www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@links.org>
Subject Re: Antideficiency Act
Date Tue, 06 Mar 2012 10:22:59 GMT
On Tue, Mar 6, 2012 at 12:58 AM, Lawrence Rosen <lrosen@rosenlaw.com> wrote:
> [This email is NOT confidential.]
> A colleague recently sent me his notes from a U.S. Department of Defense
> "Open Source Software Public Meeting" last January. This meeting was held
> primarily to discuss with government suppliers of software the new DFARS
> policies on the acquisition of open source software. I had reviewed the
> DFARS document a few months earlier and expected no particular issues to
> arise at the meeting. I didn't go.
> However, I learned later that there were several references at that meeting
> to the Antideficiency Act, codified generally at 31 U.S.C. §§ 1341(a), 1342,
> and 1517(a). These obscure (to me) statutes prohibit any government agency
> from authorizing any obligation in excess of the amount appropriated unless
> authorized by law.
> This affects Apache because of this obscure (to me) provision in Apache
> License 2.0:
> 9. Accepting Warranty or Additional Liability. While redistributing the Work
> or Derivative Works thereof, You may choose to offer, and charge a fee for,
> acceptance of support, warranty, indemnity, or other liability obligations
> and/or rights consistent with this License. However, in accepting such
> obligations, You may act only on Your own behalf and on Your sole
> responsibility, not on behalf of any other Contributor, and only if You
> agree to indemnify, defend, and hold each Contributor harmless for any
> liability incurred by, or claims asserted against, such Contributor by
> reason of your accepting any such warranty or additional liability.
> [Emphasis added by underlining.]
> Here is how my colleague described the particular "incompatibility" between
> the Antideficiency Act and Apache License 2.0 that affected one of his
> client's transactions:
> We are using certain Apache code in one of our proprietary products.  The
> code is subject to Apache 2.0 and we make the necessary disclosure of this
> in our software license.  After reviewing the Apache 2.0 license, a division
> of the Army (one of our customers) believes that Section 9 (indemnification)
> constitutes an Anti-Deficiency Act (ADA) violation and therefore has
> rejected the order on grounds that it cannot accept this ADA risk.  An ADA
> violation arises when a Government agency makes or authorizes an expenditure
> or obligation of money (i) in excess of the amount available in an
> appropriation or fund (31 USC 1341(a)(1)(A)) or (ii) due to a contract or
> obligation for the payment of money before an appropriation is made, unless
> authorized by law (31 USC 1341 (a)(1)(B)).  Indemnification clauses run
> afoul of the ADA because the Government in essence is agreeing to an unknown
> monetary amount in absence of an appropriation.
> We have argued incessantly to the Army that we do not believe that the
> indemnification clause applies to them so long as they merely use the
> software program as a consumer (i.e. so long as they do not offer
> warranties, indemnification, support, or other legal obligations to any
> other third parties… which is the case as the Army is only using the
> software as a downstream consumer).  The Army, however, believes that any
> contingency indemnification obligation, no matter how unlikely, constitutes
> an ADA violation.  Basically the Army believes that any indemnity
> obligation, no matter how remote, constitutes an obligation to commit
> government funds.  Note, too, that even if we were to agree with the
> Government that we would stand in the Government’s shoes as indemnitor
> (which we will not do), the Government has taken the position that even that
> would not be sufficient to do away with the ADA violation risk.  Short of
> removing Section 9 indemnity from the Apache license… which we are powerless
> to do even if we wanted to, or somehow asking Apache to relax Section 9
> (which I do not expect Apache to do), or removing the Apache code and
> replacing it with either commercially available code or our own suitable
> replacement (which is possible but causes a lot of other side engineering
> issues and delays), I am having trouble finding a way around the problem.
> In our view, the Army is taking a hyper-sensitive view of the indemnity
> clause and the ADA.  They also are ignoring the fact that Apache code is
> some of the most widespread code in use within the Department of Defense (if
> you believe the Mitre study on this and recent reports that the DoD CIO has
> put out).  One also wonders how the Government can advocate encouraging the
> use of OSS within the Government when faced with intractable positions like
> we are facing with the Army.   The Army attorney I am dealing with told me
> that she would prefer that Apache, GPL, and others all make their OSS
> licenses more “government friendly” to avoid things like indemnification and
> choice of law (i.e. substituting a particular state for governing law in
> favor of federal common law).  ...  I do believe this particular wing of the
> Army is taking an untenable, overly conservative view of the ADA.  My guess
> is that it is not within the norm of how most government agencies… civilian
> and DoD… interpret the Apache license.
> One senior government official reportedly opined at the January meeting that
> "contractors should not discount the possibility of negotiating license
> deviations from the OSS license with entities like Apache or FSF." I note
> this only to point out the absurdity of certain expectations about open
> source. :-)
> Better than just yelling in frustration, though, and in the interest of
> providing a sensitive and well-reasoned response to vendors hawking Apache
> wares to the U.S. government, do any of you have a ready answer why our
> license isn't incompatible with the Antideficiency Act that we can share
> with the government and on our website?

Well, it seems to me the licence says "you can only do X if you offer
indemnity", and the ADA says "you can't offer indemnity", so it seems
quite clear that this means the ADA says "you can't do X". So, I'd
suggest they don't do X, and we're all happy.

If the Army want to be morons, that's up to them, surely?

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message