Navigating Open-Source Licenses Can Be Tough Task
Feb 21, 2005 5:00 AM PT
In a matter of just a few years, open-source software has gone from the back room and skunk works to serious contender for corporate budget dollars.
No longer is open source just an academic and hobbyist pursuit. Major technology vendors have taken note of its evolution and want to ensure they have a piece in its future. One can now count numerous industry veterans jumping into the open-source game, including IBM, Computer Associates, Sybase, Sun Microsystems and even Microsoft.
Corporate IT staff are now frequently developing open- and mixed-source solutions as well as consuming them. As a result, hundreds of new open-source software packages are now available -- some of which may be tied to existing software patents.
This, coupled with concern over intellectual property (IP) issues and liability, may be a recipe for confusion, especially since a plethora of "open-source" licenses exist. The process for choosing a license, reviewing code and launching without fear of liability becomes more vexing as the open-source atmosphere expands.
When a company is considering its options for open-source licenses, the first stop should be the Open Source Initiative (OSI). The group maintains the definition of open-source software and certifies licenses that adhere to it. However, drop by the site and you will find more than 50 licenses described.
There have been questions of late as to whether there should be consolidation of some licenses, though some, such as the Academic Free License, serve niches. Eric Raymond, co-founder and president-emeritus of the OSI, suggests many of the licenses the OSI lists are essentially individual or corporate vanity projects.
"Only about half a dozen are in any wide use," Raymond told LinuxInsider. "We are mulling ways to push back against further proliferation, but up to now it's been our policy not to reject licenses that fit the OSD even if they are duplicative. That may soon change."
Understanding the Process
Raymond's organization vets proposed new open-source licenses with a battery of reviews and discussions.
"We look for conformance to the ten points of the OSD. We have lawyers, and legally savvy non-lawyers, chew over the license on license-discuss. The board considers their recommendations and votes," he said.
Most recently, Sun Microsystems contributed the Common Development and Distribution License (CDDL), through which the company released its Open Solaris. Sun officials have said they chose to opt out of existing licenses so they could build in patent protection for users of the new Solaris platform.
For his part, Raymond does not always believe there is a good argument to release new licenses even if the company is big.
"Most new licenses are exercises in monument-building by corporate legal departments with too much time on their hands," he said. "Occasionally you'll get a license that addresses the underlying legal issues in a genuinely new or interesting way. But that was never common and is now extremely rare."
Intellectual Property Concerns
The beauty of open source is perhaps its simplicity -- find an application that meets a need, download, install, and start using or developing with it.
SourceForge, a product of VA Software, may be considered the Creative Commons of open-source software projects, hosting over 90,000 open-source projects with over one million registered users. It is also where multitudes of open-source developers and users go to find software.
This alone is no threat. However, IP and license considerations become critical if source is being modified, packaged in another solution and distributed.
A cottage industry is brewing just for this purpose, with companies such as Black Duck Software hoping to capitalize on corporate concerns over the creation, use and distribution of open- and mixed-source code by proposing code review solutions. This can be a costly proposition to some and, according to Raymond, may make complete compliance impossible.
"With as much copyrighted and patented code as there is in the world, positive assurance by review is effectively impossible," he said. "The best you can do is make sure your code doesn't have someone else's explicit copyrights in it, and that's not nearly good enough."
Still, reviews are carried out regularly, though primarily for purposes of showing due diligence.
Raymond thinks the only strategy that makes sense in the crazed and toxic environment created by modern IP law (especially patents) is to do just enough of a pro forma review to have it on the record that you did one, then basically ignore your risks until and unless you get sued.
"And this is exactly the advice patent lawyers will give you. You don't 'want' to know what patents you may be infringing in advance -- that makes it 'willful' and trebles the damages," he said.
"Yes, this is crazy," he admitted. "It reflects the fundamental insanity of modern IP law."
In recognition of today's evolving IP issues, the GNU General Public License, one of the most widespread variations, will be refreshed for the first time in thirteen years. The revision is expected in 2005. However, Raymond suggests developers not hold off in selecting a license in order to wait for it.
Easing the Risk
Policy makers, attorneys and judges will end up guiding an archaic set of IP laws into the 21st century. The direction this process goes in may depend on individuals' and organizations' understanding of open source.
While the OSI does a little bit of advocacy for policy makers on open source and the state of intellectual property, according to Raymond, "Our main focus has been on selling the idea to businesses in the belief that they would then sell it to government. There are more politically focused groups we cooperate with, such as OSIA (Open Source Industry Alliance)."
In the meantime, developers are left to distill licenses and select one for their needs on their own. While expensive legal advice can help, those who go without it may be gambling when they choose a license to stake their code on.
Can the public expect a tool for simplifying license selection from the OSI anytime soon?
Raymond would only say, "Not yet. We're working on that."