The Australian Government Information Management Office (AGIMO) has released the final "Guide to Open Source Software" for government agencies, which includes its new open source procurement principles.
The office had released a short policy document in January, which said that Australian Government ICT procurement processes must actively and fairly consider all types of available software, including open source. The policy also recommended that clauses be used in checklists and requests for tender, to ensure that alternative software possibilities are considered.
The government had asked for feedback on the policy, and the response was generally positive. However, users asked that the policy document be released under Creative Commons, and said that it should include a description of how the policy would affect procurement, as well as advice to agencies on the benefits of contributing to the open source community.
The office has now released a 67-page document, which delves into open source definitions, and couches its principles (which appear the same) in advice on what to consider when procuring open source software.
AGIMO delved into certain issues that agencies consider when buying open source, such as:
- access to source code: open source makes this available, while proprietary does not
- capital expenditure: agencies need to consider total cost of ownership, not just an upfront fee, according to AGIMO, which urged agencies to consider acquisition, deployment, integration, support and maintenance, as well as training and exit costs
- customisation: if the agency needs to customise, consider whether there will be enough support for the customisation, and what this will mean for licensing obligations
- development: open source communities with a broad user base and an active and diverse membership will be more responsive to user requests, according to AGIMO — it recommends that agencies carefully look at the credentials of the developers, considering whether development of the software will continue during the lifespan of the agency's use
- innovation: open source software allows agencies to innovate; however, this can also add to the total cost of ownership
- lock-in: open source software often aligns with industry standards, which improves interoperability and reduces the chance of vendor lock-in
- code forking: if changes are made to code without it going back into the community, it makes it difficult for the agency to upgrade to newer versions of the open source code, since it would have to reapply all of its changes — AGIMO did, however, point out that a similar risk existed when agencies customised proprietary packages.
Licensing received pages of attention in the guide, with AGIMO going into detail about the dangers that open source licences present.
"A breach of an open source licence will occur if software covered by an open source licence is used contrary to the terms of the licence. Any breach may have far-reaching consequences. For example, a breach of the GNU General Public Licence V2 immediately terminates the licence, after which only the copyright holder can reinstate the licensee's rights," it said.
"Without a valid licence, the licensee must immediately cease using or distributing the software. Breaches of licence provisions are not always intentional; they may be due to a lack of governance in tracking the use of open source software within an agency. In addition, agencies may not be aware of all the actions that may lead to a breach of an open source licence."
It warned that some open source software licences include reciprocity requirements, which say that agencies would have to contribute back changes made to code if it's "distributed".
AGIMO said that the definition of distribution is not entirely clear legally, but it gives guidelines in the appendix as to when agencies should expect to have to give code back to the community depending on the level of reciprocity required under their licence.
A summarised version stated that if the modified source code was only used within one agency, it is unlikely that reciprocity will be triggered. AGIMO said, however, that agencies should seek legal advice rather than relying solely on the guidelines.
The agency said that there have been few court cases about open source licensing, and that understanding the likelihood of enforcement was more useful than considering abstract legal questions about terms such as derived works.
However, it also urged agencies to take a conservative position on licensing if they were uncertain, and pointed to the Free Software Foundation or the Open Source Initiative as sources of information to use for ground rules.
Software developers generally weren't aware of licensing issues, AGIMO cautioned, and, because of the zero-upfront cost of the software, the organisation suggested that agencies put governance measures in place to track software use. Project managers should also make sure that any contractors or vendors have correct compliance procedures, it said.