Question about usage of a GPL-licensed library in a proprietary product

Hi,

I inherited a 15+ year old Python application, which I am about to port to Python 3.

The application is a proprietary, web-based intranet solution, which is only deployed in-house and used by colleagues.

Amongst other curiosities I found a library, which got vendored (copy pasted into our repository), which is licensed as GPL.

The library itself was abandoned like 2001!

In the header I read of three contributors.

Could you please advise me how to proceed in order to comply with GPL?

Afaik it is not allowed to use or continue to use the library for the proprietary intranet solution.

I could

  • ask the three contributors if they agree to re-license the library to e.g. MIT/BSD license? (not a good chance to reach them after 18 years)
  • rewrite the library (only about 150 lines of code with lots of lines to delete because of Windows comp. which I do not need)
  • replace the library with a different one
  • release the prop. intranet solution as GPL (hardly practical, as too much company specific stuff hardcoded => too much effort to bring in shape and possibly zero external interest)
  • extract the library into a separate application, which I could release as GPL - and talk to this new app via REST?

I appreciate any advice.

Thank you in advance!

Licensing something under GPL is a different thing than a public release. You can have a GPL-licensed code and you do not have to publish it anywhere outside of your organization.

Hi @franta
thank you for your answer.

Licensing something under GPL is a different thing than a public release. You can have a GPL-licensed code and you do not have to publish it anywhere outside of your organization.

I cannot follow. The library was published by a third party publicly back in 2000, and we want to use it in our prop. intranet solution. I thought we are not allowed to do this? If we used that library, we have to also publish our intranet app which makes use of the library?

GPL does not require you to publish anything. Simply said, GPL only requires that you will share the source code with users you distribute the binary version to. So if you distribute the software only to your own intranet servers, you do not have to share the source code with public.

In other words: if there are no users of that software outside your organization, no one (from the outside) will complain nor ask you for the source code.

Thank you once more!

So when you talk of “software” and “source code” you speak of the intranet?

So when I understand you correctly, the current usage is legally correct.

Now, the library is Python 2 only.

I want to port it to Python 3.

Am I allowed to put the library on my company’s GitHub account and make it public?
I’d make some massive changes as it supports lots of use cases we do not need.
I’d also make a release on PyPI (the Python package index).

As far as I understood you this is all covered by the GPL license - btw the library uses version 2.

Thank you very much for your help!

Sure, you can publish your modified version on GitHub and PyPI as long as you continue to distribute it under the GNU GPLv2. If it contains the “or any later” statement, you might also consider publishing your version under the “GNU GPLv3 or later”.

Yes, you can do it, this right (redistribute) is guaranteed by the GPL license. You can distribute both source and binary forms and both modified and verbatim. You just have to keep original copyright notices (i.e. keep there the name of the original authors and do not pretend that it is completely your creation). With Git or other versioning system, this is no problem because it keeps the history.

This is commendable work. And this is one of the great parts of free software – if the original author stops developing the software, others can continue.

Please note that however widespread GitHub is, it is a problematic centralized service/network. Please read the GNU ethical repository criteria. You can use GitHub as a Git hosting until anybody can anonymously clone the repository and download the sources. But it becomes problematic when you try to collaborate with others and accept contributions (including bug reports). Please do not force users and contributors to register at GitHub (i.e. sign a contract with a corporation). Please provide a way to report bugs and contribute patches without having an account at GitHub (or other proprietary centralized service / social network).

Yes, that’s the usual interpretation I keep reading. It does make
some sense, but… can I, the company, keep my employees (who are
entitled to the modified source) from re-distributing it outside
the company (e.g. by an NDA)? Or would that go against the “no
further restrictions” clause in the GPL?

Cheers
– t

Any employee who has access to the modified source code, whether they are ‘entitled’ to it or just found it, can publish it, as it’s licensed to you (and them) under the GPL. You cannot override these terms, because if you do then you are not complying with the terms of the GPL and you no longer have permission to use the software.

@franta and @bjoern, once again, thank you very much for your help!

I remember that I read once that if you use the software only in your organization you can forbid your employees to copy the software and release it elsewhere. The reason, when I remember correctly: The employee uses the software only during work on devices provided to them by the organization with the software pre-installed. So the software was never really distributed to the employee and also legally not the individual but the organization uses the software during their working hours.

Unfortunately I can no longer find the article. So I can just tell it out of my head, obviously that’s no legal advice.

Maybe someone else also remembers something like this?

The definition of ‘distribution’ can be very complex, certainly.

Interesting discussion.

@kpfleming Typically a company has a say over its employees. The company owns the copyright of their work, and can prevent voluntary publication with policies.

I thought the original point of @jugmac00 was about having a GPL licensed library in a non-GPL application, possibly violating the license. I am not a lawyer, but it seems to me that the GPL library requires the application to be GPL licensed. As the library is not LGPL licensed (or is it?).
If you want to address this violation, you’d either have to GPL the application part the library is used in (e.g. the back end). Or you’d have to come up with a replacement library that is LGPL or BSD-like licensed.
Something to consider: sometimes the dual-licensing practice of a company is to keep the GPL statement in the code, whilst the code is actually distributed under a different license, typically after payment. If that is the case, you might be legally allowed to use the code as non-GPL code, despite it also being available as GPL code. In that case your company should have ‘a receipt’ to prove the legality. The same can be the case for the software provider that provides you the application. They could have bought a license of the library which allows them to re-license it to you.

@bjoern and @franta
Huh, I thought this topic is done, but Nico’s assessment of the legal situation is diametrically opposite.

Could you please comment on that?

Thank you once again.

Interesting discussion.

@kpfleming Typically a company has a say over its employees.

That depends on whether you live in a state of law or not.
The company doesn’t /own/ their employees. They may have
some right on the software written on the company’s resources.

If they take some GPL software, build on it, and distribute
it internally, they’re still bound by the GPL – towards their
employees. But they can’t take away rights granted legally to
them.

Of course, as a programmer, it’d be my duty to point out that
I’m extending some GPL software for the company’s purposes, and
their right to say “no, better write from scratch, we don’t
want to be bound by GPL”.

The company owns the copyright of their work, and can prevent voluntary publication with policies.

But they aren’t outside the law (although some companies try to).

Cheers
– tomás

This was reason why I wrote:

:slight_smile:

This might be a bit ambiguous and in the end it depends on a court decision (if it goes so far that you need a court to resolve such case).

It depends on the meaning of the word „distribute“ or „convey“ and on whether you see the whole company (employer + employees) as a single entity. If you say that the employer distributed the software to particular employees, then the employees should get also the source code. Or if you say that the developer (employee 1) distributed the software to the administrator (employee 2), the administrator should also get the source code. But if you say that the company develops the software for its internal purposes, the software is developed and used by the same legal entity and there is no actual distribution.

The GNU GPLv3 contains this definition:

To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

So if it is an intranet application running on a company’s server, it is not conveyed to particular employees. It is questionable whether it was conveyed to the administrator of given server… But even if the software is installed on „employee’s“ computer, actually it is a company’s computer – owned by the employer and the employee is just allowed to work on it but does not own it.

If we look at habitual practices in the industry: the software from the third-party vendors is usually licensed to the company, not to particular employees (however employees work on computers where such software is installed). The court might be looking for an analogy between proprietary and free software licenses this way. But even in the case of the proprietary software, there are sometimes employees’ names in the software or in the license key or the employee is even forced to have an account at the software vendor or has to agree with EULA or other conditions when running the software for the first time.

I basically tend to this reading: the software is developed and used by a single entity (the company) and it is not distributed/conveyed to any other entity. The software stays on the computers owned by the company.

But it is still a bit unclear – this might happen:

  • An employee takes the software from the company and publishes it somewhere else. The software had GPL license headers, so he thought that it is OK to (re)distribute it. The company might sue him for breaking the employment contract or internal rules of the company. And then the (third-party) author of the software/library might sue the company for breaking the GPL license (because „You may not impose any further restrictions“).
  • An employee is using a software (on a company’s computer) and sees in the about dialog, that given software is licensed under GPL. So he asks the employee for the source codes, and if he does not get them, he will sue the employee.

Everything depends on: was the software distributed from one legal entity (employer) to another (employee) or is it used by a single legal entity (the company as a whole)?

Do you know about any legal cases? Was this question ever resolved at a court?

In the FSF forum jfrancis found a solution:

So the company does not have to worry and can include GPL libraries in their privately developed software without publishing the source code.

Yes, but is “the company” at all allowed to link their proprietary code with the GPL’ed code, if they do not distribute it; even if they do not distribute it?

As I understand it, the company must GPL its own code base, but they are then not required to give their code base to the public. And the company can prohibit its employees from giving out the code base to the public, since it has not “distributed” the code to the employees.

The obligations in the GPL are triggered by distribution, not by linking or any other form of usage. If there is no distribution, then the GPL-covered code can be used in any way that the company wishes.

Thanks for that clarification. I was not aware of that. Is it possible for you to refer to specific region in the license, which states so?