Software developers who doubt that violating an open source license is a costly mistake should look into cases
involving Motorola, Acer and Progress Software.
Each company was in violation of the General Public License for software and suffered tens of thousands of dollars in fees and out of court settlements with the Free Software Foundation (FSF) Inc. and German watchdog group gpl-violations.org. In the case of Progress Software Corp., the losses were reportedly in the tens of millions.
You can potentially avoid those types of headaches with the implementation of an open source license detection (OSLD) system.
Currently, only two vendors -- Waltham, Mass.-based Black Duck Software Inc. and San Francisco-based Palamida Inc. -- offer OSLD products, and both companies' products have merit in the eyes of analysts.
Why invest in OSLD?
Today, the ease with which developers can integrate open source code into a proprietary product or contribute proprietary code into an open source project is incredible, said Burton Group analyst Richard Monson-Haefel.
"If a company is using open source software, it behooves you to use one of these [OSLD] products, and it is particularly important for companies that are product vendors because they are at greater risk of violating license policy," Monson-Haefel said.
The Midvale, Utah-based analyst added that with an Internet connection, there is very little to prevent either scenario for occurring. "For commercial companies to protect themselves from legal risks and loss of intellectual property, they must be able to detect when open source code is used by their products and when code from their proprietary products has leaked into the open source community," he said.
Even if a developer is careful in monitoring code, proprietary software can still leak into open source software without the knowledge or permission of the company that owns it. Such was the case when the SCO Group Inc. filed a $1 billion lawsuit against IBM in 2003 for allegedly contributing proprietary code from SCO's System V Release 4 Unix kernel code to Linux.
The license as a virus
Monson-Haefel said developers should be aware that all it takes for a violation is a few lines of code or a borrowed algorithm. In most cases, the violation is unintentional but the result is the same.
"The analogy that [license violation] is like a virus is really adept in that they are both very small invaders of a body that can result in the shut down of the entire system.
"Even if it is a snippet of open source code, you are still responsible for adhering to the license. In most cases, people never know the difference, but if someone finds 100 lines of code from an open source project, that could result in the open sourcing of the entire product," Monson-Haefel explained.
Black Duck CEO and president Doug Levin said this was the case with a Web services customer that found 36 of the 10,000 lines of code within its product had been borrowed from the open source memory module of a game found on the code repository SourceForge.net.
"Software developers who find these issues need to remediate and create an audit trail to show who did what to the code and when," Levin said. You can easily reference the documentation then -- either at the end of the project when a customer wants to see code or when a company is financed or sold.
Whether large or small, the companies in need of license detection systems share the same needs. Palamida co-founder and vice president of marketing Theresa Friday said that her company's third-largest customer, Cisco Systems, has as much to lose with its IP affairs as San Francisco-based open source IT management vendor GroundWork, also a Palamida customer.
Which to choose?
Both of today's OSLD vendors are worth a look, but ultimately it will be the individual needs of the user that will determine which is selected.
"There isn't a clear victor between Black Duck and Palamida, as each offers some advantages over the other. Black Duck has better reporting of violations, and some customers say Palamida runs faster and has a larger database," Monson-Haefel said.
In a report released this month, Burton Group recommended that software development firms trial run each product. The best way to conduct a trial, the report said, is to purposefully infuse an open source piece of code into the larger code base and see which product is able to discover it.