They do have that right. Sometimes the legal office gets requests designed to check our GPL compliance. Every release, we file information on the distributions we use, their versions, which libraries we link to, which compiler versions we use, build instructions for any components that we did a custom compilation of, etc. The CYA paperwork is pretty extensive.
Only if you've modified it. If not, then it's upstream's responsibility to distribute source. And even if you've modified it, I think distributing patchsets is enough, no?
If you distributed binaries made from GPL code to me, you're obliged to provide the source code if I ask you. You can do that by pointing me to an upstream url fine, but you need to be sure that that url will be valid when I ask you.
Even beyond that, we need to be able to prove that the binaries we're distributing were made from the source that we claim they are, and be able to provide exact instructions for a customer to independently re-create the binaries. That usually means that we stick to versions of libraries and compilers that are on the GA installation disks for a system, with exceptions made for a few security-critical libraries like OpenSSL.
