Subject: Re: JBoss acquired by Red Hat
From: Thomas Lord <>
Date: Thu, 27 Apr 2006 09:41:26 -0700

Jamie Lokier wrote:
>> What non-discrimination means is that the license you grant may not
>> impose any restrictions on redistribution by those who receive it from
>> you, ie, outside of your legal person, whether an individual or
>> corporate.
> This seems not dissimilar to the distribution of open source code
> under NDA in an ordinary (i.e. not military) business context.
Be careful with your terms.

It is the FSF's position that *distribution* of GPLed code under an NDA is
prohibited by GPL because the NDA would impose a further restriction
on redistribution.[1]

What you *may* do, *according to the FSF*, is agree to work with or on a
GPLed program under an NDA in conditions in which you are not receiving
or making distributions.  This could be considered analogous to you coming
into my office and, under the agreement between us, you may use my computer
to add a new feature to undistributed code I have there.  I haven't
distributed the program to you.  You haven't gained any GPL rights.
Well, why do we need a specific computer for this?  With an NDA you can
do the development on your own machine but it still counts as
work-for-hire using data (the GPLed code) you get to see only under the
NDA.  Companies have been using this trick since at least the days of
Cygnus Support.[2]

As a personal observation: I think the FSF is dead wrong here.  It's
ironic that (the story goes) the free software movement started in
response to RMS' to receive a copy of some printer control software
written by Xerox.  A had a copy but had signed an NDA to receive it and
therefore refused to give a copy to RMS.

I would argue that FSF is legally wrong because the distinction they
draw relies on a logically incoherent definition of what comprises a
"distribution" -- a question which I understand to be unsettled in case
law.  It's also a question on which FSF has some positions that strike
me as incompatible with its position on NDA.

The FSF is ethically wrong because work of this sort under an NDA is a
case of the employee giving up their software freedoms in exchange for
the of a particular job.  What can easily result is for the employee to
be left in a bind -- a choice between two evils:  breaking the agreement
or helping a in need.

They are pragmatically wrong because the NDA loophole can, and as far as
I can tell *is* used for the primary purpose of undermining the GPL.

Now, I'm not as hardline as it might sound at first.

First, basic public safety and national defense can clearly trump
copyright licensing.  Nobody may negligently imperil others or violate
legitimate national laws and expect to be excused because of a software
license.  This is similar to why nobody may shout "fire" in a crowded
theater or take out an ad in the advertising bomb schematics and claim
immunity on the basis of the first

Second, yes, companies need secrets too.  The canonical example is a
company building a new kind of CPU.  Their instruction set is not
publicly disclosed yet but now is the time to do the GCC port.  How can
this be done, if not via an NDA?  Key to the answer is that an NDA
really affords very little actual protection.  If the agent you hire for
this work is poor, then no penalty you can collect for unauthorized
disclosure will be enough.  If the agent you hire for this work is rich,
and they are at all smart, they will construct legal barriers around the
work to limit their liability to be not much better than in the case of
the poor guy.  If you really value non-disclosure that highly you ought
to be talking to Lloyd's of London.  Therefore, instead of an NDA, you
should provide incentives.  If your agent manages to not disclose your
secrets for some period of time, you pay them a bonus in one form or
another.

What of cases where, in theory, the disclosure of the secret would be so
valuable to your competitors that no bonus you could afford to provide
would be enough to match what your competitors might pay?  This is
probably not an uncommon case.  When a competitor uses superior
resources to monopolize access to common we call this an unfair trade
practice and you can go after your competitor.  In fear of this, many
competitors are already very conservative in their tactics for gathering
business intelligence and influencing common suppliers.  Those who are
not tend to come under legal attack.

What of cases where your supplier is left in a different kind of bind?
They can help a neighbor by disclosing your secret or they can collect a
bonus from you?  Well, the key thing is that if they help their neighbor
-- *and* you therefore decide to not pay the bonus -- then your supplier
is left no worse off and his neighbor is helped.  Your supplier has the
choice between the greater of two goods rather than between the lesser
of two evils.  Best of all in this arrangement is the opportunity for
forgiveness.  In the heat of the moment your supplier can help his
neighbor, explain the situation, and perhaps offer to share the bonus
with the neighbor.  So long as that neighbor is not your competitor, and
does not further disclose your secret where you don't want it to be
seen, you can say "Ok, the bonus program is intact."  In some sense this
simply recognizes and formalizes the patterns under which a lot of in
(e.g.) Silicon Valley has taken place for years and years.


[1] According to the FSF you may not distribute GPL code under NDA

[2] According to the FSF, you may work on GPL code under NDA without
      receiving a distribution of it