Comments on: In acquiring Merrill Lynch, must Bank of America open source its software?

When a company like Bank of America acquires an open-source, software-rich Merrill Lynch, does it need to contribute that software back to the open-source community?

[mpsayler]

At least as far as the GPLv2, this isn't true right? (this is how Cygnus sold gcc to individual vendors..) GPLv2 SS3:

"3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software
interchange; or,

b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)"

So.. If I sell both the source and binary, I don't have to provide a license to all third parties.

[Matt Asay]

Btw, for those interested, a year ago a CTO of a large enterprise told me that he was absolutely of the belief that something like the Merrill acquisition would constitute a distribution and trigger the requirement to open source the code....

[Matt Asay]

But by this same reasoning, Red Hat (which distributes a binary of RHEL) would be immune from CentOS and others redistributing its software, instead of using its trademark strategy. If it were simply a matter of "I distributed a binary, therefore I'm safe from third parties gaining access to the code, then CentOS would not exist.

[Matt Asay]

@mpsayler: I'm not sure I understand. Can you clarify? 3(b) would seem to indicate that "any third party" can claim access to the source code that Merrill might privately distribute to BofA. Am I misunderstanding your point?

[selinux]

Read it again Matt, you are only feeding the foolish fear that the GPL will steal their work that many CIO's have. The distributor gets to choose "one of the following." Merrill Lynch will most likely choose 3a. They will give BoA both the binary and the source code. 3b only applies if you do not provide the source with the binary.

Once BoA has the source they will be able to choose to distribute that source however they want, but nothing is going to force them to distribute it at all. The no additional restrictions clause would stop Merril from forbidding BoA from giving out the source, but this is a non-issue.

If both you, and the person you give your source/binary to are complicit in the fact that you both independently don't want to give away the source there is nothing anyone can do to take that source from you. There is also nothing either party can do to stop the other from giving it away.

[jdzions]

selinux's analysis is precisely and exactly correct. If you didn't receive the binary distribution, you're not a party to the license. If you did receive it, the license merely tells you what your rights are. BofA has the right to distribute the code, but they're not going to (it's part of the value they got in exchange for their money), and no one can compel them to unless they receive a distribution from BofA.

[Matt Asay]

But what you seem to be overlooking is that Section 3 only applies if someone opts to distribute code in executable or binary format. It doesn't obviate the requirements under Sections 1 and 2, so far as I can tell. Indeed, it calls out the need to comply with those sections. I don't think the 3a dodge is a dodge at all....

Nah, it's not a distribution. Even if it were, they would just give themselves the source (as the GPL requires that those who receive the binaries get the source, not the general public).

In other words, this isn't that much ado about nothing.

[lucaf]

Matt,
Please add an "update" to your post. Most people don't read comments, and as it is your post - besides incorrect - is feeding unjustified FUD about open source.

[Matt Asay]

I would if I were convinced. I've heard equal and opposing arguments from those whose perspectives I value. I'm not trying to feed any fear here: I make money with open source, not fear of open source. But I think there's a real question here, and I'm not convinced by selinux's analysis, as if true, I think we'd see far different behavior in the industry today than we do.

[drdavid hill]

There is just one litmus test that you have to use when looking at regulation of the domestic and global banking system.
If the banks were government owned they would not have been allowed to operate the present system of self-regulation with no checks on their operations.
Q. why is it that governments around the world allow this self-certifying system to operate freely in the private sector therefore, for after all, they are dealing with our money and not theirs aren't they ?
A. The answer can only be that governments and politicians are in the back pockets of the banks and have listened far too long to our financial institutions. For this can only be the answer why regulation has not been introduced as a free-market philosophy has been shown clearly not to work and to be totally detrimental to the wealth of billions of people worldwide. Indeed, the sheer harm that this open system does is incalculable.

Dr David Hill
World Innovation Foundation Charity (WIFC)
Bern, Switzerland

[lucaf]

Matt,
I tried to figure out how to email you directly instead of posting another comment, so feel free not to publish this one because I am not sure I can be direct without being rude (which I certainly don't mean to be).
Anybody with a relatively basic understanding of open source licensing will see your post as undeniably incorrect. The fact that the source of incorrect information is a columnist "expert" about open source does not help your reputation. And the fact that you remain "unconvinced" after several people kindly pointed out the precise language of the GPL helps you even less.
Just to clarify - please re-read the language of the GPL, paying specific attention to the "provided that you do also ONE of the following" bit. It's not a matter of being convinced or not - it's a matter of English language.
Again, I mean to be constructive here. Please email me directly if I can be of any further help -- lucaf at lucaf dot com.

[lucaf]

Matt,
Some more pointers for you. The language mentioned above kicks in only when you "distribute" or "publish". The only way an acquisition could be construed as "distribution" is in the case of an asset sale, which is certainly not the BofA/ML case.
I believe it's even questionable whether an asset sale would constitute "distribution". In an asset sale what is sold is not the modified code but rather the full IP rights to it -- in other words the buyer steps into the shoes of the seller. "Distribution" would instead entail an expansion of the number of licensees.
Finally, just think that modified GPL code is used within many corporations, and M&A activity hasn't stopped. If you look at all the cases of "poisonous GPL code" in the context of M&A due diligence, it's about incorporating GPL code within a proprietary software product licensed to third parties, which would trigger the source code release (but, again, only to such third parties!).
Hope this helps...

[lucaf]

Not sure what the relevance of Red Hat / CentOS is, since those are examples of software licensed to third parties, not used internally.

I completely agree with Matt regarding binary distribution.

Sections 1 and 2 (of GPL v2) are about distribution and publishing to third parties. Section 2 requires that if you distribute or publish to any third party, you have to give all such third parties the source code. Hence even if you consider that BofA and ML post-merger are separate parties and there's a "distribution" of software from ML to BofA, ML's obligations to disclose the source code are only towards BofA. Just to clarify: in the context of the GPL the "first party" is who is granting the license (e.g. the Apache Foundation), the "second party" in this case would be ML, and the "third party" is somebody the software is distributed or published to.

[mpsayler]

Don't take my word for it, though. Check out the FSF's opinion:

http://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLRequireSourcePostedPublic (and several subsequent sections)

"But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL." (the users, not the public)

"If I know someone has a copy of a GPL-covered program, can I demand he give me a copy?
No. The GPL gives him permission to make and redistribute copies of the program if he chooses to do so. He also has the right not to redistribute the program, if that is what he chooses. "

"What does this ?written offer valid for any third party? mean? Does that mean everyone in the world can get the source to any GPL'ed program no matter what?

If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it.

If you commercially distribute binaries not accompanied with source code, the GPL says you must provide a written offer to distribute the source code later. When users non-commercially redistribute the binaries they received from you, they must pass along a copy of this written offer. This means that people who did not get the binaries directly from you can still receive copies of the source code, along with the written offer.

The reason we require the offer to be valid for any third party is so that people who receive the binaries indirectly in that way can order the source code from you. "

"The GPL says that modified versions, if released, must be ?licensed ? to all third parties.? Who are these third parties?
Section 2 says that modified versions you distribute must be licensed to all third parties under the GPL. ?All third parties? means absolutely everyone?but this does not require you to do anything physically for them. It only means they have a license from you, under the GPL, for your version. "

-----------------

IOW, you have to get a copy of the binary before you can think about asking for the source--if the author distributed the source and binaries in the first place.

[mpsayler]

I think the above posters clarified for me, but you get to chose one of the section 3 items. If you give the source, you don't have to make it public (you can't *prevent* the person you give the source to from giving it away, but if they have no incentive to do that...)