Are You Violating BusyBox's GPL Code?
Page 1 of 2
Software licensed under the GPL open source license is considered to be Free Software but that doesn't mean it's free as in beer and that developers don't have rights. As four cases in point in 2007, the Software Freedom Law Center (SFLC) has filed legal suits against four different defendants for alleged copyright infringement of the BusyBox's GPL licensed code.
BusyBox is a collection of UNIX utilities that have been optimized for size and are most commonly used in embedded environments. BusyBox is licensed under the GPL which is a reciprocal license and requires that users make the source code available to end users.
Will your company be next to get a call from the SFLC lawyers? Do you know if you're using GPL licensed code in your organization properly?
Experts note that there are a number of different things that organization can do to protect themselves and to ensure that they are in compliance with the GPL. There are also a few steps that organizations should take if the SFLC or someone else alleges that you're in violation of the GPL.
One of the most obvious is to identify where you may have GPL licensed code like BusyBox within your infrastructure or developments. To that end there are at least three different tools available. OpenLogic offers a tool called OSS Discovery which can discover BusyBox as well as 900 other open source products.
Doug Levin CEO of Black Duck told InternetNews.com that protexIP, Black Ducks flagship product, analyzes both source code and binaries to identify GPL snippets, code segments, blocks and trees. The reports produced identify the license violations and other issues. The report, which Black Duck calls the Bill of Materials, can help engineers and attorneys make decisions about the disposition of the code and code base, license violations and other issues.
Palamida is another vendor with a solution for license usage and identification. Theresa Bui Friday, co-founder and VP of Marketing at Palamida said that Palamida software can point customers to the exact place in their code where there is an issue, pointing out where the Busybox resides across their codebase, whether they are using source code, binary files, or any other resources associated with BusyBox.
"We should also point out that even when a component is embedded within another component, we can flag it as an issue that should be reviewed," Bui told InternetNews.com.
From a legal point of view, a company's responsibility when it comes to open source software usage is quite clear. Jason Haislmaier an attorney with Holme Roberts and Owen LLP is right in the thick of things when it comes to compliance. He is the attorney representing High-Gain Antennas, one of the defendants in the BusyBox suits. Haislmaier's prefaced his comments by noting that he is not commenting specifically on that case.
"The bottom line is that companies need to understand their use of open source software and make each use of open source a knowing and compliant use," Haislmaier said. "This starts with implementing and maintaining an open source compliance program to help understand when and where open source is in use in your company so that you can take the proper steps to comply with the open source licenses applicable to that software."
The reality is that until the BusyBox cases came along this year, it's likely that many organizations were either not aware of their compliance issues or simply did not take them seriously. The SFLC has filed legal suits against Monsoon Multimedia, Xterasys, High Gain Antennas and Verizon. To date only Monsoon and Xterasys have settled.