On Sun, 2018-09-09 at 13:20 -0400, Theodore Y. Ts'o wrote:
> 
> The only middle ground is "gentleman's agreement".  The main problem
> any legal agreement is what are the teeth if someone violates the NDA
> and breaks the embargo.  The reason why it will be very hard for some
> third-party, like the LF, to sign any kind of NDA on behalf of
> independent developers is that it puts the liability risk on the LF.
> And the LF's lawyers aren't going to be comfortable with this.
> 
> We've been through this before with the TAB and getting all of the TAB
> members under an NDA so we could talk about pre-standardized UEFI
> proposals.  We looked at trying to get the LF to sign an NDA for the
> TAB members who didn't work for companies which had an NDA with UEFI,
> and it just didn't work.  Ultimately, what we did is we negotiated a
> specific NDA just for me (where it would be my house on the line in
> terms of an NDA violation), and I then had to get the Google's lawyers
> to OK my signing it as a personal NDA.  The whole process took
> **months**.

In practice there's not really a lot of difference between a "real" NDA
and a gentlepersons' agreement. Nobody's *really* going to lose their
house; all that's likely to happen if you screw up is that they won't
include you in the party next time round.

We *had* a breach before the Spectre/Meltdown embargo was supposed to
be over, and to my knowledge (and I *hope*) nothing actually happened
except a bit of tutting.