SAN FRANCISCO — With open source code proliferating within enterprise applications, businesses must take steps to avoid “SCO Syndrome,” intellectual property experts said.
The second annual Open Source Business Conference, held Tuesday and Wednesday in San Francisco, focused on new business strategies for open source software (OSS) vendors, but also on what end-user businesses should do to avoid becoming targets for lawsuits like those filed by SCO against Novell, AutoZone and DaimlerChrysler for using Linux distributions that SCO claims contain its proprietary code.
“It’s increasingly unrealistic to avoid the use of open source software entirely, particularly if you’re a technology-based company,” Jason Haislmaier, an attorney with the law firm Holme Roberts & Owen, told a conference audience. Instead, he advises clients to focus on controlling both the entry of OSS into the organization and the release of code either in products or in contributions by individual developers employed by the company.
Businesses should form code compliance teams that set policies and controls, Haislmaier said. They then need to educate employees about policies while continuing to update them when appropriate.
For example, StorageTek, a company that provides tape and disk storage products, found that some of its internal developers didn’t distinguish between OSS and public domain software, according to Maria Woods, corporate counsel for StorageTek. The company instituted policies to standardize how open source code was used.
Julie DeCecco, senior counsel for Sun Microsystems, said that Sun carefully audits the code in its products.
For a project with a substantial code base, DeCecco said, Sun will ask an engineer who wasn’t involved in the project to search the code base for copyrights and licenses. Sun auditors will use that report to crosscheck by interviewing those involved in the project. They might also use third-party tools that automatically search code for licensing terms.
Solid compliance procedures could be a competitive edge, DeCecco said. “If you want to supply to a company, you’ll find increasingly that you’ll be asked to produce evidence of any open source software you’re using, and that you’re in compliance with those licenses,” she said. Muddy compliance procedures also could scotch a company’s chance to be acquired.
Unfortunately, licensing information is stored within code in a variety of ways. There are no conventions for including the information, which makes it hard for automated tools to extract the licenses, Scott Peterson, general counsel for HP
Attorneys specializing in intellectual property warned that any company using open source code or products is a target for patent infringement suits.
“It’s getting fashionable to sue end users as a point of leverage,” said Jim Harvey, a partner in the law firm of Alston & Bird. He said “patent trolls,” IP holding companies that seem to pop up out of nowhere to enforce broad patents, are especially going after companies that have licensed software with offending code, as well as the vendors who provided it.
Businesses also could get in the way of suits alleging violation of the GNU General Public License
StorageTek’s Woods advised companies to weigh the potential benefits of open source software against the litigation risks. “Do a cost/benefit analysis early on to quantify what is the financial impact of using open source,” she said. “It might not be worth the cost. A proprietary license might be the way to go.”
“Most end users in some way distribute software,” agreed Andrew Aitken, a managing partner of the Olliance Group, a consultancy focused on open source in the enterprise. “As an end user, you can’t ignore the issue.”