Open Source Not Open and Shut

Open-source licensing still may pose some risk to the enterprise.
Posted September 1, 2005
By Drew Robb


The various operating systems all have their share of proponents and detractors. But as time goes on, the real issue is not so much which is best, but how to get them to play well together.

“People start talking about Linux vs. Windows vs. Mac, but the fact of the matter is all these have to coexist,” says Laura DiDio, a Research Fellow for Boston-based Yankee Group Research, Inc. “At some point in time, even if not on your own network, they are going to have to talk to a customer or supplier using a different operating system.”

Getting software to work together, however, also raises some tough legal issues. The GNU General Public License (GPL), which governs the Linux kernel and a great deal of other open source software, states, for example:

“Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.”

This provision is unproblematic as long as GPL code is combined only with other open source code. Problems arise when GPL code is combined with proprietary code in a product that is then distributed: the GPL's terms attach to the combined work, and the distributor cannot add restrictions of its own on top of them.

Linux Lawsuits

Software lawsuits are commonplace, even when talking about proprietary commercial applications. Companies suing Microsoft, for example, have spanned the alphabet, from Apple all the way up to WordPerfect.

But while vendors will continue to fight it out in court, the real threat for customers is a vendor suing them for use of software the vendor claims violates its intellectual property rights. The most famous example of this is Lindon, Utah’s SCO Group Inc. claiming ownership of Unix patents and copyrights, and asserting that Linux infringed them. Accordingly, in March 2004, SCO launched lawsuits against AutoZone and DaimlerChrysler regarding their use of Linux. It also sent letters to hundreds of other corporations threatening legal action.

To counter this threat and put its own customer base at ease, Microsoft boosted its level of customer indemnification. As CEO Steve Ballmer explained in a letter last fall:

“Today, when a volume licensing customer - a business or organization ranging from as few as five computers to many thousands - licenses a Microsoft product, we provide uncapped protection for legal costs associated with a patent, copyright, trademark or trade secret claim alleging infringement by a Microsoft product. … No vendor today stands behind Linux with full IP indemnification. In fact, it is rare for open source software to provide customers with any indemnification at all.”

While these lawsuits and letters caused some organizations to put their Linux projects on hold, no additional Linux users have been sued, and it is looking less likely that they will. After two years of bluster, SCO has yet to provide any credible evidence that any of its proprietary code is used in Linux.

The primary reason for this is that, although thousands of people around the world have volunteered contributions to the process, Linux development has not been an uncontrolled free for all.

“It is a large project, but it is centered on the work of Linus Torvalds and Andrew Morton who are building and maintaining the kernels,” explains Bill Weinberg, an open source architecture specialist and evangelist for the Open Source Development Laboratory (OSDL) in Beaverton, Ore.

The OSDL employs Torvalds and Morton so they can work full time on Linux – Torvalds overseeing the development of future releases of the kernel and Morton maintaining the current version. They are supported by a team of about eighty lieutenants, each supervising the actions of developers working on a particular aspect of the operating system. Any code first gets approved by these lieutenants and then by either Torvalds or Morton before it goes into the production software.

How effective has this system been so far? Torvalds has averred that there isn’t a single line of proprietary code in Linux, and he seems to be backed up by the developments in SCO’s lawsuit against IBM. Recently an August 2002 email was made public. In it, SCO employee Michael Davidson describes the results of an earlier investigation:

“The project was a result of SCO’s executive management refusing to believe that it was possible for Linux and much of the GNU software to have come into existence [sic] without *someone* *somewhere* having copied pieces of proprietary UNIX source code to which SCO owned the copyright. The hope was that we would find a ‘smoking gun’ somewhere in code that was being used … At the end, we had found absolutely *nothing*. ie no evidence of any copyright infringement whatsoever.”

Raising the Comfort Level

Just because Linux has come up clean so far, that doesn’t mean that companies shouldn’t take precautions. The OSDL has set up a legal defense fund to assist companies sued by SCO. Red Hat, HP, and Novell/SuSE all offer some level of indemnification for their Linux customers. In addition, Open Source Risk Management in New York City sells insurance to protect against trademark, copyright and patent infringement claims on common open source technologies including Linux, MySQL, Apache, Perl and PHP.

But that is a small part of the software a company might use. The SourceForge.net site alone hosts over 100,000 development projects. Then there is all the development that gets done in house.

“Programmers are always looking for ways to not write code and instead use what already exists, so they all look at open source repositories whenever possible,” says Jothy Rosenberg, CTO and founder of Service Integrity, Inc., a business intelligence firm in Lexington, Mass. “They are pretty careful but it is easy, since we are not lawyers, to not be sure if the license on that particular module is clean.”

As an additional precaution, therefore, he uses ProtexIP software from Waltham, Mass.’s Black Duck Software, Inc. ProtexIP analyzes a piece of source code and compares it against a database of known open source software. It flags anything that matches open source code so that it can be removed, rewritten, or cleared under the terms of its license. Otherwise, if copyleft code such as GPL code ships inside the proprietary product, that product can become subject to the terms of the open source elements it contains, meaning others could freely copy, modify and distribute it.
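To make the scanning idea concrete, here is an added illustration of how such a matcher can work. It is not Black Duck's code or ProtexIP's algorithm: it uses winnowing (Schleimer, Wilkerson and Aiken's fingerprint-selection scheme) over normalized C tokens, so that a copied function still matches after its identifiers are renamed and its comments are rewritten. The component names, licenses, snippets and the "in-house" file are all constructed for the example.

```python
# Added example: a toy open source provenance scanner. Not ProtexIP's code or
# algorithm. Fingerprints are winnowed k-gram hashes of normalized C tokens.
import hashlib
import re
from typing import Dict, List, Set

K = 5  # tokens per k-gram
W = 4  # winnowing window: one fingerprint is kept per window of W hashes

# Keywords and common types are kept verbatim; every other identifier becomes
# "ID", so renaming variables or functions does not evade the match.
KEYWORDS = {
    "if", "else", "for", "while", "do", "return", "int", "char", "unsigned",
    "void", "size_t", "static", "const", "break", "continue", "struct",
    "sizeof", "NULL", "switch", "case", "default", "long", "short",
}
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)  # naive: ignores strings
TOKEN_RE = re.compile(
    r"[A-Za-z_]\w*|0[xX][0-9A-Fa-f]+|\d+|\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*'"
    r"|->|==|!=|<=|>=|\+\+|--|&&|\|\||<<|>>|[^\s\w]"
)


def normalize(src: str) -> List[str]:
    """Strip comments and canonicalize identifiers (toy C lexer)."""
    out = []
    for tok in TOKEN_RE.findall(COMMENT_RE.sub(" ", src)):
        if (tok[0].isalpha() or tok[0] == "_") and tok not in KEYWORDS:
            tok = "ID"
        out.append(tok)
    return out


def _h(kgram: List[str]) -> int:
    # Stable 64-bit hash; Python's built-in hash() is salted per process.
    digest = hashlib.blake2b(" ".join(kgram).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big")


def fingerprints(tokens: List[str], k: int = K, w: int = W) -> Set[int]:
    """Winnowing: hash every k-gram, keep the minimum hash of each w-window."""
    hashes = [_h(tokens[i:i + k]) for i in range(len(tokens) - k + 1)]
    if len(hashes) <= w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


class OpenSourceIndex:
    """Fingerprint database of known open source components (constructed)."""

    def __init__(self) -> None:
        self.components: Dict[str, Dict] = {}

    def add(self, name: str, license_id: str, source: str) -> None:
        self.components[name] = {"license": license_id,
                                 "fps": fingerprints(normalize(source))}

    def scan(self, source: str, threshold: float = 0.5) -> List[Dict]:
        """Report components whose fingerprints appear in `source`.

        coverage = fraction of the component's fingerprints found in the
        scanned file; 1.0 means the whole component is present (modulo
        renames and comments). Partial rewrites lower it, so the threshold
        is a policy knob, not a proof of absence.
        """
        fps = fingerprints(normalize(source))
        hits = []
        for name, comp in self.components.items():
            shared = fps & comp["fps"]
            coverage = len(shared) / len(comp["fps"]) if comp["fps"] else 0.0
            if coverage >= threshold:
                hits.append({"component": name, "license": comp["license"],
                             "coverage": round(coverage, 3)})
        return sorted(hits, key=lambda h: h["coverage"], reverse=True)


# Constructed sample components (hypothetical names, not real projects).
GPL_SNIPPET = """
unsigned int fold_sum(const unsigned char *buf, size_t len) {
    unsigned int acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc = (acc << 5) ^ (acc >> 27) ^ buf[i];
    }
    return acc;
}
"""
BSD_SNIPPET = """
int clamp(int v, int lo, int hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}
"""
# Constructed "in-house" file: original code, plus fold_sum pasted in with
# every identifier renamed and the comments changed.
INHOUSE_SRC = """
/* in-house wire format helpers */
static int frame_ok(const unsigned char *p, size_t n) {
    if (n < 4) return 0;
    return p[0] == 0xAB && p[n - 1] == 0xCD;
}
unsigned int pkt_hash(const unsigned char *data, size_t n) {
    unsigned int h = 0; // rolling fold
    for (size_t k = 0; k < n; k++) {
        h = (h << 5) ^ (h >> 27) ^ data[k];
    }
    return h;
}
"""


def build_index() -> OpenSourceIndex:
    idx = OpenSourceIndex()
    idx.add("gnu_fold", "GPL-2.0-only", GPL_SNIPPET)
    idx.add("bsd_clamp", "BSD-3-Clause", BSD_SNIPPET)
    return idx


def scan_inhouse() -> List[Dict]:
    return build_index().scan(INHOUSE_SRC)


if __name__ == "__main__":
    for hit in scan_inhouse():
        print(f"{hit['component']:10s} {hit['license']:14s} "
              f"coverage={hit['coverage']}")
```

Running the block reports `gnu_fold` with coverage 1.0, because the renamed `pkt_hash` normalizes to exactly the same token stream as `fold_sum`, while `bsd_clamp` stays below the threshold. Two caveats a practitioner would want: identifier canonicalization defeats renaming but not reordering or restructuring, and a scanner only ever knows about the components in its database, so the database's breadth matters as much as the matching.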

“It found a number of worrisome things that we rectified,” he continues. “It provides a level of assurance that increases our comfort level that we are ‘clean’ when we ship.”

Rosenberg says that given lawsuits such as the ones SCO is bringing, such software is needed not just for his own peace of mind but for that of his investors and customers as well.

“Our VCs now require we indemnify them that we do not have any open source license violations,” he says. “The bigger the company the more critical this becomes.”
