Open Source Compliance Trend


There have been a number of lawsuits over the past 2 years, and it is starting to look like a trend! Both the out-of-court settlements and the court-determined settlements have favored the plaintiffs, i.e., the advocates of open source. The courts have ruled that the license obligations are enforceable. Further, it appears that both the original commercial software developer and the company that buys and distributes the commercial software are equally liable if the open source inside the commercial software comes with license obligations that are not fulfilled.
Most of the settlements have driven the appointment of an open source compliance officer. This is someone who is empowered in the corporation to ensure that the open source license obligations are, in fact, met. This is something Gartner has recommended for some time, and it looks like the trend to create this type of post is gathering steam.
So it is becoming official: companies using open source inside their commercial software should appoint an open source compliance officer to help create the open source policies and then enforce them.
Details of the last 9 court cases are below:
- Verizon, the telecommunications giant, was sued by the Free Software Foundation. The suit alleged that Verizon was distributing Busybox in its FIOS wireless routers (which were made by Actiontec Electronics). Busybox is licensed under GPL, and Verizon was accused of not honoring the GPL obligations and not making the Busybox source code available to its customers. The suit was settled with Actiontec Electronics agreeing to 1) appoint an Open Source compliance officer, 2) publish the BusyBox source code on their website, and 3) inform all of their customers, including Verizon, of the obligations imposed by the GPL license. Of course, Actiontec Electronics is also paying an undisclosed sum to the Free Software Foundation, similar to the last 3 lawsuits brought by the Free Software Foundation.
- Diebold, maker of voting machines, was sued by Artifex, copyright owner of the Ghostscript open source package. Artifex has accused Diebold of incorporating Ghostscript into its commercial voting machines without honoring the terms of the GPL.
- Skype, maker of the phone conferencing software, was sued by GPL-Violations.org in a German court. The court found that Skype was guilty of not upholding the terms of the GPL. Skype was distributing a third-party VoIP phone from SMC Networks (the WSKP100) which used a version of Linux. Skype was found not to be providing an adequate mechanism for the user to get an alternative copy of Linux. While the infraction is relatively minor, this ruling upheld the general principle that the provisions of the license are enforceable, and in this case, enforceable in Europe.
- D-Link, maker of various routers, was sued by GPL-Violations.org in a German court. The complaint was that D-Link was selling and distributing the DSM-G600 product, which incorporated GPL-licensed software, and yet D-Link was not meeting its GPL license obligations. The German court found that “D-Link is not entitled to dismiss GPL’s legality on the one hand, while at the same time enjoying the use of code licensed under it.” D-Link has signed a cease-and-desist agreement, published firmware on its site, and informed customers. In addition, the court found D-Link liable for the expenses incurred by GPL-Violations.org.
- Fortinet, a small maker of firewalls, was sued by GPL-Violations.org in a German court for distributing Linux without following the terms of the GPL. The court ruled against Fortinet, and Fortinet agreed to publish the GPL-licensed code on its website and to let customers know.
- Monsoon Media was sued by the Free Software Foundation. The suit alleged that Monsoon was distributing Busybox, which is licensed under GPL, inside its products, while not honoring the terms of the GPL. Monsoon settled this out of court by agreeing to pay the Free Software Foundation an undisclosed sum, while also publishing the GPL-licensed code and letting its customers know.
- Xterasys Corporation was sued by the Free Software Foundation. The suit alleged that Xterasys Corporation was distributing Busybox, which is licensed under GPL, inside its products, while not honoring the terms of the GPL. Xterasys settled this out of court by agreeing to pay the Free Software Foundation an undisclosed sum, while also publishing the GPL-licensed code and letting its customers know. Xterasys also agreed to create the post of Open Source Compliance Officer.
- High Gain Antennas was sued by the Free Software Foundation. The suit alleged that High Gain Antennas was distributing Busybox, which is licensed under GPL, inside its products, while not honoring the terms of the GPL. High Gain Antennas settled this out of court by agreeing to pay the Free Software Foundation an undisclosed sum, while also publishing the GPL-licensed code and letting its customers know. High Gain Antennas also agreed to create the post of Open Source Compliance Officer.
- Cisco, maker of the Linksys family of routers, was sued by the Free Software Foundation for copyright infringement. Per the suit, Cisco has incorporated several GPL- and LGPL-licensed components, including the GNU GCC and the GNU User Stack, both essential components of Linux, and Cisco has repeatedly failed to fulfill the GPL obligations, which include disclosing that their products include GPL-licensed code and offering to make that code freely available to customers. This suit was settled out of court, with Cisco agreeing to the usual conditions, i.e., paying an undisclosed sum to the plaintiff and agreeing to honor the terms of the license while appointing an open source compliance officer.
Open Source Governance Policy


Gartner released an interesting survey last month. Surveying 300 enterprises, they found that 85% use open source within their organization today and the remaining 15% expect to use open source within the next 12 months. That’s the good news.
The bad news? 69% of those same enterprises had no formal open source policy. This opens up huge liabilities.
As the author, Laurie Wurster, says, “Just because something is free, doesn’t mean it has no cost.” “Companies must have a policy for procuring OSS, deciding which applications will be supported by OSS, and identifying the intellectual property risk or supportability risk associated with using OSS. Once a policy is in place, then there must be a governance process to enforce it.”
So there it is. Actually, here it is, a link to the press release about the study from Gartner.
Open source is undeniably here to stay, even within the most conservative enterprises. But all enterprises should adopt policies about what open source is acceptable and what open source is not.
From Source Auditor’s viewpoint, the policies should outline the following at a minimum:
- The licenses which contain obligations the enterprise finds acceptable to fulfill
- The licenses which contain obligations the enterprise does not find acceptable
- The process for reviewing new candidate open source packages the enterprise wishes to adopt, whether directly or embedded inside commercial products
- The process for reviewing existing software products already in use in the enterprise (to decide whether that software contains open source and whether that open source carries licenses which are acceptable or not)
This, of course, implies that the enterprise not only adopts and enforces a policy, but also creates a review board that can review new and existing software. All existing and new software should be audited, and an inventory created of all embedded open source.
If all of this seems like a lot of effort for something that is “free”, that’s where we refer back to Gartner’s comment. Open source may be royalty-free, but it certainly has costs. The costs are no different than the costs of ensuring that any commercial royalty-bearing software you use is in compliance with the license that came with it. As recent court cases have shown, the license obligations in open source are legally enforceable, and violating them is the same as copyright infringement.
Does IT need an “Open Source Compliance Officer?”


This is an interesting thought in an article in Information Week, citing the recent lawsuits that have been won by open source advocates. The article notes that Xterasys settled a lawsuit with the Software Freedom Law Center, where they admitted not following the provisions of the General Public License after downloading and incorporating Busybox open source within their own product. The kicker is that Xterasys agreed to create the post of Open Source Compliance Officer to ensure they would not violate the provisions of open source license obligations in the future.
For a software developer, tracking the use of open source is something they should be doing, just as tracking the use of proprietary software is something they should be doing. Provided that the software developer has a policy on open source licenses (they know which licenses their organization would accept), the task of tracking what open source is used within the organization is relatively simple. If desired, Source Auditor provides the means to audit the code and set a baseline inventory, which can then be easily maintained.
IT’s Newest Title: “Open Source Compliance Officer”
Can the unfulfilled legal obligations of open source inside my source code really lead to lawsuits?


There have been a series of lawsuits related to unfulfilled legal obligations from open source licenses over the years. Verizon, for example, was sued by the Software Freedom Law Center on behalf of Busybox, which is a GPL-licensed package. The claim was that one of Verizon’s subcontractors used a GPL-licensed package in Verizon’s wireless routers without fulfilling the redistribution obligations of the GPL. This claim was settled when Verizon’s subcontractor agreed to provide its source code free to the public.
Similarly, in recent years there have been successful claims against Cisco, Monsoon Multimedia, and Xterasys (see articles in the links section below). In the Cisco/Linksys case, Cisco chose to re-engineer their routers to avoid GPL-based redistribution obligations. The Xterasys case was settled when Xterasys agreed to pay an undisclosed sum and to meet their GPL redistribution obligations. The Monsoon Multimedia case is still in litigation.