Subject: Re: JBoss acquired by Red Hat
From: Thomas Lord <lord@emf.net>
Date: Mon, 01 May 2006 13:57:59 -0700

Russ Nelson wrote:
>  > I'm sorry, I just don't understand how your comment is responsive.   Can
>  > you explain?
>
> Assuming a sane NDA, the Customer need take no action to release
> Consultant from the NDA.  The act of distribution simultaneously
> releases the Consultant from the NDA, and so is not a restriction.
>   
Got it.  Thank you.  I was having a serious bout of "It's like I'm
from another planet," for a second there.

I think you are right that Customer does not need to pro-actively
notify client of his release from the NDA so yes, at first glance,
it looks like Customer is passive here.  It's not so, though.

Consultant must be able to discern, at any given point in time,
whether or not she has been released from the NDA.
Otherwise, the agreement is not practicable.

One trivial possibility is that Consultant is released from the NDA
as soon as she asks whether she is or not.   This would require
nothing special from Customer.   It would also make the NDA
null -- so it is an absurd possibility.

The other possibility is that Consultant can sometimes be told
by Customer "No, you have not yet been released from the
NDA."    What is required for Customer to be able to say that?
Well, Customer must keep track of whether or not Customer
has distributed the program.   And if Customer *has*
distributed the program, Customer must make sure to give
a "Yes, you have been released," answer.

That may seem like a minor point but it is not.  If Customer
gives an inaccurate "No" answer, Consultant may suffer
damages or a third party suffer harm.   If Customer distributes
the program without, *in addition*, keeping track of the fact
he has done so -- Customer can be liable.  Especially if
Customer is a large corporation, keeping track of whether
or not redistribution has taken place is non-trivial.

So there is an extra restriction on Customer's own right
to distribute this secret program.   Customer can only do
so while protecting Consultant and third parties that Consultant
might be in a position to help.   The existence of that extra
restriction is what violates the GPL.

> If the Consultant distributes code to a Third Party and a Customer
> with whom he has executed an NDA such that the code is covered by the
> NDA, the Consultant has screwed up.  
This is part of the confusion between us.  I have made two separate
arguments.   In the stuff above this, I am talking about one argument.
In the stuff I just quoted from you, you are talking about a separate
argument.

In this second argument, yes, Consultant has screwed up and can
even be thrown in jail.   My concern here, though, isn't for Consultant --
it's for innocent third parties who legitimately and legally receive
further copies of this distribution under the terms of the GPL.

Those third parties are not guilty of any crime.   The GPL did, in fact,
ensure their permission to receive these copies, begin using them, begin
modifying them, and begin redistributing them.

If the program were not a trade secret, that would be the end of
the story.   Because the program *is* a trade secret, upon receiving
notice from Customer, these third parties can have their GPL rights
revoked.

In this way, Consultant has failed to distribute the program to
Customer under a license that is valid for all third parties, free of
charge.  By section 2b, Consultant violated the GPL in distributing
the program to Customer.

> Every branch of your concern ends up with "and X screwed up and hurt
> himself." 
No.  One argument (about Customer's rights) says that nobody
screwed up but Customer received a GPL distribution with
forbidden extra conditions attached.   The other argument
says that, yes, X screwed up but, additionally, X distributed
a program to Y without causing the program to be licensed
to all (particularly innocent) third parties -- X violated
the GPL with that initial distribution, before any screw-up
occurred.  The fate of third parties after a leak of the secret
simply highlights X's initial violation of the GPL.

>  I don't argue that people don't make mistakes.  I argue
> that you are wrong to say that because X might make a mistake, some
> other party or agreement should be different.  Sorry, we're all adults
> here.  You screw up and hurt yourself, well, it's a learning
> experience.
>
>   
I have no sympathy for Consultant if Consultant violates the NDA.
I have no sympathy for an employee of Customer if that employee
violates their own NDA.    Fines, jail, whatever.  That's what ya get.[*]

My concern is about innocent third parties who do not break any
law, legally receive a distribution of a GPLed program, then have
the GPL invalidated as the result of a chain of events which begins
with the act of Consultant distributing a derived work of a GPLed
program to Customer under an NDA.    Since the license is not
valid for these third parties who legally received a distribution,
Consultant has failed to cause his distribution to be licensed as
required by 2b of the GPL.

So, while the leaker is in trouble for breaking the NDA?  In
addition, Consultant violated the GPL in the first place.

Does the violation exist even if no leak ever takes place?  You would
say no, I gather.   As far as I can tell, it depends on what a
court would find to be the essence of clause 2b of the GPL.  I think
the essence is to ensure software freedoms for all users who
might legally come into possession of the program.   The transitivity
of the GPL, central to its very construction, is all about that.
Even if a leak has not taken place, Consultant has undermined
that guarantee of transitivity.   She has thwarted the intentions
of the author of the original program.   So, yes, even in the absence
of an actual leak, I would argue that Consultant has violated the
GPL.

-t


[*] "I have no sympathy for Consultant if Consultant violates the NDA.
       I have no sympathy for an employee of Customer if that employee
       violates their own NDA.    Fines, jail, whatever.  That's what ya
       get."

     Presuming, of course, that the leaker is not leaking out of a necessity
     to protect public safety, national security, an individual life, or
     whatever.