A blog for the enterprise open source community
Is it secret? Is it safe?
Christopher Noble, April 3, 2006 @ 8:29 am ET
It was tempting to make my first post here about the alleged inability of enterprise CIOs to distinguish between code quality and the developer’s footwear when evaluating software. But I’ve managed to resist… nearly.
Instead, here’s an issue which has been tickling my cranium every now and then and on which I would like to collect some opinions. Can you really keep in-house software based on GPLed code private in a modern company where outsourcers and contractors abound?
I’ve spent a good deal of time in the past telling people that being scared of the GPL is stupid, that using the word “viral” is stupid and that instead, they should actually read the license and the GPL FAQ, see what it actually means and then decide dispassionately whether it makes sense for them. I’ve also told people that one place where the use of GPL code is absolutely “safe” is within their enterprise: ‘As long as it’s not being distributed externally, you can keep the source code and your company secrets up your sleeve’, say I. But am I actually right? The GPL FAQ itself is clear on the matter. In answer to the question “Is making and using multiple copies within one organization or company ‘distribution’?” it says:
No, in that case the organization is just making the copies for itself. As a consequence, a company or other organization can develop a modified version and install that version through its own facilities, without giving the staff permission to release that modified version to outsiders. However, when the organization transfers copies to other organizations or individuals, that is distribution. In particular, providing copies to contractors for use off-site is distribution.
The license itself is entirely quiet on the matter: as far as it is concerned, if you distribute a GPL-based application then you have to distribute the source code too, full stop (or period, for U.S. readers). The FAQ’s interpretation is based on the legal view of the corporation as person: distributing within an organization is akin to distributing it to yourself; ergo you’re not distributing it.
But in these days of outsourcing, external contractors working in-house, and loosely affiliated operating groups, I become slightly concerned. The GPL clearly states that you cannot impose further restrictions on recipients to stop them from distributing code; so adding a contractual clause with contractors to say: ‘our GPL software stays strictly in-house’ would appear to be a no-no.
This doesn’t mean that I’m altering my advice about the safety of in-house GPL use. From a purely practical view, I think it highly unlikely that a GPL software author or the FSF will attempt to enforce distribution of source in the situation envisaged above, particularly since the FAQ interpretation is regarded as canon. Even if a contractor really demanded the source of a company application (a career-limiting move) and managed to push it all the way, the worst likely to happen would be for the original license to be revoked. The in-house company might have to re-write the app so that it didn’t use GPL code, in order to avoid handing over the source. But even that worst-case scenario seems unlikely.
Nonetheless, the question makes my thumbs prick: it seems to me to be a slight disfigurement to the otherwise elegantly simple GPL structure. And if a disgruntled employee did start externally distributing an internally developed GPL-based program, together with source code, things could get messy.
I’m interested in your thoughts.