Friday, January 20, 2006

 

More FUD about the GPL

Just completed reading a "study" put out by a company called Wasabi Systems. (No, I will not provide a link). The article itself is well written, and is scholarly. On the intro page, they claimed this:-

"Recently, however, some have called into question the use of Linux in embedded applications due to the strictures of Linux's GPL license, which requires that any source code that is changed also be released free of charge. Unfortunately, many of these "critiques" are merely spreading fear, uncertainty, and doubt. However, the GPL does have important legal requirements which may be of critical importance, depending on your business.
At Wasabi Systems, we use GPL software, BSD-licensed software, and proprietary software. Since our customers frequently choose our solutions because we offer a range of licensing options, our legal department, headed by Jay Michaelson, a widely-published expert on software licensing, has created this website to separate myth from fact for those considering Linux or BSD.
On this site, you will find a short "Licensing 101" guide to when the GPL requires you to share code, and when it doesn't. You'll find out exactly which business uses the GPL really affects and which it doesn't. You'll learn how the Sarbanes-Oxley Act changes the open source landscape by making GPL violations a federal crime. And you'll learn how Loadable Kernel Modules may be the riskiest Linux bet of all."

The thesis of this study seems to be "use software under a BSD-ish license, else you have trouble from all sides of the world, including the securities law." The reason, of course, is obvious.

At Wasabi Systems, we use GPL software all the time in our GNU toolchain business. The customizations we do are not significant intellectual property, and we share them. But for our OS customers, we don't recommend Linux. Instead, we suggest Wasabi Certified(tm) BSD, which has a court-tested, business-friendly BSD license that lets our customers do whatever they like with the code. BSD offers all the Unix-like functionality of Linux, wide platform support, certification and testing -- and no GPL. You can have the benefits of open source Unix without the GPL.

It is one thing to say that you prefer a non-copyleft license; but to say things like this about the GPL is mere FUD; and here is why. But, first, let us have a look at what Wasabi has to say.

The United States of America has this law, called the "Sarbanes-Oxley Act", a piece of legislation aimed at better corporate governance. The FUD Wasabi wants to spread is this - if you use the GPL, you risk violating the Sarbanes-Oxley Act; but if you use the BSD license, you need not bother. And the write up is precisely targeted at the decision makers - the executives. Here are the excerpts from the article.

What's more, due to the new provisions of the Sarbanes-Oxley Act, legal review of processes relating to GPL compliance may be required by the law. Thus, even if you're complying with the GPL, not having your legal counsel review all GPL use may be breaking federal securities laws.
( .... )
As a vital part of this certification process, the executives are required to discuss and evaluate the internal controls and procedures used in generating the financial data that is ultimately reported. Executives must not only certify that what they say is true; they have to certify that they have systems in place for making sure it is.
( ... )
(As discussed above none of this applies to companies who merely use GPL software, such as those who run Linux on their servers, as long as their software was created in a compliant way. In addition, none of this applies to companies using non-GPL open source software, such as BSD; in the case of BSD, there is no requirement to make modifications open source. Rather, the requirements discussed here apply to companies who modify GPL software, such as embedded OEMs using Linux.)
( ... )
What if your company complies with the GPL? Are you necessarily in compliance with Sarbanes-Oxley?
Even companies which comply with the GPL may be violating the Sarbanes-Oxley Act if they do not adequately comply. Even if an executive thinks the company is complying, s/he may still be breaking the law if adequate control measures are not in place. What that means is unclear - but, at a minimum, it requires a lawyer. Identifying and mitigating the damage that could arise from the inclusion of GPL-governed open source software fragments that carry with them onerous licensing requirements is essentially the practice of copyright law.
( ... )
For companies that modify GPL software, lawyers must be intimately involved in software development processes in order to fulfil the requirements of the Sarbanes-Oxley Act. Ensuring legal review of GPL compliance is not merely virtuous. For public companies, it is required. Is it enough to make a CD containing source code available to anyone who asks? Or does the source code need to be available online? Lawyers, not engineers, must answer these questions for internal controls to be "adequate" under the law.

The quotes are from various pages of the article; and as I said before, I am not going to link to the article; you can go to their web site, and the article has an index page linked from the /gpl/ directory.

What intrigued me was the innuendo that use of software under the GPL, and not the other laws, warranted closer scrutiny by corporate executives, and involvement of lawyers to ensure - not mere GPL compliance, but also compliance with compliance requirements of Sarbanes-Oxley Act. (see the files named sox.html and soxintro.html)

What the law requires is that executives should ensure (a) truthful reporting of the assets of a corporation, and (b) that systems are in place to ensure truthful reporting.

The procedures and "due diligence" should exist with respect to all activities involving use of copyrighted material, not merely those covered by the GPL. Thus, if a corporation claims that it owns some code under a BSD-ish license, the executives still have the obligation to ensure that the code is actually owned by the corporation.

It should be noted that the BSD-ish licenses, especially those without an "advertisement" clause, do not oblige the distributors to disclose the sources of the license; hence there would be no violation of license itself if a distributor falsely claims that they are owners of the copyrighted work. But they are still in violation of the SOX Act.

FUDding the GPL is bad, more so when you simply want to sell a product under a non-copyleft license.

