Last week started talking about GPL 3.0 and the fact that folks on both sides don't seem to want you to read it. In addition, we discussed the basics of software licenses, and how the new model presented by the GPL creates some challenges for companies.
Now I'll dig a little deeper into how the GPL poses risks to your business, and make some suggestion on how to approach the new -- and highly contentious -- GPL 3.0 that many in the open source movement can't seem to agree on and argue that you simply may not be able to avoid it, whether you want to or not.
What makes the GPL different is that it has built within it provisions that ensure people who develop custom code on GPL'd products contribute to the overall software effort. In effect, it has built-in payment terms, but in this case the payment is intellectual property, not cash.
Typically, the only person who has the right to give away a firm's intellectual property is the CEO, and even then it may still require board approval. The Free Software Foundation, the organization driving this license type, has as a primary goal the elimination of software intellectual property rights to promote broader collaboration and increase innovation.
I doubt very much your organization's approval policy has been altered to take into account the GPL. Not only might you want to correct this, but you will likely be held to the terms and intent of the policy, and it would be wise to know the related implications.
This IP-sharing component is fundamentally different from other software license types. In addition, like any other license, this license attempts to follow the code. So, for instance, if a piece of protected code were to make it into a third-party product with a proprietary license, your choice as a user or vendor would be to either settle with the content owner or stop using the offending product.
However, under the GPL, if you are using an infringing product, you may now be bound under the conditions of the GPL, even though you were not aware of the connection. This suggests that even if you never plan to use the GPL, your legal folks should be up to speed on it because it is likely you are, or will be, unintentionally bound by it in the future.
As with any new contract type, there is the risk of unintended consequences. This primarily follows from the fact that the clauses in the contract have not yet been creatively interpreted by those either unintentionally or intentionally misreading them. For the most part, at least from what I can interpret myself (and my own legal skills are not up to date nor is the agreement final), it would appear the risks largely reside with your ability to protect any intellectual property you develop on or with code protected by any version of the GPL. Enforcing the 3.0 version of the GPL will be a nightmare, largely due to its complexity, and I doubt we will know the full scope of the license change for some time after it is put into place.
There may be certain things you will avoid with the platform and certain procedures you can use to mitigate the risk, but to adequately make a decision you need a contract expert that is both current and has your best interests at heart.
Legal Department Problem
This isn't a trivial problem, because most legal departments are focused on traditional contracts and the GPL, in all its forms, is not traditional. When lawyers see something new, they have a tendency to "just say no" because that, to them, is the safest path. Lawyers only get into real trouble when they say yes by mistake, no has little risk.
This probably goes a long way to explain why a number of companies have outlawed open source in general and why a number of IT organizations are quietly going around their management and legal departments.
This is a risky path and, should they be found out, creates a potential board-level disclosure event with very painful consequences, including termination (in fact that's generally what is recommended because of the breach of trust at the foundation of the act).
Preparing for GPL 3.0
The latest form of the GPL is undergoing final review. If you are already tied to Linux, your legal department should be up to speed on it and, if they have concerns, they should be expressing them to the Free Software Foundation. Once in place, this agreement should, by following the code created under it, become the dominant form of the GPL until it is replaced by a later version.
You can't hide from it or dodge it, and eventually it will either be used to your benefit or used to your detriment. The key difference is knowledge.
I'm not suggesting you need to study law and become an expert on this license type -- only that you need to make sure those that have that background and have the mission to protect your company do so.
What bothers me about the agreement is that the goals are not aligned with what customers want -- which would probably suggest a focus on making it easier to get through an approval process -- but the goals of the FSF. This is no different from the development path for a proprietary license and suggests, underneath all of the rhetoric, that there are good reasons to watch this effort more closely.
In the end, much like it would be if you were buying a car or a house, if anyone tells you to not worry about the small print, that's the time to start reading it. Make sure someone who is qualified and whom you trust to have your best interest at heart has reviewed this license before you fall under it and take their recommendations to heart.
So What Is the Real Truth Behind GPL 3.0?
It is a contract, one you probably can't change, one that needs appropriate approval, and one you should treat with the same deference and concern as any other contract. In other words, you have an expert advise you on it. It is also one you probably can't avoid, which suggests you need to make sure your legal folks are up to speed on it, and contributing where appropriate to its wording.
Should you be concerned? If someone was unilaterally changing a contract I lived under, I'd be concerned. The time for comment is now. If you or your company aren't involved, you probably should be, and anyone who says you either shouldn't be concerned or shouldn't be involved is suspect.
Or to quote Linus Torvolds: "...I would be totally crazy to accept a license for my code sight unseen."
I don't think Linus will have a choice with regard to GPL 3.0 any more than you will, and that is something to think about.