The trend has been called alarmist and over the top. Even a Microsoft conspiracy theory or two has been floated as justification for dismissing the rising tide of licensing concerns surrounding open source software. But even so, some industry observers are sounding the alarm about the need for open source software license awareness in the enterprise.
In the report "Open Source Vendor Perspectives: It's Real, It's Hidden, and It's Bigger Than You Think," Bruce Guptill, vice president of Westport, Conn.-based Saugatuck Technology Inc., said many IT executives today know that they have Linux in their data center, but not which applications run on top of the operating system.
"Many users cite the Linux operating system and the Mozilla browser," Guptill said. "Users seem to not be aware of the presence of Apache code in established applications server software [such as IBM WebSphere]; aware of the presence of MySQL database code in a wide range of enterprise and departmental applications; or aware of Java, Perl and PHP in development and management tools." But Linux, Apache, MySQL and PHP/Python/Perl make up the popular all-open source LAMP application stack.
Licensing ignorance can be costly
This kind of ignorance about the nature of Linux apps can get executives in trouble and may invite unfavorable licensing litigation in your enterprise, said Tim Harvey, CEO of XAware Inc., a Colorado Springs, Colo.-based middleware services provider to the financial sector. The company relies on several different open source software components for its service-oriented architecture software stack. Alternatively, having a good grasp on software licensing requirements can save a company serious money.
With customers in the highly regulated financial services arena, XAware uses an intellectual property application from Black Duck Software Inc. in Waltham, Mass., to vet the licenses the software uses.
"We need to understand which licenses the software is using and that we are in compliance with those licenses," Harvey said. Using a third-party service is critical, he said, as some of XAware's software development is handled by a third party based in India. "We couldn't possibly go through every line of code," he said.
Harvey attested that Black Duck has saved XAware's bacon at least once by identifying a potentially business-busting licensing dilemma just before a new product went out the door.
"Had we shipped that software without being aware, we would have needed to go back and get compliance from the third parties [whose code XAware infringed upon] and remove the software and replace it for our 50-plus customers," he said.
Put simply, such a redaction would have cost XAware hundreds of thousands -- if not millions -- of dollars, Harvey said.
"We knew [licensing] was an issue. … In the last six months, we've had three customers ask us specifically about licensing protection. Twelve months ago, it was zero. You can't protect yourself enough," he said.
Licensing ills worsening
Saugatuck's Guptill laid out the scope of the problem. "Linux is already mainstream within larger user enterprises, with as much as 25% of new critical systems being deployed on Linux servers worldwide," he said. "If critical operations are running on Linux, there's an excellent chance that other critical operations are being accomplished with other open source software."
By his estimation, licensing issues should come to a head around 2009, when they are "set to explode." That's because vendors are integrating more and more open source into their software stacks, exacerbating the problem.
"The open source environment, especially the licensing issues, are going to get more complex as vendors catch up with users and start integrating open source components -- MySQL databases or Mozilla browser code -- into other software and Software as a Service-based services," he said.
Compounding the complexity is an increasing willingness among software vendors to tailor open source licensing terms to their own needs, Guptill said. Microsoft Corp., for example, refers to "permissive use" licensing rather than what's usually considered "true" open source (à la General Public License, or GPL).
Licensing fire and brimstone?
Still, some open source observers consider Saugatuck's report on the licensing crisis in the enterprise "alarmist." Dave Roberts, vice president of strategy and marketing at open source router manufacturer Vyatta Inc., is one such critic. Vyatta's flagship product, the open source router and firewall Open Flexible Router, is based on version 2.0 of the popular GNU General Public License.
"The fact is there have been many open source licenses for quite some time," Roberts said. "In fact, if you buy a copy of [Red Hat Enterprise Linux (RHEL)] from Red Hat, you're getting a product with many licenses embedded in it; every Linux distro is the same. Without pointing to a specific license that is problematic, it's all just huffing and puffing without substance."
Indeed, the software packages contained in the RHEL distribution contain code licensed under GPLv2, Apache, BSD, and Mozilla, to name a few. "Every copy of Red Hat Linux is covered by a plethora of licenses, and people already deal with that. I don't see where the danger is," Roberts said.
In a similar vein, on the blog rand($thoughts), Linux user Savio Rodrigues wondered why indemnification should be a customer issue at all.
"Do any of us care that the BlackBerry or iPod we use may have patent infringing technology inside? Or that these devices may include some copyrighted material (a la the software) inside? No, we expect that the vendors who sell us these products have taken care of that for us," he said.
The problem is that in many cases, vendors have not taken care of everything, said Heather Meeker, an attorney with global law firm Greenberg Traurig LLP. And these days, IT managers are more likely to implement software in their Linux stacks and production-level environments without fully comprehending which licenses the software contains.
"As every day advances, open source becomes a bigger and bigger concern for corporate users," Meeker said. "This does not mean it is a bad thing yet. But it does mean there are concerns about it. It's become a significant trend over the past five to seven years to use more third-party software in production, especially with open source," she said.
This is especially onerous in the enterprise, where the sometimes free nature of open source can help it fly under the radar of corporate asset managers, Meeker said.
"The thing is, if [an IT manager] doesn't have to pay for something, then in the business world it never happened," Meeker said. "A lot of these issues are therefore undiscovered."
At the executive level, ignorance about open source is even more rampant, said Alex Fletcher, principal analyst at Entiva Group in Silver Spring, Md.
"Open source software, especially within the data center, is often assessed, tested and even deployed in production environments all before management -- let alone the CIO -- is even alerted to its presence," Fletcher said.
Brace yourself for an audit
For IT managers, the good news is that there's plenty of time to prepare. Meeker concedes that the current atmosphere is being driven more by fear than any serious litigation. As more software is included in the Linux stack and thus the potential for problems grows, it's essential to establish some kind of audit strategy sooner rather than later, Meeker said.
"The worst situation I ever encountered was when a company had been formed by a string of acquisitions and as a result all of their development activities had become very siloed," Meeker said.
When a board member asked if the open source software being used in production had to be Sarbanes-Oxley (SOX)-compliant, the answer was yes, and there was a feverish flurry of activity as the company tried to find out what it was running. "The company had no idea what kind of software it had," she said.
Signed into law in 2002 by President George W. Bush, SOX is a wide-ranging piece of legislation that established new or enhanced standards for all U.S. public-company boards, management and public accounting firms.
Unfortunately, installing a compliance audit strategy after the fact can often be a two-year or more process that Meeker compared to an archeological dig. Sure, there are vendors that specialize in the auditing process, such as Palamida Inc. and Black Duck Software, but even then, having a third party come in after the fact requires lengthy approval processes and implementation.
Over the past four years, for example, one Palamida client was doing internal code audits on its own and said that when it finished the first audit for one year it had to immediately begin the next year's audit. As a result, high-end resources were being devoted to the process and not to development, she said.
But in the long run, said Guptill, there is an upside to auditing and understanding your open source licensing posture: better software. "It's hard -- and more expensive -- to plan and manage technologies if you don't know what's in them and what needs to be done to make them work better together. It takes more time and more trial and error."