Preventing open source software contamination

Commentary - Sometimes you have to move slowly to get ahead in the long run.

As more software companies build proprietary products on open source software (OSS), the risk of OSS contamination grows with them. There is no doubt that using OSS can shorten development cycles and fill gaps in your proprietary software. But if it is done carelessly, a company can quickly face the costly consequences of software contamination.

Contamination most often occurs when developers combine OSS with their own proprietary code. Under a copyleft license, the combined work may have to be treated as open source as well. Depending on the specific license, that can prevent the developer from imposing its own restrictions on use of the proprietary code and, under licenses with patent provisions, from enforcing patents covering that code against users of the combined work. If the developer then distributes the combined software without complying with the open source license, the developer is in breach of that license; and since the license is the only permission the developer has to copy and distribute the OSS, the developer is exposed to copyright infringement claims.

As the OSS community has grown, so has enforcement of the terms of OSS licenses. The Free Software Foundation (FSF) defends the licenses of the software it holds copyright in, particularly the GNU General Public License (GPL), and has pursued legal action against violators. On December 11, 2008 the FSF sued Cisco Systems over GPL-licensed GNU programs shipped in Linksys router firmware; the case settled out of court on May 20, 2009. Cisco agreed to make a donation of an undisclosed amount to the FSF and created a new position within the company to manage its use of OSS. This relatively quick settlement by a major corporation was a wake-up call to everyone using OSS to make sure they, too, were in compliance.

Common causes of contamination
There are a number of ways that OSS can contaminate proprietary software. Most are inadvertent, so knowing where violations arise is the best way to avoid them.

  • Selecting code with the wrong license: There are roughly 70 OSS licenses in common use, each with its own terms, some far more restrictive than others. Reviewing the terms before adopting a component reveals whether its license suits your particular project.
  • Distributing code under the wrong license: A program often combines code released under several different OSS licenses. This is common and usually breaches no terms. However, some OSS licenses are incompatible with others. A copyleft license such as the GNU General Public License requires that a work containing GPL code be distributed as a whole under the GPL's terms; code under other licenses may be included only if those licenses are GPL-compatible (the FSF publishes a list of them), and even GPL versions can conflict: code licensed under GPLv2 only cannot be combined with GPLv3 code. Again, a thorough understanding of each license's terms is paramount.
  • Ignorance is no defense: Chances are good that somewhere on a team of developers, someone is using code that originated outside the company. Don't assume that due diligence was done for every piece of code your developers include. If you acquire and use software in a manner that violates an OSS license, you are likewise in violation and can be held responsible for the legal repercussions, even if you did not realize that code was in your product.

How to avoid contamination
Open source contamination can be a serious legal issue, one that can cost your business significant time and money. Here are some quick tips for preventing contamination during your software development cycle:
  • Set a companywide policy: The simplest way to avoid contamination and license violations is not to use open source software at all. This may seem overly simplistic, but if you don't use OSS, you obviously cannot violate its license, and many software companies maintain a "zero tolerance" stance on OSS for exactly this reason. If you do choose to use OSS, identify which licenses could expose your product to contamination and make it company policy to avoid those licenses. If you plan to allow any and all OSS, have every license reviewed by a copyright or intellectual property expert beforehand and include only code whose license is compatible with your business model. This ensures the license is fully understood and removes the risk of contamination through ignorance.
  • Read the license terms thoroughly: An OSS license's terms are legally binding once you incorporate the code into your product. A complete understanding of them is necessary to ensure you do not fall victim to contamination. That means having a lawyer, or at least a senior, experienced IT professional, examine the terms in full and give you an informed decision on whether to accept a particular license given your company's goals for the product.
  • Carefully review software you did not create: Software that is purchased, or acquired through a merger or acquisition, often goes unchecked for contamination. "I didn't know we were in violation, we didn't create the software" is not a legitimate defense against a licensing violation. All third-party software your company did not write should be checked for contamination and license violations. The original developers may not have been as familiar with OSS, may have made a mistake, or may have deliberately violated a license; you cannot know unless you check.
  • Use OSS scanning software: A variety of scanning products and services systematically inventory the code in your software and check it against the terms of every OSS license it contains. This incurs an additional cost, but it can be well worth the expense in the long run.
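The policy and scanning tips above can be put into practice with a small license-inventory pass over a source tree. The script below is an added example written for this page; it is not the article's code and not any vendor's scanning product. It assumes a hypothetical company policy (the ALLOWED and DENIED sets), recognizes the machine-readable SPDX-License-Identifier tag that many projects carry in file headers, falls back to spotting legacy GPL boilerplate text, and, in the spirit of "ignorance is no defense", reports any file with no identifiable license as unknown rather than letting it pass. The sample files it scans are constructed inline.

```python
"""Added example: a minimal license-policy scan over a source tree.

Illustrative code written for this page, not the article's or any vendor's
scanner. Policy sets and sample files are constructed assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List, Set

# Hypothetical company policy (an assumption for the example): permissive
# licenses permitted inside a proprietary product, and copyleft licenses
# whose terms the article warns can "contaminate" a combined work.
ALLOWED: Set[str] = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
DENIED: Set[str] = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}
CODE_EXT = {".c", ".h", ".cc", ".cpp", ".py", ".js", ".ts", ".go", ".java", ".rs"}

# Machine-readable SPDX tag as used by the Linux kernel and many projects.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([^\r\n]+)")
# Fallback for legacy boilerplate headers that carry no SPDX tag.
GPL_TEXT_RE = re.compile(r"GNU\s+(?:Affero\s+|Lesser\s+)?General\s+Public\s+License", re.I)
HEADER_LINES = 40  # license headers live at the top of a file


def classify_text(text: str) -> Set[str]:
    """Return the license identifiers found in a file header.

    An SPDX tag wins. A bare GPL boilerplate phrase is reported as a
    heuristic hit. Neither yields UNKNOWN so the file cannot silently pass.
    Dual licenses ("A OR B") are handled conservatively: every listed
    license is reported, so a reviewer decides which option applies.
    """
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    m = SPDX_RE.search(head)
    if m:
        # Drop a trailing comment closer such as "*/" or "-->".
        expr = re.split(r"\s*(?:\*/|-->)", m.group(1))[0].strip()
        ids: Set[str] = set()
        for part in re.split(r"\s+(?:OR|AND)\s+", expr):
            # Keep the license itself; "WITH <exception>" is not a license.
            part = part.strip("() ").split(" WITH ")[0].strip()
            if part:
                ids.add(part)
        return ids or {"UNKNOWN"}
    if GPL_TEXT_RE.search(head):
        return {"GPL-heuristic"}
    return {"UNKNOWN"}


def scan_tree(root: str) -> Dict[str, Set[str]]:
    """Map each source file under root to the identifiers found in it."""
    findings: Dict[str, Set[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] not in CODE_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = classify_text(fh.read())
    return findings


def evaluate(findings: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Bucket files by policy outcome: denied (copyleft), unknown, allowed."""
    report: Dict[str, List[str]] = {"denied": [], "unknown": [], "allowed": []}
    for path in sorted(findings):
        ids = findings[path]
        if ids & DENIED or "GPL-heuristic" in ids:
            report["denied"].append(path)
        elif ids - ALLOWED:  # anything not explicitly allowed needs review
            report["unknown"].append(path)
        else:
            report["allowed"].append(path)
    return report


# Constructed sample tree (not real project code) for the demonstration.
SAMPLE_FILES = {
    "src/main.c": "/* SPDX-License-Identifier: MIT */\nint main(void) { return 0; }\n",
    "src/util.py": "# SPDX-License-Identifier: Apache-2.0 OR MIT\ndef util():\n    return 1\n",
    "src/blob.js": "// pasted from somewhere, no license header\nmodule.exports = {};\n",
    "vendor/parser.c": "// SPDX-License-Identifier: GPL-2.0-or-later\nint parse(void) { return 1; }\n",
    "vendor/legacy.h": (
        "/*\n * This program is free software; you can redistribute it and/or\n"
        " * modify it under the terms of the GNU General Public License.\n */\n"
    ),
    "README.txt": "not scanned: not a code extension\n",
}


def build_sample_tree(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> Dict[str, List[str]]:
    """Scan the constructed sample tree and return the policy report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return evaluate(scan_tree(root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

On the sample tree the scan flags vendor/parser.c (SPDX GPL tag) and vendor/legacy.h (GPL boilerplate with no tag) as denied, puts src/blob.js in the unknown bucket because it carries no license at all, and passes the MIT and Apache-2.0/MIT files. A real scanner also matches code fragments against a database of known OSS, which no header check can do; this example shows only the policy logic a practitioner would wrap around such results.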
In most cases, preventing contamination is as simple as doing your due diligence in reading and understanding each OSS license's terms. Careful inspection by a qualified reviewer should keep your company free of violations.

Biography
Dr. D’vorah Graeser is the founder and CEO of Graeser Associates International (GAI), an international healthcare intellectual property firm. Dr. Graeser has been a U.S. Patent Agent for more than 15 years and has extensive experience and expertise in the biomedical field. Her firm specializes in the preparation, filing and prosecution of medical device, biotechnology, pharmaceutical, bioinformatics and medical software patents. The firm also develops customized intellectual property strategies for companies with interest in selling their ideas and products internationally, primarily in the U.S. Europe, China, Brazil and India. For more information about Graeser and Associates International, please visit http://gai-ip.com/.

Topics: IT Employment, CXO, Legal, Open Source, Software

Talkback

2 comments
  • Uhhh... no...

    "The GNU General Public license is one example of such a license, which requires all code containing GNU General Public licensed code to be distributed according to its terms."

    Assuming that the first code is really software then that's not correct. It requires that the binary be distributed under the GPL (assuming there is a binary) and all of the source to be made available (or an offer) - however all source does not have to be under the GPL. That's why the FSF maintains a list of GPL compatible licenses: http://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses
    david.dillard
  • I am interested in this topic

    I am interested in this topic and would like to find out some more information, as my friend needs information on this topic. This is good content; thank you for sharing it.
    johnlevis