SAN FRANCISCO — Are you in compliance with the open source licensed
application you’re using?
It’s a question that Google’s Open Source Program Manager Chris DiBona understands well.
In an energetic 90-minute session here at
LinuxWorld, DiBona explained the principal differences between licenses
and how to maintain compliance with them.
He also explained how Google,
which consumes, produces and supports open source in a myriad of ways,
handles the complexity of code licensing.
At the core of all open source applications is the open source license under
which the application is made available.
The definition of open source, according to DiBona, is something that is easy to answer at a high level: It is approved by the Open Source Institute.
DiBona warned, however, that not all firms that claim to be open source
actually are open source.
“If you go out on the show floor, vendors will say words like ‘open source,’ and
sometimes they are lying; but sometimes they have a different idea about what
x or y license is.”
At the root of the problem of understanding what is and isn’t open source is
the fact that there are over 60 OSI-approved licenses.
Yet, among those 60-plus licenses, one license clearly dominates the landscape.
“GPL is the most important license in open source today,” DiBona said.
According to Google’s studies cited by DiBona, GPL-licensed code represents 45 percent to 50 percent of all open source software.
The fact that the GPL is so
pervasive means that understanding its terms is even more important.
The GPL is a reciprocal license, meaning the code
must remain free and that contributions must be committed back to the
community.
DiBona said the problem with many licenses lies in open source
intermingling, where bits of code licensed under different licenses are
cobbled together into an application.
Not all licenses are compatible.
“It ends up hurting your productivity,” DiBona said. “It’s worth
understanding this problem so you can stay out of it.”
A lot of license compliance has to do with the spirit of the license as
opposed to the letter of the license.
A lot of terms in open source
licensing can be somewhat ambiguous, and non-compliance enforcement doesn’t
carry much of a penalty.
“The reason why we’re [Google] compliant is because it’s the right thing to
do,” DiBona said. “The financial penalty is not significant.”
DiBona noted that people are breaking the law in terms of license compliance, but the violations are often remedied simply. In his view, most developers just
want to make sure their code and applications continue in an open source
manner.
“What it comes down to is that there are developers that want others to
use their work, and that’s pretty awesome.”
The GPL in its current version 2 includes some items that are
often misunderstood.
If you link, you have to make your code free. But there
is no clear definition on what linking means.
For example, if a user uses GCC to
compile their application, that doesn’t mean that the software that is
compiled is now GPL.
“Most people agree that linking means dynamic linking to a library,” DiBona
explained. With GPL’s other variant, the Lesser GNU Public License,
a dynamic link is not an infection.
The terms of the GPL and other open source licenses are not necessarily where
the difficulty rests.
“The problem is not mirroring or patching or following the law. The hard
part is tracking the software,” DiBona said.
DiBona told the audience that Google built a tool to track what is what and where things came from. As such, code is properly segregated, minimizing the risk of non-compliance.
“We spend a lot of time on engineer training,” DiBona said.
As part of that
training DiBona gives new Google engineers an orientation that teaches them
about Google’s code repository and the importance of identifying and
tagging code.
“Once they get into the habit in your own organization, they’ll get used to
being compliant,” DiBona said.
What it boils down to in the end is understanding where open source
developers are coming from so you can make better use of the software.
The idea is that you get more out of open source code by
participating in the process of its development and growth than you would
simply by using it on your own.
What’s important to understand about most open source software developers is
that they are not in it for the money, according to DiBona.
“They know what they are doing, and if they wanted to charge you they would
choose a commercial license,” DiBona said. “There are lots of opportunities
in commercial licensing. If you want to get paid do not give it away.”
That said, DiBona did note that there are plenty of opportunities to make
money in open source, but making recurring licensing revenue is not one of
them.
“Ninety-nine percent of projects are one or two people that have a problem that interests them so they use the license so they can work together,” DiBona said.
“Open source licenses give us a structure to work together, not one to rip each other off.”