Open Source, GPL or NDA?

Trogdor Registered User regular
edited December 2010 in Help / Advice Forum
Alright so I wrote a custom program for my employer, a local government agency. That program has now caught the eye of another public agency. My higher-ups have no problem sharing the program (and source code) with them but would still like to maintain some level of "ownership" over it for what amounts to PR reasons... basically "Hey look at this cool thing we made that will make your job easier". Other than that they have left the whole process up to me and I am not sure on the best way to proceed.

Do I go completely open source, put my code out somewhere under a GPL (General Public License) and hope people respect the open source process?? If so, what's the best way of going about it? seems to be the best/easiest option I've found so far but I've also run across open source projects that host their own code repository. It's a fairly simple/small program so I don't see my employer wanting to put in the time and effort of doing that but I could probably convince them if it was the better route.

OR do I go for a less open approach and have this other agency (and every possible future agency) sign an NDA (Nondisclosure Agreement) before they get my code, obviously with some sort of mutual collaboration element to it?? Is there something out there like Sourceforge that allows more control over who can see your code or am I forced to get something set up in-house??

I'm probably jumping the gun since it's just the one other agency but I'd like to lay the right groundwork in case word spreads.



  • Resonant Registered User regular
    edited November 2010
    Stick with the NDA. Unfortunately, the GPL is bogged down with all sorts of restrictions that may come back to cause headaches.

    Might I suggest the BSD license though?

  • DrFrylock Registered User regular
    edited November 2010

    Most people and organizations will not overtly try to claim credit for someone else's product, even when there is no specific license telling them they couldn't do it anyway. If you're solely concerned about PR purposes, then it really doesn't matter what license you use. The best way to have good PR is to be a good steward of the project: set up an attractive and easy-to-use website for it, keep the site up to date, and do good support for the project.

    If you put your code under an open-source license, you usually don't have to "hope people respect the open-source process." 99.9% of the time, they will. The counterexamples are pretty rare indeed.

    If you do go the open-source route, you need to choose your license carefully, because it will affect what people can do with your code.

    If you use a BSD/MIT-style license, they can do pretty much whatever they want with it. They don't have to give you credit, although you will continue to hold the copyright on any code you developed. There is an "old-style" BSD license that demanded that any advertising materials advertising something using the product gave explicit credit to (insert author here), but the use of that style license has fallen out of favor because the list grows long pretty quickly, and the requirement to keep putting more and more people in the advertising credit became more and more onerous.

    If you use the GPL, then organizations can use or extend your system freely, but if they make any changes and distribute those changes outside their organization, they must also distribute the code with those changes. Note that it does not REQUIRE them to distribute their changes; if they make changes and then use the changed product solely in-house, they are not required to distribute it.

    If those changes involve linking with a commercial or proprietary library, it will prohibit them from distributing their modifications without violating the license. This may or may not be a turn-off for your potential future contributors.

    There is a weaker version of the GPL called the LGPL (L = originally for 'library,' now for 'lesser') that says that any changes made to your product are covered under GPL-like terms, but if you link it to somebody else's product, the license doesn't apply. This is especially useful for library developers. Let's say you write a library called "libfoo" that allows people to read and write images in the brand new "foo" file format. If people make improvements to your library and distribute them, you want those changes to be open-source too. However, if they are just linking your library into some commercial product to use it, and not making any changes to it, you don't care. That's a good case for the LGPL.

    If your code is some kind of Web application, then an organization can take GPL code, make modifications, deploy it on their own website, and not distribute the changed code at all (since just running it on a Web server does not constitute 'distribution' under the classic GPL). There is a stronger version of the GPL called the Affero GPL that requires you to distribute code if you run the app on a server in this way.

    There are dozens and dozens of other open-source licenses you could choose. Open-source license compatibility is a huge nightmare these days because of this. The question of "can I combine code distributed under license X with code distributed under license Y and distribute the combined program?" is generally thorny in all but a few well-known cases. You can, for example, include BSD code in a GPL program, but not the other way around.

    The other licenses exist for a panoply of both good and bad reasons. The Apache license, for example, is in the BSD/MIT "do whatever you want" family of licenses. However, it includes things like a patent grant - so organizations can't develop code, patent a technique used by that code, distribute the code under an Apache license and then sue everybody who uses it for patent infringement.

    Another issue to consider is your liability in releasing your code. This is why most open-source licenses explicitly disclaim warranties. Yes, it is theoretically conceivable that if your code has an error in it, somebody could sue you and win unless you put the right license on your code. Well, not you specifically, but your agency. I once heard some attorneys give a talk on open-source, and they said that they were concerned that some obscure form of liability (I can't remember which) was not explicitly disclaimed under the BSD license, and that this might be a risk to people who use it. Now, nobody has ever sued under this form of liability and it likely will never be tested in court, but this kind of bizarre stuff is what lawyers think about all day long.

    Because of liability issues, your boss' OK might not be enough to legitimately release your code. I am sure your state agency has some kind of General Counsel and maybe even a policy on intellectual property and how it has to be handled. Make sure to CYA with these guys. It doesn't matter if you are going open-source or proprietary.

    As for environments, yes, you'll find more freely-available environments for code sharing and collaboration for open-source projects than for proprietary ones. There are likely a number of providers that will sell you a development environment for team-based development of proprietary software. CollabNet comes to mind, but there are probably others.

    Pheezer wrote: »
    I would strongly recommend reading DrFrylock's post thoroughly and considering all of his points individually.
  • FyreWulff Registered User, ClubPA regular
    edited November 2010
    Depending on your local laws and if your code counts as work-for-hire, the code may be in the public domain and all your agency can do is ask the other agency nicely to say 'software from CURRENT_AGENCY' somewhere on their site.

  • Trogdor Registered User regular
    edited November 2010
    DrFrylock wrote: »

    lots of useful info

    Hmmm liability could be an issue because the process my program deals with does carry some legal for thought.

    I'll continue to sift through some of the licenses but I'll probably just go ahead with some sort of NDA option and focus on finding some suitable environment for the project. Collabnet seems like a good place to start.


  • Ethea Registered User regular
    edited November 2010
    I personally like the Apache 2 license. Also remember, no matter what one you choose, make sure you are absolved of any liability issues.

  • harry.timbershaft Registered User regular
    edited December 2010
    If this is something that your company is concerned about, they should spring for you to run this by a lawyer.
