Friday, 1 June 2012

Does Oracle v Google put a hole in the GPL?

I had an odd thought (a nagging worry) that with Oracle v Google's API argument resolved, there might be a gaping hole in the GPL, even version 3. I'm not a lawyer, so I hope someone will correct me on this and allay my concern. Let me tell it as a story....

One day, NastyCo decided it wanted to use nicelibrary in a proprietary software product. Nicelibrary is open source under GPLv3, but NastyCo don't want to give their source code away.

So NastyCo decide to use Maven to build their product. NastyCo don't give their customers a compiled binary; they give them a build script, and tell them "all you need to do is run the script; you can even just double click on it". When a customer runs that build script, their computer then fetches a compiled jar of NastyCo's code from NastyCo's servers, but fetches all the open source GPL libraries from Maven Central Repository and other public open source repositories. And their computer running the build script assembles the proprietary product automatically there and then.

Mr Nasty, CEO of NastyCo, reasons thusly:
  • NastyCo's proprietary source code isn't a "derived work" of nicelibrary because after Oracle v Google it seems to have been made clear that there's no copyright in an API.
  • The compiled and linked program together is a "derived work", but NastyCo are not distributing that -- they are just distributing the binary of their own code, and a build script. Their customers (running the build script) are fetching the rest from somewhere else and building the "derived work" themselves.
  • Because NastyCo aren't distributing ("propagating") a derived work, the GPL doesn't require them to publish their source code, so they're not in breach of the GPL.
  • Although the customers are running a derived work, they built it themselves (their computer built it using the build script), and the GPL explicitly allows them to run and modify private derived works, so they're not in breach of the GPL either.
  • Because those privately-run derived works are allowed under the GPL, NastyCo can't even get in trouble for condoning or enabling infringement.
So, thinks Mr Nasty, neither NastyCo nor their customers are breaching the GPL, but nicelibrary has now ended up in NastyCo's proprietary product that can end up on millions of customers' machines without NastyCo ever having to publish a line of sourcecode.

So, I dearly hope there is a flaw in Mr Nasty's reasoning, but what is it?