Blogger: Larry Cannell
This is the fourth in a series of blog posts intended to help IT managers understand open source licensing and its implications. In this post I cover the risk of inadvertently licensing proprietary software as open source by mixing it with a GPL-licensed product.
Recall that my research focuses on the use of communication, collaboration, and content management (3C) solutions within enterprises. As it turns out, a large number of the leading open source 3C products are licensed under the GPL. So care must be taken if organizations choose to integrate these products with enterprise systems. The concern has to do with the GPL’s Copyleft provision, which states that a system must be licensed under the GPL if any GPL-licensed source code was used to create it and it was distributed. A previous blog post discussed hereditary and permissive open source licenses in more detail.
But let’s say this up front: if your plans do not include modifying the source code of (or integrating with) a GPL-licensed product, or if you have no intention to distribute any software which involves GPL-licensed software (either linked or integrated with another system), then you should have nothing to worry about.
The issue I want to highlight here is where organizations are considering integrating a GPL-licensed product with an enterprise system. In some cases it is fairly straightforward to determine if a piece of software falls under the GPL. For example, if a developer links their source code with GPL-licensed source code then the resulting program is considered a derived work and would have to be licensed under the GPL, if it were distributed.
In her book “The Open Source Alternative: Understanding Risks and Leveraging Opportunities” Heather Meeker does a good job describing the “border dispute” of the Copyleft provision in the GPL. The problem is the GPL itself is not always clear as to what defines a program that is considered derived from GPL software. Meeker is very good at setting the scope of the issues and then exploring a number of scenarios regarding the applicability of Copyleft.
However, while Meeker’s background and analysis are interesting, I don’t intend to explore the legal issues brought on by the GPL in cases such as loadable kernel modules in Linux or proprietary operating systems running within a Xen host. What I want to briefly touch on here are the issues surrounding the use of GPL-licensed software within enterprise environments, most notably those which may have to integrate with corporate systems.
So let’s explore these issues by going through two scenarios:
- Configuring Drupal to use an enterprise’s directory system. For example, an enterprise uses Microsoft Active Directory as a central source of usernames and passwords. Should we be concerned with integrating Active Directory with a Drupal installation via an LDAP interface using the LDAP integration module?
- Surfacing data originating from an enterprise system within a sidebar on a blog running WordPress. For example, the latest sales numbers are displayed on a blog written by a marketing director, via a plugin which pulls data from their proprietary sales tracking system.
At first it may not be obvious that either of these scenarios would qualify as a derived work and be subjected to Copyleft. In both cases the GPL-licensed products involved (Drupal or WordPress) would probably not run on the same computers as the proprietary systems with which they are communicating.
To get some guidance we can refer to the Free Software Foundation. As Meeker says in her book: “The Free Software Foundation (FSF) is in some ways the de facto enforcer of the GNU General Public License (GPL).” To help clarify these types of questions about the GPL, the FSF has a frequently asked question list on their website. The answer to the question “I'd like to incorporate GPL-covered software in my proprietary system. Can I do this?” provides some illumination as to how the GPL applies to the above scenarios. It says in part:
“However, in many cases you can distribute the GPL-covered software alongside your proprietary system. To do this validly, you must make sure that the free and non-free programs communicate at arms length, that they are not combined in a way that would make them effectively a single program.”
In other words, it matters a great deal how a GPL-licensed program integrates with a proprietary system, regardless of whether they are on the same system (and, we should also note, given the pervasive connectivity of the Internet, it doesn’t matter if the two systems are on the same network or even in the same company). If they operate as a single program then the FSF considers them a single program now subject to Copyleft.
So, the key is to be able to demonstrate that the two systems involved can still be considered separate. In the first scenario (Drupal using Active Directory) communication between the two systems is done via a well-known protocol (LDAP). All of the software used in the Drupal system can operate as a separate entity by connecting to any LDAP-compatible directory, not just this particular Active Directory. The two systems are clearly separate programs.
The second scenario is less clear. In her book Meeker suggests “to focus on the spirit of the GPL rather than its letter” and goes on to say the degree to which the proprietary code can be considered a “black box” will help clarify whether there is sufficient “arms length” (as the FSF describes it above) between the two.
If the proprietary sales tracking system was custom-written by company employees and the company wrote a custom extension to serve the data along with a custom WordPress plugin to pull the data and display it within the blog, then this sounds like two systems performing as a single program and subject to Copyleft, if either of the two were distributed.
On the other extreme, let’s say the company purchased a widely available sales tracking system, which provides sales data in an RSS feed, and that feed is fetched by a WordPress RSS plugin (which can be used with any RSS feed) that simply displays the feed items on the blog. This certainly seems to qualify as a “black box” and the two systems can be considered separate.
In closing, while it makes sense for enterprises to use GPL-licensed software (after all, a large number of the leading open source 3C products are GPL-licensed), care must be taken when integrating them with proprietary systems.