Minding your P's and Q's with Open Source & IP Indemnification

by Jonathan Bruce

Related link: http://blogs.datadirect.com/jonathan_bruce/2005/12/minding_your_ps.html

CROSS POST FROM: http://blogs.datadirect.com/jonathan_bruce/2005/12/minding_your_ps.html

On Friday, December 9th, the International Herald Tribune brought up some critical aspects of the appropriate use of open source software, a topic that is ever more pressing as open source continues to go mainstream. Open source compliance continues to be a difficult issue, often compounded by the large and varied range of licenses that govern the use of the software, which may come with the kind of strings attached that you may not realize.

The following is a snapshot of the story from the IHT, highlighting a well-known violation of probably the most stringent of all open source licenses, the GPL:

Harald Welte, a 26-year-old software developer in Berlin, was peeved in 2003 when he learned that a company in Irvine, California, was selling software that used Netfilter/iptables, a program he had created with five software developers in Australia, Japan, Canada and Germany.

The California company, Linksys, had failed to honor a critical part of the General Public License, or GPL, the most common of about 90 open-source licenses in use today. Under the GPL, any product that includes a licensed program must publish its underlying source code, that is, the computer instructions as written in a programming language. To make matters worse, Linksys had just been bought for $500 million by Cisco Systems, the world's biggest maker of networking equipment.

After the Free Software Foundation, holder of the GPL license, wrote to Cisco and Linksys to criticize the license breach, Cisco published the source code of the Linksys product, thus giving credibility to the idea of enforcing open-source licenses and spawning new caution among sellers of software.

"This kind of infraction is not as uncommon as one might think," said Welte, whose efforts have also forced Deutsche Telekom, Siemens and smaller European software makers like Allnet, Sitecom and Fortinet, among 50 others, to publish source code because they were selling products based on his software. "Violations are getting more common all the time."

As a result, software indemnification is becoming something that cannot be ignored by any software house that uses one or more lines of source code from the open source community. A recent article published on DataDirect's developer site explains more about the risks incurred if you take the head-in-the-sand approach, but critically, the article states the following:

"DataDirect provides legal indemnification and quality guarantees that provide customer protection and legal assurance."

Recently, this has gone further and is spawning new business models. The world-renowned insurance brokers Lloyd's of London, who are typically more associated with shipping insurance, are now offering 'open-source compliance insurance', particularly for companies doing M&A; unpeeling the many layers of software dependencies is now a core part of due diligence. One only has to look at start-ups such as Palamida to see the increasing need for open source compliance.

So the watchword is: proceed with caution. When looking to acquire software, look for intellectual property indemnification and, most importantly, confirmation from your software vendor that they understand the risks of using open source.


2005-12-12 18:10:02
how about, proceed with brains?
The IHT article is little better than scare-mongering. Check out the lead:

"...is commonly but often mistakenly thought to be free and unprotected." Um, no, I don't think so. Anytime FOSS code is misappropriated most likely it's deliberate, not some sort of "accident."

Then read on to the bit about Linksys violating the GPL. Read carefully what happened- after months of lawyers yakking and racking up bills, what happened? Cisco/Linksys came into compliance with the GPL.

Now think about this- no money damages, no prolonged lawsuits. Is this really something to spread fear over?

Finally, remember that FOSS code is easily auditable. But who knows what lurks inside closed proprietary code. I'll bet money that a lot of it would not withstand scrutiny.