Subject: Re: GNU and classified software
From: Frank Hecker <>
Date: Mon, 26 Mar 2001 00:22:08 -0500

Norbert Bollow wrote:
> So under your interpretation of the GPL, the NSA has the right
> to distribute "classified GPL'd software" to whoever they like
> while at the same time restricting the recipient of this
> "classified GPL'd software" from distributing the software
> further?

It is not the NSA itself that is restricting the distribution, it is US
government laws and egulations. (If it's confusing to think of the NSA
as distinct from the US government in this context, imagine a situation
where a government contractor creates classified software and
distributes it to another US government contractor.)

This is exactly analogous to the former situation in the US with regard
to encryption software. Prior to the US government export control
regulations being changed (say, back in 1999) a US citizen and resident
could create software implementing an encryption algorithm (DES, RSA,
whatever), license it under the GPL and distribute it to another US
resident; however the recipient of the software would be prohibited from
redistributing that software to further persons, if those persons were
not in the US (or Canada). That restriction was not imposed by the
creator of the software, it was imposed by US government laws and
regulations relating to encryption software.

> However the GPL is also designed to be incompatible with
> some types of licenses.  I would say that "This is classified
> software and you are hereby given security clearance to have
> it" is a GPL-incompatible software license.

I think there is confusion here between a license and an overriding law
or regulation. Prior to 2000, if I said, "This is encryption software
developed in the US, and you must be a US citizen or resident to have
it", that doesn't change the license, it just specifies that additional
laws and regulations apply over and above the license.

> In general I believe that it is best when
> software is publicly available even when the data that it
> processes may be confidential.

I don't disagree. For what it's worth, I doubt that there is or will be
much if any software created "from scratch" by NSA or anyone else that
is both classified and under the GPL. The original question was about
creating classified software using GPLed tools, which is a different
issue. I also suspect that there are also pre-existing GPLed products
used within classified environments, and I presume that the people using
those products may make in-house bug fixes and enhancements. However if
I would be very surprised to learn that NSA or anyone else had created a
classified application themselves and decided to license it under the

Frank Hecker            work:        home: