Subject: Re: Apology to Cygnus, FSB, all
From: craig@jcb-sc.com
Date: 26 Jun 1999 19:42:33 -0000

>I think that there is a tangled mess in the interaction between NDAs and GPL,
>and I obviously don't agree with Michael's interpretation of how the relevant
>law plays out.  Someday a court will have to figure it out.

I take it that your last sentence here is not a statement of fact (or
a threat) regarding *this* case, but regarding the likelihood of a similar
arrangement reaching litigation down the road?

In any case, Michael's interpretation makes a lot of sense to me, but
that's *assuming* his statement of the facts are correct.  And they don't
seem to be actually *contradicted* by your statement of *facts*, if I've
been reading properly, although clearly you disagree about the
interpretation of those facts.

If Cygnus said "we'll now distribute this GPL'ed code to you, because
Sun tells us you've signed an NDA", they have not violated the GPL
on that basis.

If Cygnus said "we'll distribute this GPL'ed code to you on the condition
that you *not* distribute it further, except to *others* who have signed
an NDA", then they *did* violate the GPL.  The GPL does not permit the
adding of such conditions upon distribution.

My impression is that, if anyone, *Sun* told you the latter, not Cygnus.

The question is, what or who actually *prevented* you distributing the
GPL'ed code further?

If you signed an agreement that said you would not distribute even *GPL'ed*
code -- code that was distributed to *you* -- further, then whoever got
you to sign that agreement violated the GPL.

However, whether you actually signed such an agreement depends on the
wording of the NDA.  If the wording includes only material that has
not been *legally* made public, then it does not apply to anything
*legally* distributed as part of a GPL'ed product, because *that*
information, by definition, *has* been made public -- or, at least,
legally distributed under terms that permits any recipients to make
the information public.

In this case, it's similar to MacroHard Corp. shipping "betas" of its
Looz3000 software to five customers under strict NDA, then shipping
it to a sixth customer *without* NDA, allowing that sixth customer
to disclose the relevant info.  If the NDA allowed sharing information
already made available to others *not* under NDA (an automatic-
expiration clause, or applicable default), then the mere act of
shipping to that sixth customer annulled the NDA the other five
customers were under vis-a-vis that particular "secret" information.

However, if the NDA you signed restricted you from sharing the GPL'ed
code further *even if* others *not* under NDA had received that same
code, then you signed a document that was, vis-a-vis GPL'ed code containing
that NDA'd material, unenforceable.

There are two legal avenues of relief I can think of offhand.

One is for you to distribute the GPL'ed code anyway.  The license for
the code *you* received clearly stated you could do that, and, as long
as it wasn't *you* adding NDA'd material to the code you redistributed,
you're in the clear.  The risk is that you get sued by the company that
says you signed an NDA, but you can quite simply point out that it wasn't
*you* who put the NDA'd material out for public viewing -- it was whoever
put that into the GPL'ed code in the first place *and* subsequently
distributed it (ultimately) to you.

Another is for copyright holders of the GPL'ed code (not necessarily the
NDA'd portions) to demand source code for the NDA'd version, assuming
it was distributed to you (or anyone else) binary-only (GPL, 3b), and
sue if that demand was not met.  This is a safer choice for you, since
it leaves you entirely out of the picture (assuming you haven't distributed
the binaries further).  But I don't see how this could work if all of
the NDA-containing distributions are made with source (GPL, 1 & 2).

It's still reasonable for, say, Sun to insist you sign an NDA before
Cygnus ships you code that incorporates the NDA'd code, as long as that
NDA doesn't attempt (since it can't, legally, succeed) to prevent your
redistributing unmodified GPL'ed code containing NDA'd material, because
that prevents you from simply re-doing the NDA'd implementation in the
GPL'ed code and shipping the result as a proprietary, or competitive,
program.

That is, the NDA prevents you from simply disclosing the information
you receive, and also prevents you from gaining a "leg up" on the GPL'ed
distribution you receive, which already has some implementation details
based on the NDA'd information, at the expense of the organization
*creating* the NDA'd information in the first place.

In short, I believe the legal case is clear if a signed NDA attempts
to prevent redistributing (again, unmodified, to be clear about this
case) GPL'ed code containing material protected by that NDA, because:

  -  The GPL clearly spells out the terms of distribution and
     modification, which do not permit adding restrictions upon
     distribution.

  -  The organization attempting to enforce such an NDA against a
     redistributor can (presumably) be shown to have previously had
     opportunity, i.e. an option, to prevent the NDA'd material from
     ending up on a GPL'ed distribution in the first place.

  -  The authors of the non-NDA-related GPL'ed code had (presumably)
     no say in the decision between multiple parties to sign that NDA,
     or to insert NDA-related code into a distributed derivation of
     their product.

  -  Therefore, the intent of the GPL (protecting the code) trumps the
     intent of the signatories to the NDA, because the latter had
     plenty of opportunity to foresee and avoid the conflict, while
     the authors of the GPL code had no such opportunity.

Of course, IANAL (I Am Not A Lawyer), but I used to play one on
gnu.misc.discuss.  ;-)

        tq vm, (burley)