My company uses a mix of onsite and increasingly offsite contractors for development of websites and online applications.
Our platform uses a mix of open source software and libraries that we’ve made a number of modifications to over the years. Some of the modified software is licensed GPLv2 without the linking exception. For various reasons, we do not want the source to be made public.
The concern is that if we supply the binaries to our platform for our offsite developers, we are obligated to supply the source code upon request. Additionally, there will be times when we need to distribute the source of our modified libraries. From there, nothing would seem to preclude the contractor from redistributing the work.
The GPL FAQ states:
. . . when the organization transfers copies to other organizations or individuals, that is distribution. In particular, providing copies to contractors for use off-site is distribution.
Furthermore, the GPL states:
You may not impose any further restrictions on the recipients’ exercise of the rights granted herein.
The question is: what can be done to restrict offsite contractors from redistributing our modified code?
A note, that I think the GPLv3 addresses this concern with the following clause. So my question is specifically about GPLv2-licensed modified code:
You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright.
2
In all seriousness, get an attorney experienced in these matters.
It seems to me that your contractors are working on your behalf, accessing your software, and this is not “distribution” (in a common sense standpoint).
I would ensure that the contract with your contractors is a work for hire, causing you to own their work on your behalf (like an employee). If this is not the case, you don’t likely own the copyright to their modifications anyway.
Common sense would dictate that an appropriate work for hire contract whereby they are working on your software on your behalf and not for their own use — it would not conflict with GPL.
3
So long as the contractors are employees of your organization, then you should have them sign NDAs indicating that they will not distribute the code because they are trade secrets and you should be fine.
Normally, I would recommend consulting an attorney “just to be safe.” However, in this case the FSF is exceptionally clear about your usage being permissible and that the contractors’ “distribution” of the code would not truly qualify as a distribution obligating you to provide source. You should consult an attorney anyway.
Here are some pertinent sections from the FSF’s GPL v2 FAQ.
- Is use within one organization or company “distribution”?
No, in that case the organization is just making the copies for itself.
And this is why they need to be contractors reporting to the firm, not independent contractors acting upon your firm’s behalf. - If someone steals a CD containing a version of a GPL-covered program, does the GPL give him the right to redistribute that version?
Short answer: No.
Longer Answer:If the version in question is unpublished and considered by a company to be its trade secret, then publishing it may be a violation of trade secret law, depending on other circumstances. The GPL does not change that. - A company is running a modified version of a GPL’ed program on a web site. Does the GPL say they must release their modified sources?
Short answer: No, not required to distribute source. This is a ‘special case’ (FSF’s term). - Does the GPL allow me to develop a modified version under a nondisclosure agreement?
Short answer: yes, and it remains the client’s purview to distribute or not.
I am by no means an expert on licensing, but to the best of my knowledge:
You can’t do anything. If you distribute modifications – in any form – source code must be made available, under the same license. That’s kind of the thing with the GPL licenses – the source can’t become proprietary.
What is allowed under the GPL is making modifications for personal use and keeping them to yourself. The clause you’re quoting from GPLv3 means that you can also have someone else make modifications – as long as you are the only one using them. Otherwise you would have to make the source available to the public.
Again: I am not a lawyer. You should talk to one.
1