September 20, 2020

Costs of a GPL Ban: An Example

Many people have criticized the recent proposal from some congressmen to ban the use of the GNU Public License (GPL) on federally funded software projects. There’s one disadvantage of this proposal that I haven’t seen discussed. I’ll illustrate it with a real example.

Brent Waters and I are currently doing research on a method for improving certain cryptographic operations. (I’ll spare you the details, which don’t matter here.) As part of this project we wanted to build a proof-of-concept implementation, by modifying the code of an existing state-of-the-art encryption package to add our improvement to it. We surveyed the packages that are out there and chose a package called GPG as the only viable starting point for our implementation.

At this point, there are three things that can happen:
(1) we don’t write any code,
(2) we add code to GPG but don’t release that code, or
(3) we add code to GPG and release that code under the GPL.
Anything else is prohibited by GPG’s license, which is dictated to us by the authors of GPG.

Number (3) is clearly the best choice for us, for other researchers, and for industry. But if a GPL ban were in place, we would be forced to choose (1), or possibly (2).

I want to emphasize that we did not pick GPG because we wanted to create GPL’ed code. We chose GPG because it was the only product that both (a) offered the required features and (b) had a license that allowed us to create and distribute modified versions of the source code.

It’s rare for a software researcher to create an entirely new piece of software from scratch. Our scenario, where researchers build on a large, existing product, is much more common. In situations like ours, the effect of a GPL ban often would be to ensure that no code is released at all. Surely this can’t be what the congressmen had in mind.