Saturday, September 18, 2021

Are You Violating BusyBox’s GPL Code?

Software licensed under the GPL open source license is considered to be Free
Software, but that doesn’t mean it’s free as in beer, or that its developers have
no rights. As four cases in point from 2007, the Software Freedom Law Center
(SFLC) has filed legal suits against four different defendants for alleged
copyright infringement of BusyBox’s GPL-licensed code.

BusyBox is a collection of UNIX utilities that have been optimized for size and are most commonly used in embedded environments. BusyBox is licensed under the GPL, a reciprocal license that requires anyone distributing the software to make its source code available to the end users who receive it.

Will your company be next to get a call from the SFLC lawyers? Do you know
if you’re using GPL licensed code in your organization properly?

Experts note that there are a number of different things that organizations
can do to protect themselves and to ensure that they are in compliance with
the GPL. There are also a few steps that organizations should take if the
SFLC or someone else alleges that they are in violation of the GPL.

One of the most obvious is to identify where you may have GPL-licensed code like BusyBox within your
infrastructure or development projects. To that end there are at least three
different tools available. OpenLogic offers a tool called OSS Discovery,
which can discover BusyBox as well as 900 other open source products.

Doug Levin, CEO of Black Duck, told InternetNews.com that
protexIP, Black Duck’s flagship product, analyzes both source code and
binaries to identify GPL snippets, code segments, blocks and trees. The
reports produced identify the license violations and other issues. The
report, which Black Duck calls the Bill of Materials, can help engineers and
attorneys make decisions about the disposition of the code and code base,
license violations and other issues.

Palamida is another vendor with a solution for license usage and
identification. Theresa Bui Friday, co-founder and VP of Marketing at
Palamida, said that Palamida software can point customers to the exact place in their code where there is an issue,
pointing out where BusyBox resides across their codebase, whether they
are using source code, binary files, or any other resources associated with
BusyBox.

“We should also point out that even when a component is embedded within
another component, we can flag it as an issue that should be reviewed,” Bui told InternetNews.com.
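The vendors above locate BusyBox by recognizing it in source trees and binaries. As an added illustration, and not code from the article or from any of the vendors named in it, the following Python script performs the simplest form of that inventory check over a directory tree such as an unpacked firmware image or a product’s root filesystem staging area: it looks for the version banner every BusyBox build carries as a runtime string and counts the applet symlinks that resolve to each hit, since a typical BusyBox install is one binary plus dozens of links like `/bin/sh -> busybox`. The marker regex, the size cap, and the sample tree it builds (including the planted version banner and dates) are constructed for the example.

```python
"""First-pass BusyBox inventory scan (added example; constructed sample data)."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Banner BusyBox prints when invoked without arguments, e.g.
# "BusyBox v1.7.0 (...) multi-call binary."  The version is captured so the
# report can be matched against the corresponding source you must provide.
BANNER_RE = re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)")

# Assumption for this example: skip files larger than this to keep the scan fast.
MAX_FILE_BYTES = 64 * 1024 * 1024


@dataclass
class Finding:
    path: str       # real path of the file carrying the banner
    version: str    # version string captured from the banner
    symlinks: int   # symlinks in the tree that resolve to this file


def scan_tree(root: str) -> list[Finding]:
    """Walk `root` (without following symlinks) and report BusyBox banners."""
    hits: dict[str, str] = {}
    link_counts: dict[str, int] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                # Applet symlinks: count them per resolved target.
                target = os.path.realpath(path)
                link_counts[target] = link_counts.get(target, 0) + 1
                continue
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the inventory
            match = BANNER_RE.search(data)
            if match:
                hits[os.path.realpath(path)] = match.group(1).decode("ascii")
    return [Finding(p, v, link_counts.get(p, 0)) for p, v in sorted(hits.items())]


def build_demo_tree(base: str) -> None:
    """Constructed sample rootfs: a fake BusyBox binary, three applet
    symlinks, and an unrelated binary that must not be reported."""
    bin_dir = os.path.join(base, "bin")
    os.makedirs(bin_dir)
    fake_elf = b"\x7fELF" + b"\x00" * 60  # just enough to look like a binary
    with open(os.path.join(bin_dir, "busybox"), "wb") as fh:
        fh.write(fake_elf + b"BusyBox v1.7.0 (2007-09-01 00:00:00 UTC) multi-call binary.\x00")
    for applet in ("sh", "ls", "cat"):
        os.symlink("busybox", os.path.join(bin_dir, applet))
    with open(os.path.join(bin_dir, "myapp"), "wb") as fh:
        fh.write(fake_elf + b"MyApp 2.0, all rights reserved\x00")


def demo() -> list[Finding]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: BusyBox v{f.version}, {f.symlinks} applet symlink(s)")
```

A string-marker scan like this is a starting point for a Bill of Materials, not a replacement for the commercial tools described above: it will not recognize individual BusyBox functions copied into another program, but it does catch the common case of a whole BusyBox binary shipped in a product image, even when the binary has been stripped or renamed, because the banner is a runtime string rather than a symbol.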

From a legal point of view, a company’s responsibility when it comes to open
source software usage is quite clear. Jason Haislmaier, an attorney with
Holme Roberts and Owen LLP, is right in the thick of things when it comes to
compliance. He is the attorney representing High-Gain Antennas, one of the
defendants in the BusyBox suits. Haislmaier prefaced his comments by
noting that he is not commenting specifically on that case.

“The bottom line is that companies need to understand their use of open
source software and make each use of open source a knowing and compliant
use,” Haislmaier said. “This starts with implementing and maintaining an
open source compliance program to help understand when and where open source
is in use in your company so that you can take the proper steps to comply
with the open source licenses applicable to that software.”

The reality is that until the BusyBox cases came along this year, it’s
likely that many organizations were either not aware of their compliance
issues or simply did not take them seriously. The SFLC has filed legal suits
against Monsoon Multimedia, Xterasys, High Gain Antennas and Verizon.
To date only Monsoon and Xterasys have settled.

Hopefully a good thing.

Haislmaier argued that the SFLC’s decision to take the BusyBox matters to
court was not a necessary thing, but that it is hopefully a good one.

“The BusyBox cases represent what could play out to be a major evolution in the
open source license enforcement landscape — with enforcement actions moving
from the traditionally private enforcement actions brought by the FSF (Free Software Foundation) and
others to far more public lawsuits,” Haislmaier explained. “I think
everybody hopes that open source compliance practices will evolve as well. I tell clients that the BusyBox lawsuits are not as much a cause for concern as they are cause for compliance and understanding.”

The legal suits have also raised awareness about open source license
compliance and may well be a boon to those businesses that help ensure that
organizations stay in line.

“These lawsuits have certainly increased awareness among all software
developers that the SFLC and their client the FSF are serious about
enforcing their copyrights,” Black Duck’s Levin said.

Kim Weins, VP of Marketing at OpenLogic, noted that her firm has had prospects
and customers come to them because they have had legal actions against them
in the past or because they are concerned about potential risks.

Haislmaier’s business is also benefitting from the BusyBox suits.

“If nothing else, the suits are generating increased interest in the
potential risks posed by using open source,” Haislmaier said. “I have been
asked for years by clients and colleagues, ‘Why should I care about open
source compliance?’ The BusyBox lawsuits have helped to drive home the
answer to that question for a number of companies.”

Haislmaier argued that with the GPL itself, the problem of compliance is not so much a lack of awareness of the requirements as a
lack of awareness of the extent to which those requirements may apply.

“While there are a number of companies that have implemented very robust
open source compliance programs, many more have not,” Haislmaier said. “This
means not only that these companies are at increased risk of an open source
violation, but that the recipients of any of their products containing open
source are also at increased risk, many times unknowingly. This is the case
in more than one of the BusyBox cases. If the BusyBox lawsuits have
demonstrated one thing it is that remaining ignorant of existing open source
software usage and potential open source software license violations can be
expensive.”

What if the SFLC knocks on your door?

If the SFLC contacts your company and alleges that you’ve got a GPL
violation, Palamida’s Bui suggests that you do the right thing and comply
with the license.

“If the license is not in line with your business needs, find alternative
software with license terms that are in line with your business needs,” Bui
said.

Black Duck’s Levin suggests that you contact a lawyer or law firm that has a
lot of open source, and specifically GPL, experience.

“Your lawyer may recommend putting a software compliance management program
in place and utilizing Black Duck’s protexIP to identify issues in the code
base,” Levin said. “The next steps depend on the situation and many other
factors.”

The key thing when contacted by the SFLC, though, is to act rather than
let the issue go unchecked. Haislmaier noted that in each of the BusyBox
cases, the timeline from initial contact by the SFLC regarding the alleged
GPL violation to the filing of a lawsuit was very short.

“Unlike many of the private open source compliance actions carried out in
the past by the FSF, it would appear that the SFLC is willing to act quite
aggressively on behalf of its clients in pushing their grievances,”
Haislmaier noted.

“Companies need to respond quickly and decisively to any
informal complaints about violations of open source software licenses,
whether by the SFLC or any other organization. Those that do not will likely
increase their risk of being the subject of a lawsuit.”

This article was first published on InternetNews.com.
