94

I'm currently the only HR worker at a medium-sized engineering firm in Canada. There should normally be 2 additional HR workers on staff more senior than me, but one is on parental leave and the other position isn't currently filled, and I'm in over my head.

We are selling a product with a "custom Linux kernel installed". Our engineers say that "most of the product is GPL code we've modified", and that since we are selling a product with this software in place, "we're shipping GPLed code". Our company owns the copyright, but from a reading of how "GPL licenses" work, it sounds like some of our code is indeed GPLed. The plan was to never let the customer know GPL code was present in the product.

We have a senior engineer, "Francis", who doesn't get along with a more senior engineer, "Lee". In short, Francis pointed out a serious technical flaw in Lee's designs, and tried to encourage Lee to change his designs based on this information. Lee took it as a personal insult, and attempted to "squash" Francis (i.e. get him written up, even fired). Francis raised the issue with the entire engineering department, and embarrassed Lee significantly (i.e. Lee made a serious technical mistake, and his attempts to squash dissent made him look bad). We put the two on separate teams to prevent any further issues about 6 months ago.

Francis has since excelled on his new team, and was up for a significant promotion. However, a senior manager, "Ling", vetoed the promotion, citing Francis wasn't "mature enough" for the role (and didn't provide an indication as to when Francis would be mature enough). Lee and Ling are close personal friends, hence I sense a conflict of interest here. Somehow Francis found out about the veto (he shouldn't have access to this information). It turns out Lee gloated over the issue and disclosed it to Francis, and we promptly fired Lee (gave him half the normal severance he's entitled to as an alternative to firing with cause and getting nothing), and attempted to smooth things over with Francis. This caused substantial embarrassment for Ling.

We've started getting calls (addressed to Francis' colleagues and supervisors) for job references (pretty bold, since people rarely use their current employer as a reference while job hunting), and have determined that many of the companies calling are direct competitors. We called in Francis for a meeting, and he spelled out, bluntly, that he's looking for a new job, he's pissed over the veto debacle, and that we're welcome to give him severance (8 months' pay) to go away here and now. We don't want to lose him, but he has made unreasonable demands for a counter offer:

  • The promotion (we'd consider it).
  • 2 years guaranteed unconditional severance arrangement (even if he quits) (partially accepted: 2 years, unless he's fired with cause or quits).
  • Guarantee of another promotion within the next 4 years (to ensure this isn't just a temporary counter offer to buy time before eventually firing him, and ensure he can still move up the ranks) (rejected, but promised the well wasn't poisoned.).
  • Ling being further reprimanded/punished by the directors (rejected; we can only pass the details up to directors; they choose whether or not to discipline managers).

Francis seemed to be displeased with the results of his "negotiation", and indicated he'd continue job hunting on personal time. We reminded Francis of his non-compete clause, and he then retorted with something that raised red flags by the senior engineering team:

  • He plans to move from Canada to the US (dual citizenship), which he feels would invalidate his non-compete significantly.
  • He plans to work with a direct competitor, and re-create the work he's been doing for our company for the past 6 months.
  • He plans to make large portions of the code, much of which is in "Linux Kernel" and "Docker" code, public, due to "an obligation to the FOSS community".

This last point would be disastrous, and suing Francis would not recover the lost potential profit. We stressed that he would be receiving correspondence from the legal team unless he took back what he said. He refused to speak any more after that point. We have him working remotely on "research tasks" (no access to servers) while we try and figure this out.

Anything that's sent to Legal has to be retained for at least 3 years. The engineering director has ordered me not to send any emails with "GPL" or "GNU" in it.

Is there anything we can do to prevent Francis from disclosing code out of spite? Are "super injunctions" real (i.e. like when celebrities want to prevent embarrassing news from being published)? Or are there other uncommon benefits that can be offered besides cash and extra vacation time (large raises are allowed, but not large bonuses)? Whether we throw a bigger/different bone, or find a way to forcibly stop him, we need to prevent disclosure.

breversa
Thoma
  • 1
    Comments are not for extended discussion; this conversation has been moved to chat. –  Oct 28 '19 at 08:38
  • 46
    One important element: is this actually GPL code that your company should make available anyway? – Jeffrey Oct 28 '19 at 12:05
  • 45
    @Jeffrey Probably not. It seems Francis wants to publish the code. The GPL does not require the developer to make sources publicly available, only to provide them to those who receive the code by them (which may be no one if they do SaaS...). Chances are Francis is going to be in a lot of trouble by publishing company secrets. IMHO if Francis was truly for FOSS and had a case he would simply "whistleblow" the situation to the FSF and they would proceed with proper legal battles to enforce GPL on OP's company. Making your own justice is rarely the right solution – Giacomo Alzetta Oct 28 '19 at 13:04
  • 26
    @Snow Unfortunately this has resulted in the removal of highly relevant comments which clarified the question. – Konrad Rudolph Oct 29 '19 at 13:31
  • 33
    @KonradRudolph, indeed, that there is GPL code in a publicly released product is very relevant as it changes the equation completely. All Francis has to do to cause major problems is tell someone who has purchased the product to request the code. You would also struggle to prove he even told anyone. He could even buy it himself and request the code! – crobar Oct 29 '19 at 14:13
  • 16
    Could you explain why you didn't fire Ling? Your post implies that Ling leaked the veto information to Lee. Therefore, your company would not be in this situation if it weren't for Ling's actions. He's already shown a willingness to ignore confidentiality and facilitate sabotage of a coworker's career. Keeping him on will reduce morale with other employees as word of this gets around. Francis may only be the first to leave if Ling remains with your company. – Starfish Oct 29 '19 at 20:56
  • 1
    I need clarification regarding the last two bullet points. Is Francis saying he will release your company's GPL code, or is he saying he'll release the new code he will write at the competitor's company as GPL? The way you've worded it sounds like the latter. – Starfish Oct 29 '19 at 20:59
  • 3
    @Thoma I know this isn't reddit, but give us an update please~ – Rohit Sep 05 '20 at 17:50
  • 2
    @Thoma Can you update us? Thanks! – alexander_roidl Oct 13 '20 at 08:57
  • 9
    Just to be clear: you're selling a product in violation of copyright, and your question is how you can prevent a disgruntled employee from causing you trouble over that? – Jonathan Cast Dec 01 '22 at 15:40
  • Given the level of detail here, it would not surprise me if someone were to figure out what product or at least what company this is. This post could also be used as cover for the very whistleblowing you're trying to prevent. Francis could easily find this post, take the 2 years severance, and get a third party to call out the copyright violation (and point to this post and industry knowledge as the source) immediately after. You wouldn't be able to cancel the severance if you can't prove Francis was the source. A topic this sensitive and legally active probably shouldn't be shared like this. – Jack Gifford Nov 13 '23 at 15:47

10 Answers

227

While I won't answer the original problem directly I wish to tackle something tangent to this. And I feel it is important enough to warrant an answer and not a comment.

From a comment (and the post) it is established that GPL'ed code is modified and distributed, without distributing also the modifications:

We are selling a product with a "custom linux kernel installed". Our engineers say that "most of the product is GPL code we've modified", and that since we are selling a product with this software in place, "we're shipping GPL'ed code"

The Free Software Foundation (writers and maintainers of the GPL license) has a specific "FAQ" for this:

The GPL does not require you to release your modified version, or any part of it. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.

But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL.

Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you.

Now you are hence violating the license, and since it is the Linux kernel it is also "quite easy" to contact the original maintainers.

This creates a very vulnerable point for your company. Even if you manage to settle something with this employee, there will be another one after this. So you take the risk of each disgruntled employee to report it to the copyright holders.

I think a single employer is less of a problem than such a violation. I'd strongly urge you as a company to either move away from using copyleft licenses, or start decoupling the code from the GPL code and only work with Lesser GPL libraries (and don't modify them, use them). Or do something which Google does with Android: release to the public the modifications, but build upon those a personal layer; and make the profit not from the software but the service provided.

lvella
paul23
  • 201
    THIS, thank you. The main and the only purpose of the GPL license is to make what the OP's company is doing illegal. If they are distributing the modified Linux kernel installed in a device (an internet router, a smart watch, anything), they are legally obligated to disclose the modified source. And if their whole business model depends on it (complying with the law “would be disastrous,” in OP's words), Francis is likely the least of their problems. – kkm -still wary of SE promises Oct 28 '19 at 04:25
  • 14
    Note that they are only obligated to disclose the source code upon request, so while their legal position seems iffy, they likely haven't broken any laws/licensing terms yet (unless such requests were made and they've refused or otherwise violated GPL). – Dan M. Oct 28 '19 at 13:35
  • 2
    @DanM. my main point isn't even the legal point. It's the vulnerability of having a legal issue that is "vital to business". – paul23 Oct 28 '19 at 14:01
  • 9
    Note also that they are obligated to release the code only to their customers, not necessarily to post it on a publicly accessible Github repo, per my interpretation of the GPL – usr-local-ΕΨΗΕΛΩΝ Oct 28 '19 at 14:03
  • 40
    They are also obliged to inform their users about the licensing terms of the GPL. I wouldn't be surprised if such a company didn't do it, so they would have broken the terms already. – Didier L Oct 28 '19 at 14:08
  • 11
    @paul23 The Linux Kernel isn't from the FSF - it's from Linus Torvalds and thousands of other contributors. The copyright in the kernel belongs generally to its authors, and in some parts I expect to its authors' employers. You can see many authors listed at https://github.com/torvalds/linux/blob/master/CREDITS – bdsl Oct 28 '19 at 14:09
  • 37
    @DanM.: There are two obligations here; the first is that the company must actively tell their customers that they're using GPL software (Article 1), and then the company must offer sources. The first obligation is not on request, but it is mandatory to distribute the GPL'ed code either in binary or source form. I agree: the company urgently needs a lawyer, and you need to bypass the manager that's keeping Legal out of the loop. This is an existential threat to the company. Handle it badly and the company ceases to exist. – MSalters Oct 28 '19 at 14:11
  • 24
    @DanM. They are obligated to offer the source code to their customers. They don't have to actually prepare the code until the customer wants it, but they can't just wait for their customers to ask about it, either. If they haven't given their customers a notice saying "we'll give you the source code if you ask" then that is illegal. – user253751 Oct 29 '19 at 09:57
  • I wonder if there are any consequences to the person who made the decision to use GPL'd code. One may argue that the legal team or management should make this decision, but legal isn't usually even available for small grade companies and management has no idea what any of this means. I have seen engineers deciding these questions, so I wonder if an employee deciding to just use such a license can result in a massive lawsuit after the company is forced to disclose code and was not aware of this prior. – Koenigsberg Oct 29 '19 at 18:43
  • @Mär In the Netherlands (and Europe, and I hope the US) employees are generally protected from any such claims. The business (whatever legal entity it is) would be the one at fault here. If the company tries to get reparations from an employee they probably will also get a cold shower: the company should've known better and should have more supervision. – paul23 Oct 29 '19 at 21:02
  • The reality is, the GPL gets violated all the time. Not much gets done about it. – Keltari Oct 30 '19 at 00:44
  • 3
    FWIW, even though the Linux kernel isn't owned by the FSF, a number of Linux kernel contributors have either assigned copyright to their contributions or signed an enforcement agreement with the Software Freedom Conservancy, so if you want to find someone to go after a Linux kernel GPL violator in court, it's still pretty easy: https://sfconservancy.org/copyleft-compliance/ – Daisy Leigh Brenecki Oct 30 '19 at 04:06
  • Btw: The experience of the Linux community is that upstreaming (releasing private modifications of Linux to the public) is good because more people will look at your code and try to improve it. – Martin Schröder Nov 01 '19 at 16:40
209

This situation is spiraling out of control out of anger and frustration. I can't speak to the legal aspect, but it should not have gotten to this stage. You basically gave him nothing in negotiation and then now that he wants to leave, you are acting to trap him in his current position. He is a wounded animal fighting back.

The promotion (we'd consider it).

He got nothing there.

2 years guaranteed unconditional severance arrangement (even if he quits) (partially accepted: 2 years, unless he's fired with cause or quits).

Cause can always be found when someone wants to fire you. That's worthless.

Guarantee of another promotion within the next 4 years (to ensure this isn't just a temporary counter offer to buy time before eventually firing him, and ensure he can still move up the ranks) (rejected, but promised the well wasn't poisoned.)

This entire thing started due to management/HR at your company having limited integrity and now you want him to value your promise of integrity?

Ling being further reprimanded/punished by the directors (rejected; we can only pass the details up to directors; they choose whether or not to discipline managers).

So he got nothing there either.

The clearest course of action is to offer to largely waive the non-compete (plenty of places they cannot be enforced anyway) in exchange for confidentiality about company secrets and a nice reference letter.

Help him leave, offer him some severance money, and most likely he will be willing to agree to keep company secrets. Releasing the code is mutually assured destruction for both of you, so I doubt that is his goal and more just his leverage.

Heck, I would go even further and ask a member of the board to find him a cozy position at a similar (but not directly competing) company. He will go be happy and stop thinking about you day to day and have no interest in attacking your firm.

You lost him as soon as he was denied the promotion under questionable circumstances.

Matthew Gaiser
  • Would a confidentiality deal be corrupt/illegal (i.e. "hush money")? – Thoma Oct 27 '19 at 23:19
  • 2
    I am not a lawyer and do not know your jurisdiction, but they are widely used for sexual harassment employment separations and settlements, so do not see why it would be, as long as the employee gets something in return (waive his non-compete). – Matthew Gaiser Oct 27 '19 at 23:22
  • I also doubt that you would require it anyway, but do get some legal advice. Put waiving his non-compete for certain related industries on the table and he will settle down and possibly even retract his statements. – Matthew Gaiser Oct 27 '19 at 23:24
  • 2
    You are looking for a sledgehammer to deal with someone who is trying to avoid getting hit with a stick and made that threat to do so. – Matthew Gaiser Oct 27 '19 at 23:26
  • 19
    @MatthewGaiser In the Netherlands such settlements have surfaced as of late in the media, and were immediately shown to be "invalid". A person cannot be forced to not talk about criminal stuff. Now I do not know how far this extends (there's a mile difference between copyright violation and criminal behaviour), but it's highly murky water and can come back much later. – paul23 Oct 27 '19 at 23:37
  • 2
    @paul23 I am not a lawyer, but depending on jurisdiction, I’m pretty sure copyright violation is criminal behaviour, because copyright violation is itself a crime. – nick012000 Oct 28 '19 at 01:28
  • 6
    @nick012000, out of curiosity, in what jurisdictions copyright violation is considered a crime? AFAIK (but IANAL), in the English-law countries it's not, and, since EU, NA, Australia and NZ are all in a well-working trade system, their laws are pretty well-harmonized. (And of the two predominantly-English-law EU members one is, ehm, still in the EU ;-) ). – kkm -still wary of SE promises Oct 28 '19 at 04:54
  • 5
    California non-competition contracts are not enforceable, I mention California, due to the relative (small) distance from Canada. Suppose your company will have to determine how strong the contract is and if the clause can be enforced. Trying to force an employee to stay will end poorly – Donald Oct 28 '19 at 05:12
  • 13
    I strongly disagree with the following: "Releasing the code is mutually assured destruction for both of you". In fact, I'd argue the complete opposite. Usually, it's the party who releases the code first that gets the boost in reputation and the boost in customer sales/referrals. And even if you do not believe me, that's fine because I can assure you that this rogue software developer thinks the exact same way I do. Releasing it will be to his benefit. He's one of the few who understands it. Furthermore, by releasing it himself, he's making himself look like the de facto expert in it. – Stephan Branczyk Oct 28 '19 at 08:21
  • I wouldn't call 8 months severance pay 'nothing' – JMK Oct 28 '19 at 13:02
  • 13
    @JMK he offered to walk away for 8 months in pay. He didn’t get it. – Matthew Gaiser Oct 28 '19 at 13:12
  • Ah sorry @MatthewGaiser, I misread and thought that he had been offered that – JMK Oct 28 '19 at 13:13
  • 5
    @StephanBranczyk perhaps if he wants to go into consulting on that code he can do reasonably well with that strategy. But this isn’t a matter of two competitors, but rather an engineer who will have released code because he was mad at his employer.

    People don’t hire genuine whistleblowers. They are going to hire someone whose last action at their prior job was to try and bring the company down?

    – Matthew Gaiser Oct 28 '19 at 13:24
  • 5
    "Help him leave". Agreed, that is the best plan. The only way to enforce provisions is to go to court, and even in jurisdictions that allow non-compete clauses a judge would likely void that clause due to the unethical behavior of the company. They have dealt themselves a bad hand, it's time to cut their losses. – President James K. Polk Oct 28 '19 at 13:56
  • 2
    Matthew Gaiser, But who's going to tell the new employer what happened? The previous employer legally can't. At least, that's the way it works in the United States, I don't know about Canada. To the new employer, it will look like the code was released to the customers and folded back into the original GPL'd codebase with the original employer's permission. – Stephan Branczyk Oct 28 '19 at 19:41
  • In Canada "fired with cause" is a very high bar. A company is unlikely to be able to manufacture "cause" in the legal sense that will stand up in court. The severance deal is worth something. – DJClayworth Nov 13 '23 at 17:19
138

I know you did not ask anything on behalf of yourself but humanitarian considerations compel me to strongly advise you to avoid hanging around anywhere near the ass end of your company because that is where it is about to be badly bitten.

Your company has made some serious blunders. Not only have they irreparably mangled their relations with their employees, but they have committed a serious copyright violation against the authors of Linux. The reason for the blunders is obvious: your management is a bunch of unethical immoral lunatic idiots.

If they were essentially ethical and moral, they would have investigated the GPL before relying on it. There would be nothing to hide and a disgruntled employee would not have any leverage. If they were sane and clever, they would have fired the correct person 6 months ago and would not have created a whistleblower within their own staff. It is the combination of evil and stupid that will destroy the company.

Here are some red flags that tell me that a scapegoat will soon be needed:

  • You are currently the entire HR staff, everyone else has scarpered

  • Management is strongly focused on covering up instead of mitigating damage

  • Management is insisting that HR (that's you and you alone) find a way to solve a dangerous legal problem without corresponding with the legal team

  • The engineering director has ordered you not to send any emails with "GPL" or "GNU" in it

  • The plan is to never let the customer know that GPL code is present in the product -- but you have just told us, on an indelible public platform, that there is

  • You don't even know whether a confidentiality deal would be corrupt or illegal

  • When the coverup fails, you will be the one who didn't make it succeed

  • You've been reduced to seeking advice from random strangers on the internet

Your position may be untenable. I'll not rush to tell you to run away, but you should at least know the danger you are in.

A. I. Breveleri
  • 2
    I just assumed incompetence, but he could easily be set up to take all the blame. – Matthew Gaiser Oct 28 '19 at 04:35
  • 33
    Management doesn't seem to be rational enough to have planned to set Thoma up, but when the brown stuff hits the spinney thing, they are going to frantically compose a list of peasants to blame -- and lo! Thoma's name will lead all the rest. – A. I. Breveleri Oct 28 '19 at 04:42
  • 45
    "Management is insisting that HR (that's you and you alone) find a way to solve a dangerous legal problem without corresponding with the legal team" - Gotta love this part. They're doing illegal stuff they don't want to reveal to their own lawyers, piss off probably the one person in a position to reveal everything and are asking a single junior HR person to fix everything. popcorn.gif – JollyJoker Oct 28 '19 at 13:41
  • 3
    Please withdraw language over management. They have faults but do not deserve insulting – usr-local-ΕΨΗΕΛΩΝ Oct 28 '19 at 14:06
  • 14
    @usr-local-ΕΨΗΕΛΩΝ His judgement of management is sound, in my opinion. Company culture comes from the top. The company has been poisoned by the personalities in charge, and OP will keep having to deal with such problems if he stays there. – Z. Cochrane Oct 28 '19 at 14:36
  • 3
    @JollyJoker: Yes, but it's not that management wants to conceal anything from their legal dept (I'm confident that legal is rapidly becoming aware of the depth of their predicament) but that they are terrified at the thought of putting anything in writing, even internally. Emails to and from in-house counsel have a way of transubstantiating into evidence. – A. I. Breveleri Oct 28 '19 at 16:16
  • 14
    @usr-local-ΕΨΗΕΛΩΝ: My characterization of Thoma's management is clearly supported by the reported evidence. - I know my language is colorful but I like it that way. – A. I. Breveleri Oct 29 '19 at 01:53
  • 3
    To wit, original poster... start keeping a very, very tight recording of all correspondence between you and just about everyone in the firm. Do it in at least two unrelated, competing services (e.g. Google, Outlook, Yahoo!, ProtonMail, etc) by sending all previous correspondence to yourself and BCC-ing; the B, as in "Blind CC", is imperative. Cover all your bases and your behind. Butting heads with FSF, as your company might soon be doing, is something you don't want to get in the middle of, and for whose sake?! Your bosses?! Please... –  Oct 29 '19 at 13:17
67

Don’t retaliate against Francis. Talk to a lawyer.

Your company has been breaking the law with regard to your violations of the GPL, and now one of your employees wants to become a whistleblower. You’re already going to be in enough legal problems from your violations of copyright law; the last thing you want is to get in even more trouble from breaking whistleblower protection laws, and you’re going to need to talk to a lawyer to determine what your obligations under those are.

nick012000
  • 10
    And keep in mind that GPL violations can usually be fixed quite cheaply: by adhering to the GPL going forward. Most authors of GPL software prioritize "following the license" over "punishing wrongdoers". – Mark Nov 01 '19 at 23:43
37

It's not in your interest to make this kind of decision. If something goes wrong, which is likely, the blame may fall on you.

This is a decision that has strategic and legal implications. And such a decision needs to be made by upper management in conjunction with your company's legal team.

As an HR person, your role is to make sure upper management is informed and your legal counsel is looped in.

Stephan Branczyk
  • Absolutely. This is beyond, and outside, your expertise. Take it to the people who have the training and experience to handle it, that being the legal department first and someone higher in your management chain if you can do that. Maybe even if you can do that. If your immediate superiors are out, it is reasonable to go to their superior, say "I'm not sure this can wait until they return", and get guidance. – keshlam Nov 13 '23 at 21:20
11

Wow. This is a mess. Get lawyers and external consultants if you want to save your company.

I see many separate issues:

The plan was to never let the customer know GPL code was present in the product.

  • That may or may not be Fraud. Ask a lawyer

We are selling a product with a "custom Linux kernel installed". Our engineers say that "most of the product is GPL code we've modified", and that since we are selling a product with this software in place, "we're shipping GPL'ed code".

  • Your engineers are probably right, but ask a lawyer for ways around this (Ways around this have been good business in the past, but they require that you openly work with your customer)

i.e. Lee made a serious technical mistake, and his attempts to squash dissent made him look bad.

  • Lee should have been fired back then since "squashing dissent" over something which turned out to be a serious problem is unprofessional

Somehow Francis found out about the veto (he shouldn't have access to this information). It turns out Lee gloated over the issue and disclosed it to Francis, and we promptly fired Lee (gave him half the normal severance he's entitled to as an alternative to firing with cause and getting nothing)

  • Why was Ling not fired? He should have never disclosed this to Lee

and have determined that many of the companies calling are direct competitors.

  • I really, really hope that your contracts are more watertight than your "We GPL code and don't tell the customer" approach

We called in Francis for a meeting, and he spelled out, bluntly, that he's looking for a new job, he's pissed over the veto debacle, and that we're welcome to give him severance (8 months' pay) to go away here and now.

  • Nice and professional of him. He could probably sue you for much more.

Anything that's sent to Legal has to be retained for at least 3 years. The engineering director has ordered me not to send any emails with "GPL" or "GNU" in it.

  • You must be f_ing kidding me. Not only has your company f_d up a central licensing issue for a core product and continued to lie to customers about it, you even admit that the company does not intend to fix the licensing issue but will keep lying about it.

Is there anything we can do to prevent Francis from disclosing code out of spite?

Yes. Ask a lawyer versed in Canada and US law.

  • The GPL gives the customer the right, not people working on it (IANAL), so it may or may not be that Francis is not entitled to obtain a copy of the code, ask a lawyer

  • The problem here is not so much "taking away the code" (as you said, you have the copyright), but more the disclosure of your shady business practices to customers and public.

  • Given what you wrote here, you currently maybe don't even have the license to distribute the product, which may (IANAL) or may not open you up to companies suing for compensation for re-licensing technologies which cannot be technically separated from potentially alternatively licensed modules.

There are three essential ways to handle this:

  • Continue lying and pay a lot to Francis in an exchange for an NDA and him leaving quietly (with glowing references)

  • Come clean, let Francis go

  • Come clean, fire Ling, give Francis shares of the company to give him some incentive for not going nuclear and make him the boss of the successors of Lee and Ling. Fire your compliance officer and fire the person responsible for the decision to lie to the customer.

I do not see that suing Francis is something which your company should put on their plate right now, it may do (IANAL) more damage than it prevents.

Sascha
9

Summary: Shit happened. A lot of it was due to Lee (who got himself fired) and Ling (who got himself reprimanded) at the expense of Francis. Francis would be a valuable employee, but is now pissed off (understandably) and shows behaviour that threatens your company (not a good move, and not a clever move).

Before Francis went off the rails, the best solution, and the fairest solution, would have been to keep him happy and keep him employed. With the situation now, I would say that you cannot possibly keep him as an employee.

But it seems that Francis misunderstands what GPL-licensed code is. Even if your code is derived from GPL-licensed code, nobody can force you to publish it. In the worst case, if your company was in violation of its license, the copyright holder of the GPL-licensed code could sue you, but they cannot force you to publish your code. (They can give you arguments why it would be wiser to publish your code, but they cannot force you).

Francis however has no right whatsoever to publish your code. It is your copyrighted code. Nobody but your company has the right to publish it. If he publishes it, it's copyright infringement. You can sue him for actual damages. You can sue anyone using that code for copyright infringement and actual damages, so nobody will touch it. Of course you won't be able to recover all the damages from him, but you can make his life a misery for the rest of his life. That's what your legal department can tell him (in a cleaned up form, that's why they are lawyers).

I also must really recommend that you sort out your use of GPL-licensed code. Even though Francis has no right to publish your code, there is no way to prevent him from telling the world what you're doing. So you could find yourself in trouble.

(The GPL license basically says: You are allowed to use this code if you do A, B, C. If you don't follow the rules you are not allowed to use the code. And apparently you don't. That gives the copyright owner the right to sue you for copyright infringement. It doesn't give anyone the right to publish your code).

PS. You are allowed to use and modify GPL licensed source code if everyone receiving your software inside your product is given the complete source code. If customer A doesn't want to give the source code to potential customer B because B is a competitor of A, then you can do this and pray. Your customers would have a right to publish the source code in this case but hopefully don't want to.

And the problem doesn't go away when you have sold your products unless you want to close down the company and run away with the money.

@viraptor: No, Francis doesn't have any rights whatsoever to the source code. Nobody distributed the code to him. The copyright holder of the GPL licensed code has the right to sue the company, nobody else has any rights.

gnasher729
  • "You can sue anyone using that code for copyright infringement" - this is true, if you can identify who they are and that they are using it. It would be very difficult to prove they didn't "white room" it though! – corsiKa Oct 27 '19 at 22:53
  • Thank you. Does this apply if we "forked the Linux kernel and added neat stuff to it" (i.e. most of the code in our product is GPL code our engineers added to). – Thoma Oct 27 '19 at 22:53
  • @corsiKa If they make money with it, you know who they are. If they don't make money with it, you don't care. Proof is easy. You take them to court and ask for discovery. Thoma: See end of my answer. – gnasher729 Oct 27 '19 at 22:57
  • there is no way to prevent him from telling the world what you're doing -This is exactly what I was tasked with preventing (until at least July of next year, when we've sold all our units of this product). – Thoma Oct 27 '19 at 22:57
  • 33
    Francis has a moral duty to go against the company. This is not a bad employee: this is a whistleblower and needs protection from human resource in said company. - Read the comments: customers are sent the (compiled) code as executable. So legally they have to release, and as employee you cannot be forced to do illegal things. The copyright owner might not notice it: so Francis being the whistleblower needs protection to show the world the violation. – paul23 Oct 27 '19 at 22:58
  • 2
    @paul23 This is not a whistleblower, this is just a totally f***ed up situation. – gnasher729 Oct 27 '19 at 23:06
  • 12
    Telling the world a company is violating a license is kind of the definition, and showing the source is just "showing proof" in my eyes. – paul23 Oct 27 '19 at 23:07
  • 29
    “ It is your copyrighted code.” -- If what @Thoma says (We are selling a product with a "custom linux kernel installed". Our engineers say that "most of the product is GPL code we've modified" in a comment under the post) is taken at the face value, it's a GPL-copyrighted code, crystal clear, even though IANAL. GPL is infectious as f**k, and has been explicitly designed with that goal in mind. Any Linux-based home router has a GPLed modified source code download link in the documentation. But if the modifications are the “secret sauce,” that's looking very bad for the company's future. – kkm -still wary of SE promises Oct 28 '19 at 05:05
  • 2
    This answer is the one I would also have given. GPL does not even demand to make things public. It demands that if you distribute SW, you must provide the source to the recipients. That means that if you operate your own servers and sell services there is nothing wrong (legally) to keep it secret. Make sure that the employee understands that if he publishes it, he goes for personal bankruptcy for paying the damages, and, if profits from it, potentially fraud or copyright violations. Is it worth it? – Sascha Oct 28 '19 at 07:13
  • @kkm You need to read the GPL license carefully. Nobody can force you to release your code. The copyright holder can give you strong encouragement but they cannot force you. Someone who is not the copyright holder has no rights whatsoever. It seems their code should be GPL licensed but it isn’t. – gnasher729 Oct 28 '19 at 09:12
  • 17
    “Nobody can force you to release your code”--this is true. Nobody can force you not to steal or not to murder; it's all about the consequences. License is not a recommendation or advice; it's a legally accepted, binding and enforceable agreement. Linux kernel license violations, in particular, are handled by the Software Freedom Conservancy. And they do sue violators. Also, some jurisdictions consider explicit claims of not using parts of licensed code as fraud, which is easier to prosecute. – kkm -still wary of SE promises Oct 28 '19 at 10:47
  • Anyway, what is your point? That the copyright law is an "encouragement", and no software license can be enforced in the court of law? That sounds like a woo-woo alarm to me, sorry. – kkm -still wary of SE promises Oct 28 '19 at 10:49
  • 31
    "Even if your code is derived from GPL-licensed code, nobody can force you to publish it" Yes, they can. If you distribute binaries built from GPL-derived code, you are legally obligated to share the whole source code, with only the limitations imposed by GPL itself (aka: if a recipient makes it public, you have no recourse). People can and do get sued (successfully) for GPL breaches. – 520 says Reinstate Monica Oct 28 '19 at 12:40
  • 7
    @gnasher729 I don't know where you're getting this 'encouragement' thing from. The GPL is not 'encouragement'. It is a legal software license that is as enforceable as any from Microsoft or Oracle. In many jurisdictions 'injunctive relief' is a thing (meaning the defendant is forced by the courts to comply with the license, which in this case would mean the release of their internal source code under GPL). – 520 says Reinstate Monica Oct 28 '19 at 16:12
  • 3
    I find it quite interesting that this answer boomerangs a little bit. Essentially it is true, even under GPL nobody can force the company to release code, but the company can be sued, likely successfully and expect legal punishment. But then the answer states, "Francis has no right to publish code". I mean, yeah - but again, if he has the code, the company cannot stop him from publishing either, all they can do is sue if he does, again, probably successfully. To sum up, nobody can force nobody to do shit, but there can be legal consequences. Thus, the more sensible way is to entice Francis. – Koenigsberg Oct 29 '19 at 18:53
  • 3
    "Even though Francis has no right to publish your code" I'm not sure why people see Francis and customers differently. Francis has a copy of the GPL-licensed code. The license grants him the right to distribute, modify, and sell that code. His rights are not different from paying customers' rights. – viraptor Oct 30 '19 at 21:50
  • I find it funny that the correct answer on the point of right to release the code (this answer) has 3 votes, while several 140+ and 70+ answers give false information on that point. Company that employed Francis has the sole copyright on the code contributions that he wrote. Only the company has the right to publish or not. GPL says "if you distribute your program that uses our GPL library, you need to distribute the source code with it as well to your users, under GPL license". If Francis distributed the source he would be liable same like in the case he published 100% proprietary code. – Borut Hadžialić Nov 20 '19 at 18:37
  • 1
    @BorutHadžialić: It is questionable if any clearly right answer exists with entangled code that has been shipped out to multiple people. – Joshua Sep 06 '20 at 16:40
  • 6
    @viraptor The GPL doesn't give rights to people who have the code, it gives rights to people who have had the code distributed to them. When a company uses GPLed code internally, that's not "distribution". If Francis only has a copy as part of his work for the company, then it hasn't been distributed to him and he doesn't have rights under the GPL. – cpast Oct 14 '20 at 01:31
9

Not answering the question itself, my advice to you, if you say that your product solely relies on your modifications being kept a secret, is to find a new workplace, yesterday!

Why? Francis needs no more than going online via an internet-cafe and/or using the free WiFi of a "regular" cafe and using a strong, reliable VPN service, one that doesn't keep logs of users and your company's trade secrets are bust!

Even if you try legal action against him, unless he's a complete and total idiot, which he doesn't sound like, you'll have no proof, and all the while the milk would have been spilled.

Basically, your current company is in deep doo-dee.
Bail. Bail now.

Also, as I commented above, but to summarize my above comment: as long as you are with the company, start keeping all correspondence you have, in relation to this case and Francis, backed up in at least two storages not controlled by your company.
As someone else noted, you, through no fault of your own, have become the perfect patsy for your shitty management, should they need it.
It's not even loss of work, like I said, bail today. It's the possibility of becoming the legal face of your company. Against the FSF, owners of the Linux Kernel... want to take a guess how you fare up?

Good luck, and sorry for you that your crappy managers brought you to be in legal danger.
I hope your next place will be less crappy.

5

He plans to make large portions of the code, much of which is in "Linux Kernel" and "Docker" code, public, due to "an obligation to the FOSS community".

Your question is mainly about the human resource aspect, but there is an important piece of information that should be clarified.

The GPL license does not force you to make the code "public", you only need to provide the modified source code to the program's user, so basically your customers that are owning and running the device. This is a subtle but important distinction.

It means that if tomorrow rather than shipping a device, you ship the device and a CD containing the source code, and some instructions on how to build it, you are compliant (for GPLv2, for GPLv3 you should provide installation instructions if this is a User Product).

So the code does not have to be "public", "Francis" is likely trying to fudge the issue to make it more threatening.

You should definitely consult with an IP lawyer first.

Xavier T.
  • 3
    If someone buys the device, they are by default being distributed a binary of the GPL software. As such, anyone who buys the device has the right to demand to access the source code for that binary distribution. – crobar Oct 29 '19 at 17:20
  • @crobar : this is correct, but it does not mean, that I, random internet person, can ask company X for its source code. That's how I would understand the code being "public". So you don't actually have to disclose to the FOSS community, but to your users/customers. – Xavier T. Oct 29 '19 at 17:23
  • 5
    @XavierT.: Yes and no. First, the GPL absolutely requires the company in this case to notify their customers that the code is licensed under GPL and that they have the absolute right to the source code, if they want it. They are currently violating this requirement. Second, the GPL absolutely forbids the company from restricting the further distribution of the BINARY, as well as the source. If they give a binary to Al, and Al gives a copy to Betty, and then Betty calls them up and says "I want the source", they are required to comply with Betty's request. – John R. Strohm Oct 29 '19 at 17:29
  • @XavierT.: There are TWO ways they can comply with Betty's request. They can give her the source outright, or they can say "Get it from Al." At that point, when she replies "Al told me to get it from you", they are stuck between a rock and a hard place. – John R. Strohm Oct 29 '19 at 17:31
  • @JohnR.Strohm : I agree about the sentiment, but in the Al, Betty story, if Al is copying the binary, and effectively distributing to Betty, then this is Al that is bound by the licence. If you are using Fedora, you can get the source from Fedora but you have no claim on upstream development. – Xavier T. Oct 30 '19 at 08:43
  • @XavierT. That's why I said 'if someone buys the device', although admittedly I was assuming the company was selling direct to consumers which we don't know. – crobar Oct 30 '19 at 09:55
  • 4
    @XavierT.: Read the GPL. GPLv3 paragraph 6b says that a distributor of the binary may comply by offering "to give anyone who possesses the object code" (verbatim) either a copy of the source code or access to a download facility. The key word "anyone" has the same meaning in legalese as it has in everyday English, and this means that the author must honor the request from Betty. Similar provisions are found in GPLv2 paragraphs 3b and 3c. The key phrase in GPLv2 paragraph 3b is "any third party", and legalese very strongly emphasizes that "any third party" means "ANY third party". – John R. Strohm Oct 30 '19 at 14:09
-4

Neither side is looking good in this situation, but Francis has already poisoned the office - he needs to go.

Advise your directors to sort this as soon as possible. You do not want people like him inside your company. Your company may suffer in the short term, by losing talent, but it'll be less of a problem than you imagine. If it costs eight months salary to get rid of him - that's cheaper than a long lawsuit on either side.

PeteCon
  • 16
    Sounds like it's company management and corruption that has poisoned the office. Everything else you've said is correct. An amicable settlement is in order. – Z. Cochrane Oct 28 '19 at 14:40