Prior posts have looked at the serious impact of the draft GPLv3 on companies that sell web services. See Tony Healy's GPLv3 and Web Businesses: Is the Free Software Foundation Getting Tricky? (Feb. 2006), plus here and here.

Bernard Golden at CIO also thinks web companies have a problem, in Richard Stallman:Entrepreneur of Freedom:

The Sting in the Tail: User Access to Source Code

As to the stickiest area of the draft license, it’s buried in Section 7 (License Compatibility). Within this section, there is a paragraph that states:

Aside from additional permissions, your terms may add limited kinds of additional requirements on your added parts, as follow:

They may require that the work contain functioning facilities that allow users to immediately obtain copies of its Complete Corresponding Source Code.

I initially read this as stating that if someone merges some other-licensed open source code (e.g., Mozilla-licensed code), the person merging the code could add this requirement. Not particularly controversial.

However, in discussions with Karen Copenhaver of Black Duck Software, she shared with me that during the meeting at Cambridge, Richard Stallman (founder of the FSF and author of the license) said that he would recommend that this paragraph be attached, as a matter of course, to GPL3-licensed software. In other words, this paragraph, rather than being an occasional (or even rare) presence in a merged product, would become a common feature of all GPL-licensed software. If this is true, it’s likely to be a major controversy regarding GPL3.

First, there is the practical difficulty of making source code immediately available. Does that mean every organization using GPL3 software must set up a code repository and somehow make it available via its system? That would be challenge enough.

More troubling, the paragraph is ambiguous as to the definition of user (in fact, user is nowhere defined in the license). Does it mean that an end user accessing a system via a browser residing on their home machine must have immediate access to a GPL3 derivative work running within a company’s data center?

What could this look like in the real world? To take a hypothetical example, suppose a large bank has used GPL3 code within a proprietary credit scoring application. This paragraph would require it to hand that code out – immediately -- to its customers, employees, competitors, and anyone else that exercises the code through a remote user interface. In other words, this paragraph would impose complete transparency of any part of an organization’s software infrastructure that contains GPL-licensed code and is somehow accessible to an outside user. According to Karen, the code availability requirement would also include code accessed via service-oriented architecture mechanisms as well as end-user interfaces.

While this condition is quite consistent with the FSF’s perspective on software creation and use, it’s likely to be a killer for organizations. No organization is going to use software that imposes the practical challenge of becoming a software distributor; much more threatening is the requirement for distribution of all software incorporating GPL3 code. (As an aside, the license is also tightened up regarding the definition of source code to include dynamically linked code; that is to say, code that integrates with an executing program at runtime).

As I stated at the beginning of this post, this is a draft of GPL3. So, what will happen between now and when the license is finalized? In my next blog posting, I’ll discuss what happens next, and, crucially, how you can get involved in the comment process. I plan to discuss in a future post (near future, I promise) my thoughts on how you can respond to the potential changes in GPL3 in a way that enables you to continue using GPL3-licensed code without sharing any company secrets.

One awaits the promise made in the last line with bated breath. On the other hand, why should a company such as Google bet the farm on its ability to work things out with people who think that Google is acting evilly when it tweaks open source code and does not share the tweaks with "the community"? (Maybe its not just Schwartz who is laughing; sounds like Steve Ballmer has joined in.)