The Pitfalls of Open Source Litigation


SAN FRANCISCO — Optimists say the best things in life are free; realists say yes, but anything that’s free costs way too much. Nowhere is that more applicable than in open source software.

Enterprises using open source are being sued for not complying with the multitude of licenses the software comes with.

The problem is that open source software developers pull in code from other open source applications. “If you’re using only a few open software packages, you’re actually using a whole lot more applications because open software builds on things other people have done,” Stormy Peters, executive director of the Gnome Foundation, a nonprofit organization that coordinates the efforts of the Gnome Project, said during a presentation today on avoiding open source lawsuits. The Gnome Project is a worldwide project to create a free computing platform for public use.

For example, a project using Ant, MySQL and MSQL Server Connector, AspectJ and the Spring Framework would “really use over 90 different open software packages, each of which has its own license,” Peters said. “The problem is that it’s difficult to find out what other software open software depends on.”

Peters made her presentation at the Next Generation Data Center and LinuxWorld conferences, being held concurrently here through Thursday.

Enterprises are more at risk of lawsuits than they think. According to Peters, companies report an average of 94 open source packages in use, but actual inventory scans show they have from three to 10 times more packages in the environment, which is “a risk, logistically and legally, right off the bat.”

Corporations can face lawsuits for a multitude of reasons. They can be sued for intellectual property infringement, which is violation of patent, trademark, copyright or trade secrets, Peters said. Or they could be sued for noncompliance with the terms of a license.

The problem is complicated by the fact that two levels of licenses govern open source software: several general licenses sit over and above the licenses that individual developers attach to their own packages.

One is the GNU General Public License (GNU GPL), which says, in essence, that anyone modifying and distributing software governed by this license has to include the modified source code with the distribution. This doesn’t apply if the software is used in-house.


Licenses and lawsuits

Other general licenses are the GNU Lesser General Public License, the GNU Free Documentation License and the Affero General Public License. Each has its terms and conditions.

The licenses imposed by the developers can be wild and wacky. Some open source software is called beerware because its license states that users should buy the authors a beer, or drink a beer in their honor, if they meet. Peters said some enterprises don’t let their staff use beerware “because they can’t guarantee that their staff would recognize the developer at a conference.”

Some really large companies have been sued over open source software. For example, the Software Freedom Law Center (SFLC) filed suit against U.S. telecoms giant Verizon (NYSE: VZ) in December on behalf of open source software developer BusyBox for allegedly violating the GNU GPL.

The suit, filed in the United States District Court for the Southern District of New York, was settled in March. It is one of four launched on behalf of BusyBox, Peters said.

According to Peters, all four were for violations of the GNU GPL. Some of them have been settled, and under the terms of the settlement, companies were required to add an open source compliance officer to their teams, she added.

Enterprises have no clear guidelines as to what constitutes violation of open source licenses because most actions are settled out of court, Peters said. That “leaves a lot of ambiguities about open source because a lot of things haven’t been settled in court, so your attorneys can’t give you definitive advice,” she added.

Peters recommended five steps enterprises should take to prevent lawsuits: discover what open source software they have, create open source communities around each of these packages, implement an open source strategy and policy, manage the approval process, track and audit open source usage, and ensure compliance with open source licenses.

“From the beginning you must audit your open source software,” Peters said. “And you must track and audit usage so, if you do get sued, you can ensure you don’t get into a $50 million lawsuit.”
