Are You Violating BusyBox's GPL Code?

Download the authoritative guide: Cloud Computing 2018: Using the Cloud to Transform Your Business

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Software licensed under the GPL open source license is considered to be Free Software but that doesn't mean it's free as in beer and that developers don't have rights. As four cases in point in 2007, the Software Freedom Law Center (SFLC) has filed legal suits against four different defendants for alleged copyright infringement of the BusyBox's GPL licensed code.

BusyBox is a collection of UNIX utilities that have been optimized for size and are most commonly used in embedded environments. BusyBox is licensed under the GPL which is a reciprocal license and requires that users make the source code available to end users.

Will your company be next to get a call from the SFLC lawyers? Do you know if you're using GPL licensed code in your organization properly?

Experts note that there are a number of different things that organization can do to protect themselves and to ensure that they are in compliance with the GPL. There are also a few steps that organizations should take if the SFLC or someone else alleges that you're in violation of the GPL.

One of the most obvious is to identify where you may have GPL licensed code like BusyBox within your infrastructure or developments. To that end there are at least three different tools available. OpenLogic offers a tool called OSS Discovery which can discover BusyBox as well as 900 other open source products.

Doug Levin CEO of Black Duck told InternetNews.com that protexIP, Black Duck’s flagship product, analyzes both source code and binaries to identify GPL snippets, code segments, blocks and trees. The reports produced identify the license violations and other issues. The report, which Black Duck calls the Bill of Materials, can help engineers and attorneys make decisions about the disposition of the code and code base, license violations and other issues.

Palamida is another vendor with a solution for license usage and identification. Theresa Bui Friday, co-founder and VP of Marketing at Palamida said that Palamida software can point customers to the exact place in their code where there is an issue, pointing out where the Busybox resides across their codebase, whether they are using source code, binary files, or any other resources associated with BusyBox.

"We should also point out that even when a component is embedded within another component, we can flag it as an issue that should be reviewed," Bui told InternetNews.com.

From a legal point of view, a company's responsibility when it comes to open source software usage is quite clear. Jason Haislmaier an attorney with Holme Roberts and Owen LLP is right in the thick of things when it comes to compliance. He is the attorney representing High-Gain Antennas, one of the defendants in the BusyBox suits. Haislmaier's prefaced his comments by noting that he is not commenting specifically on that case.

"The bottom line is that companies need to understand their use of open source software and make each use of open source a knowing and compliant use," Haislmaier said. "This starts with implementing and maintaining an open source compliance program to help understand when and where open source is in use in your company so that you can take the proper steps to comply with the open source licenses applicable to that software."

The reality is that until the BusyBox cases came along this year, it's likely that many organizations were either not aware of their compliance issues or simply did not take them seriously. The SFLC has filed legal suits against Monsoon Multimedia, Xterasys, High Gain Antennas and Verizon. To date only Monsoon and Xterasys have settled.

Hopefully a good thing.

Haislmaier argued that the BusyBox situation with the SFLC filing legal suits is not a necessary thing but it is hopefully a good thing.

"The BusyBox cases represent what could play out to be major evolution in the open source license enforcement landscape -- with enforcement actions moving from the traditionally private enforcement actions brought by the FSF (Free Software Foundation) and others to far more public lawsuits," Haislmaier explained. "I think everybody hopes that open source compliance practices will evolve as well. I tell clients that the BusyBox lawsuits are not as much a cause for concern as they are cause for compliance and understanding. "

The legal suits have also raised awareness about open source license compliance and may well be a boon to those business that help ensure that organizations stay in line.

"These law suits have certainly increased awareness among all software developers that the SFLC and their client the FSF are serious about enforcing their copyrights," Black Duck's Levin said.

Kim Weins VP of Marketing at OpenLogic noted that her firm has had prospects and customers come to them because they have had legal actions against them in the past or because they are concerned about potential risks.

Haislmaier's business is also benefitting from the BusyBox suits.

"If nothing else, the suits are generating increased interest in the potential risks posed by using open source," Haislmaier said. "I have been asked for years by clients and colleagues, "Why should I care about open source compliance?" The BusyBox lawsuits have helped to drive home the answer to that question for a number of companies."

Haislmaier argued that with the GPL itself the problem of compliance isn't so much about awareness of the requirement but rather an awareness of the extent to which those requirements may apply.

"While there are a number of companies that have implemented very robust open source compliance programs, many more have not," Haislmaier said. "This means not only that these companies are at increased risk of an open source violation, but that the recipients of any of their products containing open source are also at increased risk, many times unknowingly. This is the case in more than one of the BusyBox cases. If the BusyBox lawsuits have demonstrated one thing it is that remaining ignorant of existing open source software usage and potential open source software license violations can be expensive."

What if the SFLC knocks on your door?

If the SFLC contacts your company and alleges that you've got a GPL violation, Palamida's Bui suggests that you do the right thing and comply with the license.

"If the license is not in line with your business needs, find alternative software with license terms that are in line with your business needs," Bui said.

Black Duck's Levin suggest that you contact a lawyer or law firm that has a lot of open source, and specifically GPL, experience.

"Your lawyer may recommend putting a software compliance management program in place and utilize Black Duck’s protexIP to identify issues in the code base," Levin said. "The next steps depend on the situation and many other factors."

The key thing to do when contacted by the SFLC though is to do something and not just let the issue remain unchecked. Haislmaier noted that the time line in each of the BusyBox cases has evolved from initial contact by the SFLC regarding the alleged GPL violation through to the filing of a lawsuit at a very rapid pace.

"Unlike many of the private open source compliance actions carried out in the past by the FSF ,it would appear that the SFLC is willing to act quite aggressively on behalf of its clients in pushing their grievances," Haislmaier noted.

"Companies need to respond quickly and decisively to any informal complaints about violations of open source software licenses, whether by the SFLC or any other organization. Those that do not will likely increase their risk of being the subject of a lawsuit."

This article was first published on InternetNews.com.

Submit a Comment

Loading Comments...