But How Serious Is the Risk?
There's really no consensus on the seriousness of the risk. The only consistent answer is: it varies.
"Issues of open source licensing obligations, mixed licenses and the like only come about when software is distributed, that is, when it leaves the walls of the company making use of it," noted Gordon Haff, an analyst with Illuminata.
Another important distinction is what sort of license the open-source project falls under. "Some open source licenses, such as Apache and BSD, impose very few restrictions on how the code covered by these licenses can be used," Haff said. "It's really only the copyleft licenses, like the GPL, that are a concern, and again only if the code is distributed outside the company."
With those points in mind, the risk for an organization using open-source software for entirely in-house efforts isn't that large. But what if that in-house software is later distributed or even commercialized? The project developers could be long gone, and it's possible that the organization would not even know it had an open-source foundation to its project.
This is one of the challenges that OSRM addresses. "When clients have questions about open source, our first step is to mitigate risks," Egger said. This often means complying with open-source licenses. Even though OSRM offers indemnification, what's often more important is simply understanding what software is in a project and what licenses it must adhere to.
More often than not the software is something that could best be termed mixed source, a combination of open and proprietary code. "The development model where companies write their own software, top to bottom, is gone," Egger said. "However, many executives don't realize this. They came of age in a time when development was still done all internally."
Other considerations come into play as well. As with Cisco and Linksys, an acquisition could change your profile; or, as with Linksys and Broadcom, a company acquiring a component for its larger offering could have unknowingly integrated open source.
"There's a mistaken mindset that third party equals proprietary," Egger said. "People just assume that when they get something from a third party that the third party owns all the rights and has transferred them."
How Free Is Free?
Figuring out licensing can get pretty messy. Who owns what is often in contention, and opening things up to comply with one license could result in an IP challenge from somewhere else.
Turning back to Microsoft, what if a software distributor decided it didn't want the legal headaches and decided to just pay some royalties for, say, its use of Linux? They'd be set, right?
Wrong. They would then be in violation of the GPL, which prohibits those distributing GPL-licensed free software from paying patent royalties.
Microsoft isn't going to get the free software community to roll over without a fight. Free software advocates do their own license enforcing and litigating, and they have been quite successful. There are plenty of these organizations, so those challenging open source never know who they'll be up against.
For instance, an obscure German organization, gpl-violations.org, forced security vendor Fortinet to release code because its appliances used Linux. This was an organization few had ever heard of, not a heavyweight like the Free Software Foundation, and it scored a big win for open source.
Not every free software organization looks to litigate, though, and often the first step is simply understanding those complicated licenses.
"We don't intend to police the GPL," explained James Vasile, an attorney with the Software Freedom Law Center. "In fact, we don't really do that much violations work. Most of our clients need to figure out how to handle licenses. Plenty of developers have used GPL but don't know what it means."
When the Software Freedom Law Center has a client seeking GPL enforcement, the cases usually get resolved without much fuss. "There are some willful violators out there, but the majority is just unaware," Vasile said. "We inform them of their licensing issue, and most then ask how to comply. We don't try to extract money from them or get negative publicity. The only thing we want is for them to distribute software in a way that is compliant with GPL."