www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Philip Odence <pode...@blackducksoftware.com>
Subject Re: Antideficiency Act
Date Tue, 06 Mar 2012 12:18:51 GMT
I was at the meeting and although there was such a naive comment made, generally I believe
the govt procurement folks understood the impracticality of negotiating OSS licenses. They
just felt caught between a rock and hard place wrt the ADA.  That said, I really don't understand
the Army's position. I'll try some of my contacts in DoD and if I can get someone to articulate
it, will report back to the list. 
Phil Odence, Black Duck Software

Sent from my iPad

On Mar 6, 2012, at 5:23 AM, "Ben Laurie" <ben@links.org> wrote:

> On Tue, Mar 6, 2012 at 12:58 AM, Lawrence Rosen <lrosen@rosenlaw.com> wrote:
>> [This email is NOT confidential.]
>> 
>> 
>> 
>> A colleague recently sent me his notes from a U.S. Department of Defense
>> "Open Source Software Public Meeting" last January. This meeting was held
>> primarily to discuss with government suppliers of software the new DFARS
>> policies on the acquisition of open source software. I had reviewed the
>> DFARS document a few months earlier and expected no particular issues to
>> arise at the meeting. I didn't go.
>> 
>> 
>> 
>> However, I learned later that there were several references at that meeting
>> to the Antideficiency Act, codified generally at 31 U.S.C. §§ 1341(a), 1342,
>> and 1517(a). These obscure (to me) statutes prohibit any government agency
>> from authorizing any obligation in excess of the amount appropriated unless
>> authorized by law.
>> 
>> 
>> 
>> This affects Apache because of this obscure (to me) provision in Apache
>> License 2.0:
>> 
>> 
>> 
>> 9. Accepting Warranty or Additional Liability. While redistributing the Work
>> or Derivative Works thereof, You may choose to offer, and charge a fee for,
>> acceptance of support, warranty, indemnity, or other liability obligations
>> and/or rights consistent with this License. However, in accepting such
>> obligations, You may act only on Your own behalf and on Your sole
>> responsibility, not on behalf of any other Contributor, and only if You
>> agree to indemnify, defend, and hold each Contributor harmless for any
>> liability incurred by, or claims asserted against, such Contributor by
>> reason of your accepting any such warranty or additional liability.
>> [Emphasis added by underlining.]
>> 
>> 
>> 
>> Here is how my colleague described the particular "incompatibility" between
>> the Antideficiency Act and Apache License 2.0 that affected one of his
>> client's transactions:
>> 
>> 
>> 
>> We are using certain Apache code in one of our proprietary products.  The
>> code is subject to Apache 2.0 and we make the necessary disclosure of this
>> in our software license.  After reviewing the Apache 2.0 license, a division
>> of the Army (one of our customers) believes that Section 9 (indemnification)
>> constitutes an Anti-Deficiency Act (ADA) violation and therefore has
>> rejected the order on grounds that it cannot accept this ADA risk.  An ADA
>> violation arises when a Government agency makes or authorizes an expenditure
>> or obligation of money (i) in excess of the amount available in an
>> appropriation or fund (31 USC 1341(a)(1)(A)) or (ii) due to a contract or
>> obligation for the payment of money before an appropriation is made, unless
>> authorized by law (31 USC 1341 (a)(1)(B)).  Indemnification clauses run
>> afoul of the ADA because the Government in essence is agreeing to an unknown
>> monetary amount in absence of an appropriation.
>> 
>> 
>> 
>> We have argued incessantly to the Army that we do not believe that the
>> indemnification clause applies to them so long as they merely use the
>> software program as a consumer (i.e. so long as they do not offer
>> warranties, indemnification, support, or other legal obligations to any
>> other third parties… which is the case as the Army is only using the
>> software as a downstream consumer).  The Army, however, believes that any
>> contingency indemnification obligation, no matter how unlikely, constitutes
>> an ADA violation.  Basically the Army believes that any indemnity
>> obligation, no matter how remote, constitutes an obligation to commit
>> government funds.  Note, too, that even if we were to agree with the
>> Government that we would stand in the Government’s shoes as indemnitor
>> (which we will not do), the Government has taken the position that even that
>> would not be sufficient to do away with the ADA violation risk.  Short of
>> removing Section 9 indemnity from the Apache license… which we are powerless
>> to do even if we wanted to, or somehow asking Apache to relax Section 9
>> (which I do not expect Apache to do), or removing the Apache code and
>> replacing it with either commercially available code or our own suitable
>> replacement (which is possible but causes a lot of other side engineering
>> issues and delays), I am having trouble finding a way around the problem.
>> 
>> 
>> 
>> In our view, the Army is taking a hyper-sensitive view of the indemnity
>> clause and the ADA.  They also are ignoring the fact that Apache code is
>> some of the most widespread code in use within the Department of Defense (if
>> you believe the Mitre study on this and recent reports that the DoD CIO has
>> put out).  One also wonders how the Government can advocate encouraging the
>> use of OSS within the Government when faced with intractable positions like
>> we are facing with the Army.   The Army attorney I am dealing with told me
>> that she would prefer that Apache, GPL, and others all make their OSS
>> licenses more “government friendly” to avoid things like indemnification and
>> choice of law (i.e. substituting a particular state for governing law in
>> favor of federal common law).  ...  I do believe this particular wing of the
>> Army is taking an untenable, overly conservative view of the ADA.  My guess
>> is that it is not within the norm of how most government agencies… civilian
>> and DoD… interpret the Apache license.
>> 
>> 
>> 
>> One senior government official reportedly opined at the January meeting that
>> "contractors should not discount the possibility of negotiating license
>> deviations from the OSS license with entities like Apache or FSF." I note
>> this only to point out the absurdity of certain expectations about open
>> source. :-)
>> 
>> 
>> 
>> Better than just yelling in frustration, though, and in the interest of
>> providing a sensitive and well-reasoned response to vendors hawking Apache
>> wares to the U.S. government, do any of you have a ready answer why our
>> license isn't incompatible with the Antideficiency Act that we can share
>> with the government and on our website?
> 
> Well, it seems to me the licence says "you can only do X if you offer
> indemnity", and the ADA says "you can't offer indemnity", so it seems
> quite clear that this means the ADA says "you can't do X". So, I'd
> suggest they don't do X, and we're all happy.
> 
> If the Army want to be morons, that's up to them, surely?
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message