets the binary from the party you distributed to.  I know the
words in the GPL say "any third party", but the FSF has clarified
in the GNU FAQ that the third party will have to present a copy of
your written offer to distribute.

The idea is that the party you gave the binary to will be obliged to
supply source code if they distribute.  They can satisfy their obligation
by giving the third party a copy of the written offer you made to provide
source code to third parties.  The third party then comes to you for the
source code.

Isaac

Re: GPL vs. NDA dilemma
Quoted text here. Click to load it

But wouldn't it then be that middle person's responsibility to deliver the
source code, since they distributed the binary to the third person? I mean,
after all, you have already given them the source code per GPL requirement,
so now they are required to share the source with the binary, not you. Or is
that what you said?

Quoted text here. Click to load it

Well, yes, that makes sense. But if someone else is redistributing without
direct access to the source code, isn't that person potentially in violation
of the GPL? After all, how can he know for sure that the requested source
matches the source still available on the web site.

If software producer A decides to discontinue distribution of a particular
version, but some third party distributes it and then sends someone to
software producer A for the source code of an old version that is no longer
available, who violated what? On one hand, software producer A no longer has
the source of an old piece of software. On the other hand, the redistributor
is sharing the software without any direct access to the source.



Re: GPL vs. NDA dilemma
Quoted text here. Click to load it

No. Distributing binaries with an offer for the source is potentially a
bigger burden than just distributing the source in the first place. Since
you will also need to accept offers that have been 'copied' in a
further binary distribution. There's no limit to the 'depth' of
this copying, and no limit to the number of requests for the source you
could recieve.

Quoted text here. Click to load it

A written offer is for the source that produced the binary. The original
written offer distributor has to keep the source around for three years,
yet another burden of using that method of distribution.

Quoted text here. Click to load it

If it's been less than three years since the offer was granted then A is
in violation.

Once the three years is up, then (from my understanding of the GPL) it's
possible to have GPLd software distributed without source. It would include
a written offer, but that offer would be out of date. It can only be
non-commercial distribution though.

--
Sam Holden


Re: GPL vs. NDA dilemma
wrote:
Quoted text here. Click to load it

In this case, I think it's all a purely "internal" modification anyway.  The
company in question modified the program for it's own internal use.  The
fact that the person who did it was a contractor rather than a "regular"
employee probably doesn't matter.

Of course IANAL...

--
Grant Edwards                   grante             Yow!  .. Should I get
                                  at               locked in the PRINCIPAL'S
We've slightly trimmed the long signature. Click to see the full one.
Re: GPL vs. NDA dilemma

Quoted text here. Click to load it

 
I was talking about a company that distributes (sells) a product
containing binaries from GPL source code modified by a contractor.

The company and contractor are two separate parties.
The contractor distributed the binaries/source to his client.
The client (company) in turn distributes just the binaries to customers
in whatever product they're selling.

Let's say someone who has never heard of the company but has heard of
the contractor tells the contractor to surrender all modified GPL source.
The contractor is forced to say, "My NDA prevents me from disclosing my work".

Re: GPL vs. NDA dilemma
Quoted text here. Click to load it

The GPL doesn't require the contractor to redistribute his work.  It says
*if* you redistribute binaries, you must also make sources available.

So he can comply with the NDA by not distributing the binaries to that
third party.  Then he doesn't have to give them sources, either.

If they managed to get the binaries from someone else, they should go to
them to get the sources as well (the GPL should ensure that this is
possible).

--
Barry Margolin, snipped-for-privacy@level3.com
Level(3), Woburn, MA
We've slightly trimmed the long signature. Click to see the full one.
Re: GPL vs. NDA dilemma

Quoted text here. Click to load it

That's the part I'm not too sure about.

Quoted text here. Click to load it

I guess it depends on the contract.  When I did contract work,
the work done under contract belongs entirely to the
contractor, just like work done by a regular employee.  I
didn't have any rights to the work and didn't "distribute" it
to anybody: the owner of the work just used it.  When I build a
program here in my office for use by others in my company, I'm
not distributing it to anybody (legally).

Quoted text here. Click to load it

My point is that it probably was never "his work" at all.  It
always belonged to the contracting company if his contracts
read anything like mine used to.

--
Grant Edwards                   grante             Yow!  Wow! Look!! A stray
                                  at               meatball!! Let's interview
We've slightly trimmed the long signature. Click to see the full one.
Re: GPL vs. NDA dilemma
Quoted text here. Click to load it

I believe the legal phrase for this is "work for hire".

--
Barry Margolin, snipped-for-privacy@level3.com
Level(3), Woburn, MA
We've slightly trimmed the long signature. Click to see the full one.
Re: GPL vs. NDA dilemma

Quoted text here. Click to load it


They are in a legal context, and by corollary, in the GPL context.


Quoted text here. Click to load it


With all due resp, I believe you mean the contracted work
belongs to the company, not the contractor.


Quoted text here. Click to load it


Yes, a contractor doesn't have rights to non-GPL source.
That's legal and typical.

But in the spirit of the GPL, everybody on the planet has rights
to GPL source whether in original or modified form.  So a contract clause
where "source code is the exclusive property of Company ABC" isn't binding
if the source is protected by the GPL.  But tech companies can and
invariably do stipulate an NDA clause.


Quoted text here. Click to load it


Yes, reasonably, there shouldn't be any GPL issues if you're just
letting people use your GPL binaries on your machines.

Re: GPL vs. NDA dilemma
Quoted text here. Click to load it

No they don't.  They have a pseudo-right demand source code if they receive a
binary.   Their position falls short of a right because they cannot enforce
it at all other than by asking.  Only the copyright holder of the original
source code has any real ability to enforce the GPL.

And the pseudo right doesn't belong to everyone.  No one can require that
someone give them code merely because the code was licensed under the GPL.
They have to be distributed a binary first.

Isaac

Re: GPL vs. NDA dilemma

Quoted text here. Click to load it

Yea, That's what I meant.  I was using contractor (probably
incorrectly) to refer to the "employer" and contractee to refer
to the "coder".

Quoted text here. Click to load it

Only if they've been given a binary.

--
Grant Edwards                   grante             Yow!  There's a SALE on
                                  at               STRETCH SOCKS down at the
We've slightly trimmed the long signature. Click to see the full one.
Re: GPL vs. NDA dilemma
Quoted text here. Click to load it

Perhaps.  But in general the question of what rights the customer and the
hiree are going to have to code ought to be negotiated up front.  If based
on that discussion, it turns out to be inappropriate that GPL code can be
used, then the hiree should avoid using it, even if that means that he
must turn down the work.

Isaac

Site Timeline