HP is among the biggest backers of Free and Open Source Software (FOSS) in the world. As such they’ve developed their own best practices and tools to
help their customers understand what Open Source licenses their applications
contain as well as helping to maintain compliance with the terms of the
various licenses.
In a set of new initiatives HP is now taking its experience and its open
source license governance tools and open sourcing them in an effort to raise
awareness and build a broader community for open source governance.
“Open Source is unavoidable today and a lot of developers are bringing it
into the enterprise in some cases without a lot of visibility from other
folks that would normally evaluate a contract,” Karl Paetzel, worldwide
marketing manager for HP’s Open Source and Linux Organization, told
InternetNews.com. “So instead of doing something under the radar
we’re helping to institute a resource to help make sure development is in
line with company guidelines.”
The new effort includes the FOSSology project which will help identify what
open source licenses are being used and the FOSSBazaar community which will
focus on best practices. Paetzel noted that among HP’s own customers
they’ve found that many typically have more open source applications in use
than they thought and they also have more license obligations than they were
aware of.
“We’ve got a lot of experience in FOSS governance and started to get more
questions,” Paetzel said. “Things like ‘I don’t know how much open source
I have’ or ‘we don’t know what our license obligations are’. So we started
offering services based on our own experience and we’ve had some interesting
engagements.”
Paetzel noted that a key part of governance is first identifying what open
source code is being used as well as identifying all the various licenses
associated with it. As an example Paetzel commented that the OpenOffice.org
(OOo) office suite primarily uses the LGPL license though there are numerous
others as well including the MIT license.
“It’s difficult for our legal folks to figure it all out so we have tools to
automatically identify what’s included,” Paetzel said.
The FOSSology tools project Web site is the open source instance of HP’s
tools. The site itself was soft launched several weeks ago to allow HP’s
research partners access. Letting others work with HP’s tools is a key goal
of the effort. Paetzel explained that since the FOSSology project is about
having an extensible framework, the fact that it’s open will enable others
to expand it in ways that HP itself had not thought of.
The FOSSBazaar effort
The second effort being launched by HP is the FOSSBazaar effort, which will
actually be run as a workgroup within The Linux Foundation. HP has already
solicited the participation of Coverity, DLA Piper, Google, Novell,
Olliance Group, OpenLogic and SourceForge to join the effort.
“FOSSBazaar we feel will house the discussion around policies and best
practices,” Paetzel said. “I think the discussion for this is going to be
more business, legal and procurement people.”
The issue of Open Source compliance has become a hot one recently with the
Software Freedom Law Center (SFLC) bringing legal suits on behalf of developers against a trio of companies including Verizon
that were not in compliance. Paetzel noted that HP has had its share of
compliance-related issues and that’s where their tools have helped them.
“At HP when dealing with OEM development partners there have been cases
where we comply but some partners haven’t,” Paetzel said.
Under the GPL license, changes made to the code are supposed to be contributed
back to the community. In the case that Paetzel noted, the OEM partner had
made modifications but had not contributed the changes back to the community
as the license demands.
“Our process uncovered the issue and we informed them,” Paetzel said.
He added though that in one case a partner refused to contribute their
changes back because they said the changes were proprietary. HP didn’t end
up using that particular partner’s product and as such HP avoided a
situation where it could have been out of compliance.
The openness of the FOSSology and FOSSBazaar projects is also why Paetzel
doesn’t see any particular competitive threats. There are a few vendors
including Black Duck and Palamida that currently offer services related to
license governance and identification. Paetzel noted that anyone is able to
get involved in FOSSology or FOSSBazaar if they want to.
“They are more than welcome to contribute and really this is about raising
awareness that will help everybody use open source,” Paetzel said.