Dec 14

Deja vu.  The feeling of having been here before.

On December 11, the Free Software Foundation filed a complaint against Cisco Systems, claiming copyright infringement related to several Linksys wireless routers.  The foundation alleged that “in the course of distributing various products under the Linksys brand, Cisco has violated the licenses of many programs on which the FSF holds copyrights including GNU GCC, Binutils, Wget, Debugger, Readline, Parted, and the C library.”  The foundation also said that “Cisco has denied its users their right to share and modify the software as a result.”

The FSF has requested an injunction be issued against Cisco and asked that damages and litigation costs be awarded.  The suit covers several popular Linksys routers.

Brett Smith, FSF compliance and licensing engineer, wrote in his blog that the FSF had been working with Cisco since 2003, but that despite Cisco’s efforts, “during this entire time, Cisco has never been in compliance with our licenses…”

In a statement, Cisco said: “Cisco is a strong supporter of open source software.  Cisco takes its open source obligations seriously and is disappointed that a suit has been filed by the Free Software Foundation related to our work with them in our Linksys division.”

So the FSF has decided that Cisco wasn’t moving fast enough in ensuring it complies with the licenses that came with the open source it uses.  I don’t know how this will play out, but it points to the legal danger of leveraging open source without also making sure that every license obligation is fulfilled.

It sounds like the FSF is especially concerned about the GPL’s source redistribution obligation: when you distribute a GPL program, or any software that is “based on” it, you must make the complete corresponding source, including your own modifications, available to the recipients under the GPL.  In practice this is usually where companies fall down, not in using the code but in shipping binaries without a working way for the recipient to obtain the matching source.

For many commercial entities, this particular provision is the one that proves unacceptable, because it risks forcing the entity to release what it considers its own intellectual property under the GPL.  It behooves these entities to audit their software, identify every GPL licensed component, and clearly identify their legal exposure with respect to each one.

For example, here are some typical options if the commercial entity finds GPL licensed open source inside its commercial software:

1. Completely remove the GPL licensed open source and replace it with proprietary software.

2. Completely remove the GPL licensed open source and replace it with other open source that has a more commercially friendly license.

3. Completely remove the GPL licensed open source and ask the customer to obtain that open source themselves.  This is not a practical option for consumer focused products, but can sometimes work in the business to business market.

4. Isolate the GPL licensed open source so that none of your proprietary IP is “based on” it.  This is usually interpreted as “not linked to”, i.e., your proprietary code should not be linked (statically or dynamically) with the GPL licensed code, but should instead communicate with it at arm’s length, for example by invoking it as a separate process.  Where the boundary lies is not settled law and the FSF reads “based on” broadly, so this option needs legal review.  In this option you still need to redistribute the original open source and your modifications to it, together with the license text and notices.

5. If the GPL licensed open source is also offered under a commercial license, obtain the commercial license.  This is usually an expensive option, and it is only available where the copyright holder offers dual licensing.

At Source Auditor, our audits provide a quick and accurate way to identify the GPL licensed open source present inside your commercial source code, as well as recommended options to remove them if the provisions are deemed unacceptable.


Dec 10

Gartner released an interesting survey last month.  Surveying 300 enterprises, it found that 85% use open source within their organization today and the remaining 15% expect to use open source within the next 12 months.  That’s the good news.

The bad news?  69% of those same enterprises had no formal open source policy.  That opens up huge liabilities.

As the author, Laurie Wurster, says, “Just because something is free, doesn’t mean it has no cost.”  “Companies must have a policy for procuring OSS, deciding which applications will be supported by OSS, and identifying the intellectual property risk or supportability risk associated with using OSS. Once a policy is in place, then there must be a governance process to enforce it.”

So there it is.  Gartner’s press release about the study has the details.

Open source is undeniably here to stay, even within the most conservative enterprises.  But every enterprise should adopt a policy about which open source is acceptable and which is not.

From Source Auditor’s viewpoint, the policies should outline the following at a minimum:

  • The licenses whose obligations the enterprise finds acceptable to fulfill
  • The licenses whose obligations the enterprise does not find acceptable
  • The process for reviewing new candidate open source packages the enterprise wishes to adopt, whether used directly or embedded inside commercial products
  • The process for reviewing software products already in use in the enterprise (to determine whether that software contains open source and, if so, whether its licenses are acceptable)

This, of course, implies that the enterprise not only adopts and enforces a policy, but also creates a review board that can review new and existing software.  All existing and new software should be audited, and an inventory created of all embedded open source, so that a license question can be answered by looking up the inventory rather than by re-auditing the product.

If all of this seems like a lot of effort for something that is “free”, that’s where we refer back to Gartner’s comment.  Open source may be royalty free, but it certainly has costs.  The costs are no different than the costs of ensuring that any commercial, royalty bearing software you use is in compliance with the license that came with it.  As recent court cases have shown, the license obligations in open source are legally enforceable, and distributing the software in violation of them is actionable as copyright infringement.